Things from Me
Happy Friday everyone! Welcome back!
…
A big heads-up to start this issue. I would generally just leave the following in its own section for Microsoft Sentinel in the newsletter, but there’s been enough discussion around this that it warrants amplified placement in the newsletter introduction this week. There’s a poll that follows the announcement.
Microsoft Sentinel in the Azure portal to be retired July 2026
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.
Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.
If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.
For more information, see:
Transition your Microsoft Sentinel environment to the Defender portal
Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers (blog)
…
That’s it from me for this week. I have another keynote opportunity coming up in November in London.
I hope to see many of you there. Registration is here: https://www.securitysummit.ai/
Talk soon.
-Rod
Things that are Related
Why passkeys are the next frontier in digital security - The traditional password that generations of computer users have come to love and hate may soon be replaced by something called a "passkey." You've likely even been prompted to create one. While many people may not know just how easy it is to start experimenting with this new creation, there are still hurdles that must be cleared before adoption becomes widespread.
Learn how to build an AI-powered, unified SOC in new Microsoft e-book - Organizations also need to embrace AI and automation, moving away from manual, reactive security to an automated, proactive defense. But the transition is easier said than done. For most organizations, this transition will require significant effort that spans not just technology, but people and processes too. To help organizations make the move beyond silos to an integrated, defense-in-depth approach, we’re sharing a new e-book—our introduction to building a coordinated defense. In this post, we walk through the key content you can find in the e-book and share more resources on integrated cyberthreat protection.
Enhancing Microsoft 365 security by eliminating high-privilege access - In this blog you will hear directly from Microsoft’s Deputy Chief Information Security Officer (CISO) for Experiences and Devices, Naresh Kannan, about eliminating high-privileged access across all Microsoft 365 applications. This blog is part of an ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more.
Microsoft expands Zero Trust workshop to cover network, SecOps, and more - The Microsoft Zero Trust workshop is more than a training session—it’s a call to action for organizations to reimagine their approach to security in the modern digital landscape and operationalize this vision. With the expanded pillars, this workshop now includes comprehensive insights for implementing a Zero Trust strategy that covers posture, prevention, detection, and response. Give it a try today.
Microsoft Sentinel Things
Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel - We’re excited to announce the launch of Summary Rules Templates as a new content type in the Content Hub, designed to help customers streamline verbose data into actionable insights.
New and Improved Microsoft Sentinel documentation program - So if you followed my old blog post (at Create a Word document that describes your Microsoft Sentinel environment – Yet Another Security Blog), you will be familiar with this program. It goes out and makes a ton of REST API calls to get all the information pertaining to your environment and puts it into a Word document.
No limit on the number of workspaces you can onboard to the Defender portal - There is no longer any limit to the number of workspaces you can onboard to the Defender portal. Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule.
Microsoft Sentinel Analytical Rule Tuning - Microsoft Sentinel's analytical rules form the backbone of your security operations centre's detection capabilities. However, deploying rules isn't enough. Effective rule tuning is essential for maintaining high detection accuracy whilst minimising alert fatigue. This comprehensive guide explores the critical aspects of Sentinel rule tuning that every security team should master.
Defender for Cloud Things
Scanning support for Chainguard container images and Wolfi - Microsoft Defender for Cloud's vulnerability scanner, powered by Microsoft Defender Vulnerability Management, is extending its scanning coverage to Chainguard container images, and identifies vulnerabilities in Chainguard Images and Wolfi to validate that they're shipping the most secure builds possible. As additional image types are being scanned, your bill might increase. For all supported distributions, see Registries and images support for vulnerability assessment.
Defender XDR Things
(Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
(Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.
Defender for Identity Things
New security posture assessments for unmonitored identity servers - Microsoft Defender for Identity now includes three security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Use these assessments to improve monitoring coverage and strengthen your hybrid identity security posture.
Defender for Cloud Apps Things
“Behaviors” data type in Microsoft Defender for Cloud Apps - General Availability - The Behaviors data type significantly enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. You can now use Behaviors to conduct investigations in Advanced Hunting, build better custom detections based on behavioral signals, and benefit from automatic inclusion of context-related behaviors into incidents. This provides clearer context and helps security operations teams to reduce alert fatigue, prioritize, and respond more efficiently.
Microsoft Purview Things
Search and Purge using the Security and Compliance PowerShell cmdlets - As a reminder, E3/G3 customers must use the Security and Compliance PowerShell cmdlets to execute the purge operation. Searches can continue to be created using the New-ComplianceSearch cmdlet, and the newly created search can then be run using the Start-ComplianceSearch cmdlet.
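The search-then-purge sequence the item above refers to, written out end to end as an added example (this is not code from the newsletter or from the linked Microsoft post). It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the eDiscovery permissions required to run a purge action, and that the search name, sender address and subject text are constructed placeholders to be replaced with values from your own investigation.

```powershell
# Added example: search-then-purge with Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and sufficient eDiscovery rights.
# The search name, UPN and query values below are constructed placeholders.

# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$searchName = 'Purge-PhishMessage-Example'

# 1. Create the content search. Scope the query as narrowly as possible
#    (sender plus subject here) so the purge only touches the intended messages.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -ContentMatchQuery 'from:"sender@badsender.example" AND subject:"Invoice overdue"'

# 2. Run the search and poll until it completes.
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

# 3. Check the hit count before purging; bail out if nothing matched,
#    and review the estimate if the number looks larger than expected.
"Search '$searchName' matched $($search.Items) item(s)."
if ($search.Items -eq 0) { return }

# 4. Purge. SoftDelete leaves the items recoverable by the user;
#    HardDelete marks them for permanent removal.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false

# 5. Track the purge action (named "<search name>_Purge") until it finishes.
Get-ComplianceSearchAction -Identity "${searchName}_Purge"
```

Two practical notes: a purge action removes at most 10 items per mailbox per run, so a broad search may need several passes, and running the search to completion first (step 2 and 3) is what lets you sanity-check the match count before anything is deleted.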
Microsoft Entra Things
Zero-Trust Agents: Adding Identity and Access to Multi-Agent Workflows - AI agents need identity and trust just like humans. In this article, we demonstrate a zero-trust approach to autonomous AI agents by integrating Identity and access management into an enterprise agentic workflow.