THE PROMPT for Microsoft Security - Issue #61
Powered by grief, gratitude, and way too many KQL queries
Things from Me
Happy Friday everyone!
Thanks to all of you for your comments and well wishes following the recent loss of my stepmom. You all are wonderful. This community is amazing!
…
Exciting Update: Must Learn KQL Goes Mobile!
After the smash-hit launch of the desktop app for Must Learn KQL, I’m thrilled to invite you to beta test the iOS mobile version! Co-developed with the talented Toby G., this app packs 21 interactive lessons, live query practice against real data, quizzes, progress tracking, and even Game Center leaderboards to make mastering Kusto Query Language fun and competitive.
Whether you’re a security pro hunting threats in Microsoft Sentinel or an analyst diving into Azure Data Explorer, it’s your on-the-go guide from beginner to expert. Beta testing runs 3-4 weeks—join now via TestFlight: https://testflight.apple.com/join/cyAUvWyw and help shape the future of KQL learning!
…
Looking for an exciting career in cybersecurity? My good friends at Invoke have an opening for a Cloud Solution Architect – Threat Protection.
Invoke is a fantastic company to work for—after all, who wouldn’t want to join the team that clinched the Microsoft Security Excellence Awards for Security Services Partner of the Year? As a Microsoft System Integrator with specialized partnerships, Invoke is at the forefront of threat protection, identity management, and AI-driven solutions. In their Cloud Solution Architect – Threat Protection role (remote, based in Houston, TX), you’ll lead enterprise implementations using cutting-edge Microsoft tools like Defender XDR, Sentinel, and Security Copilot, collaborating with top stakeholders to harden security postures and drive innovation.
Check out the job description and apply here: https://invoke.rippling-ats.com/job/983633/cloud-solution-architect-threat-protection
…
That’s it from me for this week. Have a great week ahead!
Talk soon.
-Rod
Things to Watch
Things that are Related
Infostealers without borders: macOS, Python stealers, and platform abuse - Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS-targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS).
Cloud forensics: Forensic readiness and incident response in Azure Virtual Desktop - Azure Virtual Desktop (AVD) has rapidly become a core tool for enabling remote work at scale. Consequently, it’s also emerging as a target for threat actors. Recent Microsoft Incident Response engagements show that threat actors are exploiting AVD deployments for lateral movement and persistence. By hijacking legitimate AVD user accounts, they gain what is essentially a trusted “endpoint” inside the network without having to install malware.
Microsoft SDL: Evolving security practices for an AI-powered world - As AI reshapes the world, organizations encounter unprecedented risks, and security leaders take on new responsibilities. Microsoft’s Secure Development Lifecycle (SDL) is expanding to address AI-specific security concerns in addition to the traditional software security areas that it has historically covered.
Detecting backdoored language models at scale - Today, we are releasing new research on detecting backdoors in open-weight language models. Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.
How Nonprofits Can Strengthen Cybersecurity with Small Steps (That Make a Big Difference) - Nonprofits are often stretched thin—limited budgets, diverse users, and critical missions. But that doesn’t mean cybersecurity has to be overwhelming. In fact, some of the most effective protections are simple, affordable, and accessible to organizations of any size.
The security implementation gap: Why Microsoft is supporting Operation Winter SHIELD - Every conversation I have with information security leaders tends to land in the same place. People understand what matters. They know the frameworks, the controls, and the guidance. They can explain why identity security, patching, and access control are critical. And yet incidents keep happening for the same reasons.
Things for Partners
February update: What’s new in Security for Partners
Microsoft Sentinel Things
Microsoft Sentinel Storage Explained: Analytics Tier vs Data Lake vs Data Archive - Microsoft documentation explains what each option is, but it does not provide a clear, operational framework for deciding where each log or table should live in real-world Sentinel environments.
The Agentic SOC Era: How Sentinel MCP Enables Autonomous Security Reasoning - Microsoft Sentinel MCP Server, now generally available, augments analysts with intelligence that can reason across signals, automate investigations, and surface what truly matters. AI helps Security Operations Centers (SOCs) move faster, reduce fatigue, and measurably improve the security posture of the organization.
The Microsoft Copilot Data Connector for Microsoft Sentinel is Now in Public Preview - We are happy to announce a new data connector that is now available to the public: the Microsoft Copilot data connector for Microsoft Sentinel. The new Microsoft Copilot data connector allows audit logs and activities generated by the different Copilot offerings to be ingested into Microsoft Sentinel and the Microsoft Sentinel data lake. This allows Copilot activities to be used within Microsoft Sentinel features such as analytic rules/custom detections, Workbooks, automation, and more. It also allows Copilot data to be sent to the Sentinel data lake, which opens up integrations with custom graphs, the MCP server, and more, while offering lower-cost ingestion and longer retention as needed.
Automating Azure VM & Arc Server Data Collection Rule Association with PowerShell - In Microsoft Sentinel or Azure Monitor deployments, onboarding virtual machines and Arc-enabled servers to Data Collection Rules (DCRs) is a key step. Doing this manually for dozens (or hundreds) of machines is time-consuming and error-prone.
Defender for Cloud Things
Architecting Trust: A NIST-Based Security Governance Framework for AI Agents - As artificial intelligence evolves from simple chatbots to autonomous agents capable of making decisions and taking action, the need for robust security governance has never been greater. This blog explores how organizations can architect trust in the age of AI agents by leveraging the NIST AI Risk Management Framework and the Microsoft Foundry ecosystem. Whether you’re a security leader, developer, or business stakeholder, you’ll discover practical strategies to manage risk, ensure compliance, and build resilient, trustworthy AI solutions.
Extending Defender’s AI Threat Protection to Microsoft Foundry Agents - Today’s blog post introduces new capabilities to strengthen the security and governance of AI agents using Microsoft Foundry Agent Service and explores how Microsoft Defender helps organizations secure Foundry agents as they move from experimentation to production.
Defender XDR Things
Splitting single-tenant Microsoft Defender XDR Sentinel logs in multiple company scenarios - If we connect all the company-specific Sentinel workspaces to the same tenant, they will all get the same data, seeing each other’s sensitive data and multiplying ingestion costs across all companies. The following sections describe a simple, yet effective solution for this problem, leveraging Log Analytics workspace transformations and some simple KQL query statements.
Case study: Securing AI application supply chains - The rapid adoption of AI applications, including agents, orchestrators, and autonomous workflows, represents a significant shift in how software systems are built and operated. Unlike traditional applications, these systems are active participants in execution. They make decisions, invoke tools, and interact with other systems on behalf of users. While this evolution enables new capabilities, it also introduces an expanded and less familiar attack surface.
Microsoft Defender Experts Things
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality.
Microsoft Purview Things
General Availability of Microsoft Purview eDiscovery Graph API for E3 Customers - As of December 1st, 2025, the Microsoft Purview eDiscovery Graph API Standard hit General Availability (GA). It provides a programmatic way to manage eDiscovery cases, searches, holds, and exports for organizations that have only M365 E3 licenses. It extends automation capabilities that were previously exclusive to eDiscovery Premium customers with M365 E5 (or equivalent add-on SKU) licenses.
Building Secure, Enterprise Ready AI Agents with Purview SDK and Agent Framework - At Microsoft Ignite, we announced the public preview of Purview integration with the Agent Framework SDK—making it easier to build AI agents that are secure, compliant, and enterprise‑ready from day one. AI agents are quickly moving from demos to production. They reason over enterprise data, collaborate with other agents, and take real actions. As that happens, one thing becomes non‑negotiable: Governance has to be built in. That’s where Purview SDK comes in.
Microsoft Entra Things
Conditional Access for Canvas Apps with Entra - Not all Canvas Apps require the same level of protection. Here we dive into how Conditional Access lets Power Platform admins apply the right security to the right app, with a step-by-step example of enforcing access policies using Entra ID and PowerShell.