THE PROMPT for Microsoft Security - Issue #51
Nothing Says 'Security' Like Outsmarting Threats with a Clever One-Liner
Things from Me
Happy Friday, folks!
Welcome to this week’s edition of the newsletter! If you’ve been following along, you know we’ve had a bit of an on-again/off-again rhythm lately—and this week is no exception. I’m thrilled to bring you fresh insights today, but heads up: there will be no newsletter next week.
Why? I’ll be in Nashville speaking at the Midwest Management Summit (MMS), sharing ideas and connecting with some of the brightest minds in the industry. If you’re attending, come say hi!
Next week, I’ll be talking about the new Microsoft Sentinel features announced a couple of weeks ago, giving the State of the Union for Security Copilot, and co-delivering a session on Microsoft Purview. It’s truly a cornucopia of topics.
Check out my schedule: https://mms2025music.sched.com/speaker/rod_trent.28kie72h
The Midwest Management Summit (MMS) is a premier technical conference focused on systems and endpoint management, delivering real-world insights through expert-led sessions, interactive discussions, and networking opportunities. It emphasizes practical content around Microsoft technologies like ConfigMgr, Intune, Windows 11/365, security, and cloud infrastructure, making it a go-to event for IT professionals, MVPs, and Microsoft enthusiasts. The “Music City Edition” is one of two annual events (the other being at MOA in May), held in the vibrant setting of Nashville, Tennessee.
So, we’ll talk again in a couple weeks. In the meantime, let’s dive into this week’s content—you won’t want to miss it.
Talk soon.
-Rod
Things to Attend
Microsoft Ignite - Get the edge you need to drive impact in the era of AI. Join us to bolster your knowledge, build connections, and explore emerging technologies.
San Francisco, Moscone Center: November 18–21, 2025 (optional pre-day November 17)
Online: November 18–20, 2025
Securing agentic AI: Your guide to the Microsoft Ignite sessions catalog - Join us in San Francisco from November 17–21—or online from November 18–20—as we spotlight our AI-first, end-to-end security platform designed to protect identities, devices, data, applications, clouds, infrastructure, and—critically—AI systems and agents.
Things that are Related
Calm in the Chaos | Security Insider - Adrian Hill, lead investigator for Microsoft IR, explains it simply: “Our job is to bring clarity, calm, and momentum—fast. We set the tone in the first 30 seconds. Because if the customer doesn’t trust us immediately, we can’t help them recover.” Whether dropped into an active breach or brought in for proactive support, Microsoft’s IR team works to stabilize, guide, and rebuild. Every engagement starts with empathy and ends with action.
New Microsoft Secure Future Initiative (SFI) patterns and practices: Practical guides to strengthen security - This next set of SFI patterns and practices articles includes practical, actionable guidance built by practitioners, for practitioners, in the areas of network, engineering systems, and security response. Each of the six articles includes details on how Microsoft has improved our security posture in each area so customers, partners, and the broader security community can do the same.
Things to Watch/Listen To
Security Copilot Things
Agentic security your way: Build your own Security Copilot agents - Microsoft Security Copilot is redefining how security and IT teams operate. Today at Microsoft Secure, we’re unveiling powerful updates that put genAI and agent-driven automation at the center of modern defense. In a world where threats move faster than ever, alerts pile up, and resources stay tight, Security Copilot delivers the competitive edge: contextual intelligence, a growing network of agents, and the flexibility to build your own.
Redefining Cyber Defence with Microsoft Security Exposure Management (MSEM) and Security Copilot - Anas Hadidi and Shruti Ailani bring you this blog to help you leverage Security Copilot automations to understand your cyber exposure via Microsoft Security Exposure Management (MSEM), which can act as an aggregator for your Microsoft and non-Microsoft exposure sources.
Microsoft Sentinel Things
Microsoft Sentinel and Defender: ITSM Integrations Explained - While Defender’s alert correlation brings strong benefits—reducing alert fatigue and surfacing multi-stage attacks—it can also impact how incidents are synchronized with external ITSM systems. If your Microsoft Sentinel workspace has been migrated to Defender, it is important to revisit your ITSM integration. This blog post walks you through the key updates you will need to make.
App Assure’s Sentinel promise now extends to Microsoft Sentinel data lake - Microsoft Sentinel continues to lead the industry as a cloud-native SIEM, trusted by organizations worldwide to deliver scalable, intelligent security analytics. On September 30th, Sentinel’s new data lake features become generally available. This unlocks new threat hunting, compliance, and investigation scenarios for security teams looking for a cost-effective solution for long-term retention of valuable security logs. Most importantly, the same connectors bringing your data into Sentinel’s analytics tier today will now seamlessly bring that data into the data lake.
Microsoft Sentinel data lake FAQ - The Sentinel data lake is a game changer for security teams, serving as the foundational layer for agentic defense, deeper security insights and graph-based enrichment. In this blog we offer answers to many of the questions we’ve heard from our customers and partners on Sentinel data lake and billing.
Defender for Endpoint Things
Detecting and Alerting on MDE Sensor Health Transitions Using KQL and Logic Apps - Maintaining the health of Microsoft Defender for Endpoint (MDE) sensors is essential to ensure continuous visibility across your virtual machines. When a sensor goes from Active to Inactive, it can create blind spots and delay threat detection. This blog shows you how to automate detection and alerting for these sensor health transitions using Kusto Query Language (KQL) and Azure Logic Apps. With this setup, your security team will receive timely alerts when sensors stop reporting, enabling faster response and stronger endpoint coverage with minimal manual effort.
Strengthen Your Security Posture This October with Smarter Endpoint Protection - As organizations accelerate digital transformation, endpoints have become the frontline of defense—and the most frequent target. From phishing emails to fileless malware, attackers are exploiting gaps in visibility and response. It’s no longer enough to react after the fact. You need security that’s proactive, intelligent, and built for scale. Microsoft Defender for Endpoint delivers exactly that—combining real-time detection, automated remediation, and deep threat analytics to help you stay ahead of adversaries.
Defender for Threat Intelligence Things
Investigating targeted “payroll pirate” attacks affecting US universities - Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday.
Defender XDR Things
Effective Tips To Manage Microsoft Defender XDR Tables - Microsoft Sentinel’s integration with Microsoft Defender XDR has unlocked unified data management capabilities for SOC teams. In a previous post, we discussed and explored log tiering with the new Sentinel Data Lake in depth, which is generally available (GA) as of September 30th, 2025. In this follow-up, we’ll deep-dive into how to manage Microsoft Defender XDR tables after you onboard a Sentinel workspace to the Defender portal.
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability - Microsoft urges customers to upgrade to the latest version following Fortra’s recommendations. We are publishing this blog post to increase awareness of this threat and to share end-to-end protection coverage details across Microsoft Defender, as well as security posture hardening recommendations for customers.
How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot - We’re excited to share that Microsoft Defender now provides visibility into prompt injection attempts within Microsoft 365 Copilot and helps security teams detect and respond to prompt injection attacks more efficiently and in a broader context, with insights that go beyond individual interactions.
Microsoft Purview Things
Know Your Risk: Using Microsoft Purview to Protect Sensitive Data - In today’s digital-first world, data is everywhere—and so are the risks. From donor records to financial reports, sensitive information flows across emails, documents, and cloud platforms. In keeping with the Cybersecurity Awareness Month theme, this is the perfect time to ask: Do you know where your sensitive data lives—and how well it’s protected?
Step-by-Step Guide: Integrating Microsoft Purview with Azure Databricks and Microsoft Fabric - This article provides practical guidance on setup, cost considerations, and integration steps for Azure Databricks and Microsoft Fabric to help organizations plan for building a strong data governance framework. It outlines how Microsoft Purview can unify governance efforts across cloud platforms, enabling consistent policy enforcement, metadata management, and lineage tracking. The content is tailored for architects and data leaders seeking to execute governance in scalable, hybrid environments.
Disrupting threats targeting Microsoft Teams - The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging (chat), calls and meetings, and video-based screen-sharing – at different points along the attack chain. This raises the stakes for defenders to proactively monitor, detect, and respond.