THE PROMPT for Microsoft Security - Issue #58
The only newsletter that correlates better than Defender XDR
Things from Me
Happy New Year, everyone!
Welcome back to THE PROMPT for Microsoft Security after our holiday hiatus. I hope you all had a wonderful, restful break filled with family, friends, and plenty of recharge time as we closed out 2025 and rang in 2026.
We’re kicking off the new year refreshed and excited to dive back into the latest updates, features, and insights across Microsoft’s Unified Security Operations Platform. You can expect the same reliable weekly updates you’ve come to rely on—every Friday, packed with the most important news, innovations, and community highlights to help you stay ahead in the ever-evolving world of security.
A huge thank you to all of you for your incredible readership, engagement, comments, and shares throughout the past year. Your support and feedback make this community thrive, and I’m truly grateful for each and every one of you.
Here’s to an amazing 2026—let’s make it secure, innovative, and unstoppable!
…
Congratulations to Jose Lazaro and Marcus Burnap on the release of your outstanding new book, Unified SecOps Playbook: End-to-end enterprise security with Microsoft Sentinel, Defender XDR, and Security Copilot!
This is a massive achievement — delivering a practical, end-to-end guide that ties together Microsoft Sentinel, Defender XDR, and Security Copilot into a cohesive SecOps framework is exactly what the community has been waiting for. Your expertise shines through, and this playbook is already poised to become an essential resource for security teams building governed, measurable, and AI-powered security operations.
Huge kudos for pouring your knowledge into something that will help countless organizations level up their defenses. Well-deserved celebration — here’s to the book flying off the (virtual) shelves!
Grab your copy here: https://amzn.to/4jswH6t
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Artificial Intelligence & Security - AI introduces both opportunities and risks. A responsible approach to AI security involves three dimensions:
Risk Mitigation: Addressing threats from immature or malicious AI applications.
Security Applications: These are used to enhance AI security and public safety.
Governance Systems: Establishing frameworks to manage AI risks and ensure safe development.
Explore the latest Microsoft Incident Response proactive services for enhanced resilience - Delivered by the same experts who handle real-world crises, Microsoft proactive services equip security teams with insights and skills to be informed, resilient, and ready—because the best response is one you never need to make.
Things to Watch/Listen To
Security Copilot Things
Accelerate Your Security Copilot Readiness with Our Global Technical Workshop Series - The Security Copilot Technical Customer Readiness team is delivering free, virtual hands-on workshops year-round, available across multiple time zones to fit global schedules. These sessions are designed specifically for technical practitioners who want to deepen their AI for Security expertise with Microsoft Entra, Intune, Microsoft Purview, and Microsoft Threat Protection.
Microsoft Sentinel Things
Important Update for Microsoft Sentinel Users: Deprecation of Alert-Triggered Playbooks in Analytics Rules - If you’re managing security operations with Microsoft Sentinel, you’ve likely received a notification about an upcoming change to how playbooks are triggered by analytics rules. Microsoft has announced the deprecation of the classic method for assigning alert-triggered playbooks directly within analytics rules. This change takes effect on March 15, 2026, and it’s time to prepare your environment to avoid disruptions.
KQL Toolbox #2: Find Your Noisiest Log Sources (with Cost) - In the last KQL Toolbox, we zoomed out and looked at billable ingest trends over time—how many GiB per day you’re ingesting, and roughly how much that’s costing you in Microsoft Sentinel. This time, we’re zooming in.
Turning off incident correlation for Sentinel alerts in the Defender portal - If you’ve ever worked through a Sentinel‑to‑Defender transition, you already know the pain point. Sentinel’s incident model is beautifully straightforward: one analytics rule, one grouping configuration, one predictable incident. Defender XDR, on the other hand, takes all your alerts, stirs in correlation logic, attacker activity sequences, multi‑product signals and sometimes hands you back incidents shaped slightly differently than what your automation playbooks expect.
Fighting alert fatigue with built-in incident prioritization - There is a new feature in the Defender portal that helps prioritize your incident queue automatically. The Defender incident queue now applies a machine learning–driven prioritization algorithm across all incidents, including Microsoft native detections, custom detections, and third-party signals when they surface in Defender or Sentinel.
Defender XDR Things
Announcing public preview: Uncovering hidden threats with the Dynamic Threat Detection Agent - At Ignite, we announced the Security Copilot Dynamic Threat Detection Agent in Microsoft Defender: an always-on, adaptive backend agent that uncovers hidden threats across Defender and Microsoft Sentinel environments. Today we are excited to share that customers who meet the prerequisites can now enter the public preview of this agent. Running in the Defender backend, the agent delivers Copilot-sourced alerts directly into familiar workflows—complete with natural language explanations, mapped MITRE techniques, and tailored remediation steps.
Phishing actors exploit complex routing and misconfigurations to spoof domains - Phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally. Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing.
Introducing AI-powered incident prioritization in Microsoft Defender - Security teams don’t struggle because they lack alerts—they struggle because they have too many, arriving faster than humans can triage. Microsoft Defender brings Microsoft Defender XDR and Microsoft Sentinel signals together into correlated incidents, which is exactly what you want for end-to-end visibility. But it also means your incident queue can become the bottleneck.
Defender for Endpoint Things
Determine Defender for Endpoint offboarding state of Windows machines using PowerShell - In Defender for Endpoint, one of the key states to understand about your endpoints is the offboarding state. In this state, machines are no longer reporting MDE telemetry to the Defender portal, and if another AV/AM solution is in place, the Windows Defender Antivirus component will switch to a disabled state.
Defender for Identity Things
New security posture assessment: Identify service accounts in privileged groups - This identity security posture assessment lists Active Directory service accounts with direct or nested membership in privileged groups. You can use this assessment to identify service accounts with elevated permissions and take action when privileged access isn’t required. For more information, see: Security posture assessment: Identify service accounts in privileged groups
New security posture assessment: Locate accounts in built-in Operator Groups - This identity security posture assessment lists Active Directory accounts that are members of built-in Operator Groups, including direct and indirect membership. You can use this assessment to review legacy or unnecessary operator access and take action when elevated access isn’t required. For more information, see: Security posture assessment: Locate accounts in built-in Operator Groups
Defender Experts Things
Introducing the Microsoft Defender Experts Suite: Elevate your security with expert-led services - Security teams are being pushed to their limits as AI‑powered cyberattacks grow in speed, scale, and sophistication—and only 14% of organizations surveyed by the World Economic Forum report they feel confident they have the right people and skills needed to meet their cybersecurity objectives. As cyberthreats evolve faster than many teams can hire or train, pressure mounts to strengthen defenses, increase resilience, and achieve security outcomes faster. We’re here to help. Introducing the Microsoft Defender Experts Suite, a new security offering that provides expert-led services to help organizations defend against advanced cyberthreats, build long‑term resilience, and modernize security operations with confidence.
Microsoft Purview Things
Microsoft Purview Data Governance - Authoring Custom Data Quality rules using expression languages - The cost of poor-quality data runs into millions of dollars in direct losses. When indirect costs—such as missed opportunities—are included, the total impact is many times higher. Poor data quality also creates significant societal costs. It can lead customers to pay higher prices for goods and services and force citizens to bear higher taxes due to inefficiencies and errors.
Securing the AI Pipeline – From Data to Deployment - Securing AI isn’t just about protecting a single model—it’s about safeguarding the entire pipeline that transforms raw data into actionable intelligence. This pipeline spans multiple stages, from data collection and preparation to model training, validation, and deployment, each introducing unique risks that adversaries can exploit. Data poisoning, model tampering, and supply chain attacks are no longer theoretical—they’re real threats that can undermine trust and compliance. By viewing the pipeline through a security lens, organizations can identify these vulnerabilities early and apply layered defenses such as Zero Trust principles, data lineage tracking, and runtime monitoring. This holistic approach ensures that AI systems remain resilient, auditable, and aligned with enterprise risk and regulatory requirements.
Always‑on Diagnostics for Purview Endpoint DLP: Effortless, Zero‑Friction troubleshooting for admins - Historically, some security teams have struggled with the challenge of troubleshooting issues with endpoint DLP. Investigations can often slow down because reproducing issues, collecting traces, and aligning on context can be tedious. With always-on diagnostics in Purview endpoint data loss prevention (DLP), our goal has been simple: make troubleshooting seamless and effortless—without ever disrupting the information worker.