THE PROMPT for Microsoft Security - Issue #47
From Cyber Threats to Comic Con: Rod’s Multiverse of Madness
Things from Me
Happy Friday everyone!
With planning well underway here, I feel like things are starting to clear up a bit as we determine the path forward for a number of things for the next quarter and half year.
So, I did a new thing this past week.
I may have mentioned to some of you, but I’ve been asked to participate in an upcoming Comic Con. Many of you know that in addition to my day job, I also write fiction books. In trying to determine the best way to participate in Comic Con, I settled on a couple of things. First, I’ll be in person to sign books (of course). Secondly, I’ve kicked off a new site (https://RodsFictionBooks.com) where all of my existing books are online to read. The first chapter of every book is free, but subscribing to the site gives full access to all my books. So, a subscriber can explore every page of my published books, get first looks at new releases, and follow along with my creative journey as I share sneak peeks and the full expanse of works in progress. Plus, connect with me directly and share your thoughts by commenting on chapters as they take shape.
I’m excited about this as it gives people a way to renew their interest in fiction. Studies show just six minutes of reading daily can reduce stress by 68%. So, I’m happy to also aid in healthy habits. :)
Get started now with the free first chapter of a brand-new book:
…
Just a heads-up. I have a little bit of travel coming up soon. First off, I’ll be in Redmond at the end of September and then I’ll be in Nashville, TN in October. So, if any of you are around when I am, I’d love to connect, have coffee, and talk all things Microsoft security.
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Safeguarding Data in the AI Age - In today’s digital world, data is the lifeblood of organizations – and protecting it has never been more critical. As of 2025, cybercrime is estimated to cost the global economy $9.2 trillion annually. More than 80% of organizations globally have experienced at least one data breach in the past year and insiders account for 20% of data breaches. And the datasphere is growing exponentially!
Things to Watch/Listen To
Microsoft Sentinel Things
Solution - Fix Microsoft Sentinel Missing Incident Description - In early July 2025, Microsoft announced that Microsoft Sentinel in the Azure Portal will be deprecated as of July 1, 2026. From that date forward, all access requests to the Azure Portal will be automatically redirected to the Microsoft Defender portal.
Defender for Endpoint Things
Defender XDR Things
Custom detection rules get a boost—explore what’s new in Microsoft Defender - If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. We are excited to release these brand-new enhancements that are now available in public preview.
Phishing Triage Agent in Defender XDR: Say Goodbye to False Positives and Analyst Fatigue - Phishing remains one of the most common and dangerous attack vectors in cybersecurity. With the rise of user-reported suspicious emails, Security Operations Center (SOC) teams are overwhelmed by the volume and complexity of triage. Enter the Phishing Triage Agent, a new capability within Microsoft Defender XDR and Security Copilot that uses AI to automate phishing classification, reduce false positives, and accelerate incident response.
Protect against OAuth Attacks in Salesforce with Microsoft Defender - OAuth applications have emerged as a prominent attack vector for adversaries and introduce new risks that many organizations overlook, because employees sometimes establish app-to-app connections without thorough evaluation and because OAuth tokens used by cloud applications may be stolen or leaked in a variety of ways.
Defender Experts Things
Cloud forensics: Why enabling Microsoft Azure Storage Account logs matters - During a security breach, critical evidence may surface in unexpected places, such as Azure Storage. Although often overlooked, Azure Storage logs can provide invaluable insights for digital forensics, helping investigators reconstruct attacker activity, trace data access patterns, and detect anomalies. As part of our exploration of cloud forensics, we demonstrate how Azure Storage Logs can be leveraged for security investigations and emphasize their essential role in incident response and breach analysis.
Microsoft Purview Things
Chats, Channels, Copilot Tracks – What Purview Really Finds - If you search for Teams messages in Purview, you are not digging through a tidy archive but stumbling through a labyrinth. Suddenly, Copilot traces from Word, meeting artifacts, call leftovers and chat snippets that no one had on the list are all mixed together. Sounds chaotic? It is.
Microsoft Entra Things
Update Entra ID Device Extension Attributes via PowerShell & Create Dynamic Security Groups - Microsoft Entra ID device objects provide a rich set of properties for identity, compliance, and device management. Among these, extension attributes allow organizations to store custom metadata on device objects in the cloud directory (not to be confused with on-premises AD extension attributes). These attributes are useful for categorization, automation, and policy enforcement. You can update these extension attributes using PowerShell through the Microsoft Graph API. Once populated, these attributes can be leveraged to create dynamic device groups in Entra ID, enabling targeted Defender for Endpoint policies, Conditional Access policies, Intune configurations, or application assignments.
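The two steps described above (stamp a cloud extension attribute on a device through Graph, then key a dynamic device group on it), as an added example written for this newsletter rather than taken from the linked article. It uses the Microsoft.Graph PowerShell SDK; the device name, attribute value and group name are placeholders, and the permission scopes are my assumption of what the device PATCH and group creation need, so check them against the Graph permissions reference for your tenant before running.

```powershell
# Added example, not the linked article's code. Requires the Microsoft.Graph
# PowerShell SDK. Scopes below are an assumption: Device.ReadWrite.All for the
# device update, Group.ReadWrite.All for creating the group. Use the least
# privileged set your tenant accepts; this is an admin-only operation.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "Group.ReadWrite.All"

$deviceName = "LAPTOP-FIN-001"   # placeholder display name of the target device
$attrValue  = "Finance"          # placeholder value to store on the device

# Resolve the Entra directory object id of the device. Note this is the
# directory object id, not the deviceId GUID shown by Intune.
$device = Get-MgDevice -Filter "displayName eq '$deviceName'"
if (-not $device) { throw "Device '$deviceName' not found in Entra ID." }

# Cloud extension attributes live under extensionAttributes on the device
# object. A PATCH with only extensionAttribute1 changes that property and
# leaves extensionAttribute2..15 as they are.
$body = @{
    extensionAttributes = @{
        extensionAttribute1 = $attrValue
    }
}
Update-MgDevice -DeviceId $device.Id -BodyParameter $body

# Read the value back before building policy on it, so a silent failure or a
# typo in the attribute name does not end up driving a Conditional Access rule.
$updated = Get-MgDevice -DeviceId $device.Id -Property "id,displayName,extensionAttributes"
if ($updated.ExtensionAttributes.ExtensionAttribute1 -ne $attrValue) {
    throw "extensionAttribute1 on '$deviceName' did not update as expected."
}

# Dynamic device group whose membership rule keys on the attribute. Membership
# is evaluated asynchronously, so the device shows up after rule processing runs.
$rule = "(device.extensionAttribute1 -eq `"$attrValue`")"
New-MgGroup -DisplayName "DEV-$attrValue-Dynamic" `
    -MailEnabled:$false -MailNickname "dev-$($attrValue.ToLower())-dynamic" `
    -SecurityEnabled:$true -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"
```

Because anything that can write extensionAttribute1 can move a device into (or out of) every policy that targets this group, treat write access to device extension attributes as policy-changing privilege: restrict it to a small set of administrative identities and watch the audit log for "Update device" events that touch extensionAttributes.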