Things from Me
Happy Friday, everyone!
I hope this week’s edition finds you well. Before we dive into the latest updates, a quick note: there will be no newsletter next week as I’ll be traveling to Redmond for an all-hands — and I’m especially excited to meet my team in person for the first time!
This week’s issue is packed with insights and resources to help you stay ahead in the ever-evolving security landscape. From preparing for Microsoft Secure on September 30th, to best practices for integrating Security Copilot with Logic Apps, and the latest on Microsoft Sentinel UEBA, there’s something here for every security professional.
Let’s explore how to innovate boldly, deploy safely, and build security into every layer of your solutions — starting from day one.
…
But before that…
Next week is Microsoft Secure!
September 30, 2025 | 9:00 AM - 10:00 AM Pacific Time (UTC-7) - Unify your security for the AI era - Explore the latest solutions that can help you protect your data, cloud, and AI investments with an AI-first, end-to-end platform at Microsoft Secure. Learn how to recruit the right Security Copilot agents to harden defenses and boost your team’s efficiency, and how intelligent tools from Microsoft Security enable you to adapt to today’s threat landscape with limited resources.
Register here: https://aka.ms/MSSecure
…
Well…it has finally happened. The Advanced Must Learn KQL book is now available!
Read about it: Announcing the Release of “Must Learn KQL: Advanced Edition” – Level Up Your Data Querying Skills!
…
Enjoying this newsletter? Did you know there’s a Saturday edition with a funnier, less Microsoft-centric vibe?
Check out Rod’s Saturday Funnies (The Super Saturday Security Show).
…
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
September 30, 2025 | 9:00 AM - 10:00 AM Pacific Time (UTC-7) - Unify your security for the AI era - Explore the latest solutions that can help you protect your data, cloud, and AI investments with an AI-first, end-to-end platform at Microsoft Secure. Learn how to recruit the right Security Copilot agents to harden defenses and boost your team’s efficiency, and how intelligent tools from Microsoft Security enable you to adapt to today’s threat landscape with limited resources.
Things that are Related
Design Security in Solutions from Day One! Innovate boldly, Deploy Safely, and Never Regret it! - As organizations navigate the complexities of modern cloud environments, embedding security early in the architecture lifecycle proves invaluable. For privacy and compliance requirements, I will provide generic examples. A startup that designed its web application with secure authentication and encrypted data storage from the outset avoided costly retrofits after a major client demanded compliance with data protection standards, saving thousands in redevelopment expenses and winning the deal faster. Similarly, a healthcare company that incorporated automated security checks during initial development was able to launch its patient portal weeks ahead of schedule, as its product passed regulatory audits on the first submission, accelerating its go-to-market timeline.
Things to Watch/Listen To
Security Copilot Things
Supercharging Security Copilot with Logic Apps: Best practices and pro tips - Integrating Microsoft Security Copilot with Azure Logic Apps enables security teams to automate investigations, orchestrate fast incident response, and unify workflows across the modern enterprise. By leveraging the unique strengths of both platforms, organizations can achieve scalable and efficient security-centric automation.
Microsoft Sentinel Things
Microsoft Sentinel UEBA enters a new era of behavioral analytics - SOC teams know the struggle: every data point could be a security signal. The result? Analysts are drowning in logs, chasing false positives, and trying to piece together fragmented clues. That changes with Microsoft Sentinel User and Entity Behavior Analytics (UEBA).
Defender for Cloud Things
Malware automated remediation in Defender for Storage (Preview) - Malware automated remediation in Defender for Storage malware scanning is now available in public preview. With this new capability, malicious blobs detected during on-upload or on-demand scanning can be automatically soft-deleted. This ensures harmful content is quarantined while still recoverable for further investigation. You can enable or disable malware automated remediation at either the subscription or storage account level from the Microsoft Defender for Cloud tab in the Azure portal, or by using the API.
Defender for Storage: Malware Automated Remediation - From Security to Protection - As every museum curator knows, security is never static. New threats emerge, and the tools we use to protect our treasures must evolve. Today, we are excited to share the next chapter in our journey: the introduction of malware automated remediation as part of our Defender for Cloud Storage Security solution (Microsoft Defender for Storage). This feature marks a pivotal shift - from simply detecting threats to actively preventing their spread, ensuring your “museum” remains not just secure, but truly protected.
Defender for Identity Things
New API support for unified agent - We are excited to announce the availability of a new Graph-based API for managing unified agent server actions in Microsoft Defender for Identity. This capability is currently in preview and available in API Beta version. This API allows customers to:
Monitor the status of unified agent servers
Enable or disable the automatic activation of eligible servers
Activate or deactivate the agent on eligible servers
Microsoft Security Exposure Management Things
Shadow IT Isn’t Going Away: Why Continuous Discovery May Be the Only Way Forward - Shadow IT has always been a bit of a ghost story in cybersecurity. You know it’s there, lurking in the background, but it rarely shows itself until something goes wrong. For years, people thought it just meant employees sneaking Dropbox or Slack into their workflow without permission. That’s still part of it, sure, but the real problem today seems much bigger.
Microsoft Purview Things
Advanced Retention Features in Microsoft Purview - Welcome, IT professionals! Our five-part series on Microsoft Purview retention policies guides you through managing data in Microsoft 365. Part one introduced retention policies for automated data retention and deletion. Part two covered Exchange and Teams communications, and part three addressed SharePoint and OneDrive documents. Now, part four explores advanced features for IT admins and compliance officers, focusing on standard retention policies that retain data for business or audit purposes, such as preserving emails or files for operational needs.
Microsoft Purview delivered 30% reduction in data breach likelihood - A recent Total Economic Impact™ (TEI) of Microsoft Purview study by Forrester Consulting, commissioned by Microsoft, offers valuable insights into how organizations are modernizing their data protection strategies. The study covers the tangible benefits of unifying data security, data governance, and data compliance under a single platform—an approach exemplified by Microsoft Purview.
Defender Threat Intelligence Things
AI vs. AI: Detecting an AI-obfuscated phishing campaign - Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses. Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent. In analyzing the malicious file, Microsoft Security Copilot assessed that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.”
XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory - Microsoft Threat Intelligence has identified yet another XCSSET variant in the wild that introduces further updates and new modules beyond those detailed in our March 2025 blog post. The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built. We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications.
Microsoft Entra Things
Driving transparency: New logging capabilities and attribute enhancements in Microsoft Entra - Explore how new logging updates in Microsoft Entra bring agent visibility and enriched logs for deeper, more actionable sign-in insights.
Entra Group Source of Authority CONVERSION: Enabling Cloud-First Identity Management - As organizations adopt a cloud-first strategy, reducing reliance on on-premises Active Directory becomes essential. Microsoft Entra Group Source of Authority (SOA) conversion enables IT teams to shift group management from AD DS to the cloud, simplifying governance and minimizing hybrid complexity. By converting the source of authority for groups to Microsoft Entra ID, organizations can manage memberships natively in the cloud, support advanced governance scenarios, and accelerate identity modernization while maintaining security and continuity.