Things from Me
Happy Friday everyone!
Before we dive into this week’s updates, a quick heads-up: there will be no newsletter next week as I’m taking a much-needed vacation.
Aside from a couple of work commitments I couldn’t wiggle out of (you know how it goes), I’ll be doing my absolute best to NOT work—which, for me, is a real challenge. Wish me luck!
Thanks for being here, and I’ll be back in your inbox the following week, hopefully a little more rested and a lot less caffeinated.
Talk soon.
-Rod
Things that are Related
Launching Microsoft's Secure Future Initiative patterns and practices - We’re excited to launch Microsoft Secure Future Initiative (SFI) patterns and practices: a new library of actionable guidance designed to help organizations implement security measures at scale.
Security leadership in the age of constant disruption - The next wave of innovation is already here: AI, quantum computing, intelligent agents and other emerging technologies are beginning to transform how organizations operate. But with transformation comes a sharp rise in risk. For today’s business leaders, the question is no longer if disruption will impact your organization’s security; it’s how fast you can adapt.
Project Ire autonomously identifies malware at scale - Today, we are excited to introduce an autonomous AI agent that can analyze and classify software without assistance, a step forward in cybersecurity and malware detection. The prototype, Project Ire, automates what is considered the gold standard in malware classification: fully reverse engineering a software file without any clues about its origin or purpose. It uses decompilers and other tools, reviews their output, and determines whether the software is malicious or benign.
Zero Day Quest: Join the largest hacking event with up to $5 million in total bounty awards - Building on that longstanding commitment to collaboration, we are excited to bring back Zero Day Quest in Spring 2026. This year’s event offers new opportunities for the security community to work hand in hand with Microsoft engineers and researchers. Together, we will share knowledge, learn from each other, and strengthen the security of the cloud and AI ecosystem.
Hacking Made Easy, Patching Made Optional: A Modern Cyber Tragedy - In today’s cyber threat landscape, the tools and techniques required to compromise enterprise environments are no longer confined to highly skilled adversaries or state-sponsored actors. While artificial intelligence is increasingly being used to enhance the sophistication of attacks, the majority of breaches still rely on simple, publicly accessible tools and well-established social engineering tactics. Another major issue is the persistent failure of enterprises to patch common vulnerabilities in a timely manner—despite the availability of fixes and public warnings. This negligence continues to be a key enabler of large-scale breaches, as demonstrated in several recent incidents.
General Availability of Azure Monitor Network Security Perimeter Features - We’re excited to announce that Azure Monitor Network Security Perimeter features are now generally available! This update is an important step forward for Azure Monitor’s security, providing comprehensive network isolation for your monitoring data. In this post, we’ll explain what Network Security Perimeter is, why it matters, and how it benefits Azure Monitor users. Network Security Perimeter is purpose-built to strengthen network security and monitoring, enabling customers to establish a more secure and isolated environment. As enterprise interest grows, it’s clear that this feature will play a key role in elevating the protection of Azure PaaS resources against evolving security threats.
Things to Attend
Help Shape the Microsoft Ignite Security Roundtable: Take Our Quick Survey - As we prepare for Microsoft Ignite, we’re building a focused, practitioner-led security roundtable and we want your input to ensure it reflects the most relevant and pressing topics in the field. We invite you to take a short survey and share the security topics, trends, and technical questions you want to see covered. Your input will directly influence the structure and substance of the Ignite Security Roundtable.
Things to Watch/Listen To
Security Copilot Things
Announcing Public Preview: Phishing Triage Agent in Microsoft Defender - The Phishing Triage Agent in Microsoft Defender is now available in Public Preview. It tackles one of the most repetitive tasks in the SOC: handling reports of user-submitted phish. Instead of manually combing through endless submissions, security teams can now rely on an agent that triages thousands of alerts each day, typically within 15 minutes of detection. Early adopters are already seeing accelerated threat response and significant time savings.
Microsoft Sentinel Things
Navigating the Future with Microsoft Sentinel Data Lake - Are you planning to enable Sentinel Data Lake in your environment? - Big things have been happening in the Sentinel space, actually, even bigger than that, in the entire Microsoft Security Data landscape. While this Security Datalake development carries "Sentinel" in its name, it's about far more than just Sentinel itself. This innovation/change is set to power a whole new generation of Microsoft security capabilities, reaching across the entire ecosystem.
Table Talk: Sentinel’s New ThreatIntel Tables Explained - Microsoft Sentinel’s new ThreatIntel tables redefine threat intelligence with deeper context, smarter hunting, and streamlined data control.
How to store Defender XDR data for years in Sentinel data lake without expensive ingestion cost - In recent years, an increasing number of customers have requested options to extend retention in Microsoft Defender XDR beyond the default 30 days at a low cost, all with the requirement of having the KQL experience available.
Automating Microsoft Sentinel Deployment with GitHub Actions - Deploying Microsoft Sentinel resources manually can be time-consuming and error-prone. By leveraging GitHub Actions and Infrastructure as Code principles, we can automate the deployment of Sentinel solutions, analytical rules, and workbooks with a single push to our repository.
Mirror, mirror on my data lake - If you’ve been reading about the new Sentinel data lake, you’ve undoubtedly seen that data from analytics logs is “mirrored” to the data lake. But what does that actually mean?
Defender for Cloud Things
From Healthy to Unhealthy: Alerting on Defender for Cloud Recommendations with Logic Apps - This blog guides you through building an automated solution using Azure Logic Apps and KQL to monitor Microsoft Defender for Cloud recommendations. You'll learn how to detect when resources shift from a healthy to unhealthy security state, send customized email alerts, and proactively manage regressions—without manual effort. Ideal for security teams aiming to enhance visibility, reduce response time, and maintain strong cloud security posture.
Defender for Endpoint Things
Collect Security Events With Azure Monitor Agent On Workstations - Microsoft Defender for Endpoint (MDE) with Plan 2 provides a really great and relatively affordable way of ingesting large-scale events into your SIEM, like Microsoft Sentinel, for detection, correlation, and investigation. However, in some heavily regulated environments, MDE log collection is not enough because it does not collect information like Process Call Stacks, Service Modification, Service Deletion, etc. The EDR telemetry project for Windows might be interesting for you to compare with what MDE collects or does not collect.
Multi-tenant endpoint security policies distribution is now in Public Preview - We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. This capability empowers security teams to manage policies at scale, ensuring consistency and saving valuable time.
Defender XDR Things
Discover risks in AI model providers and MCP servers with Microsoft Defender - Microsoft Defender is expanding its capabilities to protect AI MCP use across the enterprise. Building on recent enhancements in Microsoft Defender for Cloud which now provides visibility into containers running MCP across AWS, GCP, and Azure, we're now adding support in Microsoft Defender for Cloud Apps to help security teams discover, manage, and protect not only generative AI apps, but also AI model providers and MCP servers. As AI tools spread, so does shadow AI - unauthorized or unmanaged use of AI tools that bypass IT and security controls.
Defender Experts Things
Elevate your protection with expanded Microsoft Defender Experts coverage - Defender Experts now offers 24/7, expert-driven protection for cloud workloads, beginning with hybrid and multicloud servers in Microsoft Defender for Cloud. Additionally, third-party network signals can be used in Microsoft Defender Experts for XDR to enhance incidents for faster and more accurate detection and response.
Memory under siege: The silent evolution of credential theft - As enterprise defenses continue to mature, threat actors are shifting toward quieter, more efficient techniques. Attackers are increasingly using native tools and stealthy methods to operate under the radar. The latest chapter in this ongoing cat-and-mouse game has moved to one of the most volatile and sensitive domains of a system: live memory.
Microsoft Purview Things
Microsoft Purview Unified Catalog Tools & Scripts - A comprehensive collection of tools, scripts, and applications for managing and working with Microsoft Purview Unified Catalog. This repository provides solutions for data governance, asset management, schema extraction, and automation tasks.
Sensitivity Auto-labelling via Document Property - This article explores the use of Office document properties as conditions for sensitivity auto-labelling. We will walk through some applicable scenarios and explore configuration options.
Enabling Open Data Sharing of Unity Catalog Assets with Microsoft Purview - As organizations scale their use of Databricks for data and AI workloads, enabling secure and discoverable access to Unity Catalog assets becomes increasingly important. In many cases, users such as analysts or business partners need to query specific datasets but do not have direct access to the Databricks workspace. Databricks Delta Sharing addresses this challenge by allowing secure access to data and AI assets through an open sharing protocol, making it possible to share governed datasets across organizational boundaries. Learn more about sharing data using the Delta Sharing open sharing protocol.
AI data governance made easy: How Microsoft Purview tackles GenAI risks and builds trust - Discover how Microsoft Purview helps software developers secure AI applications, protect data, and comply with regulations—without slowing innovation.
Preventing Oversharing in Microsoft 365 Copilot: A Technical Blueprint for Readiness - Microsoft’s Oversharing Risk Blueprint provides a tactical guide to help ensure Copilot doesn't unintentionally surface sensitive content due to excessive or legacy access permissions.
Information Protection in the Dead End - Many companies start information protection with Microsoft Purview, roll out labels, enable auto-classification, or build DLP policies. But after just a few weeks, there is a standstill. The reason is rarely in the technology – but almost always in the lack of preparation in terms of content. In this article, I show why this is the case – and why poor classification is not only a problem, but a risk for subsequent projects.
Microsoft Entra Things
Microsoft Entra Suite delivers 131% ROI by unifying identity and network access - Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study of Microsoft Entra Suite. Forrester interviewed four decision-makers and surveyed 119 respondents to form a composite reflecting a global enterprise with 85,000 users and USD28,000,000,000 in annual revenue. Forrester found that with the Microsoft Entra Suite, this composite organization experienced USD14,400,000 in benefits over three years, with a net present value of USD8,200,000 and a 131% return on investment (ROI)—driven by faster onboarding, reduced IT overhead, and stronger security.
New governance tools for hybrid access and identity verification - Identity governance is undergoing changes. As work occurs across cloud applications, remote settings, and on-premises systems, it becomes increasingly important to track and manage access. Organizations require effective controls to oversee access, minimize manual tasks, and fulfill compliance requirements while maintaining necessary business systems.
Breaking down silos: A unified approach to identity and network access security - Secure access begins with a unified strategy—break down silos across identity and network access to strengthen your Zero Trust posture.
Uncover shadow AI, block threats, and protect data with Microsoft Entra Internet Access - Stop guessing which AI tools are in use. Stop waiting for threats to surface. Stop choosing between innovation and control—have both.