THE PROMPT for Microsoft Security - Issue #45
Securing Your Sanity—One Tip, Tweet, and Table at a Time
Things from Me
Happy Friday, everyone!
Last week was the perfect way to wrap up the summer. We took the week off for a family "staycation," trading hectic travel for a series of fun local day trips. We spent one beautiful afternoon kayaking, just enjoying the sun and the water. We also caught a movie, escaping into the cool theater for a couple of hours. The big finale was a trip to Kings Island, where we rode roller coasters until we were dizzy and laughing. It was a simple, wonderful week focused on just being together and making a few last-minute summer memories.
…
Did you know?
This may be one of the best, and least known, tips for getting support for Microsoft security platform products.
The Microsoft Security Support Team has its own X handle. It’s at: https://x.com/MSFTSecSuppTeam
The folks behind this handle are some of the hardest-working support individuals at Microsoft. These are the people who answer your questions on TechCommunity, and now via the X handle, on everything MDE, MDCA, MDC, MDI, Purview, and Security Copilot.
To be honest, I didn’t know it myself (or forgot about it at some point), until I had a meeting last week that exposed it. This is a great option for support to keep in your toolbelt.
Follow the account and ask questions.
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
Connect with the security community at Microsoft Ignite 2025 - At Microsoft Ignite 2025, we will showcase end-to-end security innovations and share world-class threat and regulatory intelligence to give you the advantage you need to safely adopt AI and face the rapidly changing threat landscape. Register today using RSVP code ATXTJ77W to secure your spot and join us November 17-21, 2025, in San Francisco, California—or online November 18-21, 2025—for a week of immersive learning, hands-on experiences, and strategic insights tailored for security leaders, practitioners, and innovators.
Discover the latest security innovations at Microsoft Ignite 2025 - In today’s rapidly evolving digital world, security leaders and practitioners face new challenges, and opportunities, driven by the rise of AI. At Microsoft Ignite, we will showcase end-to-end security innovations and share world-class threat and regulatory intelligence to give you the advantage you need to safely adopt AI and face the rapidly changing threat landscape.
Things that are Related
Quantum-safe security: Progress towards next-generation cryptography - Quantum computing promises transformative advancements, yet it also poses a very real risk to today’s cryptographic security. In the future, scalable quantum computing could break the public-key cryptography methods currently in use and undermine digital signatures, resulting in compromised authentication systems and identity verification.
Security Copilot Things
Microsoft Sentinel Things
Script: Sentinel Data Lake Table Management - Microsoft Sentinel’s data lake story is quietly powerful: you get fast, 90-day Analytics (Shortterm) for hunting and detections, plus scalable, lower-cost DataLake (Longterm) retention for compliance, threat intel enrichment, and deep forensics. That unlocks richer investigations, more complete timelines, and simpler evidence handling—without forcing everything to live in the hot tier. The catch? Tables never stop multiplying.
What is the default workspace in Sentinel data lake? - If you’ve recently onboarded to the Sentinel data lake and are using the KQL queries feature in the Data lake exploration blade, you’ve probably run into the Default workspace.
Microsoft Sentinel’s New Data Lake: Cut Costs & Boost Threat Detection - This article is written by someone who’s spent years helping security teams navigate Microsoft’s evolving ecosystem, translating complex capabilities into practical strategies. What follows is a hands-on look at the key features, benefits, and challenges of Sentinel’s Data Lake, designed to help you make the most of this powerful new architecture.
Log Tiering With Microsoft Sentinel Data Lake - Microsoft Sentinel has evolved from a cloud-native SIEM into a modern security data lake platform that enables organizations to ingest, retain, and analyze massive volumes of log data without compromising on cost or coverage. Traditional SIEMs forced security teams to make painful tradeoffs: either limit logging and retention (leaving blind spots) or pay exorbitant costs to store everything. Sentinel's new data lake capability resolves this paradox by providing a unified, scalable repository for all security data with flexible tiered storage. This means SOCs can retain years of logs (up to 12 years) at a fraction of the cost of analytics-tier storage, gaining deep historical visibility for threat hunting and forensics.
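The two data lake items above (the table management script and the log tiering article) both come down to knowing, per table, how many days sit in the analytics tier and how many days are kept beyond it. The following is an added example, written for this newsletter and not the script from the linked post, that inventories every table in the Log Analytics workspace behind a Sentinel instance through the Microsoft.OperationalInsights tables REST API and reports plan, interactive retention and total retention, then lets you set total retention on one table. Assumptions, labelled in the code: that `api-version=2023-09-01` and the `plan`, `retentionInDays` and `totalRetentionInDays` property names are what the API returns, that retention beyond the interactive window is what the Defender portal's Table management page shows as data lake retention (confirm this against the portal), and that the subscription, resource group and workspace names are placeholders. It needs the Az.Accounts module and an existing `Connect-AzAccount` session.

```powershell
# Added example (not the linked post's script). Assumes Az.Accounts is loaded and
# Connect-AzAccount has already been run against the right tenant.

function Get-WorkspaceTableTiers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$WorkspaceName,
        # Assumed API version; the tables resource also accepts older versions.
        [string]$ApiVersion = '2023-09-01'
    )
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/tables?api-version=$ApiVersion"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        throw "Tables API returned HTTP $($resp.StatusCode): $($resp.Content)"
    }
    foreach ($t in ($resp.Content | ConvertFrom-Json).value) {
        $p = $t.properties
        $interactive = [int]$p.retentionInDays          # days queryable in the analytics tier
        $total       = [int]$p.totalRetentionInDays     # days kept overall
        [pscustomobject]@{
            Table           = $t.name
            Plan            = $p.plan                    # Analytics / Basic / Auxiliary
            InteractiveDays = $interactive
            TotalDays       = $total
            # Assumption: days past the interactive window are the lower-cost tier
            # that Table management in the Defender portal shows as data lake retention.
            LongTermDays    = [Math]::Max(0, $total - $interactive)
        }
    }
}

function Set-WorkspaceTableTotalRetention {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$TableName,
        # 4380 days = 12 years, the maximum the tiering article quotes.
        [Parameter(Mandatory)][ValidateRange(4, 4380)][int]$TotalRetentionInDays,
        [string]$ApiVersion = '2023-09-01'
    )
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/tables/$TableName?api-version=$ApiVersion"
    $body = @{ properties = @{ totalRetentionInDays = $TotalRetentionInDays } } |
            ConvertTo-Json -Depth 3
    if ($PSCmdlet.ShouldProcess($TableName, "set totalRetentionInDays=$TotalRetentionInDays")) {
        $resp = Invoke-AzRestMethod -Path $path -Method PATCH -Payload $body
        if ($resp.StatusCode -notin 200, 202) {
            throw "PATCH failed with HTTP $($resp.StatusCode): $($resp.Content)"
        }
        ($resp.Content | ConvertFrom-Json).properties
    }
}

# Usage (placeholder names). First find tables with no retention past the hot tier,
# then extend one of them with -WhatIf before doing it for real.
$ctx = @{ SubscriptionId = '<subscription-id>'; ResourceGroup = 'rg-sentinel'; WorkspaceName = 'law-sentinel' }
Get-WorkspaceTableTiers @ctx | Where-Object LongTermDays -eq 0 |
    Sort-Object Table | Format-Table -AutoSize
Set-WorkspaceTableTotalRetention @ctx -TableName 'SecurityEvent' -TotalRetentionInDays 730 -WhatIf
```

Run the inventory before touching anything: tables where `LongTermDays` is 0 are the ones that vanish entirely when the analytics window ends, which is exactly the blind spot the tiering article describes, while a large `LongTermDays` on a noisy table is where the cost goes. The setter is deliberately a single-table PATCH with `-WhatIf` support rather than a bulk loop, since retention changes apply to data already ingested.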
Defender for Cloud Things
Microsoft Defender for Cloud expands U.S. Gov Cloud support for CSPM and server security - U.S. government organizations face unique security and compliance challenges as they migrate essential workloads to the cloud. To help meet these needs, Microsoft Defender for Cloud has expanded support in the Government Cloud with Defender cloud security posture management (CSPM) and Defender for Servers Plan 2. This expansion helps strengthen security posture with advanced threat protection, vulnerability management, and contextual risk insights across hybrid and multi-cloud environments.
Malware scanning add-on is now generally available in Azure Gov Secret and Top-Secret clouds - Microsoft Defender for Storage now includes malware scanning for the Azure Government Secret and Top Secret clouds. This update aligns cloud storage protection features across both commercial and government cloud services.
Defender for Endpoint Things
Identify Defender for Endpoint Onboarding Method using PowerShell - Part 2 - To provide a layer of automation to discover what onboarding methods are used for a subset of devices in Defender for Endpoint, the following PowerShell script can be used to run on a set of devices you are troubleshooting and determine what method was used. It can be a useful alternative for administrators who do not have access to one or any of the MDE onboarding platforms.
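As an added illustration of the approach the item above describes, and not the script from that post, here is a function that reads the registry artefacts the MDE (Sense) client and the onboarding package leave on a Windows device, reports whether the device is onboarded, and infers the onboarding mechanism. The `Status` key with `OnboardingState`, `OrgId` and `SenseId` is the location Microsoft's docs use to verify onboarding; the `OnboardingInfo` value under the Policies key is what the onboarding package (local script, GPO, or Configuration Manager) writes. The MDM path is an assumption on my part, and the method inference overall is a heuristic to confirm against your own onboarding tooling, which is why it is reported as "likely" rather than as fact. It is meant to be pushed to a list of devices with `Invoke-Command`, which requires PowerShell remoting and local admin on the targets.

```powershell
# Added example (not the linked post's script). Reads local registry artefacts to
# report MDE onboarding state and a best-effort guess at the onboarding method.
function Get-MdeOnboardingInfo {
    [CmdletBinding()]
    param()

    # Documented status location written by the Sense client once onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    # Written by the onboarding package (WindowsDefenderATPOnboardingScript.cmd / GPO / ConfigMgr).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    # ASSUMPTION: where the WindowsAdvancedThreatProtection CSP (Intune) lands its settings.
    $mdmKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsAdvancedThreatProtection'

    $status  = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $onboarded = [bool]($status -and $status.OnboardingState -eq 1)

    $method = 'Unknown (no onboarding artefacts found)'
    if (Test-Path $mdmKey) {
        $method = 'Likely MDM (Intune CSP)'              # heuristic
    } elseif ($policy -and $policy.OnboardingInfo) {
        $method = 'Likely onboarding package (local script, GPO, or Configuration Manager)'
    }

    $senseState = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Onboarded          = $onboarded
        OrgId              = $status.OrgId
        SenseId            = $status.SenseId
        SenseServiceStatus = $senseState
        LikelyMethod       = $method
    }
}

# Usage: run against a troubleshooting set of devices (placeholder names) and keep a CSV
# of the results so devices can be compared against what Intune/GPO/ConfigMgr claim.
$devices = 'WS-0142', 'WS-0177', 'SRV-FILE01'
Invoke-Command -ComputerName $devices -ScriptBlock ${function:Get-MdeOnboardingInfo} -ErrorAction Continue |
    Select-Object ComputerName, Onboarded, LikelyMethod, SenseServiceStatus, OrgId |
    Tee-Object -FilePath .\mde-onboarding-audit.csv |
    Format-Table -AutoSize
```

A device that shows `Onboarded = True` but no onboarding artefacts is worth a second look: it usually means the onboarding was done by a mechanism this heuristic does not cover (for example the Defender for Cloud / MDE.Windows extension on an Azure VM), not that the record is wrong. Check `OrgId` against your tenant as well, since a device onboarded to the wrong tenant looks perfectly healthy locally.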
Defender IoT Things
Latest Threat Intelligence (August 2025) - Microsoft Defender for IoT has released the August 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).
Defender Experts Things
Think before you Click(Fix): Analyzing the ClickFix social engineering technique - Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
Defender XDR Things
Leaving the key under the doormat: How Microsoft Defender uses AI to spot exposed credentials - Imagine locking your front door, only to leave the key under the doormat. It’s a habit many know is risky, but it’s still surprisingly common. In cybersecurity terms this is the equivalent of storing credentials in plain text fields within Active Directory. Microsoft Defender can now help eliminate this vulnerability with a new, AI-powered posture alert that uses layers of intelligence to spot exposed credentials.
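Before (or alongside) the Defender posture alert described above, a practitioner can check the same free-text Active Directory attributes directly. The following is an added example written for this newsletter, not Defender's detector and not from the linked post: it scans `description`, `info` and `comment` (the attributes most often used as password scratch space) for strings that look like credentials, keeping the matching logic in its own function so the pattern can be tested against constructed sample strings without a domain. The regex is a constructed heuristic and will miss creative phrasing; the sample strings are made up for illustration. It needs the ActiveDirectory RSAT module and read access to those attributes, which every authenticated user normally has, which is exactly why plaintext passwords there are a problem.

```powershell
# Added example (not Defender's detection logic). Heuristic scan of AD free-text
# attributes for credential-looking strings.

# Requires the word password/passwd/pwd/pw/secret followed by "is", ":" or "=" and a
# value, so "password reset required" is not flagged but "Temp password is Welcome1" is.
$script:CredentialPattern = '(?i)\b(pass(word|wd)?|pwd|pw|secret)\b\s*(is|[:=])\s*(?<value>\S+)'

function Test-LooksLikeCredential {
    [CmdletBinding()]
    param([AllowEmptyString()][string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    return [bool]($Text -match $script:CredentialPattern)
}

function Find-AdPlaintextCredentials {
    [CmdletBinding()]
    param(
        [string]$SearchBase,                                   # optional OU DN to scope the scan
        [string[]]$Attributes = @('Description', 'Info', 'Comment')
    )
    $query = @{ Filter = '*'; Properties = $Attributes }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $user = $_
        foreach ($attr in $Attributes) {
            $value = [string]$user.$attr
            if (Test-LooksLikeCredential -Text $value) {
                [pscustomobject]@{
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    Attribute         = $attr
                    # Redact the matched value in the report; the finding, not the secret, is what gets filed.
                    Excerpt           = [regex]::Replace($value, $script:CredentialPattern,
                                            { param($m) $m.Value.Substring(0, $m.Value.Length - $m.Groups['value'].Length) + '<redacted>' })
                }
            }
        }
    }
}

# Constructed samples to sanity-check the heuristic offline (no domain needed).
$samples = @(
    'Temp password is Welcome1!'          # should flag
    'pw: Summer2024'                      # should flag
    'Password reset required on next logon'   # should not flag
    'Service account for backup job'      # should not flag
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-LooksLikeCredential $s), $s }

# Real run (placeholder OU); export without the secret itself.
# Find-AdPlaintextCredentials -SearchBase 'OU=Staff,DC=corp,DC=example' |
#     Export-Csv .\ad-plaintext-credentials.csv -NoTypeInformation
```

Two design choices matter here. The report redacts the matched value rather than copying it, because the scan output otherwise becomes a second copy of every exposed password. And the pattern is deliberately narrow: a broad `password` match drowns the result in false positives and gets the job ignored, while the cleanup action (clear the attribute, rotate the credential) is the same whether a scan or the Defender posture alert found it.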
Deep Dive: DLP Incidents, Alerts & Events - Part 1 - Prior to delving into the specifics, it is essential to understand that Microsoft Defender employs correlation analytics to aggregate related alerts and automated investigations from various products into a single incident. This comprehensive perspective enables security analysts to gain a clearer understanding of broader attack scenarios, facilitating more effective responses to complex threats across the organization.
Deep Dive: DLP Incidents, Alerts & Events - Part 2 - Like incidents, alerts also provide comprehensive information, such as severity, status, and category, to help users understand and navigate efficiently. In addition to these standard details, the alert view also displays the correlation reason, which is particularly beneficial for security analysts and administrators. The correlation reason explains why an alert is linked to a particular incident or to other alerts, helping users trace how different pieces of suspicious activity are connected. By understanding the correlation reason, users can better assess the scope and impact of security issues, streamline investigations, and take more effective remediation actions, ultimately improving the overall security posture of the organization.
Microsoft Entra Things
Microsoft Entra Private Access for Domain Controllers is now in Public Preview - Microsoft Entra brings identity-centric Zero Trust access controls to the heart of your on-premises infrastructure: your domain controllers.
Microsoft Security Exposure Management Things
Microsoft Security Exposure Management Ninja Training | Microsoft Community Hub - This blog post curates many Microsoft Security Exposure Management (MSEM) resources, organized in a format that can take you from no knowledge of MSEM to designing and implementing different scenarios. You can use this blog post as a training roadmap to ramp up your knowledge of MSEM.