THE PROMPT for Microsoft Security - Issue #74
Keeping You Safer One Newsletter at a Time (No Copilot Was Harmed in the Making of This Issue)
Things from Me
Happy Friday everyone!
Welcome back to another issue of THE PROMPT for Microsoft Security — your weekly roundup of the latest news, resources, and insights from across the Microsoft security ecosystem. Whether you’re deep in a SOC, managing endpoints, or navigating the ever-expanding landscape of AI and identity security, there’s something here for you this week.
There’s lots to get to so grab your coffee, settle in, and let’s dig in.
-Rod
Things to Attend
Level up your Azure Network Security Skills with our Upcoming Webinar Series - As network and application-layer threats continue to evolve, security and infrastructure teams need more than product knowledge. They need practical, scenario-driven guidance they can apply to real workloads. To support that, the Azure Network Security team is hosting a series of upcoming technical webinars covering the capabilities our customers rely on every day: Azure Web Application Firewall (WAF), Azure Firewall, Azure DDoS Protection and Azure Bastion.
Things that are Related
Reconstructing AI activity in investigations - AI interactions generate telemetry across Microsoft Purview, Defender, and Sentinel. That telemetry captures who initiated an interaction, when it occurred, and which resources were involved, and it provides the foundation for reconstructing AI activity in enterprise environments. The harder part is turning those signals into an investigation. To help address that challenge, we’ve published a new investigator playbook for Microsoft 365 Copilot and Azure AI services. The playbook provides a structured approach for investigating AI-related activity using the telemetry already available across Microsoft security products.
Things to Watch/Listen To
Microsoft Sentinel Things
New Sentinel data ingestion reports make your life easier - Microsoft Sentinel customers have long faced the challenge of understanding exactly what data is flowing into their SIEM environment. Where is it landing? Are the ingestion patterns healthy? Are we losing data or having jumps in ingestion that will lead to a surprise bill?
Hunting at Machine Speed — KQL on the Sentinel Data Lake - Adversaries are not waiting. They generate variants, test paths, and pivot at machine speed. Static detection content alone cannot keep up. Hunting is part of how the SOC closes the gap.
Detecting AI agents and non-human identities in Microsoft Sentinel: the classic-agent blind spot - Build 2026 made the direction official. The industry is moving from the app era into the agent era, and Microsoft spent a real share of the keynote on securing agents across their lifecycle, from discovering what is exploitable to governing what is running in production. On the identity side the centerpiece is Microsoft Entra Agent ID, now generally available, which gives AI agents first-class identities and extends Conditional Access, Identity Protection, and full audit logging to them.
Defender for Endpoint Things
Microsoft Defender now monitors RPC activity - Microsoft Defender now monitors remote RPC activity from select interfaces and supports detection, disruption, and hunting over RPC call data.
Elevate your telemetry using custom data collection in Microsoft Defender - At Ignite in November, we announced that Microsoft Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions. Since then, we've heard from customers that this tool has been a game changer, enabling them to hunt through new data types as well as richer data on events already reported. The release of custom data collection was a key milestone in our ongoing journey to make Defender easy to manage and customize.
Introducing scheduled antivirus scans on Microsoft Defender Linux - Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has traditionally required custom scripts and cron-based setups, which can be hard to scale and maintain. That’s why we’re excited to introduce centrally managed scheduled antivirus scans for Linux in Microsoft Defender, now available in public preview. With this release, we are bringing built-in, flexible scheduling capabilities directly into Defender - making it easier to manage and standardize scan behaviour across Linux environments.
Defender XDR Things
How to Build a Security AI Analyst agent in Defender XDR - The Security Analyst Agent helps security analysts quickly identify, assess, and prioritize risks by performing ready-to-use or custom analyses on security data. The agent provides actionable and prioritized insights, recommendations, and reports to uncover top vulnerabilities and risks. It supports data from Microsoft Defender XDR, Sentinel Log Analytics, or Sentinel Data Lake, and can perform complex analysis tasks such as anomaly detection, clustering, risk scoring, and forecasting without requiring code or queries.
Microsoft Purview Things
Extend Microsoft Purview data protection to AWS Bedrock agents for cross-cloud AI governance - Organizations are moving fast with AI, and many of those AI workloads are not staying in one cloud. A team might use Microsoft 365 and Microsoft Purview for governance and, alongside Microsoft Foundry, still choose to run an AI agent on AWS Bedrock or on Google Cloud Platform. The technical challenge is straightforward: how do you keep one consistent set of data security, governance, and compliance controls when the agent itself runs outside Microsoft Azure?
Defender Threat Intelligence Things
AI brands as bait: How threat actors are using the AI hype in social engineering - As threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. In recent months, Microsoft Threat Intelligence has observed a growing number of campaigns that impersonate the branding of popular AI platforms such as ChatGPT, Microsoft Copilot, DeepSeek, and Anthropic’s Claude as lures. These campaigns, which don’t represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection.
Microsoft Entra Things
Microsoft Entra ID security updates: What organizations need to do now - Prepare now for three Microsoft Entra ID changes affecting Custom controls, credential registration, and self-service password reset (SSPR) enforcement.
Identity and Access Management specialization: New workloads expand partner qualification - Starting May 11, 2026, new workloads expand how partners can qualify for the Identity and Access Management specialization, lowering barriers and creating more paths to earn or renew.