THE PROMPT for Microsoft Security - Issue #54
Things from Me
Good Friday, everyone! Welcome to Issue #54 of THE PROMPT for Microsoft Security!
In this edition, we’re diving deep into the innovations shaping the future of cybersecurity—from enhanced query diagnostics in Azure Log Analytics to the evolving power of Microsoft Sentinel’s data lake. You’ll find insights on how generative AI is transforming SOC operations, new threat hunting capabilities, and the latest updates across Defender solutions. Whether you’re a developer, analyst, or security leader, this issue is packed with actionable content to help you stay ahead in an ever-changing threat landscape.
…
Ah, this time of year is truly magical for me—it’s like the world hits pause on the ordinary and dives headfirst into warmth and connection. Unlike the scattered holidays throughout the rest of the calendar, where celebrations might feel more solitary or routine, late fall and winter bring Thanksgiving and Christmas, that unbeatable duo that turns everything into a heartfelt reunion. It’s all about gathering around tables groaning with turkey, pies, and stories, or under twinkling lights exchanging gifts and laughter with family and friends. The air feels crisp with anticipation, the homes glow with decorations, and there’s this unspoken bond that pulls everyone closer, reminding us what really matters amid the chaos of everyday life. I just can’t get enough of it—it’s the season that recharges my soul every single year.
As the holiday season approaches, the two iconic celebrations vie for our hearts: Thanksgiving, with its feasts of gratitude and family gatherings, and Christmas, bursting with lights, gifts, and festive cheer. But which one reigns supreme in your book? Cast your vote in this quick poll and let’s see how the favorites stack up!
…
On a personal note, I’m thrilled to announce three free new “Old Like Us” stories dropping—one for each holiday! The Thanksgiving tale, “Fowl Play at Harvest Moon,” is already out and ready to dive into for some festive fun. Then comes “The Christmas Specter Part 2” on December 22nd, perfect for that spooky-holiday twist, followed by “New Year Reflections” on December 30th to wrap things up with some thoughtful vibes. Check them out and see how they capture that holiday spirit! Head over to https://RodsFictionBooks.com for the scoop.
…
That’s it for me.
Talk soon.
-Rod
Things that are Related
Introducing the enhanced query diagnostics in Azure Log Analytics - We’re excited to introduce a set of new capabilities that simplify query diagnostics and troubleshooting in Azure Log Analytics. With this new experience, users can now easily resolve query issues that may surface using the suggested recommendations, have a deeper visibility into query execution statistics and utilize those to optimize query performances.
People learn best when they feel welcome: The Story of Microsoft Security User Group Norway - In Norway, where most security events were still held online, a small group of cybersecurity enthusiasts felt the absence of real conversation and shared learning. They decided to change that. The idea was simple: build a space where people could meet, learn, and exchange real experiences — face-to-face. The first Microsoft Security User Group Norway meetup launched in Oslo with over 120 signups. Local speakers shared real-world insights, discussions continued long past the final session, and the energy was unmistakable. “From that first meetup, it was clear — people were ready to be together again.” Microsoft MVP, Craig Forshaw, recalled the moment when a community began to take shape.
Things to Watch/Listen To
Things to Have
Agent Builder - Crafting the perfect agent configuration in YAML can be time-consuming. That’s where this handy Python script comes in. It leverages the Grok API (from xAI) to automatically generate a CrewAI-compatible agent YAML file based on a simple prompt.
Purview scripts - This repository contains a collection of Python scripts for working with Azure Purview (Unified Data Catalog) and enterprise glossary/catalog operations. The scripts automate common tasks such as creating business terms, creating and managing data products, exporting and importing governance domains, and other catalogue interactions.
Things in the News
New IDC research highlights a major cloud security shift - Cloud security is at a tipping point. While moving to the cloud powers both growth and speed for organizations, it can also bring new risks. According to IDC’s latest research, organizations experienced an average of nine cloud security incidents in 2024, with 89% reporting a year-over-year increase. That’s not a typo. And it’s not just a statistic—it’s a wake-up call. As cyberthreats grow more sophisticated and cloud environments more complex, security leaders must rethink their strategies to stay ahead of threat actors.
Security Copilot Things
Learn what generative AI can do for your security operations center - Microsoft Security Copilot helps organizations address critical challenges of scale, complexity, and inefficiencies—as well as streamlining investigations, simplifying reporting, and more. It gives analysts a good idea of where to start, how to prioritize, and improves analyst confidence with actionable insights. By embedding generative AI into existing workflows, SOCs can operationalize and contextualize security data in ways never possible before—delivering guided responses, accelerating investigations, and transforming complex data into clear, actionable insights for both technical teams and business leaders.
Microsoft Sentinel Things
What’s New in Microsoft Sentinel: November 2025 - We’re excited to launch a new blog series focused on Microsoft Sentinel. From the latest product innovations and feature updates to industry recognition, success stories, and major events, you’ll find it all here. This first post kicks off the series by celebrating Microsoft’s recognition as a Leader in the 2025 Gartner Magic Quadrant for SIEM. It also introduces the latest innovations designed to deliver measurable impact and empower defenders with adaptable, collaborative tools in an evolving threat landscape.
Unlocking Developer Innovation with Microsoft Sentinel data lake - Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. In our recent webinar: Introduction to Sentinel data lake for Developers, we explored how developers can leverage Sentinel’s unified data lake, extensible architecture, and integrated tools to build innovative security solutions. This post summarizes the key takeaways and actionable insights for developers looking to harness the full power of Sentinel.
Automating IOC hunts in Microsoft Sentinel data lake - A key advantage of the Sentinel data lake is its cost-efficiency, making it ideal for ingesting and retaining large volumes of security logs, such as network logs, without incurring high expenses or compromising coverage. By storing all security data in a unified, cost-effective data lake, organizations gain comprehensive, long-term visibility for historical threat hunting and TI matching, enabling investigations across extended timelines without the prohibitive costs of traditional analytics solutions. In this blog we will explore how security teams can leverage KQL jobs in Sentinel data lake to automate threat hunting and threat intelligence matching across network logs, enabling scalable, cost-effective, and continuous threat detection. By doing so, SOCs can process large volumes of data and transform raw logs into actionable insights with minimal manual intervention.
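The core of an IOC hunt over retained network logs is a join between the log table and the threat-intelligence indicator table, followed by a summarize per indicator. The block below is an added illustration of that logic in stand-alone Python, not code from Microsoft or from the linked post; a KQL job in the data lake would express the same join and summarize against the workspace's own tables. The flow-log CSV, its column names, and the indicator records (including the `ValidUntil` expiry field) are constructed for this example.

```python
"""IOC matching over network logs: the join + summarize a scheduled KQL job
would run, written as stand-alone Python (added example, not Microsoft's code).
All log lines and indicators below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
import csv
import io

# Constructed flow-log sample. Column names are an assumption for this
# example; real exports (NSG flow logs, firewall CSV) differ.
NETWORK_LOGS = """\
TimeGenerated,SourceIP,DestinationIP,DestinationPort,Action
2025-11-20T08:01:10Z,10.0.1.15,203.0.113.45,443,Allow
2025-11-20T08:03:42Z,10.0.1.22,198.51.100.7,53,Allow
2025-11-21T14:17:05Z,10.0.1.15,203.0.113.45,443,Allow
2025-11-22T02:55:30Z,10.0.2.9,192.0.2.200,8443,Deny
2025-11-22T03:00:00Z,10.0.1.15,198.51.100.7,53,Allow
2025-12-01T11:20:00Z,10.0.3.4,203.0.113.45,443,Allow
"""

# Constructed indicators. ValidUntil stands in for the expiry field most
# TI feeds carry; expired indicators must not produce hits.
INDICATORS = [
    {"Type": "ipv4-addr", "Value": "203.0.113.45", "Confidence": 80,
     "ValidUntil": "2026-01-01T00:00:00Z", "Description": "C2 node (constructed)"},
    {"Type": "ipv4-addr", "Value": "192.0.2.200", "Confidence": 60,
     "ValidUntil": "2025-11-01T00:00:00Z", "Description": "expired (constructed)"},
    {"Type": "ipv4-addr", "Value": "198.51.100.250", "Confidence": 90,
     "ValidUntil": "2026-01-01T00:00:00Z", "Description": "no traffic (constructed)"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(indicators, now):
    """Map value -> indicator for IPv4 IOCs that have not expired at `now`.
    Filtering before the join keeps stale feed entries from causing false hits."""
    return {i["Value"]: i for i in indicators
            if i["Type"] == "ipv4-addr" and parse_ts(i["ValidUntil"]) > now}


def hunt(log_csv, indicators, now, min_confidence=50):
    """Join flow rows against active IOCs on either IP column and summarize
    per indicator: hit count, first/last seen, distinct internal hosts.
    Results are sorted newest-last-seen first so fresh activity is reviewed first."""
    iocs = active_indicators(indicators, now)
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "hosts": set()})
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = parse_ts(row["TimeGenerated"])
        # Check both directions: an IOC may be the destination (beaconing out)
        # or the source (inbound scan / callback).
        for ioc_col, host_col in (("DestinationIP", "SourceIP"), ("SourceIP", "DestinationIP")):
            ioc = iocs.get(row[ioc_col])
            if ioc is None or ioc["Confidence"] < min_confidence:
                continue
            h = hits[ioc["Value"]]
            h["count"] += 1
            h["first"] = ts if h["first"] is None else min(h["first"], ts)
            h["last"] = ts if h["last"] is None else max(h["last"], ts)
            h["hosts"].add(row[host_col])
    return sorted(
        ({"indicator": v, "count": h["count"], "first_seen": h["first"].isoformat(),
          "last_seen": h["last"].isoformat(), "hosts": sorted(h["hosts"]),
          "description": iocs[v]["Description"]} for v, h in hits.items()),
        key=lambda r: r["last_seen"], reverse=True)


if __name__ == "__main__":
    for result in hunt(NETWORK_LOGS, INDICATORS, parse_ts("2025-12-02T00:00:00Z")):
        print(result)
```

Run as-is, the sample yields one indicator with three hits across two internal hosts; the expired indicator is dropped before the join even though a flow to it exists in the logs. In the data lake the same shape becomes a scheduled KQL job: filter the indicator table on expiry and confidence, join to the network table on the IP column(s), then `summarize count(), min(TimeGenerated), max(TimeGenerated), make_set(SourceIP)` by indicator over the full retention window.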
Master Codeless Connector Framework Development For Microsoft Sentinel - In this article, we’ll explain all the steps to develop, create, and deploy a CCF data connector for Sentinel. As an example, we will walk through building and creating a connector for SailPoint IdentityNow, a SaaS identity governance platform - but the same approach can be applied to any service with a REST API. By the end of this article, you should have a clear blueprint for creating a CCF connector for other SaaS apps.
Operationalizing the Sentinel data lake: A Practitioner’s Guide - This blog series is designed to empower you to fully leverage your Sentinel data lake investment – providing practical tools, actionable workflows, and analyst-ready templates that simplify querying datalake-tier data and enable SOC teams to turn raw logs into meaningful security insights. With the right guidance, you can maximize the value you get from your Sentinel data lake.
Defender for Cloud Things
Update Coverage Workbook in Microsoft Defender for Cloud to Include Defender for AI Plan status - The Coverage Workbook in Microsoft Defender for Cloud provides a centralized view of security coverage across your Azure environment. It helps security teams monitor which Defender plans are enabled for various resources and subscriptions, ensuring compliance and visibility into protection status. Currently, the workbook includes coverage for services like Defender for Servers, Defender for Storage, Defender for SQL, and others. However, it does not yet include Defender for AI enablement status, which is critical for organizations adopting AI workloads.
Unlocking Business Value: Microsoft’s Dual Approach to AI for Security and Security for AI - In an era where cyber threats evolve at an unprecedented pace and artificial intelligence (AI) transforms business operations, Microsoft stands at the forefront with a comprehensive strategy that addresses both leveraging AI to bolster security and safeguarding AI systems themselves. This white paper, presented in blog post format, explores Microsoft’s business value model for “AI for Security” – using AI to enhance threat detection, response, and prevention – and “Security for AI” – protecting AI deployments from emerging risks. Drawing from independent studies, real-world case studies, and economic analyses, we demonstrate how these approaches deliver tangible returns on investment (ROI) and total economic impact (TEI). Whether you’re a CISO evaluating security investments or a business leader integrating AI, this post provides insights, visuals, and calculations to guide your strategy.
Fast-Start Checklist for Microsoft Defender CSPM: From Enablement to Best Practices - Microsoft Defender Cloud Security Posture Management (Defender CSPM) provides agentless, multicloud protection for Azure, AWS, and GCP. This post outlines a fast-start checklist to help you enable and operationalize Defender CSPM effectively.
Defender XDR Things
SesameOp: Novel backdoor uses OpenAI Assistants API for command and control - Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.
Defender for Identity Things
Comprehensive Identity Protection—Across Cloud and On-Premises - In hybrid IT environments, identity is the new perimeter—and protecting it requires visibility across both cloud and on-premises systems. While Microsoft Entra secures cloud identities with intelligent access controls, Microsoft Defender for Identity brings deep insight into your on-premises Active Directory. Together, they form a powerful duo for comprehensive identity protection.
Defender Experts Things
Delivering more threat hunting insights with Microsoft Defender Experts’ newest capabilities - The cybersecurity threat landscape continues to evolve with novel attacks and techniques emerging each day. Microsoft Defender Experts for Hunting, included with Microsoft Defender Experts for XDR, helps security teams stay ahead of evolving attacks by providing proactive threat hunting, powered by Microsoft’s vast threat intelligence with 100 trillion daily signals processed by over 10,000 experts.
Microsoft Purview Things
Unified Reporting in Microsoft Purview: Know your data posture - If you’ve ever struggled to answer questions like “How well are we protecting sensitive data?” or “Which DLP policies are actually working?”, you know the frustration. Data scattered across multiple tools, no unified view, and executives asking for metrics you can’t easily provide. That changes today. At Microsoft Purview, we’ve heard from thousands of customers about the visibility gap in data protection programs. You deploy policies, configure labels, and enable DLP, but proving effectiveness and identifying gaps has been unnecessarily difficult.
Defender for Office Things
Ensure your ICES solution works seamlessly alongside Microsoft Defender - In today’s evolving threat landscape, organizations increasingly rely on layered email security solutions to protect users and sensitive data. Microsoft supports and collaborates with Integrated Cloud Email Security (ICES) vendors that work in conjunction with Microsoft Defender, and customers who choose a layered approach to email security to ensure the maximum level of email protection.
You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 - As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those designed to protect organizations from sophisticated threats targeting email and collaboration tools. About a year ago, Microsoft Defender for Office 365 introduced an LLM-based engine to help better classify phishing emails, which these days are mostly written using AI anyway. Today, I’m excited to spotlight a new place AI has been inserted into a workflow to make it better…a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365.
Microsoft Entra Things
Microsoft Entra: Building Trust in a Borderless Digital World - As nonprofits embrace hybrid work, multi-cloud environments, and digital transformation to better serve their missions, the need for secure, intelligent access has never been greater. Traditional identity solutions often fall short in protecting diverse user groups like staff, volunteers, donors, and partners. Microsoft Entra offers a unified family of identity and network access products designed to verify every identity, validate every access request, and secure every connection—helping nonprofits stay resilient, compliant, and mission-focused.