Things from Me
Happy Fri—er—uhm—Thursday everyone!
Due to the July 4th US Independence Day holiday, this newsletter is arriving a day early this week.
…
I had mentioned last week that I’d give a good summary of my recent European speaking tour. It seems a bit of a distance now, but in reality I actually just returned from an inspiring European speaking tour with stops in Oslo, Norway and Edinburgh, Scotland—two cities with very different histories, both united by a shared energy for collaboration and innovation.
During each session, I had the privilege of speaking about Microsoft’s Secure Future Initiative and the Customer Connection Program (our private community where trusted feedback and real-world insight shape Microsoft's security story). The conversations were meaningful, honest, and energizing—proof that secure progress isn’t just about tools, but people.
Oslo welcomed me with that signature Scandinavian balance of precision and warmth. In Edinburgh—my first time there—I found a new personal favorite. The history, charm, and community spirit made a deep impression. Walking its cobbled streets between conversations reminded me why connection is at the heart of what we do.
Grateful for the opportunity to listen, learn, and build momentum with people who care deeply about the future of security and the role community plays in shaping it.
You can catch my entire photo album from the trip here: https://photos.app.goo.gl/cTQBLQ2RYYRc7wHH7
…
DON’T FORGET! 👉 Support Steve Beaumont and His Family
Every contribution, no matter the size, makes a difference. Let’s rally around Steve and show him the strength of our community. We’re just over 59% of the way to fulfilling the request.
…
Help us help you!
Help us improve Defender for Cloud Documentation. We’re working to improve Microsoft Defender for Cloud documentation and want your feedback. This short survey (3–5 mins) will help us understand what’s working, what’s missing, and how we can better support your needs.
Take the survey here: https://aka.ms/AAwwqed
…
That’s it for me for this week. Want something to do for the long weekend? The following is a special, Independence Day KQL activity that goes live at 8am EST on July 4th.
KQL Celebration: Using Queries to Fulfill Independence Dreams
Talk soon.
-Rod
Things to Attend
Register today for the Microsoft Entra Suite Summer Camp - August 4-7, 2025: Learn to unify access controls, streamline employee lifecycle, secure access to on-prem and AI apps, and govern internet resources.
Ask Microsoft Anything about the new Microsoft Purview Data Security Investigations - Tuesday, Jul 15, 2025, 09:00 AM PDT - Microsoft Purview Data Security Investigations is a new solution that enables data security teams to identify incident-related data, investigate that data with generative AI-powered deep content analysis, and mitigate risk within one unified product. With its cutting-edge, generative AI-powered investigative capabilities, DSI transforms and scales how data security admins analyze incident-related data. DSI uncovers key security and sensitive data risks and facilitates secure collaboration between partner teams to mitigate those identified risks. This simplifies previously complex, time-consuming tasks – what once took months, can now be done in a fraction of the time. Join us for an AMA with the team that developed Microsoft Purview's newest solution!
Things that are Related
KQL Treasure Hunt: Sample Dataset - This repository contains sample data for the blog post "KQL Treasure Hunt: Solve a Data Mystery with Queries." The data simulates logs from the Starlight Outpost, a fictional space station, and is designed to teach KQL (Kusto Query Language) through a detective-style narrative.
Pop Culture KQL Datasets - This repository contains fictional datasets inspired by popular fictional universes—Star Wars and Harry Potter—designed for learning and experimenting with the Kusto Query Language (KQL) in Azure Data Explorer. These datasets were created to accompany the blog post "KQL in Pop Culture: Querying Your Favorite Fictional Worlds."
ApocalypseLogs Dataset for KQL vs. the Zombie Apocalypse - This repository contains the datasets for the blog post "KQL vs. the Zombie Apocalypse: Surviving with Data Queries". The datasets simulate a post-apocalyptic world with survivor camps, supply inventories, and zombie sightings. Use these files to follow along with the KQL queries in the blog post and practice analyzing data to survive the undead hordes.
Automating Enriched DDoS Alerts Using Logic Apps - In this blog, we explore a practical solution to automate and enrich Azure DDoS Protection alerts using Logic Apps. This integration enables security and operations teams to gain immediate visibility into active DDoS attacks through real-time, actionable email notifications. By combining Log Analytics & Logic Apps you can streamline alerting and reduce investigation time.
Responsible AI and the Evolution of AI Security - Artificial Intelligence (AI) is transforming how we build, integrate, and secure modern applications, especially with the rapid adoption of cloud platforms like Azure. As AI’s influence grows, so does the need to ensure that its development and deployment are responsible, ethical, and secure. This article explores why Responsible AI is now mandatory, how AI security has evolved, and the essential tools and techniques for building secure AI infrastructure and applications.
Things to Have
CaBypassFirstPartyApps.kql - Looks for sign-ins of first-party apps that are not covered by "closed" CA policies (e.g., policies that require MFA or device compliance for all users and all apps), enriched with details about delegated permissions, EntraOps classification, and known bypasses documented by EntraScopes.com or Microsoft documentation. The query needs to be executed in Microsoft Defender XDR Advanced Hunting (with an integrated Sentinel workspace).
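The starting point for a query like that is the set of successful sign-ins where no Conditional Access policy was applied at all. The following is an added, simplified example (it is not the CaBypassFirstPartyApps.kql query itself and does not include its permission, EntraOps or EntraScopes enrichment); it assumes the Sentinel SigninLogs table is reachable from Advanced Hunting and leaves the first-party classification of each AppId to the analyst:

```kql
// Added example, not the repository's query: which applications have successful
// sign-ins where Conditional Access evaluated to "notApplied", and how many of
// those completed with single-factor authentication only. Lookback is an assumption.
let lookback = 14d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful sign-ins only
| where ConditionalAccessStatus == "notApplied"    // no CA policy matched this sign-in
| summarize
    SignIns = count(),
    Users = dcount(UserPrincipalName),
    SingleFactorSignIns = countif(AuthenticationRequirement == "singleFactorAuthentication"),
    Resources = make_set(ResourceDisplayName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by AppDisplayName, AppId
| where SingleFactorSignIns > 0
| order by SingleFactorSignIns desc
```

Any AppId that shows up here while your "all users, all apps, require MFA" policy is enabled is a candidate gap to investigate: either the policy has an exclusion that matches, or the app is one of the first-party apps the referenced query is designed to classify.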
Security Copilot Things
Microsoft Sentinel Things
Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers - Onboarding to the new unified experience is easy and doesn’t require a typical migration. Just a few clicks and permissions. Customers can continue to use Sentinel in the Azure portal while it is available even after choosing to transition. Today, we’re announcing that we are moving to the next phase of the transition with a target to retire the Azure portal for Microsoft Sentinel by July 1, 2026. Customers not yet using the Defender portal should plan their transition accordingly.
Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF) - The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to Codeless Connector Framework (CCF). The new name reflects the platform's evolution and avoids confusion with other platform-oriented services, while still providing the same ease of use and flexibility that users have come to expect.
Connector documentation consolidation - We have consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table. You can find the new connector reference at Microsoft Sentinel data connectors.
Summary rule templates now in public preview - You can now use summary rule templates to deploy pre-built summary rules tailored to common security scenarios. These templates help you aggregate and analyze large datasets efficiently, don't require deep expertise, reduce setup time, and ensure best practices. For more information, see Aggregate Microsoft Sentinel data with summary rules (Preview).
How to Configure or Scale Log Caching DCR in Azure Monitor Agent for Microsoft Sentinel - If you’re using Azure Monitor Agent (AMA) for collecting logs from virtual machines, it’s important to understand the concept of log caching using Data Collection Rules (DCRs).
Demystifying Microsoft Sentinel Roles And Permissions - In this article, we’ll explore the various layers of Azure RBAC, examine built-in and custom roles within Sentinel, including the critical and various Microsoft Sentinel roles and permissions, and delve into the newly released granular RBAC capabilities in Azure Monitor Log Analytics and their integration with the Unified Security Operations platform (Microsoft Defender) portal. By the end, you’ll understand how to apply least-privilege principles across tenants, management groups, subscriptions, workspaces, and even individual log tables and rows.
A Little Slice of…Navigating the Incident Lifecycle – Previously we discussed how the Defender portal allows us to better correlate alerts and streamline how we access data to investigate. Today, we will dive into how we can use these components to come to conclusions within the SOC faster than ever before. Generally, Clive and I have intentionally stayed out of the mix here, and we’ll empower Kacper to tell the story of using Defender in real life – mainly in his own words.
Defender for Cloud Things
Optimizing Resource Allocation with Microsoft Defender CSPM - Defender CSPM (Cloud Security Posture Management) provides a data-driven approach to the problem of deciding where limited remediation effort should go. By continuously analyzing the security posture across Azure, AWS, and GCP, Defender CSPM calculates risk scores based on factors such as business impact, exposure, and potential exploitability. Armed with these insights, security teams can make informed decisions about where to focus resources, maximizing impact and reducing their overall risk.
New feature in Defender for Storage: Optional Index Tags - If you’re using Microsoft Defender for Storage to protect your blobs from malware, you probably know that scan results are automatically written to blob index tags. These tags are helpful for querying scan status efficiently and seeing results in near-real time in the blob itself, but for high-frequency scans, those extra writes can add up in cost.
Azure Arc and Defender for Servers: Connectivity and Monitoring Script - In many enterprise environments, infrastructure administrators may not have direct access to the Azure Arc portal or Microsoft Defender for Cloud. However, they are still responsible for ensuring that on-premises servers are properly onboarded and connected to Azure services such as Defender for Servers. This document provides an overview of Defender for Servers, explains how to onboard on-premises servers using Azure Arc, and introduces a PowerShell script that helps verify service health and connectivity from the local machine.
Defender for IoT Things
Latest Threat Intelligence (June 2025) - Microsoft Defender for IoT has released the June 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).
Microsoft Purview Things
Microsoft Purview SDK and APIs are now available in GA (07/01) enabling Azure AI Foundry and third-party AI developers to integrate enterprise-grade data security and compliance controls into custom AI apps and agents — across any platform and model for the following outcomes:
Prevent data oversharing by honoring label inheritance from grounding data sources
Protect against data leaks and insider risks with built-in safeguards
Govern AI runtime data through auditing, Data Lifecycle Management (DLM), eDiscovery (eD), and Communication Compliance (CC)
Defender for Office Things
Protection Against Email Bombs with Microsoft Defender for Office 365 - In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach.
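The volume-and-diversity pattern described above (many messages, from many unrelated senders, to one mailbox, in a short window) is also easy to hunt for yourself. The following is an added example for Advanced Hunting over the EmailEvents table; it is not from the referenced blog, and the thresholds are assumptions to tune against your own baseline:

```kql
// Added example, not from the referenced post: flag recipients receiving an abnormal
// volume of inbound mail from many distinct sender domains inside one window,
// the signature of an email bomb. Window, lookback and thresholds are assumptions.
let window = 1h;
let lookback = 1d;
let minMessages = 200;      // assumed: messages per recipient per window
let minSenderDomains = 50;  // assumed: bombs arrive from many unrelated domains
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| summarize
    Messages = count(),
    SenderDomains = dcount(SenderFromDomain),
    Delivered = countif(DeliveryAction == "Delivered"),   // how much reached the user
    SampleSubjects = make_set(Subject, 5)
  by RecipientEmailAddress, WindowStart = bin(Timestamp, window)
| where Messages >= minMessages and SenderDomains >= minSenderDomains
| order by Messages desc
```

A high Delivered count relative to Messages is the case to act on first: the mailbox is actually being flooded, so check that recipient's other activity in the same window (password resets, purchase confirmations, MFA prompts) for the notification the bomb may be trying to bury.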
Microsoft Entra Things
Protecting your Conditional Access Policies: Lean Backup Strategies for Entra ID - Conditional Access Policies are frequently discussed in posts and articles. This is hardly surprising, as they are a central component of modern zero-trust strategies. Sometimes there’s a new signal that can be added to the scope. Sometimes a fancy feature that, when used correctly, brings even more security. All of that is good, important, and absolutely necessary.
Enhancing Defense Security: The Power of Entra ID Governance - In the complex and highly regulated environment of the Defense Industrial Base (DIB), managing identity governance is a critical task. With restricted programs and the need for specific access controls, companies in the DIB face unique challenges. Microsoft Entra ID Governance offers a comprehensive solution to these challenges, helping organizations improve productivity, strengthen security, and meet compliance requirements.
Microsoft Entra Agent ID brings identity management to AI, plus key migration deadlines - Microsoft has just introduced Microsoft Entra Agent ID to extend its identity and access management services to AI agents. With Agent ID, organizations can decide how AI agents interact with data, systems, and users. Each agent receives a unique identifier and a consistent identity that can be used with different tools and environments - Microsoft said this helps with core identity functions such as authentication, authorization, and lifecycle management.
Readership Survey Results for Microsoft Entra Blog - Earlier this year, we launched our first Microsoft Entra blog reader survey. Nearly 50 people took the time to give us feedback, and 94% were satisfied with our content. We also received helpful feedback about what types of articles are preferred, the roles our readers hold, and both positive and critical feedback. THANK YOU!
What’s new in Microsoft Entra – June 2025 - Microsoft has introduced Microsoft Entra Agent ID, a new capability that brings identity and access management to AI agents, enabling organizations to govern how these agents interact with data, systems, and users. Agent ID provides each AI agent with a unique identifier and a consistent identity that can be used across tools and environments, supporting core identity functions such as authentication, authorization, and lifecycle management. By extending Entra's identity protections to AI agents, organizations can apply Conditional Access policies, enforce least privilege access, and monitor agent activity—just as they would with human users. This ensures safer deployment of AI while maintaining visibility and control.