<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Rod’s Blog: THE PROMPT for Microsoft Security]]></title><description><![CDATA[The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.]]></description><link>https://rodtrent.substack.com/s/the-prompt-for-microsoft-security</link><image><url>https://substackcdn.com/image/fetch/$s_!rp9E!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png</url><title>Rod’s Blog: THE PROMPT for Microsoft Security</title><link>https://rodtrent.substack.com/s/the-prompt-for-microsoft-security</link></image><generator>Substack</generator><lastBuildDate>Sun, 12 Jul 2026 00:49:44 GMT</lastBuildDate><atom:link href="https://rodtrent.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Rod Trent]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[rodtrent@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[rodtrent@substack.com]]></itunes:email><itunes:name><![CDATA[Rod Trent]]></itunes:name></itunes:owner><itunes:author><![CDATA[Rod Trent]]></itunes:author><googleplay:owner><![CDATA[rodtrent@substack.com]]></googleplay:owner><googleplay:email><![CDATA[rodtrent@substack.com]]></googleplay:email><googleplay:author><![CDATA[Rod Trent]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #77]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-027</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-027</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 10 Jul 2026 11:30:56 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!BaUj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BaUj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BaUj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BaUj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:217390,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/205793799?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BaUj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BaUj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f098ef3-d4f9-45ed-8739-08e6bbd1709c_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3>Things from Me</h3><p>Happy Friday everyone!</p><p>As you&#8217;re probably wondering, yes, things have been crazy this last week. The retirement buyouts at Microsoft were followed by layoff week - again. Layoffs at Microsoft are a regular thing and has become (sadly) the rhythm of business. I&#8217;ll have more to say about this next week. Suffice to say, personally I lost a lot of great colleagues and friends, and it will take a bit of time to put those feelings into coherent words.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>&#8230;</p><p>There is some exciting news this week, though. I&#8217;m excited to amplify some big news from my friend and colleague <strong><a href="https://www.linkedin.com/in/merill/">Merill Fernando</a></strong>!</p><p>I&#8217;ve long admired Merill&#8217;s work in the Microsoft security community &#8212; especially his relentless focus on making tenant security practical, automated, and accessible for everyone. So when he shared why he&#8217;s stepping away from Microsoft to go full-time on <strong>Maester</strong>, it made perfect sense.</p><blockquote><p><strong>Why did Merill leave Microsoft?</strong><br>To work full-time on <strong>Maester</strong>.</p></blockquote><p>Over <strong>40,000+ tenants</strong> already rely on Maester every day to monitor and validate their Microsoft 365 security posture. As the Microsoft 365 and security landscapes continue to evolve rapidly, Merill wanted to ensure the tests stay relevant, comprehensive, and community-driven.</p><p>This week he launched <strong>Maester.Cloud</strong> &#8212; the perfect portal companion to the open-source Maester framework.</p><h3>What is Maester.Cloud?</h3><ul><li><p><strong>Track results over time</strong> with multi-year history, drift detection, and change alerts.</p></li><li><p><strong>Multi-tenant support</strong> &#8212; ideal for enterprises and MSPs.</p></li><li><p>Runs in <strong>your cloud</strong> (self-hosted option) or theirs.</p></li><li><p>Delivers durable evidence for audits, compliance, and continuous security improvement.</p></li></ul><p>Check out the full feature set at <strong><a href="https://maester.cloud/">maester.cloud</a></strong>.</p><p>Even more important: Maester Cloud is how Merill funds the ongoing development of the <strong>open-source Maester core</strong> and its tests. This keeps the framework free, community-owned, and growing for everyone.</p><p>He collaborated with the core team &#8212; <strong>Fabian Bader, Thomas Naunheim, Mike Soule, and Sam Erde</strong> &#8212; to publish the <strong>Maester Manifesto</strong> (highly recommended read: <a href="https://maester.cloud/manifesto">maester.cloud/manifesto</a>). It&#8217;s a clear promise to keep security testing open, reusable, and available to all.</p><p>If your organization values Maester and wants to help ensure it stays healthy and continues evolving, I&#8217;d encourage you to consider becoming a sponsor or Founding Supporter. Every bit helps keep the core open and free while powering innovation around it.</p><p>And please &#8212; share this announcement with your network. Tools like Maester make all of us in the Microsoft ecosystem stronger.</p><p>Huge congrats, Merill! This is a bold and impactful move. The community wins big from your full-time focus.</p><p>&#8230;</p><p>That&#8217;s it from me for this week. On to the newsletter&#8230;</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/sponsor" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!e2FR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!e2FR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg" width="1200" height="630" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:630,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:&quot;https://pastthebots.com/sponsor&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!e2FR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e2FR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb1c13857-6724-427c-b716-02ce6f9564cc_1200x630.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3>Recent layoffs have left a lot of strong professionals in limbo.</h3><p>That&#8217;s why we built <strong>Sponsor a Seeker</strong> &#8212; a simple way for the community to lift each other up.</p><p>For just <strong>$29</strong>, you can gift a full <strong>3-month Job-Hunt Pass</strong> packed with:<br>&#8226; Unlimited resume &amp; job description scans<br>&#8226; AI-powered rewrites that actually beat ATS systems<br>&#8226; Professional cover letter generation</p><p>Every dollar goes directly to the seeker.</p><p>You can:<br>&#8594; Sponsor someone like Alex M. (recently laid off front-end engineer)<br>&#8594; Or request sponsorship for yourself</p><p>Either way, you&#8217;re helping keep momentum alive in a tough market.</p><p>&#128073; Take action here: <a href="https://pastthebots.com/sponsor">pastthebots.com/sponsor</a></p><p>Let&#8217;s turn &#8220;I was laid off&#8221; into &#8220;Someone had my back.&#8221;</p><p>Thank you for being part of this community.</p><h3>News Things</h3><p><strong><a href="https://www.thurrott.com/windows/338705/microsoft-details-how-its-using-ai-to-improve-windows-security">Microsoft Details How It&#8217;s Using AI to Improve Windows Security</a></strong> - Microsoft announced two years ago that it was <a href="https://www.thurrott.com/microsoft/301957/microsoft-says-its-making-security-its-top-priority">making security its &#8220;top priority,&#8221;</a> and the company has been increasing its use of AI to find vulnerabilities earlier. Pavan Davuluri, EVP, Windows + Devices at Microsoft, <a href="https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/">penned a blog post</a> today to detail the company&#8217;s latest efforts to keep Windows users protected against attackers.</p><h3>Things that are Related</h3><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/zero-trust-security-for-ai-agents/4533091">Zero Trust security for AI agents</a></strong> - Extend Conditional Access in Microsoft Entra to evaluate every agent authorization request in real time against the same risk signals as human users. Assign each agent its own managed identity with Entra Agent ID and scope permissions with Access Packages. Govern your MCP catalog as a software supply chain&#8202;&#8212;&#8202;unapproved tools don&#8217;t run, and approved servers lock behind Azure API Management.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/fasttrackblog/mitigating-microsoft-365-copilot-access-risk-identity-and-device-controls-for-ze/4534574">Mitigating Microsoft 365 Copilot access risk: Identity and device controls for Zero Trust</a></strong> - Moving from mapping risk to reducing it, this post walks through how to mitigate the six Layer 1 identity and device risks (R1&#8211;R6) that determine who can access Microsoft 365 Copilot.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/07/08/protecting-microsoft-at-ai-speed-how-sfi-proactively-hardens-our-cloud/">Protecting Microsoft&nbsp;at AI speed:&nbsp;How SFI&nbsp;proactively hardens&nbsp;our cloud</a></strong>&nbsp; - At Microsoft we encompass these security requirements, along with threat knowledge and operational frameworks in our <a href="https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative?msockid=0b896df9522a66ed29ed7a7d53b0676b">Secure Future Initiative (SFI)</a>, to guide what a well-defended cloud service looks like. But defining the requirements is only the start. Meeting them means continuously evaluating our live services against them, at AI speed.</p><h3>Things to Watch/Listen To</h3><div id="youtube2-G6Aot9UCePU" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;G6Aot9UCePU&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/G6Aot9UCePU?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h3>Microsoft Sentinel Things</h3><p><strong><a href="https://sentinel.blog/sentinel-as-code-26-07-from-markdown-to-the-boardroom/">Sentinel-As-Code 26.07: From Markdown to the Boardroom</a></strong> - Sentinel-As-Code 26.07 renders the Documenter's daily Markdown inventory into a styled Word (.docx) report: numbered table of contents, colour-coded severity tables, and 42 gap-analysis rules across MITRE ATT&amp;CK, cost, and hygiene. Here's what's in it, and what the same day's other pushes mean.</p><h4>Sentinel GA Releases</h4><p><strong>Manual Logic App Playbooks Trigger for Entities (Devices &amp; Identities) - </strong>SOC analysts can now run Logic App playbooks manually directly from the Device and Identity entity pages, from both the side panel and the main entity page. Same experience as on the Incident page. This closes another Ibiza sunset blocker.</p><p><strong>Cross Tenants Sentinel Logic App Playbooks Support in MTO - </strong>A new capability that lets Managed Security Service Providers (MSSPs) run Logic App playbooks across managed customer tenants directly from the Multi-Tenant Organization (MTO) view in the Defender portal.</p><p>MSSP SOC analysts can now trigger playbooks from one tenant on incidents in another tenant, both manually and through automation rules, while preserving full IP protection so customers do not have access to the MSSP&#8217;s playbooks.</p><p><strong>What&#8217;s new:</strong></p><ul><li><p><strong>Cross-tenant playbook selection</strong> from the MSSP tenant or the customer tenant. Customers get the flexibility to use standardized MSSP playbooks or customer-specific ones.</p></li><li><p><strong>Manual playbook trigger from MTO view:</strong> Select a Logic App playbook and run it on a customer incident directly from the MTO view. No tenant switching required.</p></li><li><p><strong>Automation rules with cross-tenant playbooks:</strong> Automation rules in MTO can now auto-trigger Logic App playbooks when incidents match the defined conditions across managed customers.</p></li></ul><h3>Defender XDR Things</h3><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/microsoft-defender-now-integrates-with-dragos-forescout--armis-for-ot-security/4534936">Microsoft Defender now integrates with Dragos, Forescout, &amp; Armis for OT Security</a></strong> - To support customers in bringing their OT security solutions into their Security Operation (SOC) platform, we&#8217;re excited to announce an expansion of the Microsoft ecosystem with new OT security integrations from Dragos, Forescout, and Armis. This gives customers greater flexibility to use the OT security solutions that best fit their environments.</p><h3>Defender for Office Things</h3><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftDefenderforOffice365Blog/defending-the-inbox-against-prompt-injection-attacks/4534636">Defending the Inbox Against Prompt Injection Attacks</a></strong> - Today, we&#8217;re announcing a new capability in Microsoft Defender that addresses this. Microsoft Defender can now detect and isolate malicious AI instructions embedded in email, commonly referred to as prompt injection, before delivery. This reduces the risk of prompt injection reaching the inbox and activating against AI systems. By detecting these threats, organizations are better protected from prompt injection-driven compromise and unintended data exposure.</p><h3>Defender Threat Intelligence Things</h3><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/">GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware</a></strong> - In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage.</p><h3></h3><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #76]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-78e</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-78e</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 26 Jun 2026 11:31:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!0whB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0whB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0whB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0whB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0whB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0whB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0whB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:283508,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/202707791?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0whB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0whB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0whB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0whB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf705550-ded8-43c2-935f-8df8bbc03d4a_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>A quick heads up before you dive in.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Issue #76 is here, but I wanted to let you know that there will be no newsletter next week. Honestly, two reasons: first, I just need the brain space. Anyone who follows this stuff knows the Microsoft Security world moves fast, and sometimes you have to step back to stay sharp. Second - and this one&#8217;s a good reason - we&#8217;re celebrating the USA&#8217;s 250th birthday, and that feels like something worth actually being present for. So, the newsletter is taking the week of July 4th off along with me.</p><p>And while I&#8217;m being upfront about the schedule: I&#8217;ll also be going dark for a couple of weeks toward the end of July. If you&#8217;re in the Microsoft ecosystem, you already know what that means - it&#8217;s end of fiscal year, and things get a little hectic. I&#8217;ll be back before you miss me too much.</p><p>Thanks for being part of this community. Now, on to the good stuff.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/">AutoJack: How a single page can RCE the host running your AI agent</a></strong> - Ongoing research into AI agent framework security identified an exploit chain in AutoGen Studio (AutoGen&#8217;s open-source prototyping user interface) that allows untrusted web content rendered by a browsing agent to reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. The technique, which we call AutoJack, jacks the agent into becoming the attacker&#8217;s last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/22/guarding-ai-memory/">Guarding AI memory</a></strong> - AI memory transforms an AI system from a stateless tool into a learning collaborator. That unlocks powerful experiences, but it also increases the attack surface of the AI system. Without memory, attackers need to achieve their objective in a single prompt. With AI memory, they can shape behavior gradually over time or plant memories that influence agent reasoning after the original context is gone and user awareness is lower.</p><h2>Things for Partners</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/partnernews/june-update-what%E2%80%99s-new-in-security-for-partners/4529354">June update:&#8239;What&#8217;s&#8239;new in Security for&#8239;partners</a></strong> - As AI adoption accelerates, security expectations and partner opportunities are increasing just as fast. In this June Security partner update, Microsoft Security partners will find the latest product updates, incentives, and skilling designed to help you secure AI workloads, strengthen customer trust, and grow repeatable security services. From new capabilities across Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Agent 365 to expanded go&#8209;to&#8209;market resources and partner&#8209;ready offers, this month&#8217;s updates focus on what you can sell, deliver, and operationalize now to stay ahead of an evolving threat landscape.</p><h2>Things in the News</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/18/new-forrester-study-shows-customers-who-unified-with-microsoft-security-benefited-from-124-roi/">New Forrester study shows customers who unified with Microsoft Security benefited from 124% ROI</a></strong> - Across many industries, organizations are unifying security and putting AI agents to work. Security teams are utilizing agents that reason, decide, and act on their behalf, under their governance. At Microsoft, we see this firsthand&#8212;more than 80% of the Fortune 500 are already using AI.1 The promise of this moment is enormous. The responsibility that comes with it is just as significant. This year, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact&#8482; (TEI) study for our AI-first, end-to-end security platform.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/22/one-intrusion-two-cyberattackers-uncovering-parallel-threat-activity/">One intrusion, two cyberattackers: Uncovering parallel threat activity</a></strong> - What began as a routine ransomware investigation quickly revealed something far more complex. In this ninth cyberattack series report, DART details how a single intrusion uncovered parallel activity from two unrelated threat actors operating simultaneously&#8212;blending tactics, obscuring signals, and challenging traditional assumptions about how multi-stage intrusion campaigns unfold across hybrid environments.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/a-guide-to-innovating-threat-hunting-with-microsoft-sentinel-custom-graph/4530287">A guide to innovating threat hunting with Microsoft Sentinel custom graph</a></strong> - <a href="https://learn.microsoft.com/azure/sentinel/datalake/sentinel-graph-overview?tabs=defender">Sentinel graph</a> is a relationship-first method for organizing and querying data within Microsoft Sentinel data lake. Activities amongst entities (users, devices, emails, IPs, applications, etc.) become a navigable structure that avoids a complex table structure. Rather than stitching together data and evidence via complex joins, users can follow multi-hop connections in order to understand insights such as blast radius, unseen pivots in malicious behavior, and investigative details that may not be as obvious within regular logs, all while visualizing these paths to assist in communicating evidence and findings.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-69w!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 424w, https://substackcdn.com/image/fetch/$s_!-69w!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 848w, https://substackcdn.com/image/fetch/$s_!-69w!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 1272w, https://substackcdn.com/image/fetch/$s_!-69w!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-69w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png" width="1200" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:66625,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://pastthebots.com/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/202707791?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-69w!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 424w, https://substackcdn.com/image/fetch/$s_!-69w!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 848w, https://substackcdn.com/image/fetch/$s_!-69w!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 1272w, https://substackcdn.com/image/fetch/$s_!-69w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a1c6c1a-4798-4054-ba39-6d87ab1decfd_1200x600.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Defender for Cloud Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/24/cnapp-evolution-how-microsoft-aligns-with-leading-cloud-risk-management-platforms/">CNAPP evolution: How Microsoft aligns with leading cloud risk management platforms</a></strong> - Cloud security is shifting from visibility to context-aware risk reduction, helping security teams understand which exposures matter most, prioritize what can be exploited, and reduce risk across the application lifecycle. As organizations continue to expand across multicloud environments, Kubernetes, APIs, and AI-powered workloads, security teams are overwhelmed with signals. The challenge is no longer identifying individual risks, but determining which combinations of vulnerabilities, identities, and data exposures are most critical to address at the source.</p><h2>Defender Threat Intelligence Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/">StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them</a></strong> - Infostealers continue to be some of the most pervasive and impactful threats across the cybercrime ecosystem. They play a central role in intrusions, silently harvesting passwords, cookies, and session tokens before exfiltrating stolen data to attacker-controlled infrastructure. If not mitigated, these threats can turn a single consumer-device compromise into an enterprise risk: an infostealer infection on an employee&#8217;s personal device could yield corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multifactor authentication (MFA).</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #75]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-32e</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-32e</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 19 Jun 2026 11:30:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!VSNr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!VSNr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!VSNr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!VSNr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:301592,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/201630131?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!VSNr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!VSNr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7f516aa-7dbd-496f-840e-24e5a9cc050b_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Issue #75. Seventy-five weeks of showing up, filtering the noise, and trying to make sense of a Microsoft Security landscape that refuses to sit still and honestly, I wouldn&#8217;t have it any other way.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Of course, in reality, this is way beyond issue #75. For those that have been here since the beginning, this newsletter was once a Sentinel-only newsletter that started in 2020. That newsletter was merged with this one in 2021 and has delivered every week since. So&#8230;let&#8217;s see&#8230;Grok tells me that&#8217;s a total of nearly 324 weeks or around 324 issues. But, yes, in its current form, we&#8217;re sitting at issue #75.</p><p>This week, the theme that keeps surfacing, whether in the Agentic SOC conversation, the AI-speed benchmarking discussion, or the identity blind spots hiding in plain sight, is that the gap between what attackers can do and what defenders are equipped to do is closing faster than most organizations realize. The good news: so is the tooling. Microsoft is shipping capabilities at a pace that would&#8217;ve seemed unrealistic even two years ago, and this issue is packed with proof.</p><p>As always, I&#8217;ve done the reading, so you don&#8217;t have to, but I&#8217;d encourage you to dig into the ones that matter most to your environment. The links are here; the context is yours to act on. Let&#8217;s get into it.</p><p>Thanks all for your continued attention.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Attend</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/partnernews/don%E2%80%99t-miss-these-key-opportunities-to-strengthen-your-security-practice/4526801">Don&#8217;t miss these key opportunities to strengthen your security practice</a></strong> - Security is the baseline expectation in migration and modernization&#8212;and the partners who lead in security can drive faster adoption, smoother deployments, and stronger customer outcomes from day one.</p><h2>Things that are Related</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/AzureObservabilityBlog/inside-the-observability-agent-how-deep-investigations-and-reasoning-work/4527102">Inside the Observability Agent: How Deep Investigations and Reasoning Work</a></strong> - Today, investigating incidents often means navigating multiple tools, forming hypotheses manually, and guessing which signals matter. Deep investigation replaces that process with a structured system that explores multiple explanations, correlates signals across layers, and produces a data-backed root cause analysis.</p><p><strong><a href="https://socautomators.substack.com/p/deep-dive-the-context-graph-the-missing">DEEP DIVE: The Context Graph - The Missing System of Record for the Agentic SOC</a></strong> - Attackers operate at machine speed. The SOC does not. Sorry for the longer post but this issue has been bugging me for some time and warrants some attention from all of us.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/17/beyond-the-benchmark-advancing-security-at-ai-speed/">Beyond the benchmark: Advancing security at AI speed</a></strong> - Every vulnerability has two clocks running. One belongs to the defender racing to find it; the other to the cyberattacker hoping to find it first. For as long as software has existed, those clocks have favored the attacker, because modern code is vast, interconnected, and changing every day, while security reviews happen at fixed moments in time. The space between &#8220;code shipped&#8221; and &#8220;code reviewed&#8221; is where risk quietly accumulates.</p><p><strong><a href="https://socautomators.substack.com/p/evolve-or-be-automated-a-security">Evolve or Be Automated: A Security Veteran&#8217;s Take on the AI Frontier</a></strong> - The shift to cloud did it. SIEM and the move to security operations did it. EDR did it. Zero trust did it. Each time, the same pattern: a new way of working showed up, the people who leaned in early became the ones everyone else called for help, and the people who decided to &#8220;see how it plays out&#8221; spent the next three years catching up to where the early movers already were.</p><h2>Things to Watch/Listen To</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:201613093,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-security-insights-show-episode-6b2&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot;The Security Insights Show Episode 293- Agent 365 &quot;,&quot;truncated_body_text&quot;:&quot;Edward will ask the burning question, is Agent 365 a security tool, product or just a hyper dense reporting tool. The world needs to know.&quot;,&quot;date&quot;:&quot;2026-06-11T22:46:45.948Z&quot;,&quot;like_count&quot;:0,&quot;comment_count&quot;:0,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;subscriber&quot;:null}},{&quot;id&quot;:25637175,&quot;name&quot;:&quot;Edward Walton&quot;,&quot;handle&quot;:&quot;securitybro&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F89b98b87-6bce-4c30-ba8a-4cad6287197b_202x346.jpeg&quot;,&quot;bio&quot;:&quot;Edward Walton is a security leader with over 20 years of experience in information security. His focus is Threat Intel, threat analytics and SIEM.&quot;,&quot;profile_set_up_at&quot;:&quot;2024-04-26T19:20:40.812Z&quot;,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:194879,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:268192,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:268192,&quot;name&quot;:&quot;Ed's place of highly opinionated facts on Security!&quot;,&quot;subdomain&quot;:&quot;edwardwalton&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Are we secure yet? Are we secure yet? &quot;,&quot;logo_url&quot;:null,&quot;author_id&quot;:25637175,&quot;primary_user_id&quot;:25637175,&quot;theme_var_background_pop&quot;:&quot;#FD5353&quot;,&quot;created_at&quot;:&quot;2021-01-22T17:52:33.499Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Edward Walton&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:null,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:null}},{&quot;id&quot;:2422927,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;subscriber&quot;,&quot;tier&quot;:1,&quot;accent_colors&quot;:null},&quot;subscriber&quot;:null}},{&quot;id&quot;:115592344,&quot;name&quot;:&quot;Frank Grimberg&quot;,&quot;handle&quot;:&quot;frankgrimberg&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23065326-db4e-4d18-b54a-b4751d05747e_144x144.png&quot;,&quot;bio&quot;:null,&quot;profile_set_up_at&quot;:null,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:5852489,&quot;user_id&quot;:115592344,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:null,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:null,&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-security-insights-show-episode-6b2?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title">The Security Insights Show Episode 293- Agent 365 </div></div><div class="embedded-post-body">Edward will ask the burning question, is Agent 365 a security tool, product or just a hyper dense reporting tool. The world needs to know&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">a month ago &#183; Rod Trent, Edward Walton, and Frank Grimberg</div></a></div><h2>Things in the News</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/17/forrester-names-microsoft-a-leader-in-the-2026-extended-detection-and-response-platforms-wave-report/">&#8203;&#8203;Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave&#8482; report</a></strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/17/forrester-names-microsoft-a-leader-in-the-2026-extended-detection-and-response-platforms-wave-report/"> </a>- <span data-color="rgb(23, 37, 61)" style="color: rgb(23, 37, 61);">We are excited to share that </span><strong>Microsoft has been named a Leader in <a href="https://aka.ms/XDR-reprint26">The Forrester Wave&#8482;: Extended Detection and Response Platforms, Q2 2026</a></strong><span data-color="rgb(23, 37, 61)" style="color: rgb(23, 37, 61);">. Microsoft ranked the highest of any vendor evaluated in the Strategy category and is the only vendor to receive the highest score in Vision. Microsoft also received the highest possible scores across the current offering criteria of identity detection, cloud detection, SIEM replacement, Threat Intelligence, Threat hunting, Administrative controls, and Training.</span></p><h2>Security Copilot Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/security-copilot-rbac-for-embedded-experience-in-unified-security-platform/4528833">Security Copilot RBAC for Embedded Experience in Unified Security Platform</a></strong> - The evolution of Security Operations Centers (SOC) is increasingly driven by AI-powered capabilities that improve efficiency, accuracy, and response time. Microsoft Security Copilot represents a significant advancement in this space by embedding AI-driven assistance directly within security platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/microsoft-security-copilot-ai-driven-security-operations-at-greater-scale/4528912">Microsoft Security Copilot: AI-Driven Security Operations at Greater Scale</a></strong> - By leveraging real-time security signals, global threat intelligence, and an organization&#8217;s own data, Security Copilot provides contextually relevant, actionable insights for a wide range of security scenarios &#8212; from incident response and threat hunting to vulnerability management and compliance.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://www.bluevoyant.com/blog/asim-first-threat-detection-microsoft-sentinel">How BlueVoyant&#8217;s ASIM-First Strategy Simplifies Threat Detection in&#8230;</a></strong> - Earlier this year, BlueVoyant adopted a new detection strategy built on the Advanced Security Information Model (ASIM). For those unfamiliar, ASIM is Microsoft's normalisation layer that standardises log data across products into consistent schemas.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/transform-your-security-operation-with-a-unified-experience-in-defender/4527932">Transform your security operation with a unified experience in Defender</a></strong> - By <strong>March 31, 2027</strong>, all Microsoft Sentinel customers will be automatically transitioned to Defender. But this transition is about far more than a new interface. It&#8217;s an opportunity to modernize the SOC, streamline operations, and unlock capabilities designed for the AI-first era of security operations.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/introducing-new-additions-to-microsoft-sentinel-normalization-and-asim/4524584">Introducing New Additions to Microsoft Sentinel Normalization and ASIM</a></strong> - Security teams deal with logs from dozens of sources, each with its own schema. This pain point makes it harder to write detections that work everywhere. The Advanced Security Information Model (ASIM) solves this by normalizing logs into a common schema, so a single analytic rule can cover a wide variety of sources without worrying about the source schema.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/anatomy-of-the-change/4527934">Microsoft Sentinel in Microsoft Defender: Anatomy of the change</a></strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/anatomy-of-the-change/4527934"> </a>- Incidents, alerts, correlation, and data&#8212;what actually changes with the new platform, and why it works in your favor. When you open Microsoft Sentinel in Microsoft Defender for the first time, the shift feels immediate: investigations are cleaner, workflows are more connected, and analysts can move through incidents with far less context switching.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/detection-and-automation-reimagined/4527933">Detection and automation, reimagined</a></strong> - If you build detections for a living, the move to Defender is one of the most meaningful shifts to your workflow in years&#8212;and for most teams, it&#8217;s a welcome one. Your existing analytics rules don&#8217;t disappear. Your playbooks don&#8217;t need to be rewritten. Your workbooks continue to function exactly as they do today. What changes is the scope of what you can detect, automate, and investigate from a single experience.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftDefenderCloudBlog/closing-the-loop-on-container-security-from-code-to-runtime-in-the-ai-era/4528599">Closing the loop on container security: From code to runtime in the AI era</a></strong> - <span data-color="rgb(30, 30, 30)" style="color: rgb(30, 30, 30);">Containers are the backbone of modern cloud-native apps &#8212; and increasingly, the infrastructure powering AI, from AI assistants to a new wave of intelligent agents. They also blur the line between </span><strong>build</strong><span data-color="rgb(30, 30, 30)" style="color: rgb(30, 30, 30);">, </span><strong>deploy</strong><span data-color="rgb(30, 30, 30)" style="color: rgb(30, 30, 30);">, and </span><strong>runtime</strong><span data-color="rgb(30, 30, 30)" style="color: rgb(30, 30, 30);">: a single code change can become a running workload in minutes. A misconfiguration committed in the morning can be deployed in minutes and exploited before noon. At that speed, container security can no longer be a point-in-time check, it has to work as one continuous loop.</span></p><h2>Defender XDR Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/securing-the-invisible-workforce/4528611">Securing the invisible workforce</a></strong> - Non-human identities are now the majority of the identity estate in most enterprises. Service principals access organizational resources across SharePoint, Azure, and Microsoft 365, Service accounts run critical business processes on-premises, OAuth apps move data across SaaS boundaries, and AI agents increasingly operate autonomously at machine speed.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/lottery" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ry9z!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 424w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 848w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 1272w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ry9z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png" width="1200" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:69293,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://pastthebots.com/lottery&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/201630131?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ry9z!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 424w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 848w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 1272w, https://substackcdn.com/image/fetch/$s_!ry9z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66511c2e-520d-4ac6-a26f-3ae94eca0d76_1200x600.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Defender Experts Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/">Crypto Clipper uses Tor and worm-like propagation for persistence and control</a></strong> - Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://medium.com/microsoft-purview-in-practice/the-hard-truth-about-rolling-out-microsoft-purview-unified-catalog-and-how-id-configure-it-3c65ed084ef0">The Hard Truth About Rolling Out Microsoft Purview Unified Catalog and How I&#8217;d Configure It</a></strong> - You turned on Microsoft Purview to bring order to your data. Six weeks later, Collection Admin has sprawled across the org, nobody owns a single data product, and your catalog is somehow locked down and wide open at the same time. That is not a tooling problem. That is a rollout problem.</p><p><strong><a href="https://kusenberg.net/the-copilot-dlp-blind-spot-prompt-uploads">The Copilot DLP Blind Spot: Prompt Uploads</a></strong> - Microsoft Purview DLP for Microsoft 365 Copilot and Copilot Chat can inspect prompt text for sensitive information and block processing. Files that users upload directly into a prompt, however, are currently not scanned for their content. This applies to sensitive data such as credentials just as much as to potential prompt injection content. Governance must therefore not stop at the existence of a control, but understand where that control does not apply.</p><h2>Defender for Office Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/15/microsoft-defender-email-security-benchmarking-key-insights-from-one-year-of-data/">Microsoft Defender email security benchmarking: Key insights from one year of data</a></strong> - A year ago, we set out to change how email security effectiveness is measured. With <a href="https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/">our first benchmarking report in July 2025</a>, we committed to publishing real-world performance data, not synthetic tests, so security teams could make decisions grounded in evidence. With each quarterly update, we refined our methodology, expanded our analysis, and listened to customer and partner feedback.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftDefenderforOffice365Blog/microsoft-defender-for-office-365-plan-1-is-now-rolling-out-to-microsoft-365-e3-/4527287">Microsoft Defender for Office 365 Plan 1 is now rolling out to Microsoft 365 E3 and Office 365 E3</a></strong> - Starting today, Microsoft Defender for Office 365 Plan 1 is rolling out to customers with Microsoft 365 E3/G3 and Office 365 E3/G3 licenses, with rollout expected to complete in August 2026. For security teams, this means added protection against phishing, malware, and malicious links across email and collaboration, without needing to purchase or deploy a separate email security solution. It also means some protections will turn on automatically, so now is the right time to review your configuration and prepare for any changes to mail flow, policies, and end-user experience.</p><h2>Defender Threat Intelligence Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/">From package to postinstall payload: Inside the Mastra npm supply chain compromise</a></strong> - <span data-color="rgb(23, 37, 61)" style="color: rgb(23, 37, 61);">Microsoft Threat Intelligence observed a large-scale npm supply chain attack affecting 140+ packages across the mastra and @mastra scopes on the npm registry. Microsoft shared its findings with the npm security team, and the compromised packages have been removed and the attacker&#8217;s publish access to the @mastra scope has been revoked. The compromise originated from the takeover of the ehindero npm maintainer account, which had publish rights across the Mastra ecosystem and was used to publish poisoned package versions that introduced </span><em>easy-day-js</em><span data-color="rgb(23, 37, 61)" style="color: rgb(23, 37, 61);">, a malicious typosquat of the popular </span><em>dayjs</em><span data-color="rgb(23, 37, 61)" style="color: rgb(23, 37, 61);"> library.</span></p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/ai-is-accelerating-cyberattacks%E2%80%94here%E2%80%99s-how-to-stay-ahead/4528592">AI is accelerating cyberattacks&#8212;here&#8217;s how to stay ahead</a></strong> - See how Microsoft unifies identity and security signals to help teams prevent, detect, and respond to AI-accelerated attacks faster.</p><h2>Fun Thing This Week</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://reelrifter.com/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UULI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!UULI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!UULI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!UULI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UULI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png" width="1200" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ff964a38-a944-416b-9564-4a1101f22db1_1200x400.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:242667,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://reelrifter.com/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/201630131?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UULI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!UULI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!UULI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!UULI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff964a38-a944-416b-9564-4a1101f22db1_1200x400.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #74]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-96b</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-96b</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 12 Jun 2026 11:31:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!tAM3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tAM3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tAM3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tAM3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:297706,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/200615448?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tAM3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tAM3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F316a6242-5e67-4a6c-baa9-573ce199b052_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Welcome back to another issue of THE PROMPT for Microsoft Security &#8212; your weekly roundup of the latest news, resources, and insights from across the Microsoft security ecosystem. Whether you&#8217;re deep in a SOC, managing endpoints, or navigating the ever-expanding landscape of AI and identity security, there&#8217;s something here for you this week.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>There&#8217;s lots to get to so grab your coffee, settle in, and let&#8217;s dig in.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Attend</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/level-up-your-azure-network-security-skills-with-our-upcoming-webinar-series/4525584">Level up your Azure Network Security Skills with our Upcoming Webinar Series</a></strong> - As network and application-layer threats continue to evolve, security and infrastructure teams need more than product knowledge. They need practical, scenario-driven guidance they can apply to real workloads. To support that, the Azure Network Security team is hosting a series of upcoming technical webinars covering the capabilities our customers rely on every day: <a href="https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs?tabs=drs21">Azure Web Application Firewall (WAF),</a> <a href="https://learn.microsoft.com/en-us/azure/firewall/firewall-copilot">Azure Firewall,</a> <a href="https://learn.microsoft.com/en-us/azure/ddos-protection/">Azure DDoS Protection</a> and <a href="https://learn.microsoft.com/en-us/azure/bastion/">Azure Bastion</a>.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/career-care" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TXAG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TXAG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png" width="1200" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:70492,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://pastthebots.com/career-care&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/200615448?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TXAG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!TXAG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4c4dfa06-e4bc-474b-9a59-d67db1bb3e8d_1200x400.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/09/reconstructing-ai-activity-investigations/">Reconstructing AI activity in investigations</a></strong> - AI interactions generate telemetry across Microsoft Purview, Defender, and Sentinel. That telemetry captures who initiated an interaction, when it occurred, and which resources were involved. It provides the foundation for reconstructing AI activity in enterprise environments. It&#8217;s turning those signals into an investigation. To help address that challenge, <a href="https://aka.ms/AIIRplaybook">we&#8217;ve published a new investigator playbook</a> for Microsoft 365 Copilot and Azure AI services. The playbook provides a structured approach for investigating AI-related activity using the telemetry already available across Microsoft security products.</p><h2>Things to Watch/Listen To</h2><div id="youtube2-DMzkIq_DzhE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;DMzkIq_DzhE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/DMzkIq_DzhE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://socautomators.substack.com/p/new-sentinel-data-ingestion-reports">New Sentinel data ingestion reports make your life easier</a></strong> - Microsoft Sentinel customers have long faced the challenge of understanding exactly what data is flowing into their SIEM environment. Where is it landing? Are the ingestion patterns healthy? Are we losing data or having jumps in ingestion that will lead to a surprise bill?</p><p><strong><a href="https://socautomators.substack.com/p/hunting-at-machine-speed-kql-on-the">Hunting at Machine Speed &#8212; KQL on the Sentinel Data Lake</a></strong> - Adversaries are not waiting. They generate variants, test paths, and pivot at machine speed. Static detection content alone cannot keep up. Hunting is part of how the SOC closes the gap.</p><p><strong><a href="https://techcommunity.microsoft.com/discussions/microsoftsentinel/detecting-ai-agents-and-non-human-identities-in-microsoft-sentinel-the-classic-a/4526787#M12940">Detecting AI agents and non-human identities in Microsoft Sentinel: the classic-agent blind spot</a></strong> - Build 2026 made the direction official. The industry is moving from the app era into the agent era, and Microsoft spent a real share of the keynote on securing agents across their lifecycle, from discovering what is exploitable to governing what is running in production. On the identity side the centerpiece is Microsoft Entra Agent ID, now generally available, which gives AI agents first-class identities and extends Conditional Access, Identity Protection, and full audit logging to them.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/recruiter" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Pzg0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Pzg0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png" width="1200" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:65146,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://pastthebots.com/recruiter&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/200615448?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Pzg0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 424w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 848w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 1272w, https://substackcdn.com/image/fetch/$s_!Pzg0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F575980a5-3f44-4390-9bf0-0ea4f6ee1b4a_1200x400.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-now-monitors-rpc-activity/4523368">Microsoft Defender now monitors RPC activity</a></strong> - Microsoft Defender now monitors remote RPC activity from select interfaces and supports detection, disruption, and hunting over RPC call data.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/elevate-your-telemetry-using-custom-data-collection-in-microsoft-defender/4512530">Elevate your telemetry using custom data collection in Microsoft Defender</a></strong> - At Ignite in November, we announced that Microsoft Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions. Since then, we've heard from customers that this tool has been a game changer, enabling them to hunt through new data types as well as richer data on events already reported. The release of custom data collection was a key milestone in our ongoing journey to make Defender easy to manage and customize.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/introducing-scheduled-antivirus-scans-on-microsoft-defender-linux/4524578">Introducing scheduled antivirus scans on Microsoft Defender Linux</a></strong> - Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has traditionally required custom scripts and cron-based setups, which can be hard to scale and maintain. That&#8217;s why we&#8217;re excited to introduce <strong>centrally managed scheduled antivirus scans for Linux in Microsoft Defender</strong>, now available in <strong>public preview</strong>. With this release, we are bringing built-in, flexible scheduling capabilities directly into Defender - making it easier to manage and standardize scan behaviour across Linux environments.</p><h2>Defender XDR Things</h2><p><strong><a href="https://uros-babic.cloud/2026/06/08/how-to-build-security-al-analyst-agent-in-defender-xdr/">How to Build Security Al Analyst agent in Defender XDR</a></strong> - The Security Analyst Agent helps security analysts quickly identify, assess, and prioritize risks by performing ready-to-use or custom analyses on security data. The agent provides actionable and prioritized insights, recommendations, and reports to uncover top vulnerabilities and risks. It supports data from Microsoft Defender XDR, Sentinel Log Analytics, or Sentinel Data Lake, and can perform complex analysis tasks such as anomaly detection, clustering, risk scoring, and forecasting without requiring code or queries.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-purview-blog/extend-microsoft-purview-data-protection-to-aws-bedrock-agents-for-cross-cloud-a/4525984">Extend Microsoft Purview data protection to AWS Bedrock agents for cross-cloud AI governance</a></strong> - Organizations are moving fast with AI, and many of those AI workloads are not staying in one cloud. A team might use Microsoft 365 and Microsoft Purview for governance and in addition to Microsoft Foundry they may still choose to run an AI agent on AWS Bedrock or on the Google Cloud Platform. The technical challenge is straightforward: how do you keep one consistent set of data security, governance, and compliance controls when the agent itself runs outside Microsoft Azure?</p><h2>Defender Threat Intelligence Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/">AI brands as bait: How threat actors are using the AI hype in social engineering</a></strong> - As <a href="https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/">threat actors operationalize AI</a> to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. In recent months, Microsoft Threat Intelligence has observed a growing number of campaigns that impersonate the branding of popular AI platforms such as ChatGPT, Microsoft Copilot, DeepSeek, and Anthropic&#8217;s Claude as lures. These campaigns, which don&#8217;t represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!mhJv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!mhJv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg" width="1456" height="477" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:477,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:175114,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:&quot;https://pastthebots.com/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/200615448?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!mhJv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!mhJv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fccf650dc-9055-4f80-bdfb-300596c021f7_1760x576.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-security-updates-what-organizations-need-to-do-now/4522024">Microsoft Entra ID security updates: What organizations need to do now</a></strong> - Prepare now for three Microsoft Entra ID changes affecting Custom controls, credential registration, and self-service password reset (SSPR) enforcement.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/specialization-blog/more-ways-to-qualify-for-the-identity-and-access-management-specialization/4525686">Identity and Access Management specialization: New workloads expand partner qualification</a></strong> - Starting May 11, 2026, new workloads expanded how partners can qualify for the Identity and Access Management specialization&#8212;lowering barriers and creating more paths to earn or renew.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #73]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-18d</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-18d</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 05 Jun 2026 11:30:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OB0H!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OB0H!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OB0H!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OB0H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:246638,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/199782791?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OB0H!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!OB0H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b38594-3cd8-489c-9e49-9a6481d9113a_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday folks!</p><p>If you&#8217;re looking to build real-world skills with <strong>Security Copilot</strong>, Microsoft is offering a fantastic opportunity right now. They&#8217;re running a series of <strong>free, virtual, hands-on technical workshops</strong> specifically designed for practitioners who want to go deeper with Copilot across Entra, Intune, Purview, and Microsoft Threat Protection.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>These sessions feature scenario-based instruction, live demos, practical exercises, and expert Q&amp;A &#8212; all delivered across global time zones to make them accessible. Whether you&#8217;re focused on identity, endpoint, data security, or threat protection, there&#8217;s likely a workshop that fits your role and schedule.</p><p>&#128073; <a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/accelerate-your-security-copilot-readiness-with-our-global-technical-workshop-se/4483805?previewMessage=true">Register for a Security Copilot Virtual Workshop here</a></p><div><hr></div><p>On a different note, I&#8217;m really excited to share that a signed copy of <strong>Unlearn Security: It&#8217;s not a technology problem. It never was.</strong> by Sameh Younis just landed on my desk.</p><p>This book takes a refreshing and much-needed approach &#8212; stepping away from the purely technical lens and instead focusing on a new way of seeing the world that anyone can apply in their current role. Whether you&#8217;re a business leader making decisions, a security practitioner looking for a better path, or someone tired of hearing &#8220;security is everyone&#8217;s job&#8221; without real guidance on what that means, this one feels different. I&#8217;m genuinely looking forward to digging in.</p><p>You can grab it on Amazon: <a href="https://amzn.to/4x5Ydgt">https://amzn.to/4x5Ydgt</a></p><div><hr></div><p>Finally, I&#8217;ll be attending <strong>Black Hat 2026</strong> in Las Vegas this August. It&#8217;s always one of the best weeks of the year for connecting with sharp minds in the industry. If you&#8217;re going to be there, I&#8217;d love to say hello &#8212; drop me a note or catch me walking the halls.</p><p>Looking forward to catching up with all of you soon.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!R68V!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 424w, https://substackcdn.com/image/fetch/$s_!R68V!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 848w, https://substackcdn.com/image/fetch/$s_!R68V!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 1272w, https://substackcdn.com/image/fetch/$s_!R68V!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!R68V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png" width="984" height="264" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:264,&quot;width&quot;:984,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:365222,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://pastthebots.com/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/199782791?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!R68V!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 424w, https://substackcdn.com/image/fetch/$s_!R68V!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 848w, https://substackcdn.com/image/fetch/$s_!R68V!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 1272w, https://substackcdn.com/image/fetch/$s_!R68V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef5978e-cde9-4a0b-8bc7-f7fce10c7c21_984x264.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Before a recruiter ever sees it, an applicant tracking system parses, scores, and filters your r&#233;sum&#233;. Past the Bots shows you exactly what the machine extracts, why it gets dropped, and how to fix it. <strong><a href="http://Before a recruiter ever sees it, an applicant tracking system parses, scores, and filters your r&#233;sum&#233;. Past the Bots shows you exactly what the machine extracts, why it gets dropped, and how to fix it.">https://pastthebots.com</a></strong></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/">Microsoft Build 2026: Securing code, agents, and models across the development lifecycle</a></strong> - <a href="https://build.microsoft.com/en-US/home">At Microsoft Build 2026</a>, we are announcing new security tools and capabilities to give developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle so innovation can move fast and securely without the business losing control.<strong> </strong>Learn more about our solutions to help secure your code, secure your agents, and secure your models.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/04/updating-taxonomy-failure-modes-agentic-ai-systems-year-red-teaming-taught-us/">Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us</a></strong> - When the Microsoft AI Red Team published the <a href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Taxonomy-of-Failure-Mode-in-Agentic-AI-Systems-Whitepaper.pdf">Taxonomy of Failure Modes in Agentic AI Systems</a> in April 2025, the goal was a shared vocabulary for a threat landscape that did not fit existing frameworks. The v1.0 taxonomy was largely forward-looking, built on practitioner interviews, cross-company threat modeling, and our own early operational experience.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/securing-the-new-risk-surface-local-agents-claws-and-open-runtimes/4524602">Securing Local Agents, Claws, Runtimes</a></strong> - The next wave of AI is more than just powerful models. We&#8217;re now seeing intelligent agents that run locally on our devices, interacting directly with sensitive data, apps, and systems. Some operate persistently: monitoring, planning, and executing tasks over time instead of just responding to one-off prompts. We call these more sustained, autonomous processes &#8220;claws.&#8221; Together, local agents and claws are changing how work gets done. They also introduce a new risk surface for organizations: these agents often run with deep access and minimal oversight on endpoints, meaning a single misstep or malicious input could lead to misuse of data, unintended system changes, or other real-world impacts.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/">Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign</a></strong> - Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The compromise originated from the upstream RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline, allowing attackers to publish trojanized packages through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow. As a result, the malicious packages carried authentic provenance signatures while embedding the campaign marker &#8220;Miasma: The Spreading Blight.&#8221;</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azureobservabilityblog/is-94-of-your-syslog-just-noise-now-you-can-filter-it-out-before-ingestion-/4524600">Is 94% of your syslog just noise? Now you can filter it out before ingestion.</a></strong> - If you run Azure Monitor at scale, you already know the problem: your syslog, Windows event, and performance counter streams generate far more data than your team actually queries. Informational-severity messages, redundant counters, raw XML payloads that no one parses. All of it flows into your Log Analytics workspace, and all of it shows up on your bill. In the scenarios we tested with preview customers, teams were ingesting 10 to 20 times more data than they needed. What if you could filter, aggregate, and reshape that data before it ever reaches the workspace?</p><div id="youtube2-L_cJZH2gUQ4" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;L_cJZH2gUQ4&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/L_cJZH2gUQ4?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p><strong><a href="https://socautomators.substack.com/p/migrating-to-unified-secops-without">Migrating to Unified SecOps Without Breaking Detection</a></strong> - The migration to Microsoft unified security operations and the Sentinel data lake is not a rip-and-replace project. It is not a portal cleanup exercise. It is an operating model change that touches detection engineering, threat hunting, incident response, retention, cost, and ownership. If you rush it, you can break the detections you already trust. That is the risk most teams underestimate.</p><h2>Things to Have</h2><p><strong><a href="https://github.com/davidalonsod/Dalonso-Security-Repo/tree/main/Use%20Cases%20Threat%20Hunting/EntraIDConnect">AADProvisioningLogs &#8212; Threat Hunting &amp; Detection Pack</a></strong> - KQL detection / hunting pack for <strong>Microsoft Sentinel</strong> targeting the Microsoft Entra <strong>provisioning service</strong> (<code>AADProvisioningLogs</code>) plus hybrid coverage of the <strong>Entra Connect Sync</strong> service account (<code>SigninLogs</code>, <code>AADNonInteractiveUserSignInLogs</code>, <code>AuditLogs</code>).</p><h2>Things in the News</h2><p><strong><a href="https://www.theblaze.com/return/hackers-easily-fool-instagram-s-new-ai-identity-verification-humiliating-meta-once-again">Hackers easily fool Instagram&#8217;s new AI identity verification, humiliating Meta once again</a></strong> - There&#8217;s plenty of talk about how AI chatbots will take everyone&#8217;s jobs by the end of the decade, but so far, few companies have gone all in on the supposed wave of the future. One such company that did take the plunge, however, is Meta. After recently <a href="https://www.nytimes.com/2026/05/19/technology/meta-layoffs-ai.html">laying off 8,000 employees in favor of an AI workforce</a>, Zuckerberg is already reaping the repercussions of little-to-no human oversight as AI just caused one of the most devastating Instagram account breaches in its history.</p><h2>Microsoft Sentinel Things</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:198412459,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-security-insights-show-episode-9f2&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot;The Security Insights Show Episode 292 - Sentinel Graph and data lake&quot;,&quot;truncated_body_text&quot;:&quot;We&#8217;re excited to welcome back Gary Bushey (Security Architect at Cyclotron) for a deep technical episode covering:&quot;,&quot;date&quot;:&quot;2026-05-28T23:00:54.010Z&quot;,&quot;like_count&quot;:0,&quot;comment_count&quot;:0,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}},{&quot;id&quot;:25637175,&quot;name&quot;:&quot;Edward Walton&quot;,&quot;handle&quot;:&quot;securitybro&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F89b98b87-6bce-4c30-ba8a-4cad6287197b_202x346.jpeg&quot;,&quot;bio&quot;:&quot;Edward Walton is a security leader with over 20 years of experience in information security. His focus is Threat Intel, threat analytics and SIEM.&quot;,&quot;profile_set_up_at&quot;:&quot;2024-04-26T19:20:40.812Z&quot;,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:194879,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:268192,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:268192,&quot;name&quot;:&quot;Ed's place of highly opinionated facts on Security!&quot;,&quot;subdomain&quot;:&quot;edwardwalton&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Are we secure yet? Are we secure yet? &quot;,&quot;logo_url&quot;:null,&quot;author_id&quot;:25637175,&quot;primary_user_id&quot;:25637175,&quot;theme_var_background_pop&quot;:&quot;#FD5353&quot;,&quot;created_at&quot;:&quot;2021-01-22T17:52:33.499Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Edward Walton&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:null,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:null}},{&quot;id&quot;:2422927,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;subscriber&quot;,&quot;tier&quot;:1,&quot;accent_colors&quot;:null},&quot;paidPublicationIds&quot;:[1254398],&quot;subscriber&quot;:null}},{&quot;id&quot;:115592344,&quot;name&quot;:&quot;Frank Grimberg&quot;,&quot;handle&quot;:&quot;frankgrimberg&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23065326-db4e-4d18-b54a-b4751d05747e_144x144.png&quot;,&quot;bio&quot;:null,&quot;profile_set_up_at&quot;:null,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:5852489,&quot;user_id&quot;:115592344,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:null,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:null,&quot;paidPublicationIds&quot;:[],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-security-insights-show-episode-9f2?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title">The Security Insights Show Episode 292 - Sentinel Graph and data lake</div></div><div class="embedded-post-body">We&#8217;re excited to welcome back Gary Bushey (Security Architect at Cyclotron) for a deep technical episode covering&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">a month ago &#183; Rod Trent, Edward Walton, and Frank Grimberg</div></a></div><p><strong><a href="https://sentinel.blog/sentinel-as-code-wave-4-the-docs-nobody-wanted-to-write/">Sentinel-As-Code: Wave 4, the docs nobody wanted to write</a></strong><a href="https://sentinel.blog/sentinel-as-code-wave-4-the-docs-nobody-wanted-to-write/"> </a>- Nobody likes writing documentation. Even when you do write it, it starts dying the moment you save the file. Someone tweaks a setting in the portal, swaps a connector, changes a detection rule, and your carefully written workspace document is quietly drifting out of date for whoever reads it next. (That's assuming anyone still reads documentation these days, rather than pasting it into an AI and asking it to explain the whole thing like they're five.)</p><p><strong><a href="https://securingm365.com/defenderxdr/sentinel/sentineldefender-part4/">Series: Sentinel to Defender Portal - Automation, Playbooks and SOAR</a></strong> - That single line from <a href="https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules">Microsoft's automation documentation</a> is worth sitting with before anything else in this article. If your SOC automation strategy was built around alert-triggered playbooks firing on Defender XDR signals, those playbooks do not fire in the Unified portal in the same way. The constraint is not a bug or a gap that will be patched quietly. It is a consequence of how the Defender XDR engine owns incident creation in the Unified portal, and understanding it is the starting point for understanding everything else about SOAR in this environment.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://pastthebots.com/" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TPhm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TPhm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg" width="1456" height="477" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:477,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:175114,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:&quot;https://pastthebots.com/&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/199782791?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TPhm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!TPhm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3466a9e7-966f-4b82-8f42-e7bbde7c0ca5_1760x576.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Defender for Cloud Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/now-generally-available-microsoft-defender-for-open-source-relational-databases-/4514651">Now Generally Available: Microsoft Defender for open source relational databases on AWS RDS</a></strong> - Open&#8209;source (OSS) relational databases are becoming increasingly critical and increasingly targeted in organization of all sizes. As organizations adopt multicloud architectures, these databases often run across Azure and Amazon Web Services (AWS), while security tools remain fragmented. The result is inconsistent visibility into sensitive data, disconnected alerts, and limited insight into how database exposure translates into real risk.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/start-secure-stay-secure-how-microsoft-is-closing-the-gap-from-code-to-runtime/4524580">Start Secure, Stay Secure: How Microsoft is Closing the Gap from Code to Runtime</a></strong> - Help identify and prioritize exploitable vulnerabilities from code to runtime using codename MDASH and the Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite) native integration.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/">Malicious npm packages abuse dependency confusion to profile developer environments</a></strong> - Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy an obfuscated reconnaissance payload.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-enables-developers-with-strong-data-security-across-ai-apps-an/4524626">Microsoft Purview enables developers with strong data security across AI apps and agents</a></strong> - Build AI apps and agents faster&#8212;without compromising on data security or compliance. See how Microsoft Purview helps developers protect sensitive data across local agents, Foundry, GitHub Copilot, and more.</p><h2>Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/run-global-secure-access-with-confidence-introducing-the-gsa-operations-guide/4524891">Run Global Secure Access with confidence: Introducing the GSA Operations Guide</a></strong> - Use the new Operations Guide to adopt alert-first workflows, standardize operations, and run Global Secure Access more reliably every day.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #72]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-0e6</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-0e6</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 29 May 2026 11:15:24 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!MJGO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MJGO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MJGO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MJGO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:184023,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/198748152?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!MJGO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!MJGO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a97ebd-b333-464f-b89d-fd90dfd3d2a4_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday, people! (&#8230;and AI Agent summarizers)</p><p>Welcome back to THE PROMPT for Microsoft Security!</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>It&#8217;s been a busy week in the Microsoft Security space, and this issue is packed with the good stuff. We&#8217;ve got a deep dive into tenant governance with Microsoft Entra, a look at how attackers are now using AI chatbots to spread cryptojacking malware (yes, really), and some solid quality-of-life improvements for Purview administrators. If you manage multi-tenant environments, you&#8217;re going to want to bookmark a few of the links in this one.</p><p>As always, I&#8217;ve curated the most relevant and actionable content I could find &#8212; so grab your coffee, settle in, and let&#8217;s get into it.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Watch/Listen To</h2><div id="youtube2-nIOantcKcOI" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;nIOantcKcOI&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/nIOantcKcOI?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Things in Techcommunity</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-security-community-spotlight-marcel-graewer/4523372">Microsoft Security Community Spotlight: Marcel Graewer</a></strong> - Meet Marcel Graewer, a Microsoft Customer and community leader who engages Microsoft Security users and fans around the world, from young students to seasoned practitioners.</p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/">The Gentlemen ransomware: Dissecting a self-propagating Go encryptor</a></strong> - Ransomware that combines robust encryption with rapid lateral movement significantly increases the risk and impact of an attack. The Gentlemen ransomware is a <a href="https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/">ransomware-as-a-service (RaaS)</a> threat that is distinguished by its ability to pair its strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.</p><p><strong><a href="https://rohitanandblog.substack.com/p/soc-for-ai-series-01">SOC for AI &#8212; 01: Your SOC Was Built for a War That Already Ended</a></strong> - A SOC for AI is not a traditional SOC with an AI chatbot bolted on. It is a detection and response capability redesigned from first principles around three realities: attackers operate at machine speed, AI systems are both weapons and attack surfaces, and most modern threats leave no malware signature.</p><h2>Things from Partners</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/partnernews/partner-case-study--quorum-cyber/4523005">Partner Case Study | Quorum Cyber</a></strong> - Used Microsoft Sentinel to deliver a unified platform, greater visibility, and 24/7 threat response for election data nonprofit Data Trust.</p><h2>Defender XDR Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/organize-your-multitenant-view-with-tenant-groups-in-microsoft-defender/4522992">Organize your multitenant view with Tenant Groups in Microsoft Defender</a></strong> - Managing security across many tenants shouldn&#8217;t mean drowning in a single, flat list. We&#8217;re excited to share a new capability, now in public preview in the Microsoft Defender multitenant (MTO) porta<strong>l</strong>: <strong>Tenant Groups</strong>&#8212;a flexible way to organize the tenants you manage and switch your view between them with a single click.</p><h2>Defender Experts Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/">From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities</a></strong> - Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://github.com/davidalonsod/Dalonso-Security-Repo/tree/main/Use%20Cases%20Threat%20Hunting/Purview">Purview / IRM / eDiscovery gap-filler pack for Microsoft Sentinel (v2.2)</a></strong> - ARM template that deploys <strong>14 scheduled analytic rules</strong> targeting detection gaps <strong>not</strong> covered by native Microsoft Purview DLP, IRM Adaptive Protection, MDA built-in policies, Activity Explorer, Compliance dashboards, or Sentinel UEBA / Fusion.</p><p><strong><a href="https://kusenberg.net/finally-more-clarity-for-microsoft-purview-roles">Finally: More Clarity for Microsoft Purview Roles - Julian Kusenberg IT Beratung</a></strong> - Microsoft is expanding the <strong>Role Groups page</strong> in the Purview Compliance Portal with additional lookup views. Administrators will be able to trace and review permissions much more easily.</p><h2>Defender Vulnerability Management</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/vulnerability-management/how-to-exclude-specific-cves-with-cve-exceptions-in-microsoft-defender-vulnerabi/4523507">How to exclude specific CVEs with CVE exceptions in Microsoft Defender Vulnerability Management</a></strong> - A security recommendation can include many CVEs. If only one CVE is out of scope, excluding the full recommendation can hide vulnerabilities that still matter in your environment. CVE exceptions help you make a narrower decision: exclude one specific CVE for a defined scope and duration, while keeping the rest of the recommendation active.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/find-shadow-tenants-and-reduce-risk-fast-with-microsoft-entra-tenant-governance/4521996">Find shadow tenants and reduce risk fast with Microsoft Entra Tenant Governance</a></strong> - Get continuous visibility into related tenants and the signals behind them&#8212;so you can reduce blind spots before they turn into incidents.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #71]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-838</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-838</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 22 May 2026 11:30:53 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!M8OE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!M8OE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!M8OE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!M8OE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:310878,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/197884328?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!M8OE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!M8OE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda88e95-8a84-435e-b264-d727d48e32da_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Lots of crazy things going on here at Microsoft, as it&#8217;s nearing the end of the fiscal year. But one thing I wanted to call out before heading into the actual newsletter.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Microsoft just introduced the <strong>Microsoft Certified: Cloud and AI Security Engineer Associate</strong> &#8212; a timely new credential designed for the evolving demands of securing modern cloud and AI workloads.</p><p>As organizations race to adopt AI and expand across hybrid cloud environments, security expectations have skyrocketed. This certification validates your ability to design and implement <strong>end-to-end security controls</strong> across identity, data, compute, networking, and AI systems &#8212; going beyond traditional Azure-focused security to address today&#8217;s broader threat landscape.</p><h3>Key Highlights:</h3><p><strong>Exam</strong>: SC-500: Implementing End-to-End Security Controls for Cloud and AI Workloads (now in <strong>beta</strong>)</p><p>Covers critical skills like:</p><ul><li><p>Managing identity, access, and governance (with Microsoft Entra ID)</p></li><li><p>Securing storage, databases, networking, and compute</p></li><li><p>Protecting AI solutions and monitoring overall security posture</p></li></ul><p>Ideal for security engineers working in Azure, hybrid, and multi-cloud setups who collaborate with architects, DevOps, and developers</p><p><strong>Special Beta Offer</strong>: The first <strong>300 candidates</strong> who take Exam SC-500 on or before <strong>June 8, 2026</strong> can get <strong>80% off</strong> using code <strong>VistaSC500</strong> (limited availability, some country restrictions apply).</p><p>General availability of the full certification is expected in <strong>July 2026</strong>.</p><p>Whether you&#8217;re looking to level up your skills, stand out in the job market, or future-proof your security career in the AI era, this is a certification worth watching closely.</p><p><strong>Ready to dive in?</strong> Check out the full announcement and exam details here:<br><a href="https://techcommunity.microsoft.com/blog/skills-hub-blog/new-microsoft-certified-cloud-and-ai-security-engineer-associate-certification/4494117">New Microsoft Certified: Cloud and AI Security Engineer Associate</a></p><p>What do you think &#8212; is this the right next step for your career? Drop a reply and me know!</p><p><em>Stay secure and keep learning,</em></p><p><em>Talk soon.</em></p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/state-explosion-security-problem-in-ai-era-software-supply-chains/4518255">State Explosion Security Problem in AI-Era Software Supply Chains</a></strong> - AI-accelerated development is flooding the supply chain with code faster than security systems can scan it. A single line changes the intent of an entire package, and scanning infrastructure was never built for this pace.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/18/how-to-better-protect-your-growing-business-in-an-ai-powered-world/">How to better protect your growing business in an AI-powered world</a></strong> - How can we maximize the benefits of AI while staying protected in a rapidly evolving threat landscape?</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/building-ai-guardian-extension-ai-detection-and-enterprise-ai-security/4521125">Building AI Guardian Extension: AI Detection and Enterprise AI Security</a></strong> - Generative AI tools such as ChatGPT, GitHub Copilot, and Google Gemini are rapidly becoming part of everyday enterprise workflows. Teams use them for code generation, documentation, analysis, support automation, and productivity enhancement. However, this accelerated adoption has also created a significant governance and security challenge: This is where AI Guardian Extension becomes valuable.</p><p><strong><a href="https://socautomators.substack.com/p/why-your-siem-architecture-needs2">Why Your SIEM Architecture Needs to Change</a></strong> - This series is all about building the Agentic SOC. We are building this from the ground up or for some taking a very close look at their existing SIEM and data architecture. We must have more data and the right data that the agentic SOC can leverage.</p><h2>Things to Watch/Listen To</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:197223777,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-63b&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot;The \&quot;AI\&quot; Security Insights Show Episode 291 - Aditya and Nanda from DataBahn&quot;,&quot;truncated_body_text&quot;:&quot;Guest link - https://www.databahn.ai/&quot;,&quot;date&quot;:&quot;2026-05-15T13:41:47.097Z&quot;,&quot;like_count&quot;:0,&quot;comment_count&quot;:0,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}},{&quot;id&quot;:25637175,&quot;name&quot;:&quot;Edward Walton&quot;,&quot;handle&quot;:&quot;securitybro&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F89b98b87-6bce-4c30-ba8a-4cad6287197b_202x346.jpeg&quot;,&quot;bio&quot;:&quot;Edward Walton is a security leader with over 20 years of experience in information security. His focus is Threat Intel, threat analytics and SIEM.&quot;,&quot;profile_set_up_at&quot;:&quot;2024-04-26T19:20:40.812Z&quot;,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:194879,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:268192,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:268192,&quot;name&quot;:&quot;Ed's place of highly opinionated facts on Security!&quot;,&quot;subdomain&quot;:&quot;edwardwalton&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Are we secure yet? Are we secure yet? &quot;,&quot;logo_url&quot;:null,&quot;author_id&quot;:25637175,&quot;primary_user_id&quot;:25637175,&quot;theme_var_background_pop&quot;:&quot;#FD5353&quot;,&quot;created_at&quot;:&quot;2021-01-22T17:52:33.499Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Edward Walton&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:null,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:null}},{&quot;id&quot;:2422927,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;subscriber&quot;,&quot;tier&quot;:1,&quot;accent_colors&quot;:null},&quot;paidPublicationIds&quot;:[1254398],&quot;subscriber&quot;:null}},{&quot;id&quot;:115592344,&quot;name&quot;:&quot;Frank Grimberg&quot;,&quot;handle&quot;:&quot;frankgrimberg&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23065326-db4e-4d18-b54a-b4751d05747e_144x144.png&quot;,&quot;bio&quot;:null,&quot;profile_set_up_at&quot;:null,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:5852489,&quot;user_id&quot;:115592344,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:null,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:null,&quot;paidPublicationIds&quot;:[],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-63b?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title">The "AI" Security Insights Show Episode 291 - Aditya and Nanda from DataBahn</div></div><div class="embedded-post-body">Guest link - https://www.databahn.ai&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">2 months ago &#183; Rod Trent, Edward Walton, and Frank Grimberg</div></a></div><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/build-a-local-microsoft-sentinel-triage-agent-in-vs-code-copilot--mcp/4520486">Build a Local Microsoft Sentinel Triage Agent in VS Code (Copilot + MCP)</a></strong> - As SOC environments become increasingly data-rich, the real bottleneck shifts to investigation efficiency. In this post, we explore a local-first Sentinel triage workflow powered by Copilot and MCP, designed to reduce friction, improve reliability, and enable safer automation in incident response.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/agent-365-connector-monitor-hunt-and-investigate-ai-agent-activity-in-microsoft-/4520836">Agent 365 connector: Monitor, hunt, and investigate AI agent activity in Microsoft Sentinel</a></strong> - As enterprises scale the use of AI agents, SOC teams need visibility into AI agent behavior. The <strong>Agent 365 connector,</strong> now in public preview, streams rich agent telemetry from Agent 365 into Microsoft Sentinel data lake. Agent activity, such as agent data exposure or access drift, is surfaced alongside other security data, giving SOC teams a unified view across digital environments. AI Agent actions are correlated with agent identity, endpoint, and cloud signals, enabling analysts to run end&#8209;to&#8209;end investigations using KQL, graph, and MCP-powered workflows.</p><h2>Defender XDR Things</h2><p><strong><a href="https://medium.com/@rohitashokgowd/microsoft-defender-xdr-custom-detection-rules-a-complete-guide-best-practices-9faf8c837797">Microsoft Defender XDR Custom Detection Rules: A Complete Guide &amp; Best Practices</a></strong> - Microsoft Defender XDR custom detection rules have changed a lot in the past year&#8217;s. In October 2024, near-real-time (NRT) detections entered preview. In October 2025, custom detections became the default for new rules across Defender XDR and Sentinel. In January 2026, NRT support expanded to Sentinel data. Then in April 2026, Microsoft added a SentinelScope_CF requirement that can stop some analysts from seeing alerts if it&#8217;s missed.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/">How Storm-2949 turned a compromised identity into a cloud-wide breach</a></strong> - Microsoft Threat Intelligence recently uncovered a methodical, sophisticated, and multi-layered attack, where a threat actor we track as Storm-2949 launched a relentless campaign with a singular focus: to exfiltrate as much sensitive data from a target organization&#8217;s high-value assets as possible. The attack exfiltrated data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, where the organization&#8217;s production application ecosystem resides.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/securing-ai-agents-end%E2%80%91to%E2%80%91end-connecting-purview-dspm-agent-365-and-the-ai-secur/4521155">Securing AI Agents End&#8209;to&#8209;End: Connecting Purview DSPM, Agent 365, and the AI Security Dashboard</a></strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/securing-ai-agents-end%E2%80%91to%E2%80%91end-connecting-purview-dspm-agent-365-and-the-ai-secur/4521155"> </a>- Organizations deploying Microsoft Copilot and custom AI agents face a critical gap: <strong>security visibility is fragmented</strong> across data protection, identity governance, and threat detection tools. While Microsoft provides powerful capabilities through Purview Data Security Posture Management (DSPM), Agent 365, and the AI Security Dashboard, practitioners often struggle to understand <strong>how these components work together</strong> to deliver unified AI security posture management.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #70]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-15a</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-15a</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 15 May 2026 11:31:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!c5wS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!c5wS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!c5wS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!c5wS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:236106,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/197214547?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!c5wS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!c5wS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d2eb238-cb72-4889-9cc5-4621c1d51a11_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>I&#8217;ve been deep in the trenches lately building practical tools that actually move the needle for Microsoft Security practitioners. I&#8217;m excited to share two brand-new, ready-to-use (or ready-to-fork) projects I just open-sourced:</p><ul><li><p><strong>I Built an AI SOC Analyst for Microsoft Sentinel and Defender XDR</strong> - A fully functional AI-powered analyst that triages, investigates, and documents incidents in your environment. Check it out and deploy it yourself: <a href="https://rodtrent.substack.com/p/i-built-an-ai-soc-analyst-for-microsoft">&#8594; Read the full post &amp; get the code</a></p></li><li><p><strong>GHASTriage: A One-Command Security Audit for Your GitHub Portfolio</strong> - Run a single command and get a comprehensive security posture report across all your repos &#8212; secrets scanning, misconfigs, dependency risks, and more. Perfect for individuals and teams who want to stay ahead of supply-chain threats. <a href="https://rodtrent.substack.com/p/ghastriage-a-one-command-security">&#8594; Try GHASTriage now</a></p></li></ul><p>Last week I had the privilege of speaking at <strong>MMSMOA 2026</strong> in five sessions, covering Microsoft Purview, Sentinel, and a heavy emphasis on AI Agents across the security stack. The energy in the room was fantastic, and one of the organizers, Kent Agerlund, put together an excellent roundup of the key security numbers and insights from the event. Highly recommended read:<br><a href="https://www.linkedin.com/pulse/mms-2026-moa-i-let-numbers-do-talking-kent-agerlund-wmmqe/">&#8594; MMS 2026 MOA: Let the Numbers Do the Talking</a></p><p>If you&#8217;re working with Microsoft Security tools and want to level up with AI, automation, and practical solutions, you&#8217;re in the right place. Let&#8217;s dive into this week&#8217;s prompts, insights, and actionable guidance.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:197754233,&quot;url&quot;:&quot;https://rodtrent.substack.com/p/microsoft-unveils-mdash-a-game-changing&quot;,&quot;publication_id&quot;:1254398,&quot;publication_name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!rp9E!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;title&quot;:&quot;Microsoft Unveils MDASH: A Game-Changing Multi-Model Agentic AI System for Cybersecurity&quot;,&quot;truncated_body_text&quot;:&quot;In a significant leap for AI-powered defense, Microsoft has introduced MDASH (Multi-Model Agentic Scanning Harness), a sophisticated cybersecurity system that orchestrates over 100 specialized AI age&#8230;&quot;,&quot;date&quot;:&quot;2026-05-14T20:21:46.605Z&quot;,&quot;like_count&quot;:4,&quot;comment_count&quot;:0,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;newsletter&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://rodtrent.substack.com/p/microsoft-unveils-mdash-a-game-changing?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!rp9E!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png" loading="lazy"><span class="embedded-post-publication-name">Rod&#8217;s Blog</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title">Microsoft Unveils MDASH: A Game-Changing Multi-Model Agentic AI System for Cybersecurity</div></div><div class="embedded-post-body">In a significant leap for AI-powered defense, Microsoft has introduced MDASH (Multi-Model Agentic Scanning Harness), a sophisticated cybersecurity system that orchestrates over 100 specialized AI age&#8230;</div><div class="embedded-post-cta-wrapper"><span class="embedded-post-cta">Read more</span></div><div class="embedded-post-meta">2 months ago &#183; 4 likes &#183; Rod Trent</div></a></div><h2>Things that are Related</h2><p><strong><a href="https://socautomators.substack.com/p/are-ai-agents-changing-the-soc">Are AI Agents Changing the SOC?</a></strong> - A new wave of SaaS vendors is selling the same story: deploy our AI and your SOC runs itself. Tier 1 replaced. Tier 2 automated away. Tier 3 handled by agents that never sleep. That is not how this works. Not today, and not in any production SOC I have seen or built.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-finds-16-new-vulnerabilities/">Defense at AI speed: Microsoft&#8217;s new multi-model agentic security system finds 16 new vulnerabilities</a></strong> - Today Microsoft announced a major step forward in AI-powered cyber defense: our new agentic security system helped researchers find 16 new vulnerabilities across the Windows networking and authentication stack&#8212;including four Critical remote code execution flaws in components such as the Windows kernel TCP/IP stack and the IKEv2 service. They used the new Microsoft Security <strong>m</strong>ulti-mo<strong>d</strong>el <strong>a</strong>gentic <strong>s</strong>canning <strong>h</strong>arness (codename MDASH) which was built by Microsoft&#8217;s Autonomous Code Security team. Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/educatordeveloperblog/building-the-solution-teams-need-to-secure-ai-against-prompt-injection/4514198">Building the Solution Teams Need to Secure AI Against Prompt Injection</a></strong> - AI is being deployed faster than it is being secured. Threats like prompt injection remain difficult to mitigate in practice, leaving real-world systems exposed. To address this, we built a prompt injection testing platform powered by Microsoft Foundry.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/">When prompts become shells: RCE vulnerabilities in AI agent framework</a></strong> - AI agents have fundamentally changed the threat model of AI model-based applications. By equipping these models with plugins (also called tools), your agents no longer just generate text; they now read files, search connected databases, run scripts, and perform other tasks to actively operate on your network. Because of this, vulnerabilities in the AI layer are no longer just a content issue and are an execution risk. If an attacker can control the parameters passed into these plugins via prompt injection, the agent may be driven to perform actions beyond its intended use.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defending-consumer-web-properties-against-modern-ddos-attacks/">Defending consumer web properties against modern DDoS attacks</a></strong> - If you own, create, or maintain <a href="https://azure.microsoft.com/en-us/explore/security/">online services</a> and web portals, you&#8217;re probably aware of the dramatic upswing in DDoS attacks on your domains. AI has democratized tooling not just for us but for threat actors as well. DDoS in this era has extended from simple bandwidth saturation to sophisticated, application-layer abuse. Defending against this activity now requires system-level design, beyond just the typical network-level filtering. As botnets continue to expand their footprint and evade identification, it is important for us to take a step back, assess the situation, and take a defense-in-depth approach to increase our resilience against this class of disruption.</p><p><strong><a href="https://www.microsoft.com/en-us/msrc/blog/2026/05/a-note-on-patch-tuesday">Expect bigger Patch Tuesdays going forward as AI accelerates the discovery of vulnerabilities</a></strong> - The work of finding and fixing vulnerabilities continues to get faster, broader, and more rigorous across the industry. Customers should expect this to be reflected in the size of a given Patch Tuesday, and at times in how updates are delivered.</p><h2>Things to Watch/Listen To</h2><div id="youtube2-CrAJZy7ne3Q" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;CrAJZy7ne3Q&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/CrAJZy7ne3Q?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/extending-sentinel-data-integration-azure-blob-storage-support-for-ccf-connector/4516896">Extending Sentinel Data Integration: Azure Blob Storage Support for CCF Connectors</a></strong> - Explore a new data ingestion pattern for Microsoft Sentinel connectors, leveraging Azure Blob Storage to enable resilient, scalable pipelines that support high&#8209;volume data streaming and modern security operations.</p><p><strong><a href="https://techcommunity.microsoft.com/discussions/microsoftsentinel/sentinel-foundry---mcp-server-preview-github-community-release/4517063#M12928">Sentinel Foundry - MCP Server (Preview) (Github Community Release)</a></strong> - I&#8217;ve been cooking something that a lot of people in SOC have been struggling with &#8212; especially on the engineering side of <strong><a href="https://www.linkedin.com/company/microsoft/">Microsoft</a></strong> Sentinel. Thanks to the <strong><a href="https://www.linkedin.com/company/microsoft-security/">Microsoft Security</a></strong> team for shaping the capabilities of Sentinel even better with Sentinel Data Lake &amp; Modern SecOps.</p><p><strong><a href="https://sentinel.blog/sentinel-as-code-wave-3/">Sentinel-As-Code: Wave 3</a></strong> - <a href="https://sentinel.blog/sentinel-as-code-wave-2/">Wave 2</a> closed with one specific promise: end-to-end Pester tests wired in as a PR gate, with branch protection on <code>main</code> so nothing merged without a green run. Wave 3 lands that gate, plus a handful of other things that took shape alongside it.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/how-microsoft-defender-used-predictive-shielding-to-proactively-disrupt-a-ransom/4519498">How Microsoft Defender used predictive shielding to proactively disrupt a ransomware attack</a></strong> - Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale. In a recent real&#8209;world incident, a human&#8209;operated ransomware actor attempted to do exactly that by abusing <strong>Group Policy Objects (GPOs) to target hundreds of devices, but Microsoft Defender detected the attack and proactively hardened those devices before GPOs were deployed.</strong></p><h2>Defender for Cloud Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/14/configuration-becomes-vulnerability-exploitable-misconfigurations-ai-apps/">When configuration becomes a vulnerability: Exploitable misconfigurations in AI apps</a></strong> - AI and agentic application deployments on cloud-native platforms are increasing, and they often prioritize speed over secure configuration. Our observations from aggregated and anonymized Microsoft Defender for Cloud signals showed cases where AI services were publicly exposed with weak or missing authentication, creating exploitable misconfigurations that attackers actively abused. These issues enabled low-effort, high-impact outcomes such as remote code execution, credential theft, and access to sensitive internal tools and data.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/">Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise</a></strong> - In recent years, many sophisticated intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. By operating through legitimate and trusted administrative mechanisms, threat actors could more easily blend seamlessly into routine operations and remain undetected.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/secure-the-moments-attackers-target-onboarding-access-requests-and-account-recov/3627344">Secure the moments attackers target: onboarding, access requests, and account recovery</a></strong> - Learn how Face Check supports high assurance identity verification for onboarding, access requests, and account recovery.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #69]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-e76</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-e76</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 01 May 2026 11:31:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!TeKp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TeKp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TeKp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TeKp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:256826,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/195239025?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TeKp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!TeKp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0baa2623-0447-4f31-a086-e3196a06a448_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone! Just a <strong>Quick NOTE about the newsletter delivery next week!</strong></p><p>I&#8217;ll be delivering two technical sessions with my co-speaker <strong>Sergey Chubarov</strong> (Microsoft MVP and Cloud Security Architect) next week at MMS at MOA.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Due to all the community busyness of the week, this newsletter will not deliver next week. However, as a consolation prize, all slide decks, demo scripts, narrated walkthrough videos, and supporting materials are in the GitHub repo: <a href="https://github.com/rod-trent/MMSMOA">https://github.com/rod-trent/MMSMOA</a>.</p><h3>Session 1: &#128737;&#65039; Agentic Threat Hunting with Microsoft Sentinel: From MCP Server to Graph Insights</h3><p>We&#8217;ll dive into building a modern threat-hunting strategy that combines the <strong>Model Context Protocol (MCP) Server</strong> for natural-language analysis with powerful graph-driven investigations in Microsoft Sentinel. You&#8217;ll see how to turn KQL queries into reusable MCP tools, integrate with Copilot or custom agents, leverage entity relationships and UEBA, and walk through realistic incident scenarios.</p><p><strong>Key takeaways:</strong></p><blockquote><p>&#8226; Operationalizing agentic hunting and Copilot integration</p><p>&#8226; Moving from tables to graphs (Account &#8596; Device &#8596; IP &#8596; App) for faster triage</p><p>&#8226; Ingestion pipelines, ASIM normalization, enrichment, cost control, and rollout checklists</p></blockquote><p>Demos include building an MCP server, running natural-language hunts, and full graph investigations with ready-to-use Python scripts.</p><h3>Session 2: &#128274; Governing GenAI: Monitoring and Securing Copilot with Microsoft Purview</h3><p>This session focuses on the security and compliance challenges of Microsoft 365 Copilot and GenAI. We&#8217;ll use <strong>Microsoft Purview</strong> as the central control plane, mapping real risks (sensitive prompts, data exfiltration, insider threats) to practical controls like sensitivity labels, DLP, Insider Risk, Audit, and eDiscovery.</p><p><strong>Key takeaways:</strong></p><blockquote><p>&#8226; A clear blueprint linking GenAI risks to Purview capabilities</p><p>&#8226; Building strong monitoring views with Audit logs</p><p>&#8226; Policy patterns and a phased rollout plan (including simulation mode and metrics)</p></blockquote><p>Demos feature PowerShell scripts for creating Copilot-aware labels, deploying DLP policies, analyzing audit logs, and testing enforcement &#8212; all starting safely in simulation mode.</p><p>Both slide decks (44 and 49 slides) have embedded videos, and every demo folder includes full MP4 walkthroughs.</p><p>I&#8217;ll also be on-hand throughout the event for <strong>lively discussions</strong> around the <strong>MVP program</strong> and the <strong>Security Advisors program</strong> at Microsoft. Come find me if you want to chat about community contributions, security best practices, or anything in the Microsoft ecosystem.</p><p>The event runs <strong>May 3&#8211;7, 2026</strong>, at the Radisson Blu in Bloomington, MN (right by the Mall of America). Looking forward to seeing you there and having great conversations!</p><p>Materials are all here: <a href="https://github.com/rod-trent/MMSMOA">github.com/rod-trent/MMSMOA</a>. Let&#8217;s make it a great week! &#128640;</p><p>&#8230;</p><p>Talk soon!</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://socautomators.substack.com/p/log-sources-your-soc-needs-for-detection-78f">Log Sources Your SOC Needs for Detection, Forensics, and Hunting- MUST-HAVE</a></strong> - This article covers the 20 log sources that form the core of your detection architecture &#8212; 14 must-have and 6 should-have. These are the sources that cover the attack chains that matter most: credential theft, BEC, ransomware lateral movement, privileged access abuse, and AI agent threats.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/appsonazureblog/securing-your-ai-agents-before-they-ship-red-teaming-with-microsoft-pyrit/4515514">Securing Your AI Agents Before They Ship: Red Teaming with Microsoft PyRIT</a></strong> - As AI engineers, we&#8217;re shipping agents that reason, call tools, and act on behalf of users &#8212; but most of us haven&#8217;t security-tested them. Microsoft&#8217;s PyRIT framework gives you 53+ adversarial datasets, 70+ prompt converters, and 6 attack strategies out of the box. But PyRIT is a toolkit &#8212; it gives you the building blocks, not the pipeline. In this post, I walk through how to wrap PyRIT into a config-driven scanner with OWASP mapping, release gating, and CI/CD integration &#8212; so your team can start red-teaming AI agents in an afternoon, not weeks.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmissioncriticalblog/enterprise-security-assessment-a-strategic-lens-for-mission-critical-environment/4515991">Enterprise Security Assessment: A Strategic Lens for Mission Critical Environments</a></strong> - Understanding security posture at scale requires more than isolated control reviews or point&#8209;in&#8209;time assessments. The Enterprise Security Assessment (ESA) helps organizations understand their security posture across Azure, Microsoft 365, and hybrid environments from a true enterprise perspective. Instead of assessing individual services or workloads in isolation, ESA provides a <strong>single, enterprise&#8209;wide view of security</strong>.</p><p><strong><a href="https://rodtrent.substack.com/p/irql-incident-response-query-language">IRQL: Incident Response Query Language</a></strong> - I&#8217;m excited to share <strong>IRQL</strong> &#8212; a collection of Kusto functions designed to abstract away the chaos of disparate security logs and deliver a clean, intention-revealing query experience. Created by Saar Ron, John Lambert, and Diana Damenova, IRQL turns verbose, brittle KQL walls-of-text into readable, reusable pipelines that both humans and LLMs can understand and compose effectively.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://sentinel.blog/sentinel-playbook-manager/">Sentinel Playbook Manager</a></strong> - If you have ever tried to move a Microsoft Sentinel playbook from one tenant to another or from the portal into a Git repository you will know the pain. The out-of-the-box "Export Template" button gives you something <em>almost</em> useful: a JSON file stuffed with hardcoded subscription IDs, tenant IDs, resource group names, a region buried in every API path, connector names with designer suffixes like <code>azuresentinel-3</code>, and a <code>$connections</code> block that the ARM deployment engine is unhappy with.</p><p><strong><a href="https://medium.com/@rohitashokgowd/seven-queries-to-audit-the-sentinel-detections-your-soc-may-have-missed-8e9c73fc2522">Seven Queries to Audit the Sentinel Detections Your SOC May Have Missed.</a></strong> - Every Sentinel workspace I&#8217;ve worked with has rules that nobody remembers setting up. Sometimes just a few, sometimes a lot. They might have come from a content hub solution years ago, copied from a template during testing or created by someone who&#8217;s no longer around. They keep running, use up compute and no one checks what they produce.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/04/28/simplifying-aws-defense-microsoft-sentinel-ueba/">Simplifying AWS defense with Microsoft Sentinel UEBA</a></strong> - With the <a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/microsoft-sentinel%E2%80%99s-ai-driven-ueba-ushers-in-the-next-era-of-behavioral-analyti/4448390">expansion of Microsoft Sentinel UEBA (User and Entity Behavior Analytics) into new data sources</a>, spanning multi-cloud (AWS, GCP), identity providers (Okta), and authentication logs (MDE DeviceLogon, Microsoft Entra ID Managed Identity, Service Principal sign-ins), defenders can now detect behavioral anomalies across hybrid environments from a single place.</p><p><strong><a href="https://sentinel.blog/sentinel-as-code-wave-2/">Sentinel-As-Code: Wave 2</a></strong> - Wave 1 was solid, but it had gaps. Wave 2 closes them and ships a lot more. The release adds a more robust framework, a substantially larger content library, and a set of operational capabilities that did not exist in Wave 1: a watchlist-driven DCR billing sync, a 111-rule community contribution from <a href="https://www.linkedin.com/in/david-alonso-dominguez/?ref=sentinel.blog">David Alonso</a>, a daily drift detector that auto-PRs portal edits back into the repo, 28 new Defender XDR detections, a major playbook catalogue reshuffle, a Pester test suite for the drift functions, and a documentation reorganization.</p><p><strong><a href="https://medium.com/@shakirabdul31/defending-the-ai-layer-using-microsoft-sentinels-copilot-detection-use-cases-cd002c5bc29a">Defending the AI Layer using Microsoft Sentinel&#8217;s Copilot Detection Use Cases</a></strong> - Every SOC has hardened its endpoints, tuned its identity detections, and mapped its network traffic. But there&#8217;s a new attack surface that most security teams are still figuring out how to monitor i.e. the<strong> AI layer</strong>. Microsoft Copilot is now embedded across Microsoft 365, Azure, and enterprise workflows. Users interact with it daily, prompting it, installing plugins, and in some cases, trying to misuse it.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/use-data-wrangler-to-streamline-your-microsoft-sentinel-data-lake-notebook-devel/4490214">Use Data Wrangler to Streamline Your Microsoft Sentinel data lake Notebook Development</a></strong> - As you create a Sentinel data lake notebook, sometimes you need to explore the data and refine it before moving to your next cell. Using the Data Wrangler extension in Visual Studio Code can help you visualize and shape your DataFrames more efficiently.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354">What&#8217;s new in Microsoft Sentinel: April 2026</a></strong> - Welcome to the April 2026 edition of What's new in Microsoft Sentinel. April brings a broad set of updates, with <a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%e2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971">RSAC 2026 announcements</a> rolling out alongside new features. Highlights include cost limit enforcement to prevent runaway query costs, curated open-source intelligence in Threat Analytics, and new data connectors for CrowdStrike, Imperva, AWS, and Logstash. Together, these innovations help security teams control costs, stay ahead of emerging threats, and broaden visibility without added complexity.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/assess-secure-boot-status-with-microsoft-defender/4510356">Assess Secure Boot status with Microsoft Defender</a></strong> - Enterprise organizations are approaching a critical security milestone: Windows Secure Boot 2011 certificates, currently deployed across millions of devices, are scheduled to expire in June 2026. These certificates need to be replaced by the newer 2023 certificates. To help organizations prepare, Microsoft Defender is introducing a new tool that provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet.</p><h2>Defender XDR Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/microsoft-defender-new-advanced-hunting-enhancements/4514654">Microsoft Defender: New Advanced hunting enhancements</a></strong> - As a security analyst who actively hunts for critical threats, one of the most frustrating things that can happen is hitting a limit mid-query or encounter an experience that doesn&#8217;t behave as expected. The resulting friction and time spent troubleshooting or navigating takes valuable focus away from the investigation itself. To address this, we&#8217;ve made several enhancements across the experience to ensure investigations can scale seamlessly so analysts can stay focused on finding and stopping threats without interruption. These updates are based on your feedback and our commitment to continually improve the experience for analysts and customers alike.</p><p><strong><a href="https://socautomators.substack.com/p/update-to-microsoft-signinlogs">Update to Microsoft SigninLogs</a></strong> - Understanding how applications authenticate is critical for securing identities, enforcing Conditional Access, and planning modernization. Previously, sign&#8209;in logs have provided limited visibility into <em>which</em> authentication protocols and flows were actually used during authentication, often showing the protocol value as <code>None</code>.</p><h2>Defender Experts Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/edr-coexistence-by-design-a-practical-starting-point-to-defender/4515265">EDR coexistence by design: A practical starting point to Defender</a></strong> - Increasingly, organizations are finding that coexistence can deliver meaningful security outcomes. In addition, when designed with purpose, coexistence allows teams to being realizing the value of their existing Microsoft licensing, strengthen detection and response, and build confidence in Defender under real-world operating conditions.</p><h2>Defender for Identity Things</h2><p>We&#8217;re excited to share <strong>new Unified Identity Inventory (UII) capabilities</strong>, including the ability to define <strong>identity correlation rules</strong> that enable correlation at scale and <strong>extend coverage to SaaS and cloud identities</strong>. These enhancements provide broader identity visibility and deeper analysis across modern environments.</p><ul><li><p>&#8203;&#8204;<a href="https://learn.microsoft.com/en-us/defender-cloud-apps/general-setup#enable-identity-inventory-integration">Enable Identity inventory integration - Microsoft Defender for Cloud Apps | Microsoft Learn</a></p></li><li><p><a href="https://learn.microsoft.com/en-us/defender-for-identity/identity-inventory?tabs=human-identities">View the Identity inventory - Microsoft Defender for Identity | Microsoft Learn</a></p></li><li><p><a href="https://learn.microsoft.com/en-us/defender-for-identity/custom-account-correlation-rules">Create custom account correlation rules (Preview) | Microsoft Learn</a></p></li></ul><h2>Defender for Office Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftDefenderforOffice365Blog/granular-email-content-access-with-unified-rbac-%E2%80%93-now-the-default-for-new-defend/4505344">Granular email content access with unified RBAC &#8211; now the default for new Defender tenants</a></strong> - Email investigations are a key part of detecting and responding to phishing and malware. As security workflows continue to evolve, there is an increasing need to align email content visibility more closely with specific roles and scenarios, such as Tier&#8209;1 analysis or specialized workflows like user&#8209;reported phishing triage. Today we&#8217;re announcing additional &#8220;read-only&#8221; controls for more granular email access in Microsoft Defender and that starting on May 30<sup>th</sup>, 2026, unified RBAC will become the new default for permission modeling for new tenants.</p><h2>Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/you-can%E2%80%99t-govern-what-you-can%E2%80%99t-see-closing-the-identity-visibility-gap-for-apps/4507464">You can&#8217;t govern what you can&#8217;t see: Closing the identity visibility gap for apps</a></strong> - Most organizations inherit thousands of ungoverned application accounts. Account discovery helps you find them and bring them under control.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #68]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-b40</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-b40</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 24 Apr 2026 11:31:00 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ZbHj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ZbHj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ZbHj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 424w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 848w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 1272w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ZbHj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png" width="1248" height="701" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:701,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:996118,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/194532400?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ZbHj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 424w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 848w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 1272w, https://substackcdn.com/image/fetch/$s_!ZbHj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4783e65a-f639-40b7-ab32-e8d4f3ef16be_1248x701.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Microsoft has just unveiled the new official home for the Microsoft Security Community. The dedicated site, now live at <strong><a href="https://aka.ms/securitycommunity">aka.ms/securitycommunity</a></strong>, serves as a one-stop destination where security professionals can explore upcoming events, access technical content, and connect directly with Microsoft experts and peers across the global security ecosystem.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>According to Microsoft, the new Microsoft Security Community Home is designed to make it easier than ever for members to:</p><ul><li><p>Discover both live and on-demand community events</p></li><li><p>Access a wide range of technical resources and learning opportunities</p></li><li><p>Connect with fellow security practitioners and Microsoft product teams</p></li><li><p>Stay up to date with the latest Microsoft Security announcements</p></li><li><p>Get involved through community programs, including opportunities to provide feedback that directly helps shape future Microsoft Security products and features</p></li></ul><p>Whether you&#8217;re looking to build your security expertise, join meaningful discussions, or help influence the direction of Microsoft&#8217;s security solutions, this new hub is positioned as your central starting point.</p><p>&#128073; You can visit the Microsoft Security Community Home right now at: <strong><a href="https://aka.ms/securitycommunity">aka.ms/securitycommunity</a></strong></p><p>&#8230;</p><p>This is a non-security topic, but a personal one - and one I think hits every tech geek. I&#8217;ve been working for almost a year now on an AI-infused project that seeks to revamp how TV/movie geeks watch content.</p><p>I&#8217;m thrilled to announce that <strong>ReelRifter</strong> &#8212; my passion project &#8212; is officially launching next month!</p><p>ReelRifter is the AI-powered hub that brings every TV show and movie from Netflix, Disney+, Max, Hulu, Prime, and beyond into one beautiful experience. It ends the chaos of juggling multiple apps, decision paralysis, and subscription guilt by delivering a universal watchlist, smart AI recommendations, episode tracking, leaving-soon alerts, subscription optimization, social features with friends, gamification, and much more.</p><p><strong>Key highlights at launch:</strong></p><ul><li><p><strong>AI-driven tools</strong> like mood-based &#8220;AI Picks,&#8221; &#8220;What to Watch Tonight,&#8221; and direct integration with ChatGPT/Claude via MCP Server</p></li><li><p>Detailed tracking (including Cancel Radar), binge planning, release radar, and rich analytics</p></li><li><p>Notifications, spoiler protection, family/household support (up to 5 members), and streaks/badges to make watching fun again</p></li></ul><p>You can sign-up now to be notified when its officially launched: <a href="https://ReelRifter.com">https://ReelRifter.com</a></p><p>&#8230;</p><p>That&#8217;s it from me for this week.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Have</h2><p><strong>A special one today</strong> &#8212; this comes from my good friend <strong>Morten Knudsen</strong>, Microsoft Security MVP.</p><p>Morten has built something genuinely useful for the community.</p><p><strong>What you see on your Defender dashboard isn&#8217;t what attackers see on their target list.</strong> One is sorted by severity; the other is sorted by opportunity. Microsoft Defender surfaces every vulnerability, misconfiguration, and exposure in your environment &#8212; but deciding which one to address first is where most teams get stuck. Closing that gap is the difference between staying busy and actually reducing risk.</p><p>That&#8217;s exactly why Morten created <strong><a href="https://github.com/KnudsenMorten/SecurityInsight">SecurityInsight</a></strong> &#8212; a free, community-built add-on to Microsoft Defender that helps you see risk the way a hacker would, and act on it the way a defender must.</p><p>Every recommendation across Endpoint, Azure, and Identity is scored on four powerful dimensions:</p><ul><li><p><strong>Consequence</strong></p></li><li><p><strong>Tier 0&#8211;3 asset criticality</strong></p></li><li><p><strong>Risk factors</strong> (Internet Exposure, Verified Secret, Lateral Movement, Exploit Signals, and more)</p></li><li><p><strong>Customizable Risk Index</strong></p></li></ul><p>If you&#8217;re responsible for Microsoft Defender security posture (and especially if you&#8217;re tired of drowning in alerts while wondering what actually matters), this is worth checking out.</p><p>&#128073; <strong>SecurityInsight</strong><br><a href="https://github.com/KnudsenMorten/SecurityInsight">https://github.com/KnudsenMorten/SecurityInsight</a></p><p>Big thanks to Morten for building and open-sourcing this &#8212; truly excellent work, my friend.</p><h2>Things that are Related</h2><p><strong><a href="https://socautomators.substack.com/p/expanded-log-sources-your-soc-needs">EXPANDED: Log Sources Your SOC Needs for Detection, Forensics, and Hunting</a></strong> - Last year we published very popular <a href="https://socautomators.substack.com/p/what-should-i-log-in-my-data-lake">What should I log in my data lake?</a> &#8212; a short guide that answered the question every SOC team was asking when Sentinel&#8217;s data lake went live. That article gave you a clean split: real-time detection and correlation in the SIEM, high-volume historical data in the lake, and a downloadable chart to make the decision for each source. It worked. It&#8217;s still one of our most-read posts. But the landscape has shifted underneath that guidance.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/how-ai-agents-are-turning-threat-intelligence-into-validated-detections/4513971">How AI Agents Are Turning Threat Intelligence Into Validated Detections</a></strong> - The promise of AI-assisted cybersecurity has long been hampered by a fundamental measurement problem: how do organizations validate whether an AI agent can actually perform the complex, multi-step work that security analysts do every day? Traditional benchmarks test whether models can recall MITRE ATT&amp;CK techniques or classify threat actor tactics, but they miss the harder question&#8212;can an agent translate raw threat intelligence into production-ready detection rules that find real attacks?</p><p><strong><a href="https://socautomators.substack.com/p/log-sources-your-soc-needs-for-detection-4c4">Log Sources Your SOC Needs for Detection, Forensics, and Hunting- Maturity Tiers</a></strong><a href="https://socautomators.substack.com/p/log-sources-your-soc-needs-for-detection-4c4"> </a>- You don&#8217;t need 37 log sources on day one. You need the right 14. This article explains the <strong>philosophy behind a phased SIEM implementation</strong> &#8212; why we start where we start, what each tier represents, and how to expand without drowning in noise or budget fights. For the detailed source-by-source breakdowns, see Articles 2b and 2c (coming shortly).</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmissioncriticalblog/beyond-the-playbook-real-world-lessons-from-a-mission-critical-enterprise-securi/4514179">Beyond the Playbook: Real-World Lessons from a Mission Critical Enterprise Security Assessment</a></strong> - The Enterprise Security Assessment (ESA) is a comprehensive, tenant-wide evaluation that helps to understand and improve the security posture across Microsoft Azure, Microsoft 365, and hybrid environments.</p><h2>Things to Watch/Listen To</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:194243238,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f4c&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot;The \&quot;AI\&quot; Security Insights Show Episode 289 - The RSA Recap Part 2 The Microsoft Partner Edition. &quot;,&quot;truncated_body_text&quot;:&quot;AI Pen Testing Power- What is the deal with Mythos?&quot;,&quot;date&quot;:&quot;2026-04-15T16:03:21.558Z&quot;,&quot;like_count&quot;:2,&quot;comment_count&quot;:1,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f4c?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title">The "AI" Security Insights Show Episode 289 - The RSA Recap Part 2 The Microsoft Partner Edition. </div></div><div class="embedded-post-body">AI Pen Testing Power- What is the deal with Mythos&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">3 months ago &#183; 2 likes &#183; 1 comment &#183; Rod Trent</div></a></div><h2>Things for Partners</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/the-unified-secops-transition-%E2%80%94-why-it-is-a-security-architecture-decision-not-j/4513815">The Unified SecOps Transition &#8212; Why It Is a Security Architecture Decision, Not Just a Portal Change</a></strong> - Microsoft will retire the standalone Azure Sentinel portal on <a href="https://learn.microsoft.com/en-us/unified-secops/whats-new">March 31, 2027</a>. Most of the conversation around this transition focuses on cost optimization and portal consolidation. That framing undersells what is actually happening.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-the-microsoft-sentinel-training-lab-hands-on-security-operations-in-/4513274">Introducing the Microsoft Sentinel Training Lab. Hands-On Security Operations in Minutes</a></strong> - Security operations is one of those things that&#8217;s hard to learn from slides alone. You need to <em>feel</em> what it&#8217;s like to triage a multi-stage incident, tune a noisy detection rule, or trace an attacker pivoting from an endpoint to the cloud. That&#8217;s exactly why we built the <strong>Microsoft Sentinel Training Lab</strong>.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/04/17/domain-compromise-predictive-shielding-shut-down-lateral-movement/">Containing a domain compromise: How predictive shielding shut down lateral movement</a></strong> - In identity-based attack campaigns, any initial access activity can turn an already serious intrusion into a critical incident once it allows a threat actor to obtain domain-administration rights. At that point, the attacker effectively controls the Active Directory domain: they can change group memberships and Access Control Lists (ACLs), mint Kerberos tickets, replicate directory secrets, and push policy through mechanisms like Group Policy Objects (GPOs), among others.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/">Detection strategies across cloud and identities against infiltrating IT workers</a></strong> - The shift to remote and hybrid work since the pandemic expanded global hiring and accelerated digital onboarding, increasing reliance on online identity verification and remote access. Threat actors such as <a href="https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/">Jasper Sleet</a>, a North Korea-aligned threat actor, exploit this model by posing as legitimate hires using stolen or fabricated identities and AI-assisted deception to gain trusted access, generate revenue, and in some cases enable data theft, extortion, or follow-on compromise.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://annabordioug.com/2026/04/16/naming-your-microsoft-purview-data-loss-prevention-policies-to-support-a-successful-dlp-program/">Naming Your Microsoft Purview Data Loss Prevention Policies to Support a Successful DLP Program</a></strong> - Microsoft Purview Data Loss Prevention (DLP) policy and rule names often come as an afterthought during a DLP program implementation. Unlike sensitivity labels, end users do not see the DLP policy and rule names, so many organizations underestimate their importance. In reality, the DLP naming convention that organizations follow will have long-lasting impacts on the successful management and operationalization of their DLP program.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/detecting-plain%E2%80%91text-password-exposure-using-custom-regex-in-microsoft-purview/4513022">Detecting Plain&#8209;Text Password Exposure Using Custom Regex in Microsoft Purview</a></strong> - Strong authentication controls like MFA significantly reduce account compromise &#8212; but they don&#8217;t eliminate the risk of password exposure.<br>In many organizations, users still interact with legacy systems, third&#8209;party tools, or service accounts that rely on password&#8209;only authentication. When those credentials are shared or stored in plain text &#8212; whether accidentally or out of convenience &#8212; they introduce a serious security risk.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/safeguarding-sensitive-data-in-microsoft-365-copilot-interactions-dlp-for-micros/4512497">Safeguarding Sensitive Data in Microsoft 365 Copilot Interactions: DLP for Microsoft 365 Copilot</a></strong> - Microsoft 365 Copilot is redefining how organizations work, bringing the power of generative AI directly into our secure productivity tools. As Copilot adoption accelerates, we&#8217;ve heard that you want more control over how your sensitive data can be used in interactions with Copilot. At Ignite 2025, Microsoft announced a major enhancement: <strong>Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot to safeguard Microsoft 365 Copilot and Copilot Chat prompts</strong>, now entering General Availability. Even better, this capability is included for all users of Microsoft 365 Copilot and Copilot Chat.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-purview-blog/from-oversharing-to-enforcement-a-practical-guide-to-ai-data-security-with-micro/4513727">From Oversharing to Enforcement: A Practical Guide to AI Data Security with Microsoft Purview</a></strong> - Generative AI accelerates productivity&#8212;but also amplifies data risk. A single prompt can expose sensitive files, unsanctioned tools can ingest proprietary data, and autonomous agents can act across a tenant at scale. Microsoft Purview addresses this shift. DSPM now provides unified visibility and control across Microsoft 365, Azure, Fabric, and third&#8209;party SaaS&#8212;focusing on the data itself: where it is, who can access it, how it&#8217;s used, and whether it&#8217;s protected. This blog outlines how AI changes the data security equation, what Purview delivers today, practical starting points, the path from visibility to remediation, and a phased model for mature AI governance.</p><h2>Defender for Office Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/declutter-and-defend-reducing-promotional-mail-noise-with-microsoft-defender/4511732">Declutter and Defend: Reducing promotional mail noise with Microsoft Defender</a></strong> - Today we&#8217;re excited to announce that <strong>Microsoft Defender now includes built-in graymail filtering. </strong>It is delivered natively through a new <strong>Promotions experience in Outlook</strong> that automatically classifies and separates solicited bulk email, so it no longer competes with business-critical communication in the inbox. Now in <strong>Public Preview</strong>, this capability learns from how users interact with graymail to become more accurate over time. Coupled with the existing <a href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/introducing-bulk-senders-insight-optimizing-bulk-email-management-for-enterprise/4193963">Bulk Senders Insight report</a>, Defender brings data-driven bulk classification and control into the security workflows you already use.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/healthcareandlifesciencesblog/modernizing-digital-health-record-governance-with-microsoft-entra-identity-gover/4512739">Modernizing Digital Health Record Governance with Microsoft Entra Identity Governance</a></strong> - Microsoft Entra Identity Governance was built to help address these challenges. By connecting authoritative workforce data to Microsoft Entra, automating joiner-mover-leaver processes, governing access through access packages, and recertifying access over time with access reviews, organizations can move from manual administration to policy-driven automation across the workforce lifecycle.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/strengthening-identity-resilience-a-deep-dive-into-microsoft-entra-backup-and-re/4513401">Strengthening Identity Resilience: A Deep Dive into Microsoft Entra Backup and Recovery</a></strong> - Microsoft Entra ID Backup &amp; Recovery provides a native, Microsoft&#8209;managed capability to restore critical identity configurations after accidental changes or security incidents. It helps organizations quickly return their Entra tenant to a known good state, reducing risk and recovery time.</p><p><strong><a href="https://thalpius.com/2026/04/21/microsoft-entra-id-understanding-oauth-app-consent-and-permissions/">Microsoft Entra ID: Understanding OAuth App Consent and Permissions</a></strong> - Recently, Anthropic released a Microsoft 365 connector for Claude, their AI assistant. This connector allows Claude to interact with Microsoft 365 services on behalf of users and organizations. As part of deploying and testing this connector, I started looking more carefully at how OAuth app consent works in Microsoft Entra ID, and I noticed several misconceptions circulating online about how consent actually works, what it means when an admin grants consent, and how to properly scope access afterward.</p><p><strong><a href="https://socautomators.substack.com/p/device-preferred-credential-in-entra">Device-Preferred Credential in Entra ID</a></strong> - Authentication has come a long way, but one thing that has always felt a bit off is how systems choose <em>which</em> method to prompt you with. Historically, Entra ID leaned on a pretty simple rule: just use whatever the user last used. Logical? Sure. Ideal? Not really.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/now-generally-available-license-usage-insights-in-microsoft-entra/4507463">Now generally available: License usage insights in Microsoft Entra</a></strong> - Today, I&#8217;m excited to announce the <strong>general availability of Microsoft Entra license usage insights</strong>: a redesigned experience in the Microsoft Entra admin center that helps you better understand your license entitlements and how premium capabilities are being used across your organization.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azureinfrastructureblog/entra-id-login-via-azure-bastion-fails-after-vm-recreation/4509337">Entra ID Login via Azure Bastion Fails After VM Recreation</a></strong> - In large-scale Azure environments, enabling Microsoft Entra ID (formerly Azure Active Directory) authentication for Windows virtual machines is a widely adopted security best practice. It removes the dependency on local accounts, supports centralized identity governance, and works seamlessly with Azure Bastion for password less VM access.</p><p>However, you may encounter a confusing scenario where:</p><p>An Entra ID user attempts to sign in to a Windows VM through Azure Bastion</p><ul><li><p>The connection appears to succeed in the backend logs</p></li><li><p>The session is disconnected within a second</p></li><li><p>Bastion returns a generic sign-in error to the user</p></li></ul><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #67]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-454</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-454</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 17 Apr 2026 11:31:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!WdmW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!WdmW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!WdmW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!WdmW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg" width="1248" height="832" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:832,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:264872,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/193789332?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!WdmW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 424w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 848w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!WdmW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F63a8714e-dbed-4866-8e44-6ff88d08e877_1248x832.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Lately, a couple of ideas that started as &#8220;wouldn&#8217;t it be nice if&#8230;&#8221; moments have quietly turned into full-blown projects I&#8217;m genuinely excited about.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>The first began as a simple desire to manage AI agents locally&#8212;nothing fancy, just something reliable that didn&#8217;t force me into complex setups or cloud dependencies. It has since evolved into <strong>AgentPlatform</strong>, a complete Windows 11 desktop application for creating, scheduling, running, exporting, and sharing AI agents. You can now browse and install agents from a built-in Agent Store, chain agents together, organize them into packs, and run everything with cron-based scheduling&#8212;all while keeping your data and API keys stored securely on your machine. It supports major providers like Grok (xAI), OpenAI, Anthropic, Ollama, and any OpenAI-compatible endpoint.</p><p><strong>&#8594; Check it out:</strong> <a href="https://github.com/rod-trent/AgentPlatform">https://github.com/rod-trent/AgentPlatform</a></p><p>The second idea sparked during a recent meeting when someone casually asked: &#8220;Wouldn&#8217;t it be cool if you could just grab specific pieces of websites and automatically pull in only the content that&#8217;s changed?&#8221; That small spark has grown into <strong>PulseKeeper</strong>, a local system tray application that curates personalized content from RSS feeds, YouTube, Reddit, podcasts, blogs, newsletters, and web pages. It lets you capture exact sections of sites (via browser extension or CSS selectors), tracks changes, filters out noise, and delivers clean daily digests in HTML, Markdown, or PDF. It even integrates directly with AgentPlatform for AI-powered summarization.</p><p><strong>&#8594; Check it out:</strong> <a href="https://github.com/rod-trent/PulseKeeper">https://github.com/rod-trent/PulseKeeper</a></p><p>Both tools grew out of real-world needs for simplicity, privacy, and control&#8212;values that carry over directly into how I think about security. Both are under active development, so keep watching.</p><p>Whether you&#8217;re experimenting with AI-driven security automation or just trying to stay on top of the ever-changing threat landscape, I hope you find these valuable.</p><p>That&#8217;s it from me for this week. Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="http://fuel https://www.microsoft.com/en-us/security/blog/2026/04/15/incident-response-for-ai-same-fire-different-fuel/">Incident response for AI: Same fire, different</a></strong> - AI introduces new categories of harm, accelerates response timelines, and calls for skills and telemetry that many teams are still developing. This post explores which <a href="https://learn.microsoft.com/security/zero-trust/sfi/incident-response-ai-systems">practices remain effective</a> and which require fresh preparation.</p><h2>Things to Watch/Listen To</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:194243238,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f4c&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot;The \&quot;AI\&quot; Security Insights Show Episode 289 - The RSA Recap Part 2 The Microsoft Partner Edition. &quot;,&quot;truncated_body_text&quot;:&quot;AI Pen Testing Power- What is the deal with Mythos?&quot;,&quot;date&quot;:&quot;2026-04-15T16:03:21.558Z&quot;,&quot;like_count&quot;:1,&quot;comment_count&quot;:0,&quot;bylines&quot;:[{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0979d0a9-076d-4984-903f-174d79becc86_1344x256.png&quot;}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c59e1ae8-80b5-44c2-85c2-bba0b536900f_532x256.png&quot;}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:115592344,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e7003902-2064-4b4b-a23e-74a8ade417d9_1920x533.jpeg&quot;}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61faab9f-ec9c-4b15-9038-90eeff197953_207x64.png&quot;}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false,&quot;logo_url_wide&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7348a2b-f83f-47cc-bf8b-837b55171fcf_1344x256.png&quot;}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f4c?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title">The "AI" Security Insights Show Episode 289 - The RSA Recap Part 2 The Microsoft Partner Edition. </div></div><div class="embedded-post-body">AI Pen Testing Power- What is the deal with Mythos&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">3 months ago &#183; 1 like &#183; Rod Trent</div></a></div><h2>Things to Have</h2><p><strong><a href="https://github.com/SCStelz/security-investigator">Security Investigation Automation System</a> - </strong>Comprehensive, automated security investigations powered by Microsoft Sentinel, Defender XDR, Graph API, and threat intelligence &#8212; with 25 specialized Agent Skills.</p><p><strong><a href="https://www.techchat.blog/2026/04/07/workbook-updates-admin-risk-compute/">Workbook Updates: Admin Risk &amp; Compute</a></strong> - Over the past few months, I have shared a set of workbooks focused on <strong>closing visibility gaps across identity and endpoint security data</strong>. These were built from real-world scenarios where the signals existed, but the connections between them were not always obvious. Today I am releasing <strong>major updates to both</strong>, expanding their scope and making them more useful for investigation, validation, and ongoing review.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/credential-exposure-risk--response-workbook/4511172">Credential Exposure Risk &amp; Response Workbook</a></strong> - The Credential Exposure Risk &amp; Response Workbook transforms credential leakage detection from a technical alert stream into a measurable security capability aligned with operational risk, control effectiveness, and end&#8209;user impact. By correlating exposure events across workloads, departments, credential types, and individual users, the workbook provides end&#8209;to&#8209;end situational awareness of material credential risk across the organization. Security teams can drill down from detection trends to the originating artefact (email, file, or URL), accelerating triage, containment, and root&#8209;cause analysis.</p><p><strong><a href="https://github.com/davidalonsod/Dalonso-Security-Repo/tree/main/Use%20Cases%20Threat%20Hunting/Netskope">Netskope Web Transactions &#8211; Threat Hunting &amp; Analytic Rules for Microsoft Sentinel</a> - </strong>A curated collection of <strong>12 KQL threat-hunting queries</strong> and <strong>14 Scheduled Analytic Rules</strong> targeting the <code>NetskopeWebTx_CL</code> (custom log) table in Microsoft Sentinel. These rules complement &#8212; and do not duplicate &#8212; the <strong>10 built-in analytic rules</strong> shipped with the <a href="https://azuremarketplace.microsoft.com/marketplace/apps/netaborplatforminc1588aboraborplatform.netskope_web_transaction_events_mss?tab=Overview">Netskope Web Transaction Events</a> Content Hub solution.</p><h2>Security Copilot Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/announcing-public-preview-security-copilot%E2%80%99s-email-summary-in-microsoft-defender/4510357">Announcing Public Preview: Security Copilot&#8217;s Email Summary in Microsoft Defender</a></strong> - Today, we are excited to announce the public preview of Security Copilot&#8217;s Email Summary capability, designed to bring those insights together and make email threat investigations faster, clearer, and more actionable.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://uros-babic.cloud/2026/04/15/built-in-sentinel-graph-identity-attack-path-visualization-in-defender-xdr/">Built&#8209;in Sentinel Graph: Identity Attack Path Visualization in Defender XDR</a></strong> - The <strong>Sentinel Graph experience</strong> was introduced as part of <strong>Public Preview on September 30, 2025</strong>, when Microsoft announced Sentinel Graph as a core capability built on top of the Microsoft Sentinel data lake. Since then, graph&#8209;based experiences have been gradually surfaced across the <strong>Microsoft Defender portal</strong>, enabling relationship&#8209;driven investigations across identity, cloud resources, and security signals.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/enforce-cost-limits-on-kql-queries-and-notebooks-in-the-microsoft-sentinel-data-/4511329">Enforce Cost Limits on KQL Queries and Notebooks in the Microsoft Sentinel Data Lake</a></strong> - Today, we're excited to announce <strong>threshold enforcement for KQL queries and notebooks in the Microsoft Sentinel data lake</strong>. With this release, you can go beyond notifications and automatically block new queries and jobs when your configured usage limits are exceeded. Your analysts keep working confidently, and your budgets stay protected.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/how-to-ingest-microsoft-intune-logs-into-microsoft-sentinel/4508562">How to Ingest Microsoft Intune Logs into Microsoft Sentinel</a></strong> - For many organizations using Microsoft Intune to manage devices, integrating Intune logs into Microsoft Sentinel is an essential for security operations (Incorporate the device into the SEIM). By routing Intune&#8217;s device management and compliance data into your central SIEM, you gain a unified view of endpoint events and can set up alerts on critical Intune activities e.g. devices falling out of compliance or policy changes. This unified monitoring helps security and IT teams detect issues faster, correlate Intune events with other security logs for threat hunting and improve compliance reporting. We&#8217;re publishing these best practices to help unblock common customer challenges in configuring Intune log ingestion. In this step-by-step guide, you&#8217;ll learn how to successfully send Intune logs to Microsoft Sentinel, so you can fully leverage Intune data for enhanced security and compliance visibility.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/microsoft-sentinel-data-federation-expand-visibility-while-preserving-governance/4511258">Microsoft Sentinel data federation: Expand visibility while preserving governance</a></strong> - Microsoft Sentinel data federation now in public preview, is designed to meet customers where their data already lives, while preserving governance. Powered by Microsoft Fabric, customers can federate data from Microsoft Fabric, Azure Data Lake Storage (ADLS) Gen 2, and Azure Databricks into Sentinel data lake, without copying or duplicating the data.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/running-kql-queries-on-microsoft-sentinel-data-lake-using-api/4503128">Running KQL queries on Microsoft Sentinel data lake using API</a></strong> - By running KQL (Kusto Query Language) queries on Microsoft Sentinel data lake through APIs, you can embed analytics directly into automation workflows, background services, and intelligent agents, without relying on manual query execution. In this post, we explore API based KQL query execution, review some of the scenarios where it delivers the most value, and what you need to get started.</p><p><strong><a href="https://techcommunity.microsoft.com/discussions/microsoftthreatprotection/microsoft-sentinel-mcp-entity-analyzer-explainable-risk-analysis-for-urls-and-id/4511606#M2664">Microsoft Sentinel MCP Entity Analyzer: Explainable risk analysis for URLs and identities</a></strong> - What makes this release important is not just that it adds another AI feature to Sentinel. It changes the implementation model for enrichment and triage. Instead of building and maintaining a chain of custom playbooks, KQL lookups, threat intel checks, and entity correlation logic, SOC teams can call a single analyzer that returns a reasoned verdict and supporting evidence. Microsoft positions the analyzer as available through Sentinel MCP server connections for agent platforms and through Logic Apps for SOAR workflows, which makes it useful both for interactive investigations and for automated response pipelines.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/securing-multicloud-azure-aws--gcp-with-microsoft-defender-for-cloud-connector-b/4508563">Securing multicloud (Azure, AWS &amp; GCP) with Microsoft Defender for Cloud: Connector best practices</a></strong> - Many organizations run workloads across multiple cloud providers and need to maintain a strong security posture while ensuring interoperability. Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) solution that helps secure these environments by providing unified visibility and protection for resources in AWS and GCP alongside Azure.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/microsoft-defender-for-endpoint-mde-%E2%80%94-custom-role-design-for-troubleshooting-mod/4510646">Microsoft Defender for Endpoint (MDE) &#8212; Custom Role Design for Troubleshooting Mode&#8211;Only Access</a></strong> - In customer environments, <strong>Security Operations (SOC)</strong> teams and <strong>Windows infrastructure</strong> teams frequently need to investigate endpoint issues in the Microsoft Defender for Endpoint portal&#8212;often under time pressure&#8212;while still preserving strong governance over who can change security controls.</p><h2>Defender XDR Things</h2><p><strong><a href="https://socautomators.substack.com/p/threat-informed-defense-24-attack">Threat-Informed Defense: 24 Attack Patterns Mapped to the Microsoft Detection Stack</a></strong> - The DBIR analyzed 22,052 incidents. MDDR tracked 30+ billion threat signals daily. If you want to know what&#8217;s breaking organizations right now, the data is there.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-infostealers---trusted-platform-abuse/4505343">Hunting Infostealers - Trusted Platform Abuse</a></strong> - Since late 2025, Platform abuse has become an increasingly prevalent tactic in the modern threat landscape, wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. By weaponizing platforms such as WhatsApp and seemingly benign PDF conversion tools, threat actors are able to disguise malicious activity within normal user behavior, enabling efficient malware delivery, lateral propagation, and evasion of traditional security controls.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/why-external-users-can%E2%80%99t-open-encrypted-attachments-in-certain-conditions--how-t/4510644">Why External Users Can&#8217;t Open Encrypted Attachments in Certain Conditions &amp; How to Fix It Securely</a></strong> - When Conditional Access policies enforce MFA across all cloud apps and include external users, encrypted attachments may require additional considerations. This post explains why.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-purview-blog/microsoft-purview-referential-architecture-diagrams/4510925">Microsoft Purview Referential Architecture Diagrams</a></strong> - The Microsoft Purview architecture diagrams provide a referential view of how data classification, sensitivity labeling, Data Loss Prevention (DLP) and Insider Risk operate across Microsoft 365 workloads. These diagrams are intended to help organizations understand where policy evaluation occurs, how signals flow between services, and how enforcement is applied consistently.</p><p><strong><a href="http://v">Data Security Posture Reports</a></strong> - Posture Reports are the authoritative proof that Microsoft Purview controls are not just configured, but actively protecting data at scale. They transform policy configuration into measurable, defensible security posture.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-purview-blog/data-security-posture-reports-custom-workspace-and-charts/4511341">Data Security Posture Reports (Custom Workspace and Charts)</a></strong> - NOW IN PUBLIC PREVIEW Custom Posture Reports are the authoritative proof that Microsoft Purview controls are not only configured, but actively protecting data at scale. They transform raw policy signals and configuration data into measurable, defensible security posture, providing clear, tailored insights that demonstrate control effectiveness and real&#8209;world impact.</p><h2>Defender Threat Intelligence Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/enterprise-cybersecurity-in-the-age-of-ai-why-legacy-security-is-failing-as-atta/4511187">Enterprise Cybersecurity in the Age of AI: Why Legacy Security Is Failing as Attackers Move Faster</a></strong> - In recent months, Microsoft has <a href="https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/">documented AI&#8209;enabled phishing campaigns</a> abusing legitimate authentication mechanisms - including OAuth and device&#8209;code flows - to compromise enterprise accounts at scale. These campaigns rely on automation, dynamic code generation, and highly personalised lures, rather than on stealing passwords or exploiting traditional vulnerabilities.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/what%E2%80%99s-new-in-microsoft-entra-%E2%80%93-march-2026/4502150">What&#8217;s new in Microsoft Entra &#8211; March 2026 Hub</a></strong> - From January through March 2026, Microsoft Entra introduced key updates to help organizations strengthen identity security, simplify governance, and improve user experience. This Q1 roundup highlights the latest feature releases and important changes&#8212;organized by product&#8212;so you can quickly see what&#8217;s new, what&#8217;s changing, and what actions you may need to take.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #66]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-275</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-275</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 10 Apr 2026 11:31:14 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!HT_Z!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HT_Z!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HT_Z!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HT_Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg" width="1248" height="1033" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1033,&quot;width&quot;:1248,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:179359,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/193158626?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HT_Z!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HT_Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd12bb785-9317-4d4a-b08c-39615d45973d_1248x1033.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>I&#8217;m also asked quite a bit about what I do at Microsoft and I usually respond with something like &#8220;Oh, you know me. I just find ways of goofing off.&#8221; That phrase has become a common response from me over the years, primarily because I love my job and love what I do, so it feels many times like I am really just goofing off. My work doesn&#8217;t feel like work, but when I describe my tasks for the week, I see eyes glaze over about halfway through. Maybe it&#8217;s my presentation; maybe it&#8217;s because my work is boring to anyone else.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Here&#8217;s a quick, summarized bullet point list of what I&#8217;ve been working on since returning from the MVP Summit to prove there&#8217;s actual working going on over here.</p><ul><li><p>Over the past couple of weeks, I have been focused on one thing: keeping the momentum going between major moments and the day&#8209;to&#8209;day work of securing environments.</p></li><li><p>That is exactly why the <a href="https://aka.ms/SecurityAdvisors">Security Advisors Program </a>exists. It brings customers, partners, and MVPs together with Microsoft product teams for design input, focus groups, and private previews across the product lifecycle.</p></li><li><p>Coming out of the <a href="https://summit.microsoft.com/">MVP Summit 2026</a>, I have been focused on making it easier to re&#8209;engage with content and keep the feedback loop moving. That has included helping route MVP Summit - Session recaps so speakers and moderators can access and share the session summaries appropriately, rather than leaving product teams guessing where to go.</p></li><li><p>I have also been digging into the signals behind the Summit experience itself. For example, I pulled together session feedback analysis in MVP Summit Session Feedback to help summarize how Security sessions landed and where the outliers are. I also shared a concise leadership snapshot to anchor the story in Security&#8209;specific scale, engagement, and what to act on next</p></li><li><p>On the product engagement side, I have been working to make preview participation more consistent and scalable. I reached out across teams to identify who is already using Private Preview Group automations so we can rebuild and document the &#8220;how preview flighting works&#8221; muscle that was previously tribal knowledge. In parallel, I joined and tracked early preview scoping discussions, including Private Preview Scoping which is explicitly planning private preview timing and positioning for endpoint&#8209;focused security for AI scenarios.</p></li><li><p>I have also been clearing the practical friction that blocks participation. That included restoring access when an MVP lost entry to private community channels. And when issues show up in the wild, I escalate them: I requested review of a suspected Microsoft Defender SmartScreen false positive affecting an MVP&#8209;owned website in MVP&#8217;s web site is blocked by smartscreen.</p></li><li><p>Finally, I have been turning community activity into something actionable at leadership altitude. I shared MVP Teams Community Intelligence Report, which describes an automated way to synthesize MVP channel discussions into a weekly, leadership&#8209;ready report rather than letting important threads get lost. I also captured concrete follow&#8209;ups from MSEC CCP MBR, including a commitment to supply deeper MVP Summit insights once evaluation and reporting data fully lands.</p></li></ul><p>How about you? What does your week look like?</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/04/09/the-agentic-soc-rethinking-secops-for-the-next-decade/">The agentic SOC&#8212;Rethinking SecOps for the next decade</a></strong> - Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed endpoint detection and response (EDR)&#8212;and later extended detection and response (XDR)&#8212;security teams raised the bar, pushing cyberattackers beyond phishing, commodity malware, and perimeter&#8209;based attacks and into cloud infrastructure built for scale and speed.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/publicsectorblog/from-fragmentation-to-resilience-why-next-gen-%E2%80%9Cwhole-of-state%E2%80%9D-is-future-of-pub-/4507434">From Fragmentation to Resilience: Why Next Gen &#8220;Whole of State&#8221; Is Future of Pub Sec Cybersecurity</a></strong> - Microsoft is focused on a <strong>Next Gen Whole of State</strong> approach: a state-wide, coordinated model that brings together <strong>cyber defense, risk management, and workforce development</strong> into a unified strategy&#8212;designed for scale, resilience, and trust.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/mvp-champ-spotlight--uros-babic/4508948">MVP Champ Spotlight- Uros Babic</a></strong> - Uros is recognized as a Most Valued Professional (MVP) by Microsoft as an exceptional community leader for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmvp.microsoft.com%2Fen-US%2Ffaq%3Fsection%3Dmvp&amp;data=05%7C02%7Cv-trrusher%40microsoft.com%7C73079713ce3c4f074fc408dde41c1490%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638917531505585318%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;sdata=zqQ2HGF6%2Bf1tOAAVE62EJoRsvMAt05lKwqJZ2x310Y0%3D&amp;reserved=0">FAQ | Most Valuable Professionals</a>. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content to help address the community needs.</p><p><strong><a href="https://socautomators.substack.com/p/threat-informed-defense-the-gap-between">Threat-Informed Defense: The Gap Between What Attackers Do and What SOCs See</a></strong> - The data is not the problem. The Verizon 2025 DBIR analyzed 22,052 incidents and 12,195 breaches. The Microsoft Digital Defense Report 2025 documented attack trends across billions of signals. The threat intelligence is abundant, detailed, and largely consistent across sources. We know what attackers are doing. The gap is between what those reports say and what most SOCs are actually instrumented to detect.</p><p><strong><a href="https://kqlquery.com/posts/kql-graph-security-visualization/">Unlock Different Security Perspectives with Kusto Graph Functions</a></strong> - This blog describes how to get started with the newly introduced functions and shares two examples. Graphs are not a new concept in Kusto, previous presentations and blogs of others explain the core of this functionality.</p><h2>Things to Watch/Listen To</h2><iframe class="spotify-wrap podcast" data-attrs="{&quot;image&quot;:&quot;&quot;,&quot;title&quot;:&quot;&quot;,&quot;subtitle&quot;:&quot;&quot;,&quot;description&quot;:&quot;&quot;,&quot;url&quot;:&quot;https://open.spotify.com/embed/episode/4hrAQFuI2rlYOf5lp5iTTB&quot;,&quot;belowTheFold&quot;:true,&quot;noScroll&quot;:true}" src="https://open.spotify.com/embed/episode/4hrAQFuI2rlYOf5lp5iTTB" frameborder="0" gesture="media" allowfullscreen="true" allow="encrypted-media" loading="lazy" data-component-name="Spotify2ToDOM" scrolling="no"></iframe><h2>Things from Partners</h2><p><strong><a href="https://www.anthropic.com/glasswing">Project Glasswing: Securing critical software for the AI era \ Anthropic</a></strong> - Today we&#8217;re announcing Project Glasswing<sup>1</sup>, a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world&#8217;s most critical software.</p><h2>Security Copilot Things</h2><p><strong><a href="https://securitysentinel.substack.com/p/microsoft-security-copilot-is-quickly">Microsoft Security Copilot is quickly becoming one of the most practical ways to operationalise AI in security.</a></strong> - I was going through the latest development toolkit, and one thing stands out: this is not just about &#8220;using AI&#8221; it is about designing security workflows that actually scale.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://medium.com/@shakirabdul31/log-ingestion-latency-in-microsoft-sentinel-kql-deep-dive-and-security-copilot-prompts-when-it-c1182c83128a">Log Ingestion Latency in Microsoft Sentinel: KQL Deep Dive and Security Copilot Prompts When It&#8230;</a></strong> - A practical guide for Sentinel admins on validating log ingestion latency across all CEF sources in Microsoft Sentinel.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-the-new-microsoft-sentinel-logstash-output-plugin-public-preview/4508904">Introducing the New Microsoft Sentinel Logstash Output Plugin (Public Preview!)</a></strong> - Many organizations rely on Logstash as a flexible, trusted data pipeline for collecting, transforming, and forwarding logs from on-premises and hybrid environments. Microsoft Sentinel has long supported a Logstash output plugin, enabling customers to send data directly into Sentinel as part of their existing pipelines. The original plugin was implemented in Ruby, and while it has served its purpose, it no longer meets Microsoft&#8217;s Secure Future Initiative (SFI) standards and has limited engineering support. To address both security and sustainability, we have <a href="https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin/versions/2.0.0-java">rebuilt the plugin</a> from the ground up in Java, a language that is more secure, better supported across Microsoft, and aligned with long-term platform investments. To ensure a seamless transition, the new implementation is still packaged and distributed as a standard Logstash Ruby gem. This means the installation and usage experience remains unchanged for customers, while benefiting from a more secure and maintainable foundation.</p><p><strong><a href="https://securingm365.com/defenderxdr/sentinel/sentineldefender-part2/">Series: Sentinel to Defender Portal - Before You Touch Anything</a></strong> - This post gives you a decision framework for working through that inventory. The framing throughout is forward-looking: what does the Unified portal in Defender XDR actually look like when you land there, and what in your current environment do you need to understand, adjust, or remediate to work well within it?</p><p><strong><a href="https://github.com/davidalonsod/Dalonso-Security-Repo/tree/main/Sentinel%20Cost%20Optimization">Sentinel Data Ingestion Control</a></strong> - ARM-deployable monitoring pack for <strong>any</strong> Microsoft Sentinel workspace: <strong>5 analytic rules</strong> + <strong>16 ingestion &amp; cost monitoring queries</strong> + <strong>15 cost optimization queries</strong> for data ingestion anomaly detection, noise identification, cost management, M365 E5 benefit tracking, Auxiliary table monitoring, and retention compliance.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/estimate-microsoft-sentinel-costs-with-confidence-using-the-new-sentinel-cost-es/4507062">Estimate Microsoft Sentinel Costs with Confidence Using the New Sentinel Cost Estimator</a></strong> - One of the first questions teams ask when evaluating Microsoft Sentinel is simple: what will this actually cost? Today, many customers and partners estimate Sentinel costs using the Azure Pricing Calculator, but it doesn&#8217;t provide the Sentinel-specific usage guidance needed to understand how each Sentinel meter contributes to overall spend. As a result, it can be hard to produce accurate, trustworthy estimates, especially early on, when you may not know every input upfront. To make these conversations easier and budgets more predictable, Microsoft is introducing the new Sentinel Cost Estimator (public preview) for Microsoft customers and partners.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/">Inside an AI&#8209;enabled device code phishing campaign</a></strong> - Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale. While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.</p><h2>Defender Experts Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-infostealers---python-stealers/4505342">Hunting Infostealers - Python Stealers</a></strong> - One of the most notable Python-based infostealers seen in 2025 was PXA Stealer. It harvests sensitive data from infected systems such as login credentials, financial information, and browser data. It is linked to Vietnamese-speaking threat actors who target government and education entities. It is primarily delivered via phishing campaigns that use social engineering to trick users into downloading malicious files onto their computer. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers operating without borders.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://kusenberg.net/data-breaches-rarely-start-like-a-movie">Data Breaches Rarely Start Like a Movie</a></strong> - hen people hear <em>data breach</em>, they still imagine the big scene a black screen, red warning text, some attacker sitting in the dark, maybe ransomware, maybe a zero day, maybe tomorrow&#8217;s headline.</p><p><strong><a href="https://medium.com/@marcoOesterlin/your-microsoft-purview-unified-catalog-is-live-but-is-anyone-actually-finding-what-they-need-d36b6ada884d">Your Microsoft Purview Unified Catalog Is Live. But Is Anyone Actually Finding What They Need?</a></strong> - You launched the catalog. You published the data products. You sent the announcement email. Three months later, the data team is still getting the same requests they got before the launch.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/azuredevcommunityblog/building-mcp-servers-with-entra-id-and-pre-authorized-clients/4508453">Building MCP servers with Entra ID and pre-authorized clients</a></strong> - The <a href="https://modelcontextprotocol.io/">Model Context Protocol (MCP)</a> gives AI agents a standard way to call external tools, but things get more complicated when those tools need to know who the user is. In this post, I&#8217;ll show how to build an MCP server with the <a href="https://gofastmcp.com/">Python FastMCP package</a> that authenticates users with <a href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id">Microsoft Entra ID</a> when they connect from a pre-authorized client such as <a href="https://code.visualstudio.com/">VS Code</a>.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/authorization-and-governance-for-ai-agents-runtime-authorization-beyond-identity/4509161">Authorization and Governance for AI Agents: Runtime Authorization Beyond Identity at Scale</a></strong> - This architecture is intended for organizations building AI agents that invoke tools or protected APIs&#8212;evolving from securing agent identity to governing autonomous execution at enterprise scale using a Microsoft Entra&#8209;protected Authorization Fabric.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #65]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-142</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-142</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 03 Apr 2026 11:30:24 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!FVcl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!FVcl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FVcl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 424w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 848w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 1272w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FVcl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png" width="1024" height="788" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:788,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:760205,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/192600006?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!FVcl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 424w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 848w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 1272w, https://substackcdn.com/image/fetch/$s_!FVcl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc03f38-764e-4ed3-ac5d-898b05d42c71_1024x788.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p><strong>A Microsoft FTE&#8217;s Reflections from MVP Summit 2026: Deep Insights &amp; Connections</strong></p><p><em>Every March, the Microsoft MVP Summit brings together a worldwide group of technologists, community leaders, and product teams for a few fast-moving days of learning and honest conversation. This year&#8217;s Summit reminded me that the value is never just in what you hear in the sessions, it is also in who you meet in the hallways, the ideas you trade over impromptu chats, and the shared commitment to make the Microsoft ecosystem better for everyone.</em></p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Last week, March 24 to 26, 2026, Microsoft headquarters in Redmond played host to the annual Microsoft MVP Summit. What an incredible few days it was. As someone fortunate enough to be part of this community, I walked away with a renewed sense of what makes the Microsoft MVP program truly special.</p><p>The NDA sessions delivered by my colleagues were, as always, packed with impressive technical depth. We dove into the latest advancements across Microsoft&#8217;s ecosystem. Everything from AI innovations and cloud infrastructure to productivity tools, security enhancements, and the roadmap for the platforms so many of us support every day. These closed-door conversations gave direct access to product teams, unfiltered feedback opportunities, and early insights that will help better serve all communities, customers, and the broader Microsoft ecosystem in the months ahead.</p><p>The level of detail and candor in those rooms is unmatched. It is where real-world challenges meet engineering priorities, and where MVPs can share the voice of the user directly with the people building the future of technology at Microsoft. If you have attended before, you know the feeling. Walking out of a session with your mind racing about new possibilities and ways to apply what you have learned.</p><p>But if I am being honest, the technical content, valuable as it is, only tells part of the story.</p><p><strong>Read the rest: </strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/a-microsoft-fte%E2%80%99s-reflections-from-mvp-summit-2026-deep-insights--connections/4506986">A Microsoft FTE&#8217;s Reflections from MVP Summit 2026: Deep Insights &amp; Connections</a></p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://gist.github.com/ddamenova/43696f1e7c63c66f924637e9577316ee">Kusto Graph Functions for Cybersecurity Investigations</a></strong> - A set of Kusto (KQL) functions that transform tabular query results into graph structures.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/part-2-securing-ai-agents-with-azure-ai-foundry-from-abuse-patterns-to-lifecycle/4507836">Part 2: Securing AI Agents with Azure AI Foundry: From Abuse Patterns to Lifecycle Controls</a></strong> - In the previous blog, we explored what agent abuse is and why it is fundamentally different from traditional AI risks. We saw how abuse emerges from the interaction between autonomy, tools, memory, identity, and data access&#8212;operating at machine speed. Understanding the patterns, however, is only half the equation. In this post, we take the next step: mapping each agent abuse pattern to the security controls that Azure AI Foundry provides out of the box to help prevent, detect, and contain it. The goal is not to eliminate autonomy, but to govern it deliberately across the entire agent lifecycle. What makes this important is not just what controls exist, but how comprehensively they are integrated&#8212;from prompt ingestion and runtime execution to identity, data security, monitoring, and continuous evaluation.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/31/applying-security-fundamentals-to-ai-practical-advice-for-cisos/">Applying security fundamentals to AI: Practical advice for CISOs</a></strong> - The best way to think about how to effectively use and <a href="https://www.microsoft.com/en-us/security/business/solutions/security-for-ai">secure a modern AI system</a> is to imagine it like a very new, very junior person. It&#8217;s very smart and eager to help but can also be extremely unintelligent. Like a junior person, it works at its best when it&#8217;s given clear, fairly specific goals, and the vaguer its instructions, the more likely it is to misinterpret them. If you&#8217;re giving it the ability to do anything consequential, think about how you would give that responsibility to someone very new: at what point would you want them to stop and check with you before continuing, and what information would you want them to show you so that you could tell they were on track? Apply that same kind of human reasoning to AI and you will get best results.</p><p><strong><a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/threat-to-critical-infrastructure-has-changed">The threat to critical infrastructure has changed. Has your readiness?</a></strong> - Critical infrastructure (CI) organizations underpin national security, public safety, and the economy. In 2026, the <a href="https://go.microsoft.com/fwlink/?linkid=2357912">cyber threat landscape facing these sectors</a> is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure environments right now is not a forecast. It is already happening. Threat actors are no longer focused solely on data theft or opportunistic disruption. They are establishing persistent access, footholds they can sit in quietly, undetected, and activate at the moment of maximum disruption. That is the threat CI leaders need to be preparing for today. Not someday. Now.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/driving-devsecops-standards-nist%E2%80%99s-live-guidelines-for-secure-software-developme/4507781">Driving DevSecOps Standards: NIST&#8217;s Live Guidelines for Secure Software Development, Security, and Operations Practices</a></strong> - Microsoft appreciates the opportunity to participate in the National Institute of Standards and Technology&#8217;s (NIST) effort to evolve the <a href="https://pages.nist.gov/nccoe-devsecops/">Live Guidelines</a> for Secure Software Development, Security, and Operations (DevSecOps) Practices, building on the original NIST SP 1800-44 publication. This living guidance reflects ongoing, collaborative work to document practical approaches for securing the software development lifecycle, addressing challenges such as open-source risk, software supply chain integrity, Software Bill of Materials (SBOM), insider threats, and Zero Trust principles.</p><h2>Things to Have</h2><p><strong><a href="https://github.com/Bert-JanP/KustoHawk">KustoHawk</a> - </strong>KustoHawk is an incident triage and response tool for Microsoft Defender XDR and Microsoft Sentinel environments. The script collects common indicators of compromise and returns a complete picture of the activities performed by an device of account. The tool leverages Graph API to run the hunting queries across your unified XDR environment. Bases on a <a href="https://github.com/Bert-JanP/KustoHawk#authentication-tiers-and-permissions">tiering permission</a> model additional data can be collected via Graph API calls. The queries that are executed are listed in the <a href="https://github.com/Bert-JanP/KustoHawk/blob/main/Resources">Resources</a> folder.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://github.com/rohit8096-ag/sentinel-ingestion-analyzer">Sentinel Custom Ingestion Audit Tool</a></strong> - A PowerShell script that discovers every custom data ingestion method feeding into a Microsoft Sentinel workspace and generates a professional HTML dashboard report.</p><p><strong><a href="https://medium.com/@shakirabdul31/sentinel-log-collector-diagnostics-step-by-step-troubleshooting-and-security-copilot-prompts-bac80e361bd5">Sentinel Log Collector Diagnostics: Step-by-Step Troubleshooting and Security Copilot Prompts</a></strong> - In all Sentinel deployments, the log collector VM serves two distinct responsibilities simultaneously: <strong>Collector role, Forwarder role</strong>.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/announcing-public-preview-of-custom-graphs-in-microsoft-sentinel/4507410">Announcing public preview of custom graphs in Microsoft Sentinel</a></strong> - We&#8217;re excited to announce the <strong>public preview of custom graphs in Sentinel, available starting April 1<sup>st</sup>. </strong>Custom graphs let defenders model relationships that are unique to their organization, then run graph analytics to surface blast radius, attack paths, privilege chains, chokepoints, and anomalies that are difficult to spot in tables alone. In this post, we&#8217;ll cover what custom graphs are, how they work, and how to get started so the entire team can use them.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/a-third-party-connector-integrating-claude-with-microsoft-sentinel-is-now-availa/4507013">A third-party connector integrating Claude with Microsoft Sentinel is now available</a></strong> - Security teams are increasingly exploring how AI assistants can support them in investigating incidents, asking questions, and exploring their data. At the same time, protecting that data, and controlling how it&#8217;s accessed, remains critical. Today, we&#8217;re sharing how Sentinel can securely support a third-party AI assistant like Claude through a new integration approach using <a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-sentinel-mcp-server---generally-available-with-exciting-new-capabiliti/4470125">Sentinel&#8217;s Model Context Protocol (MCP) server,</a> while continuing to rely on <a href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id">Microsoft Entra ID</a> for enterprise grade authentication and access control. This approach uses Microsoft Sentinel with Entra ID to let third-party AI tools access Sentinel data securely.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/accelerate-agent-development-hacks-for-building-with-microsoft-sentinel-data-lak/4503039">Accelerate Agent Development: Hacks for Building with Microsoft Sentinel data lake</a></strong> - Explore a practical playbook for ISVs building Security Copilot&#8211;compatible agents, outlining how to leverage Microsoft Sentinel data lake, the Composite Application Model, and proven development patterns, to move from data ingestion to agent deployment faster.</p><h2>Defender Experts Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/">WhatsApp malware campaign delivers VBS payloads and MSI backdoors</a></strong> - Microsoft Defender Experts (DEX) observed a campaign beginning in late February 2026 that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Once executed, these scripts initiate a multi-stage infection chain designed to establish persistence and enable remote access.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-infostealers---macos-threats/4494435">Hunting Infostealers - macOS Threats</a></strong> - The &#8220;Hunting Infostealers&#8221; blog series covers the ever-evolving threat of infostealers. Infostealers have gone from simple credential theft to subscription-based threats (i.e., Malware-as-a-Service) driving modern cybercrime. Threat actors target sensitive information such as browser data, cookies, and session tokens that can later be used for account takeovers or to fuel data breaches, ransomware attacks, and supply chain attacks. In this blog series, Microsoft Defender Experts examine how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses.</p><h2>Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-expands-scim-support-with-new-scim-2-0-apis-for-identity-lifecyc/4507465">Microsoft Entra expands SCIM support with new SCIM 2.0 APIs for identity lifecycle operations</a></strong> - Modern organizations rely on a growing ecosystem of applications, platforms, and services to run their business. Managing users and groups consistently across these systems is essential for security and operational efficiency. Many teams rely on the System for Cross-domain Identity Management (SCIM) standard to maintain predictable integrations, reduce custom provisioning work, and simplify lifecycle tasks across their environment.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-data-quality-thresholds-more-control-more-trust/4506546">Microsoft Purview Data Quality Thresholds: More Control, More Trust</a></strong> - A data quality threshold defines the minimum acceptable score for a rule to pass. Instead of applying a single fixed standard across all data, organizations can now set expectations that align with business context and criticality.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/announcing-ga-advanced-resource-sets-in-microsoft-purview-unified-catalog/4504513">Announcing GA: Advanced Resource Sets in Microsoft Purview Unified Catalog</a></strong> - The Microsoft Purview product team is constantly listening to customer feedback about the data governance challenges that slow teams down. One of the most persistent pain points &#8212; understanding the true shape of large-scale data lakes where thousands of files represent a single logical dataset &#8212; has driven a highly requested capability. We are pleased to announce that <strong>Advanced Resource Sets</strong> are now generally available for all Microsoft Purview Unified Catalog customers.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/viva_engage_blog/sensitivity-labels-are-coming-to-viva-engage-communities-heres-what-you-need-to-/4507443">Sensitivity Labels Are Coming to Viva Engage Communities Here&#8217;s What You Need to Know</a></strong> - If you've seen MC1250283 in your Message Center and have questions, you're not alone. In the past few weeks we've heard from customers across industries &#8212; financial services, manufacturing, healthcare, government &#8212; all asking variations of the same questions. This post is our attempt to answer them all in one place. You can find out more via this article <a href="https://learn.microsoft.com/en-us/viva/engage/manage-engage-communities/community-sensitivity-labeling">Sensitivity labels in Viva Engage. | Microsoft Learn</a></p><h2>Defender Vulnerability Management</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/vulnerability-management/from-vulnerability-fatigue-to-action-how-skf-operationalized-mdvm-with-a-custom-/4495271">From Vulnerability Fatigue to Action: How SKF Operationalized MDVM with a Custom Dashboard</a></strong> - In today&#8217;s rapidly evolving digital landscape, organizations must proactively manage security risk and stay ahead of emerging threats to keep systems and data secure. However, many teams face &#8220;vulnerability fatigue&#8221;; remediation doesn&#8217;t get easier as environments grow, Mean Time to Remediate (MTTR) increases, and Mean Time to Exploit continues to shrink. (References: CyberMindr, &#8220;Average Time-to-Exploit in 2025&#8221;; &#8220;MTTR: The Most Important Security Metric&#8221;).</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #64]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-a3b</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-a3b</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 20 Mar 2026 11:30:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!N6Ad!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!N6Ad!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!N6Ad!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 424w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 848w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!N6Ad!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg" width="1024" height="772" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:772,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:259800,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/191138210?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!N6Ad!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 424w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 848w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!N6Ad!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51c6c39a-2a3b-451f-8707-5298e2a37fcc_1024x772.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>I&#8217;ll be out of the office next week as I head to Microsoft headquarters in Redmond for the <strong>Microsoft MVP Summit</strong> (March 24&#8211;26, 2026). It&#8217;s always one of the highlights of the year, and this time around, we&#8217;ve poured months of effort into making it an especially fun, engaging, and deeply technical experience for the entire MVP community.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>We&#8217;re expecting <strong>over 3,000 attendees</strong> in total, with more than <strong>1,500 joining us in person</strong> on campus&#8212;a fantastic turnout that promises incredible energy and connection.</p><p>I&#8217;m genuinely excited to reconnect with so many familiar faces, make new friends, dive into mind-expanding discussions, and&#8212;most importantly&#8212;spend time sharing our latest plans and vision with the Security MVPs. There&#8217;s nothing quite like being in the room (or on campus!) where ideas spark, collaborations form, and the future of Microsoft technologies takes shape.</p><p>I&#8217;ll be back in action the following week refreshed, recharged, and full of new insights to share.</p><p>Thanks as always for your support and for being part of this amazing community&#8212;talk to you soon!</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/orchestrating-intrusion-detection-and-prevention-signature-overrides-in-azure-fi/4502213">Orchestrating Intrusion Detection and Prevention Signature overrides in Azure Firewall Premium</a></strong> - Azure Firewall Premium provides strong protection with a built-in <strong>Intrusion Detection and Prevention System (IDPS)</strong>. It inspects inbound, outbound, and east-west traffic against Microsoft&#8217;s continuously updated signature set and can block threats before they reach your workloads.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/18/observability-ai-systems-strengthening-visibility-proactive-risk-detection/">Observability for AI Systems: Strengthening visibility for proactive risk detection</a></strong> - <a href="https://learn.microsoft.com/en-us/security/zero-trust/sfi/observability-ai-systems">Observability</a> is one of the foundational security and governance requirements for AI systems operating in production. Yet many organizations don&#8217;t understand the critical importance of observability for AI systems or how to implement effective AI observability. That mismatch creates potential blind spots at precisely the moment when visibility matters most.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/AzureNetworkSecurityBlog/azure-bastion-enterprise-grade-secure-access-made-simple/4503833">Azure Bastion: Enterprise-grade secure access made simple</a></strong> - Managing secure remote access to virtual machines traditionally means juggling public IP addresses, configuring jump boxes, deploying VPN infrastructure, and managing complex firewall rules. Each layer adds cost, complexity, and potential security vulnerabilities. Azure Bastion changes everything. It&#8217;s a fully managed PaaS service that provides secure RDP/SSH connectivity to Azure VMs directly through the Azure portal, without exposing VMs to the public internet. No public IPs, no jump boxes, no VPN clients.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/aligning-ai-agent-intent-a-framework-for-secure-and-governable-ai/4503551">Aligning AI agent intent: A framework for secure and governable AI</a></strong> - AI agents can follow user instructions while still violating organizational or developer intent. This research report explores the layers of agent intent and how to align them for secure enterprise AI adoption.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/">When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures</a></strong> - During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/19/new-tools-and-guidance-announcing-zero-trust-for-ai/">New tools and guidance: Announcing Zero Trust for AI</a></strong> - Over the past year, I have had conversations with security leaders across a variety of disciplines, and the energy around AI is undeniable. Organizations are moving fast, and security teams are rising to meet the moment. Time and again, the question comes back to the same thing: &#8220;We&#8217;re adopting AI fast, how do we make sure our security keeps pace?&#8221;</p><h2>Things to Have</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://amzn.to/4bwOciG" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iziC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 424w, https://substackcdn.com/image/fetch/$s_!iziC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 848w, https://substackcdn.com/image/fetch/$s_!iziC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 1272w, https://substackcdn.com/image/fetch/$s_!iziC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iziC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png" width="231" height="283.7692307692308" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:527,&quot;width&quot;:429,&quot;resizeWidth&quot;:231,&quot;bytes&quot;:395568,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://amzn.to/4bwOciG&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/191138210?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iziC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 424w, https://substackcdn.com/image/fetch/$s_!iziC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 848w, https://substackcdn.com/image/fetch/$s_!iziC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 1272w, https://substackcdn.com/image/fetch/$s_!iziC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a9e120f-c1d7-465b-9285-6d823fbd4c9e_429x527.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>I'm thrilled to announce that &#8220;<strong><a href="https://amzn.to/4bwOciG">Into the mind of Microsoft Security - AI-Ready Security Strategy and Architectural Guidance for CISOs and Security Architects</a></strong>&#8221; by <a href="https://www.linkedin.com/in/samehyounis/">Sameh Younis</a> is now officially released and available for purchase!<br><br>Get it from Amazon: <a href="https://amzn.to/4bwOciG">https://amzn.to/4bwOciG</a></p><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="http://Protect_your_M365_Data_in_the_age_of_AI_dominiquehermans_com_v20260310-HQ" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1Zss!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 424w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 848w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 1272w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1Zss!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png" width="192" height="271.36" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:424,&quot;width&quot;:300,&quot;resizeWidth&quot;:192,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:&quot;http://Protect_your_M365_Data_in_the_age_of_AI_dominiquehermans_com_v20260310-HQ&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!1Zss!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 424w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 848w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 1272w, https://substackcdn.com/image/fetch/$s_!1Zss!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff3ac58d3-da98-4acf-8df3-e03ba05bd175_300x424.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The book, &#8220;<strong><a href="http://Protect_your_M365_Data_in_the_age_of_AI_dominiquehermans_com_v20260310-HQ">Protect Your Microsoft 365 Data in the Age of AI</a></strong>&#8221; is a collection of articles MVP <strong><a href="https://www.linkedin.com/in/dominiquehermans1/">Dominique Hermans</a></strong> published over the past year in the series <em>&#8220;Protect Your Microsoft 365 Data in the Age of AI.&#8221;</em></p><p>In the book, Dominique explains how to use Microsoft 365, Microsoft Purview, and Microsoft Defender for Cloud Apps to gain visibility and control over sensitive data shared with generative AI platforms, while still enabling employees to work effectively. He focuses on a flexible, policy-driven, layered approach that aligns technology with an organization&#8217;s governance strategy.</p><p><strong>Download the eBook:</strong> <a href="https://dominiquehermans.com/wp-content/uploads/2026/03/protect_your_m365_data_in_the_age_of_ai_dominiquehermans_com_v20260310-hq.pdf">Protect_your_M365_Data_in_the_age_of_AI_dominiquehermans_com_v20260310-HQ</a></p><p><strong>Dominique&#8217;s website:</strong> <a href="https://dominiquehermans.com/">https://dominiquehermans.com/</a></p><div><hr></div><p><strong><a href="https://github.com/marketplace/actions/microsoft-defender-scout">Microsoft Defender Scout</a> - </strong>Automated Security Assessment &amp; KQL Query Generation for Microsoft Defender.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://charbelnemnom.com/microsoft-sentinel-virtualmetric-datastream-pt2/">Maximizing Microsoft Sentinel ROI With VirtualMetric DataStream &#8211; Part 2</a></strong> - Microsoft Sentinel is an extremely powerful platform&#8212;but at scale, Windows telemetry (especially Security events) can quickly become one of the highest cost and noise drivers in the workspace. If you&#8217;re already centralizing Windows logs with Windows Event Forwarding (WEF) into a Windows Event Collector (WEC), you&#8217;ve already solved half the problem: you&#8217;ve reduced agent sprawl and built a clean collection pattern.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/detect-correlate-contain-new-azure-firewall-idps-detections-in-microsoft-sentine/4502128">Detect, correlate, contain: New Azure Firewall IDPS detections in Microsoft Sentinel and XDR</a></strong> - As threat actors continue to blend reconnaissance, exploitation, and post-compromise activity, network-level signals remain critical for early detection and correlated response. To strengthen this layer, we're introducing five new Azure Firewall IDPS detections, now available out of the box in the Azure Firewall solution for Microsoft Sentinel and Microsoft Defender XDR.</p><p><strong><a href="https://techcommunity.microsoft.com/discussions/microsoftthreatprotection/what%E2%80%99s-new-in-microsoft-sentinel-and-xdr-ai-automation-data-lake-innovation-and-/4503442#M2652">What&#8217;s New in Microsoft Sentinel and XDR: AI Automation, Data Lake Innovation, and Unified SecOps</a></strong> - The most consequential &#8220;new&#8221; Microsoft Sentinel / Defender XDR narrative for a deeply technical Microsoft Tech Community article is the operational and engineering shift to <strong>unified security operations in the Microsoft Defender portal</strong>, including an explicit <strong>Azure portal retirement/sunset timeline</strong> and concrete migration implications (data tiering, correlation engine changes, schema differences, and automation behavior changes). Official sources now align on <strong>March 31, 2027</strong> as the sunset date for managing Microsoft Sentinel in the Azure portal, with customers being redirected to the Defender portal after that date.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/turning-historical-patterns-into-actionable-detection-pipelines-with-microsoft-s/4503126">Turning historical patterns into actionable detection pipelines with Microsoft Sentinel data lake</a></strong> - This article is part of the<strong> Sentinel data lake practitioner series</strong>. In <a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/operationalizing-the-sentinel-data-lake-a-practitioner%E2%80%99s-guide/4466042">part 1</a>, we introduced the <strong>Operationalization Framework</strong> &#8212; a structured way to turn exploratory notebooks into reliable, scheduled Spark jobs within the Microsoft Sentinel data lake. Now in <strong>Part 2</strong>, we go from <em>framework</em> to <em>function</em> &#8212; showing how defenders can turn <strong>historical data into fresh, actionable insights</strong> using modular pipelines built around one of the most persistent threats today: <strong>Password Spray attacks</strong>.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/secure-access-in-the-age-of-ai-key-findings-from-our-2026-report/4486060">Secure access in the age of AI: Key findings from our 2026 Report</a></strong> - As AI moves from experimentation into everyday workflows and AI agents begin operating more autonomously across systems, access environments are changing in scale, complexity, and speed. Our latest research, <a href="http://aka.ms/SecureAccessReport">Secure access in the age of AI ,</a> looks at how security leaders are navigating one of the fastest shifts in enterprise technology adoption, and where existing access models are starting to show strain. For organizations, AI brings meaningful opportunity. But every new AI tool or agent also introduces additional identities, permissions, and access paths. As a result, identity and network access are no longer just foundational controls. They are central to how organizations manage risk in the age of AI.</p><h2>Defender Experts for XDR Things</h2><div id="youtube2-8VjjXkZ_5eo" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;8VjjXkZ_5eo&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/8VjjXkZ_5eo?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Microsoft Purview Things</h2><p><strong><a href="https://medium.com/@marcoOesterlin/i-built-a-tool-that-uses-an-agent-to-write-data-quality-rules-to-microsoft-purview-unified-catalog-fe1cfd416c06">I Built a Tool That Uses an Agent to Write Data Quality Rules to Microsoft Purview Unified Catalog</a></strong> - You have data assets registered in Microsoft Purview Unified Catalog with zero data quality rules attached. Maybe they came from Microsoft Fabric. Maybe Databricks or Snowflake. It does not matter. Someone wants full dimension coverage across every column of every gold layer table you own. There is no way you are doing that by hand. I built a tool that does it for you.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-purview-blog/ai%E2%80%91powered-troubleshooting-for-microsoft-purview-data-lifecycle-management/4502660">AI&#8209;Powered Troubleshooting for Microsoft Purview Data Lifecycle Management</a></strong> - Announcing the DLM Diagnostics MCP Server! Microsoft Purview Data Lifecycle Management (DLM) policies are critical for meeting compliance and governance requirements across Microsoft 365 workloads. However, when something goes wrong &#8211; such as retention policies not applying, archive mailboxes not expanding, or inactive mailboxes not getting purged &#8211; diagnosing the issue can be challenging and time&#8209;consuming.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/new-microsoft-purview-innovations-for-fabric-to-safely-accelerate-your-ai-transf/4502156">New Microsoft Purview innovations for Fabric to safely accelerate your AI transformation</a></strong> - Organizations are skeptical about AI transformation due to concerns of sensitive data oversharing and poor data quality. In fact, 86% of organizations lack visibility into AI data flows, operating in darkness about what information employees share with AI systems. Compounding on this challenge, about 67% of executives are uncomfortable using data for AI due to quality concerns<a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/new-microsoft-purview-innovations-for-fabric-to-safely-accelerate-your-ai-transf/4502156#community-4502156-_ftn2">.</a> The challenges of data oversharing and poor data quality requires organizations to solve these issues seamlessly for the safe usage of AI. Microsoft Purview offers a modern, unified approach to help organizations secure and govern data across their entire data estate, in particular best in class integrations with M365, Microsoft Fabric, and Azure data estates, streamlining oversight and reducing complexity across the estate.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #63]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-741</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-741</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 13 Mar 2026 11:31:38 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YEP-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!YEP-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!YEP-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!YEP-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg" width="1025" height="756" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:756,&quot;width&quot;:1025,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:241143,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/190413658?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!YEP-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 424w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 848w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!YEP-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2605eb8a-5f46-4daf-b711-2570a97fd085_1025x756.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p><strong>We&#8217;re back! Did you miss me?</strong></p><p>After nearly a month of planes, trains, and very questionable airport coffee, I&#8217;m finally back in the office for a couple of weeks. It&#8217;s been a whirlwind tour&#8212;Paris, Denmark for Experts Live, Redmond, and now (briefly) home&#8212;before I pack up again and head <em>back</em> to Redmond for the MVP Summit in just a couple of weeks. Apparently, I really like frequent&#8209;flyer miles.</p><p>Between the travel and events, one other milestone worth sharing: I&#8217;ve released a new book. <em>Shadows in the Hollows</em> is a work of fiction, but it&#8217;s deeply rooted in my family&#8217;s culture and history and explores the often&#8209;overlooked story of the Melungeon people. If you&#8217;re curious, you can find it here: <a href="https://amzn.to/4sAYwNf">https://amzn.to/4sAYwNf</a></p><p>Additionally, I had some downtime once I returned to catch a breath, but also release version 4.0.4 of the Garmin Chat Desktop app. Details <strong><a href="https://rodtrent.substack.com/p/garmin-chat-desktop-v404-is-here">HERE</a></strong>. This version adds support for Ollama, the latest Claude models, and more activities (from 10 to 50).</p><p>More to come&#8212;after I unpack. Again.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/09/secure-agentic-ai-for-your-frontier-transformation/">Secure agentic AI for your Frontier Transformation</a></strong> - Today we shared the next step to make <a href="https://aka.ms/AAzv8ia">Frontier Transformation</a> real for customers across every industry with Wave 3 of Microsoft 365 Copilot, Microsoft Agent 365, and Microsoft 365 E7: The Frontier Suite.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/nonprofittechies/comprehensive-security-in-the-era-of-ai-what-nonprofits-need-to-know-now/4493892">Comprehensive Security in the Era of AI: What Nonprofits Need to Know Now</a></strong> - Microsoft&#8217;s guide, <em><strong>Comprehensive Security in the Era of AI</strong></em><strong>,</strong> offers nonprofits a clear, compassionate roadmap for navigating this moment of change. Below is a mission&#8209;focused summary of the guide&#8217;s key insights and how they apply directly to the nonprofit sector.</p><h2>Things to Watch/Listen To</h2><p><strong><a href="https://www.thepurviewpractitioner.com/podcast">The Purview Practitioner (podcast)</a></strong> - Everyone&#8217;s racing to get AI deployed - Copilot, agents, all of it. But the moment you switch this stuff on, it finds everything. Every bit of permission drift, every folder somebody shared five years ago, every sensitive document sitting somewhere it shouldn&#8217;t be. This podcast takes you through a real data security journey - from visibility and classification through to DLP, governance, and enabling AI without it all falling apart. Short episodes, practical advice, no jargon.</p><h2>Security Copilot Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/SecurityCopilotBlog/introducing-agentic-secret-finder-finding-real-credentials-where-traditional-too/4500983">Introducing Agentic Secret Finder: Finding Real Credentials Where Traditional Tools Fail</a></strong> - Agentic Secret Finder (ASF) is an AI-powered capability in Microsoft Security Copilot that detects leaked credentials in unstructured content, such as emails, chat logs, documents, and screenshots, where traditional pattern-matching tools struggle. Agentic Secret Finder (ASF) is &#8220;agentic&#8221; because it relies on a multi&#8209;step, multi&#8209;agent reasoning workflow rather than a single pass detector. Detection, verification, and contextual analysis are handled by distinct reasoning stages, allowing ASF to find real credentials without flooding users with false positives. Unlike regex-based scanners, ASF uses reasoning to identify not just credentials, but the systems they unlock, helping security teams understand exposure and respond faster. In benchmark testing on synthetic datasets, ASF achieved 98.33% true credential detection with zero false alarms on realistic emails, chats, notes, and documents&#8212;while traditional regex scanners detected only about 40% of the same credentials. ASF is now generally available in Security Copilot, supporting 20+ credential types with high precision and actionable context.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://charbelnemnom.com/sentinel-cost-estimation-and-optimization/">Microsoft Sentinel Cost Estimation And Optimization &#8212; The Definitive Guide!</a></strong> - By the end of this comprehensive guide, you&#8217;ll learn proven techniques from working with a large number of customers after putting so many hours into this to accurately forecast costs, implement data filtering, and leverage automation to reduce overhead while maintaining full security visibility and compliance. This guide is ideal for security architects and financial decision-makers (CFOs) seeking to achieve predictable security budgets using Microsoft Sentinel as the platform, enabling deeper planning.</p><p><strong><a href="https://github.com/rohit8096-ag/Sentinel-Assessment-Tool">Sentinel MITRE ATT&amp;CK Coverage Analyzer</a></strong> - Analyze your Microsoft Sentinel analytical rules and Defender custom detection rules to generate comprehensive MITRE ATT&amp;CK coverage reports with beautiful visualizations, including interactive radar charts, MITRE Navigator heatmaps, table optimization insights, and executive summaries.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/modern-database-protection-from-visibility-to-threat-detection-with-microsoft-de/4501289">Modern Database Protection: From Visibility to Threat Detection with Microsoft Defender for Cloud</a></strong> - Databases sit at the heart of modern businesses. They support everyday apps, reports and AI tools. For example, any time you engage a site that requires a username and password, there is a database at the back end that stores your login information. As organizations adopt multi-cloud and hybrid architectures, databases are generated all the time, creating database sprawl. As a result, tracking and managing every database, catching misconfigurations and vulnerabilities, knowing where sensitive information lives, all becomes increasingly difficult leaving a huge security gap. And because companies store their most valuable data, like your login information, credit card and social security numbers, in databases, databases are the main target for threat actors.</p><h2>Defender for Office Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/from-transparency-to-action-what-the-latest-microsoft-email-security-benchmark-reveals/">From transparency to action: What the latest Microsoft email security benchmark reveals</a></strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/from-transparency-to-action-what-the-latest-microsoft-email-security-benchmark-reveals/"> </a>- Today, we&#8217;re continuing that conversation. With the <a href="https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-office-365/performance-benchmarking">latest Microsoft benchmarking data</a>, we&#8217;re sharing what real-world telemetry reveals about how effectively modern email threats are detected, mitigated, and stopped by Microsoft Defender, secure email gateway (SEG) providers, and integrated cloud email security (ICES) solutions.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/introducing-effective-settings-see-security-configurations-enforced-on-your-devi/4499551">Introducing effective settings: See security configurations enforced on your device</a></strong> - Security teams spend significant time defining policies for Microsoft Defender security settings. But when it comes to investigations or troubleshooting, the real question is often simple: <em>what is currently being enforced on this device?</em> Today, we&#8217;re excited to share that the <a href="https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines?wt.mc_id=MVP_452337#configuration-management---effective-settings">settings experience</a> is now generally available in Defender to provide this critical visibility.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.linkedin.com/pulse/introducing-ms-defender-scout-samik-roy-7pdoc/?trackingId=0KcajbkEQgifiXh71q1CFA%3D%3D">Introducing MS Defender Scout</a></strong> - Today, I&#8217;m excited to announce <strong>MS Defender Scout - </strong>an open-source PowerShell tool that brings AI-assisted Advanced Hunting to your security operations.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552">When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise</a></strong> - There are countless security vulnerabilities and trust in software distribution is one of them. Users install applications from official vendor websites, enterprise controls allowlist signed software, and automated update mechanisms routinely pull code from trusted infrastructure. This post takes you through a supply-chain compromise targeting the EmEditor software distribution channel, where attackers weaponized a trusted WordPress-based download infrastructure to selectively deliver a trojanized MSI installer. It demonstrates how conditional server-side logic, installer abuse, and living-off-the-land techniques can bypass traditional defenses and enable credential theft at scale. It includes how the malicious installer behaved, and how defenders can detect and mitigate similar threats.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/">Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft</a></strong> - In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561.</p><h2>Defender Experts Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/">Contagious Interview: Malware delivered through fake developer job interviews</a></strong> - Microsoft Defender Experts has observed the Contagious Interview campaign, a sophisticated social engineering operation active since at least December 2022. Microsoft continues to detect activity associated with this campaign in recent customer environments, targeting software developers at enterprise solution providers and media and communications firms by abusing the trust inherent in modern recruitment workflows.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/purview-community-call-for-sessions/4499150">Purview Community: Call for Sessions!</a></strong> - Microsoft Purview Community Lighting Talks is a virtual event series featuring real-world demos, tips, and solutions directly from you, the Purview Community! The goal of these short, fluff-free lighting sessions is to foster authentic knowledge sharing, community connection, and highlight real experiences to empower others who use Microsoft Purview. The virtual events will be held in a simu-live format across multiple time zones and will include subject-matter experts and the speakers in a live-chat Q&amp;A for community participation.</p><p><strong><a href="https://datadefenders.victorwingsing.com/">Microsoft Purview MVP Map</a></strong> - Find your favorite (or all) Purview MVPs using this MVP-developed, interactive map.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/detecting-analyzing-prompt-abuse-in-ai-tools/">Detecting and analyzing prompt abuse in AI tools</a></strong> - Prompt abuse has emerged as a critical security concern, with prompt injection recognized as one of the most significant vulnerabilities in the <a href="https://genai.owasp.org/llm-top-10/">2025 OWASP guidance</a> for Large Language Model (LLM) Applications. Prompt abuse occurs when someone intentionally crafts inputs to make an AI system perform actions it was not designed to do, such as attempting to access sensitive information or overriding built-in safety instructions. Detecting abuse is challenging because it exploits natural language, like subtle differences in phrasing, which can manipulate AI behavior while leaving no obvious trace. Without proper logging and telemetry, attempts to access or summarize sensitive information can go unnoticed.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #62]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-565</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-565</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 13 Feb 2026 12:31:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!RWVx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RWVx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RWVx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 424w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 848w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RWVx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg" width="439" height="522.5986328125" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1219,&quot;width&quot;:1024,&quot;resizeWidth&quot;:439,&quot;bytes&quot;:344558,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/186976881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RWVx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 424w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 848w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!RWVx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe49bb4c7-9528-453e-8e6e-9610f55a6a43_1024x1219.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p><strong>Newsletter Update: A Short Hiatus While Life Gets Wonderfully Busy</strong></p><p>Before we dive in, a quick heads&#8209;up: the newsletter will take a brief hiatus while I&#8217;m on the road for the next few weeks. But for very good reasons.</p><p>Next week, my wife and I are heading to Paris to celebrate our <strong>36th wedding anniversary</strong>. From there, we jump straight into <strong><a href="https://eldk26.expertslive.dk/">Experts Live Denmark</a></strong>, which marks my <strong>third year in a row</strong> participating. This conference has grown astonishingly fast. From its first small year just three years ago to <strong>over 1,000 attendees</strong> this year. I&#8217;m incredibly proud to be part of its journey. Even better, my wife and my youngest daughter will be there too, both volunteering to help keep the event running smoothly.</p><p>After Denmark, I&#8217;ll be home for&#8230; roughly the length of a laundry cycle&#8230; before catching a flight to Redmond for a week. Then I&#8217;ll get a couple of weeks back home in March before heading once again to Redmond for the <strong><a href="https://mvp.microsoft.com/MVPsummit">MVP Summit</a></strong>. And speaking of MVPs - I&#8217;m excited to share that I&#8217;ve recently stepped into an expanded role as the <strong>Security MVP Lead</strong>, guiding the Security area moving forward. It&#8217;s a big step, but one I&#8217;m genuinely thrilled about.</p><p>Thank you all for your continued enthusiasm for this newsletter and for the Microsoft security community. Your encouragement and engagement mean the world. I&#8217;ll be back with fresh updates once I return and catch my breath.</p><p>If you want to follow along with the travel, events, and all the behind-the-scenes moments, you can keep tabs on me here:</p><ul><li><p><strong>Substack:</strong> <a href="https://rodtrent.com">https://rodtrent.com</a></p></li><li><p><strong>X:</strong> <a href="https://x.com/rodtrent">@RodTrent</a></p></li><li><p><strong>LinkedIn:</strong> <a href="https://www.linkedin.com/in/rodtrent/">linkedin.com/in/rodtrent</a></p></li></ul><p>I&#8217;ll be sharing photos, thoughts, and stories along the way.</p><p>&#8230;</p><p>Lastly&#8230;</p><p>Hey, I built a thing. Well, I&#8217;ve built a bunch of things recently. I caught the bug and I&#8217;ve jumped back into development recently. I felt that the best way to understand all the AI nonsense was to dive headlong into it and figure out the backend of everything. The best way to accomplish that, in my opinion, is to build things that take advantage of the depth of the AI stack.</p><p>I have many, many projects on the simmer. You can find them all here in my JunkDrawer repo: <a href="https://github.com/rod-trent/JunkDrawer">https://github.com/rod-trent/JunkDrawer</a></p><p>But one thing stood out recently and got enough interest that I&#8217;ve turned the project into an actual thing.</p><p>The <a href="https://rodtrent.substack.com/p/garmin-chat-desktop-v40-choose-your">Garmin Chat Desktop app</a> is an application has taken on a life of its own. Who knew that Garmin ecosystem users wanted more from their fitness data than just manually sifting through Garmin Connect screens?</p><p>The <a href="https://rodtrent.substack.com/p/garmin-chat-desktop-v40-choose-your">Garmin Chat Desktop app</a> connects to your own Garmin data and then uses your GenAI API of choice to reason over the data. The result has been phenomenal and really makes the Garmin data workable and meaningful. I currently have over 1,000 people testing the app and many of the updates have come from the feedback. If you&#8217;re also a Garmin user and want to get on the tester train, I&#8217;m happy to welcome any and all.</p><p>I fully expect to officially release the app sometime in the next couple months, with mobile versions on the way.</p><p>Read about it all about it here:</p><p><strong><a href="https://rodtrent.substack.com/s/garmin-chat-desktop">Garmin Chat Desktop</a></strong></p><p>And, for those Peloton subscribers who are also part of the Garmin community, there&#8217;s: <strong><a href="https://rodtrent.substack.com/p/introducing-peloton-2-garmin-sync">Peloton 2 Garmin Sync</a></strong></p><p>&#8230;</p><p>Alright folks. That&#8217;s it for me for this week. We&#8217;ll talk soon&#8212;and thanks again for being the heart of this community.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Attend</h2><p><strong><a href="https://techcommunity.microsoft.com/event/microsoft-security-events/live-ama-defining-ai-boundaries-with-data-sensitivity/4492858">Live AMA: Defining AI boundaries with data sensitivity</a> - Tuesday, Feb 17, 2026, 9:00 AM PST </strong>Online - As AI becomes embedded in everyday work, traditional data security models break down. Copilots and agents can search, summarize, and recombine information at machine speed, creating new exposure paths for sensitive data &#8212; even when nothing is formally shared or exfiltrated.</p><p>In this session, we&#8217;ll explain why <strong>data sensitivity, not data location, is now the true security boundary</strong>, and what that shift means for protecting information in the age of AI. We&#8217;ll walk through how organizations can establish a shared understanding of what data is sensitive, use sensitivity labels to consistently define how that data should be handled, and automatically enforce protections wherever data is created or used &#8212; including in AI experiences.</p><p>We&#8217;ll close with a live <strong>Ask Me Anything (AMA)</strong>, where you can bring real-world questions about securing Copilot and agents, scaling classification and labeling, and turning sensitivity into consistent, enforceable controls with Microsoft Purview.</p><h2>Things that are Related</h2><p><strong><a href="https://www.hanley.cloud/2026-02-08-KQL-Toolbox-7-From-Detection-Coverage-to-Response-Reality/">&#128736;&#65039; Kql Toolbox #7: From Detection Coverage To Response Reality</a></strong> - So now comes the unavoidable next question: <em><strong>Are our detections actually aligned to how attackers operate &#8212; and are we getting faster at shutting them down?</strong></em> This is where many SOCs stall out&#8230; They collect alerts, map techniques, and celebrate coverage &#8212; but never stop to ask whether all that visibility is translating into <strong>better response outcomes.</strong></p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/">Analysis of active exploitation of SolarWinds Web Help Desk</a></strong> - The Microsoft Defender Research Team observed a multi&#8209;stage intrusion where threat actors exploited internet&#8209;exposed <a href="https://www.solarwinds.com/web-help-desk">SolarWinds Web Help Desk</a> (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/09/prompt-attack-breaks-llm-safety/">A one-prompt attack that breaks LLM safety alignment</a></strong> - Large language models (LLMs) and diffusion models now power a wide range of applications, from document assistance to text-to-image generation, and users increasingly expect these systems to be safety-aligned by default. Yet safety alignment is only as robust as its weakest failure mode. Despite extensive work on safety post-training, it has been shown that models can be readily unaligned through post-deployment fine-tuning.</p><p><strong><a href="https://thealistairross.co.uk/2026/02/10/azure-monitor-agent-deployment-report/">Azure Monitor Agent Deployment Report</a></strong> - I have been using Power Bi more and more recently to create solutions to visuals and gather insights on data and a recent ask for help was to help understand the Azure Monitor Agent coverage, including identifying images that are not supported via the built in Azure policies.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/">Manipulating&nbsp;AI memory&nbsp;for&nbsp;profit: The rise of&nbsp;AI&nbsp;Recommendation Poisoning</a></strong> - Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call <strong>AI Recommendation Poisoning</strong>.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/skills-hub-blog/strengthen-your-cloud-security-expertise-with-new-ai-security-training/4461295">Strengthen your cloud security expertise with new AI security training</a></strong> - As organizations accelerate their adoption of AI, the need for rigorous, cloud&#8209;ready security skills has never been greater. To help meet that need, we&#8217;re releasing a wave of new and updated Microsoft Learn offerings this month, designed to help you secure AI workloads, modernize incident response, strengthen identity governance, optimize security operations across the Microsoft Cloud, and more.</p><h2>Things to Watch/Listen To</h2><div class="embedded-post-wrap" data-attrs="{&quot;id&quot;:185209879,&quot;url&quot;:&quot;https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f18&quot;,&quot;publication_id&quot;:1252746,&quot;publication_name&quot;:&quot;THE Security Insights Show&quot;,&quot;publication_logo_url&quot;:&quot;https://substackcdn.com/image/fetch/$s_!ZngQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;title&quot;:&quot; The \&quot;AI\&quot; Security Insights Show Episode 284 - Microsoft Sentinel Pricing....it's like MAAGIC!&quot;,&quot;truncated_body_text&quot;:&quot;In this episode we have the good folks from the security company - LockBase Cyber. Leonard Volling and Charlie Smith will come on and talk about their new Microsoft Sentinel pricing tool.&quot;,&quot;date&quot;:&quot;2026-02-07T15:12:01.237Z&quot;,&quot;like_count&quot;:1,&quot;comment_count&quot;:2,&quot;bylines&quot;:[{&quot;id&quot;:25637175,&quot;name&quot;:&quot;Edward Walton&quot;,&quot;handle&quot;:&quot;securitybro&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F89b98b87-6bce-4c30-ba8a-4cad6287197b_202x346.jpeg&quot;,&quot;bio&quot;:&quot;Edward Walton is a security leader with over 20 years of experience in information security. His focus is Threat Intel, threat analytics and SIEM.&quot;,&quot;profile_set_up_at&quot;:&quot;2024-04-26T19:20:40.812Z&quot;,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:194879,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:268192,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:268192,&quot;name&quot;:&quot;Ed's place of highly opinionated facts on Security!&quot;,&quot;subdomain&quot;:&quot;edwardwalton&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Are we secure yet? Are we secure yet? &quot;,&quot;logo_url&quot;:null,&quot;author_id&quot;:25637175,&quot;primary_user_id&quot;:25637175,&quot;theme_var_background_pop&quot;:&quot;#FD5353&quot;,&quot;created_at&quot;:&quot;2021-01-22T17:52:33.499Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Edward Walton&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:null,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:2422927,&quot;user_id&quot;:25637175,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;subscriber&quot;,&quot;tier&quot;:1,&quot;accent_colors&quot;:null},&quot;paidPublicationIds&quot;:[1254398],&quot;subscriber&quot;:null}},{&quot;id&quot;:25142999,&quot;name&quot;:&quot;Rod Trent&quot;,&quot;handle&quot;:&quot;rodtrent&quot;,&quot;previous_name&quot;:&quot;Microsoft Sentinel this Week&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31b8f6f-7b50-4643-a4d5-54ca83894c4c_800x800.png&quot;,&quot;bio&quot;:&quot;Rod Trent is a Senior Product Manager for Microsoft. He has spoken many times at many conferences over the past 30-some years and has written several books and hundreds of articles.&quot;,&quot;profile_set_up_at&quot;:&quot;2022-12-15T21:44:39.563Z&quot;,&quot;reader_installed_at&quot;:&quot;2023-01-13T16:04:11.272Z&quot;,&quot;publicationUsers&quot;:[{&quot;id&quot;:1211584,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1254398,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:true,&quot;publication&quot;:{&quot;id&quot;:1254398,&quot;name&quot;:&quot;Rod&#8217;s Blog&quot;,&quot;subdomain&quot;:&quot;rodtrent&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:true,&quot;hero_text&quot;:&quot;Microsoft Security and AI. This is not an official Microsoft blog.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e527d2fc-7b2f-448b-85fa-0e47bf452405_600x600.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:25142999,&quot;theme_var_background_pop&quot;:&quot;#786CFF&quot;,&quot;created_at&quot;:&quot;2022-12-20T13:41:45.372Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:1202860,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1246049,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1246049,&quot;name&quot;:&quot;THE PROMPT for Microsoft Security&quot;,&quot;subdomain&quot;:&quot;microsoftdefender&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The weekly THE PROMPT for Microsoft Security newsletter helps uncover the new and important features and news for Microsoft's Unified Security Operations Platform.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c112404-c028-4923-b8ce-924902361d80_256x256.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#121BFA&quot;,&quot;created_at&quot;:&quot;2022-12-15T21:47:41.255Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:1209853,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:4622011,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:4530869,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:4530869,&quot;name&quot;:&quot;myITforum&quot;,&quot;subdomain&quot;:&quot;myitforum&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;The myITforum community. Powered by you.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e57bf70e-44d6-4b6d-87b3-13e6d8fb4881_250x250.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-03-28T15:02:52.364Z&quot;,&quot;email_from_name&quot;:&quot;myITforum&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:6292288,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6167941,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6167941,&quot;name&quot;:&quot;Rod&#8217;s Fiction Universe&quot;,&quot;subdomain&quot;:&quot;rodsfictionbooks&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;This site offers all-access to my current and future fiction books. &quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf150c76-3462-4e72-9f1a-f3d507179f90_512x512.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-09-01T22:55:42.544Z&quot;,&quot;email_from_name&quot;:&quot;Rod Trent from Rod&#8217;s Fiction Books&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;magaziney&quot;,&quot;is_personal_mode&quot;:false}},{&quot;id&quot;:7024369,&quot;user_id&quot;:25142999,&quot;publication_id&quot;:6882673,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:6882673,&quot;name&quot;:&quot;PolitiBiblical&quot;,&quot;subdomain&quot;:&quot;politibiblical&quot;,&quot;custom_domain&quot;:null,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Your go-to daily newsletter that bridges the worlds of politics and biblical wisdom. In a time when headlines feel chaotic and divisive, PolitiBiblical cuts through the noise by exploring current events through the timeless lens of Scripture.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/330df65c-05ba-43b9-9bd2-9789e5fb06e5_720x720.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#FF6719&quot;,&quot;created_at&quot;:&quot;2025-11-12T12:07:45.229Z&quot;,&quot;email_from_name&quot;:null,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:&quot;Founding Member&quot;,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;enabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}}],&quot;twitter_screen_name&quot;:&quot;rodtrent&quot;,&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:100,&quot;status&quot;:{&quot;bestsellerTier&quot;:100,&quot;subscriberTier&quot;:1,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:{&quot;type&quot;:&quot;bestseller&quot;,&quot;tier&quot;:100},&quot;paidPublicationIds&quot;:[1459538],&quot;subscriber&quot;:null}},{&quot;id&quot;:115592344,&quot;name&quot;:&quot;Frank Grimberg&quot;,&quot;handle&quot;:&quot;frankgrimberg&quot;,&quot;previous_name&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23065326-db4e-4d18-b54a-b4751d05747e_144x144.png&quot;,&quot;bio&quot;:null,&quot;profile_set_up_at&quot;:null,&quot;reader_installed_at&quot;:null,&quot;publicationUsers&quot;:[{&quot;id&quot;:5852489,&quot;user_id&quot;:115592344,&quot;publication_id&quot;:1252746,&quot;role&quot;:&quot;admin&quot;,&quot;public&quot;:true,&quot;is_primary&quot;:false,&quot;publication&quot;:{&quot;id&quot;:1252746,&quot;name&quot;:&quot;THE Security Insights Show&quot;,&quot;subdomain&quot;:&quot;securityinsights&quot;,&quot;custom_domain&quot;:&quot;www.microsoftsecurityinsights.com&quot;,&quot;custom_domain_optional&quot;:false,&quot;hero_text&quot;:&quot;Hosted by Edward Walton, Frank Grimberg and Rod Trent, THE Insights Show provides conversation, information, news, tips on industry security solutions.&quot;,&quot;logo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png&quot;,&quot;author_id&quot;:25142999,&quot;primary_user_id&quot;:null,&quot;theme_var_background_pop&quot;:&quot;#BAA049&quot;,&quot;created_at&quot;:&quot;2022-12-19T16:53:21.719Z&quot;,&quot;email_from_name&quot;:&quot;THE Security Insights Show&quot;,&quot;copyright&quot;:&quot;Rod Trent&quot;,&quot;founding_plan_name&quot;:null,&quot;community_enabled&quot;:true,&quot;invite_only&quot;:false,&quot;payments_state&quot;:&quot;disabled&quot;,&quot;language&quot;:null,&quot;explicit&quot;:false,&quot;homepage_type&quot;:&quot;newspaper&quot;,&quot;is_personal_mode&quot;:false}}],&quot;is_guest&quot;:false,&quot;bestseller_tier&quot;:null,&quot;status&quot;:{&quot;bestsellerTier&quot;:null,&quot;subscriberTier&quot;:null,&quot;leaderboard&quot;:null,&quot;vip&quot;:false,&quot;badge&quot;:null,&quot;paidPublicationIds&quot;:[],&quot;subscriber&quot;:null}}],&quot;utm_campaign&quot;:null,&quot;belowTheFold&quot;:true,&quot;type&quot;:&quot;podcast&quot;,&quot;language&quot;:&quot;en&quot;,&quot;source&quot;:null}" data-component-name="EmbeddedPostToDOM"><a class="embedded-post" native="true" href="https://www.microsoftsecurityinsights.com/p/the-ai-security-insights-show-episode-f18?utm_source=substack&amp;utm_campaign=post_embed&amp;utm_medium=web"><div class="embedded-post-header"><img class="embedded-post-publication-logo" src="https://substackcdn.com/image/fetch/$s_!ZngQ!,w_56,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf84d0b-fceb-44b4-ae5f-10662ecc7e8b_500x500.png" loading="lazy"><span class="embedded-post-publication-name">THE Security Insights Show</span></div><div class="embedded-post-title-wrapper"><div class="embedded-post-title-icon"><svg width="19" height="19" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M3 18V12C3 9.61305 3.94821 7.32387 5.63604 5.63604C7.32387 3.94821 9.61305 3 12 3C14.3869 3 16.6761 3.94821 18.364 5.63604C20.0518 7.32387 21 9.61305 21 12V18" stroke-linecap="round" stroke-linejoin="round"></path>
  <path d="M21 19C21 19.5304 20.7893 20.0391 20.4142 20.4142C20.0391 20.7893 19.5304 21 19 21H18C17.4696 21 16.9609 20.7893 16.5858 20.4142C16.2107 20.0391 16 19.5304 16 19V16C16 15.4696 16.2107 14.9609 16.5858 14.5858C16.9609 14.2107 17.4696 14 18 14H21V19ZM3 19C3 19.5304 3.21071 20.0391 3.58579 20.4142C3.96086 20.7893 4.46957 21 5 21H6C6.53043 21 7.03914 20.7893 7.41421 20.4142C7.78929 20.0391 8 19.5304 8 19V16C8 15.4696 7.78929 14.9609 7.41421 14.5858C7.03914 14.2107 6.53043 14 6 14H3V19Z" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><div class="embedded-post-title"> The "AI" Security Insights Show Episode 284 - Microsoft Sentinel Pricing....it's like MAAGIC!</div></div><div class="embedded-post-body">In this episode we have the good folks from the security company - LockBase Cyber. Leonard Volling and Charlie Smith will come on and talk about their new Microsoft Sentinel pricing tool&#8230;</div><div class="embedded-post-cta-wrapper"><div class="embedded-post-cta-icon"><svg width="32" height="32" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
  <path classname="inner-triangle" d="M10 8L16 12L10 16V8Z" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
</svg></div><span class="embedded-post-cta">Listen now</span></div><div class="embedded-post-meta">5 months ago &#183; 1 like &#183; 2 comments &#183; Edward Walton, Rod Trent, and Frank Grimberg</div></a></div><h2>Things to Have</h2><p><strong><a href="https://github.com/SCStelz/security-investigator">Automated security investigation tool using Microsoft MCP Servers, GitHub Copilot, Python Modules and custom copilot-instructions</a></strong> - An investigation automation framework that combines <strong>GitHub Copilot</strong>, <strong>VS Code Agent Skills</strong>, and <strong>Model Context Protocol (MCP) servers</strong> to enable natural language security investigations. Ask questions like <em>"Investigate this user for the last 7 days"</em> or <em>"Is this IP malicious?"</em> and get comprehensive analysis with KQL queries, threat intelligence correlation, and professional reports.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/12/your-complete-guide-to-microsoft-experiences-at-rsac-2026-conference/">Your complete guide to Microsoft experiences at RSAC&#8482; 2026 Conference</a></strong> - In the agentic era, security must be ambient and autonomous, just like the AI it protects. This is our vision for security as the core primitive, woven into and around everything we build and throughout everything we do. At <a href="https://www.rsaconference.com/usa">RSAC 2026</a>, we&#8217;ll share how we are delivering on that vision through our AI-first, end-to-end, security platform that helps you protect every layer of the AI stack and secure with agentic AI.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-changing-the-account-name-entity-mapping-in-microsoft-sentinel/4489040">Update: Changing the Account Name Entity Mapping in Microsoft Sentinel</a></strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-changing-the-account-name-entity-mapping-in-microsoft-sentinel/4489040"> </a>- The upcoming update introduces more consistent and predictable entity data across analytics, incidents, and automation by standardizing how the Account Name property is populated when using UPN&#8209;based mappings in analytic rules. Going forward, Account Name property will consistently contain only the UPN prefix, with new dedicated fields added for the full UPN and UPN suffix.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/lake-only-ingestion-for-microsoft-defender-advanced-hunting-tables-is-now-genera/4494206">Lake-Only Ingestion for Microsoft Defender Advanced Hunting Tables is Now Generally Available</a></strong> - Today, we&#8217;re excited to announce the general availability (GA) of lake&#8209;only ingestion for Microsoft XDR Advanced Hunting tables into Microsoft Sentinel data lake.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218">What&#8217;s new in Microsoft Sentinel: February 2026</a></strong> - This month&#8217;s updates focus on how security teams ingest, manage, and operationalize content, with new connectors, multi-tenant content distribution capabilities, and an enhanced UEBA Essentials solution to surface high&#8209;risk behavior faster across cloud and identity environments. We&#8217;re also introducing new partner-built agentic experiences available through Microsoft Security Store, enabling customers to extend Sentinel with specialized expertise directly inside their existing workflows.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/11/the-strategic-siem-buyers-guide-choosing-an-ai-ready-platform-for-the-agentic-era/">The strategic SIEM buyer&#8217;s guide: Choosing an AI-ready platform for the agentic era</a></strong> - Organizations can choose to spend the next year tuning and integrating their SIEM stack&#8212;or simplify the architecture and let a unified platform do the heavy lifting. If they choose a platform, it should make it inexpensive to ingest and retain more telemetry, automatically shape that data into analysis&#8209;ready form, and enrich it with graph&#8209;driven intelligence so both analysts and AI can quickly understand what matters and why. <strong><a href="https://marketingassets.microsoft.com/gdc/gdcP1msgh/original">The strategic SIEM buyer&#8217;s guide</a></strong> outlines what decision&#8209;makers should look for as they build a future&#8209;ready security operations center (SOC). Read on for a preview of key concepts covered in the guide.</p><p><strong><a href="https://socautomators.substack.com/p/all-in-sentinel-data-lake">All in Sentinel data lake</a></strong> - Microsoft just made data lake tier ingestion generally available for XDR Advanced Hunting tables in Microsoft Sentinel. If you&#8217;re running Sentinel today, this changes how you should think about your data strategy. Here&#8217;s the bottom line.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/public-preview-announcement-empower-real-time-security-with-microsoft-sentinel%E2%80%99s/4483884">Public Preview Announcement: Empower Real-Time Security with Microsoft Sentinel&#8217;s CCF Push Feature</a></strong> - Today, we are excited to announce the public preview of our latest innovation, the Sentinel Codeless Connector Framework (CCF) Push feature. CCF Push addresses a critical need: enabling seamless, automated, and immediate delivery of security data to Sentinel, so teams can respond to threats as they happen.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://www.systanddeploy.com/2024/10/running-kql-queries-on-microsoft.html">Running KQL queries on Microsoft Defender for Endpoint through Azure Automation</a></strong> - In this post we will see how to run KQL queries on a Microsoft Defender for Endpoint through Azure Automation, PowerShell. and Graph API</p><h2>Defender for IoT Things</h2><p><strong>Preview and edit the devices list during the site set up process - </strong>Before completing the site association process, preview the list of devices you have chosen to associate with the site, and remove any devices that aren&#8217;t to be included in this site. For more information, see <a href="https://learn.microsoft.com/en-us/defender-for-iot/set-up-sites#preview-devices">preview devices</a>.</p><p><strong>Manually update the site association of a device - </strong>Manually assign or modify the site location for a specific device or set of devices. For more information, see <a href="https://learn.microsoft.com/en-us/defender-for-iot/manage-sites#manually-update-device-site-association">manually update device site association</a>.</p><h2>Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/microsoft-entra-agent-id-explained/4494408">Microsoft Entra Agent ID explained</a></strong> - Control AI agents as they are created across your environment by treating them like real identities with Microsoft Entra Agent ID.</p><h2>Defender XDR Things</h2><p><strong><a href="https://socautomators.substack.com/p/new-builtin-alert-tuning-rules-in">New built&#8209;in Alert Tuning rules in Defender</a></strong> - We&#8217;ve often talked about alert fatigue here on the socautomators blog and how too many alerts create<a href="https://socautomators.substack.com/p/automate-your-soc-noise-is-the-enemy"> noise which can be the enemy of speed</a>. The new built&#8209;in alert tuning rules in Defender XDR improve how alerts are processed. These rules are meant to help analysts focus on the alerts most likely to require action, while automated triage runs behind the scenes. Starting in late January 2026, the alert tuning experience became available. On February 5, 2026 the functionality became active.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/from-signal-to-strategy-closing-attack-paths-with-identity-intelligence/4491856">From signal to strategy: Closing attack paths with identity intelligence</a></strong> - Today we are excited to share more about how Microsoft Defender can help security professionals proactively understand how identity-related risks, like leaked credentials, relate back to critical assets, helping security professionals proactively close potential entry points before they can be exploited.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/">Manipulating&nbsp;AI memory&nbsp;for&nbsp;profit: The rise of&nbsp;AI&nbsp;Recommendation Poisoning</a></strong> - Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call <strong>AI Recommendation Poisoning</strong>.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://medium.com/@marcoOesterlin/bringing-ai-powered-data-classification-for-microsoft-fabric-assets-in-microsoft-purview-unified-ed2e2c44dd89">Bringing AI-Powered Data Classification for Microsoft Fabric assets in Microsoft Purview Unified&#8230;</a></strong> - Microsoft Purview Unified Catalog offers automatic classification for Azure SQL databases and storage accounts. Run a scan with Scan rule sets (classification rules enabled), and the system detects patterns. Email addresses get email classifications, credit card numbers get credit card classifications. It works out of the box. For Microsoft Fabric lakehouse tables? No automatic classification. Microsoft Purview catalogs the assets and schemas, but classifications remain empty.</p><div id="youtube2-zEfyTBmGh9I" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;zEfyTBmGh9I&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/zEfyTBmGh9I?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #61]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-599</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-599</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 06 Feb 2026 12:30:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mIKr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!mIKr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!mIKr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 424w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 848w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 1272w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!mIKr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png" width="1024" height="594" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:594,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:642199,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/186187875?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!mIKr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 424w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 848w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 1272w, https://substackcdn.com/image/fetch/$s_!mIKr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa02f74bd-247b-4bd0-ad94-4259f1a4d36f_1024x594.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Thanks all to your comments and well wishes with the recent loss of my stepmom. You all are wonderful. This community is amazing!</p><p>&#8230;</p><p><strong>Exciting Update: Must Learn KQL Goes Mobile!</strong></p><p>After the smash-hit launch of the <a href="https://rodtrent.substack.com/p/introducing-the-must-learn-kql-learning">desktop app for Must Learn KQL</a>, I&#8217;m thrilled to invite you to beta test the iOS mobile version! Co-developed with the talented <a href="https://www.linkedin.com/in/546f627947/">Toby G.</a>, this app packs 21 interactive lessons, live query practice against real data, quizzes, progress tracking, and even Game Center leaderboards to make mastering Kusto Query Language fun and competitive.</p><p>Whether you&#8217;re a security pro hunting threats in Microsoft Sentinel or an analyst diving into Azure Data Explorer, it&#8217;s your on-the-go guide from beginner to expert. Beta testing runs 3-4 weeks&#8212;join now via TestFlight: <a href="https://testflight.apple.com/join/cyAUvWyw">https://testflight.apple.com/join/cyAUvWyw</a> and help shape the future of KQL learning!</p><p>&#8230;</p><p>Looking for an exciting career in cybersecurity? My good friends at Invoke have an opening for a <strong>Cloud Solution Architect &#8211; Threat Protection</strong>.</p><p>Invoke is a fantastic company to work for&#8212;after all, who wouldn&#8217;t want to join the team that clinched the <a href="https://www.invokellc.com/news-posts/invoke-recognized-as-a-microsoft-security-excellence-awards-winner-for-security-services-partner-of-the-year">Microsoft Security Excellence Awards for Security Services Partner of the Year</a>? As a Microsoft System Integrator with specialized partnerships, Invoke is at the forefront of threat protection, identity management, and AI-driven solutions. In their Cloud Solution Architect &#8211; Threat Protection role (remote, based in Houston, TX), you&#8217;ll lead enterprise implementations using cutting-edge Microsoft tools like Defender XDR, Sentinel, and Security Copilot, collaborating with top stakeholders to harden security postures and drive innovation.</p><p>Check out the job description and apply here: <a href="https://invoke.rippling-ats.com/job/983633/cloud-solution-architect-threat-protection?s=lim">https://invoke.rippling-ats.com/job/983633/cloud-solution-architect-threat-protection</a></p><p>&#8230;</p><p>That&#8217;s it from me for this week. Have a great week ahead!</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things to Watch</h2><div id="youtube2-dJrctpL5E1I" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;dJrctpL5E1I&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/dJrctpL5E1I?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/">Infostealers without borders: macOS, Python stealers, and platform abuse</a></strong> - Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS targeted infostealer campaigns using social engineering techniques&#8212;including ClickFix-style prompts and malicious DMG installers&#8212;to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS).</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/cloud-forensics-forensic-readiness-and-incident-response-in-azure-virtual-deskto/4488274">Cloud forensics: Forensic readiness and incident response in Azure Virtual Desktop</a></strong> - Azure Virtual Desktop (AVD) has rapidly become a core tool for enabling remote work at scale. Consequently, it&#8217;s also emerging as a target for threat actors. Recent Microsoft Incident Response engagements show that threat actors are exploiting AVD deployments for lateral movement and persistence. By hijacking legitimate AVD user accounts, they gain what is essentially a trusted &#8220;endpoint&#8221; inside the network without having to install malware.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/03/microsoft-sdl-evolving-security-practices-for-an-ai-powered-world/">Microsoft SDL: Evolving security practices for an AI-powered world</a></strong> - As AI reshapes the world, organizations encounter unprecedented risks, and security leaders take on new responsibilities. <a href="https://www.microsoft.com/en-us/securityengineering/sdl/?msockid=2e8921989a7365e81a5432639bc9644d">Microsoft&#8217;s Secure Development Lifecycle</a> (SDL) is expanding to address AI-specific security concerns in addition to the traditional software security areas that it has historically covered.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/04/detecting-backdoored-language-models-at-scale/">Detecting backdoored language models at scale</a></strong> - Today, we are releasing new research on detecting backdoors in open-weight language models. Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/nonprofittechies/how-nonprofits-can-strengthen-cybersecurity-with-small-steps-that-make-a-big-dif/4491585">How Nonprofits Can Strengthen Cybersecurity with Small Steps (That Make a Big Difference)</a></strong> - Nonprofits are often stretched thin&#8212;limited budgets, diverse users, and critical missions. But that doesn&#8217;t mean cybersecurity has to be overwhelming. In fact, some of the most effective protections are simple, affordable, and accessible to organizations of any size.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/05/the-security-implementation-gap-why-microsoft-is-supporting-operation-winter-shield/">The security implementation gap: Why Microsoft is supporting Operation Winter SHIELD</a></strong> - Every conversation I have with information security leaders tends to land in the same place. People understand what matters. They know the frameworks, the controls, and the guidance. They can explain why identity security, patching, and access control are critical. And yet incidents keep happening for the same reasons.</p><h2>Things for Partners</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/partnernews/february-update-whats-new-in-security-for-partners/4490493">February update: What&#8217;s new in Security for Partners</a></strong></p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://secbyte.in/2026/02/04/microsoft-sentinel-storage-explained-analytics-tier-vs-data-lake-vs-data-archive/">Microsoft Sentinel Storage Explained: Analytics Tier vs Data Lake vs Data Archive</a></strong> - Microsoft documentation explains <em>what each option is</em>, but it does <strong>not</strong> provide a <strong>clear, operational framework</strong> for deciding <strong>where each log or table should live</strong> in real-world Sentinel environments.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-agentic-soc-era-how-sentinel-mcp-enables-autonomous-security-reasoning/4491003">The Agentic SOC Era: How Sentinel MCP Enables Autonomous Security Reasoning</a></strong> - <a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-sentinel-mcp-server---generally-available-with-exciting-new-capabiliti/4470125">Microsoft Sentinel MCP Server</a>, now generally available, augments analysts with intelligence that can reason across signals, automate investigations, and surface what truly matters. AI helps Security Operations Center (SOCs) move faster, reduce fatigue, and measurably improve the security posture of the organization.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-microsoft-copilot-data-connector-for-microsoft-sentinel-is-now-in-public-pre/4491986">The Microsoft Copilot Data Connector for Microsoft Sentinel is Now in Public Preview</a></strong> - We are happy to announce a new data connector that is available the public: the Microsoft Copilot data connector for Microsoft Sentinel. The new Microsoft Copilot data connector will allow for audit logs and activities generated by different offerings of Copilot to be ingested into Microsoft Sentinel and Microsoft Sentinel data lake. This allows for Copilot activities to be leveraged within Microsoft Sentinel features such as analytic rules/custom detections, Workbooks, automation, and more. This also allows for Copilot data to be sent to Sentinel data lake, which opens the possibilities for integrations with <a href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-overview?tabs=defender">custom graphs</a>, <a href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-overview">MCP server</a>, and more while offering lower cost ingestion and longer retention as needed.</p><p><strong><a href="https://secbyte.in/2025/09/26/automating-azure-vm-arc-server-data-collection-rule-association-with-powershell/">Automating Azure VM &amp; Arc Server Data Collection Rule Association with PowerShell</a></strong> - In Microsoft Sentinel or Azure Monitor deployments, onboarding virtual machines and Arc-enabled servers to <strong>Data Collection Rules (DCRs)</strong> is a key step. Doing this manually for dozens (or hundreds) of machines is time-consuming and error-prone.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/MicrosoftDefenderCloudBlog/architecting-trust-a-nist-based-security-governance-framework-for-ai-agents/4490556">Architecting Trust: A NIST-Based Security Governance Framework for AI Agents</a></strong> - As artificial intelligence evolves from simple chatbots to autonomous agents capable of making decisions and taking action, the need for robust security governance has never been greater. This blog explores how organizations can architect trust in the age of AI agents by leveraging the NIST AI Risk Management Framework and the Microsoft Foundry ecosystem. Whether you&#8217;re a security leader, developer, or business stakeholder, you&#8217;ll discover practical strategies to manage risk, ensure compliance, and build resilient, trustworthy AI solutions.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/extending-defender%E2%80%99s-ai-threat-protection-to-microsoft-foundry-agents/4491927">Extending Defender&#8217;s AI Threat Protection to Microsoft Foundry Agents</a></strong> - Today&#8217;s blog post introduces new capabilities to strengthen the security and governance of AI agents using Microsoft Foundry Agent Service and explores how Microsoft Defender helps organizations secure Foundry agents as they move from experimentation to production.</p><h2>Defender XDR Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/splitting-single-tenant-microsoft-defender-xdr-sentinel-logs-in-multiple-company/4488251">Splitting single-tenant Microsoft Defender XDR Sentinel logs in multiple company scenarios</a></strong> - If we connect all the company-specific Sentinel workspaces to the same tenant, they will all get the same data, seeing each other&#8217;s sensitive data and multiplying ingestion costs across all companies. The following sections describe a simple, yet effective solution for this problem, leveraging Log Analytics workspace transformations and some simple KQL query statements.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/30/case-study-securing-ai-application-supply-chains/">Case study: Securing AI application supply chains</a></strong> - The rapid adoption of AI applications, including agents, orchestrators, and autonomous workflows, represents a significant shift in how software systems are built and operated. Unlike traditional applications, these systems are active participants in execution. They make decisions, invoke tools, and interact with other systems on behalf of users. While this evolution enables new capabilities, it also introduces an expanded and less familiar attack surface.</p><h2>Microsoft Defender Experts Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/">New Clickfix variant &#8216;CrashFix&#8217; deploying Python Remote Access Trojan</a></strong> - In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims&#8217; browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/general-availability-of-microsoft-purview-ediscovery-graph-api-for-e3-customers/4489678">General Availability of Microsoft Purview eDiscovery Graph API for E3 Customers</a></strong> - As of December 1<sup>st</sup>, 2025, the Microsoft Purview eDiscovery Graph API Standard hit General Availability (GA). It provides a programmatic way to manage eDiscovery cases, searches, holds, and exports for organizations that have only M365 E3 licenses. It extends automation capabilities that were previously exclusive to eDiscovery Premium customers with M365 E5 (or equivalent add-on SKU) licenses.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/building-secure-enterprise-ready-ai-agents-with-purview-sdk-and-agent-framework/4492356">Building Secure, Enterprise Ready AI Agents with Purview SDK and Agent Framework</a></strong> - At Microsoft Ignite, we announced the <strong>public preview of Purview integration with the Agent Framework SDK</strong>&#8212;making it easier to build AI agents that are secure, compliant, and enterprise&#8209;ready from day one. AI agents are quickly moving from demos to production. They reason over enterprise data, collaborate with other agents, and take real actions. As that happens, one thing becomes non&#8209;negotiable: <strong>Governance has to be built in. </strong>That&#8217;s where Purview SDK comes in.</p><div id="youtube2-yZQKnvSV3B0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;yZQKnvSV3B0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/yZQKnvSV3B0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div id="youtube2-RQiMUOIWaWQ" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;RQiMUOIWaWQ&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/RQiMUOIWaWQ?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div id="youtube2-eqwaiOIUa0Q" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;eqwaiOIUa0Q&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/eqwaiOIUa0Q?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmissioncriticalblog/conditional-access-for-canvas-apps-with-entra/4490854">Conditional Access for Canvas Apps with Entra</a></strong> - Not all Canvas Apps require the same level of protection. Here we dive into how Conditional Access lets Power Platform admins apply the right security to the right app, with a step-by-step example of enforcing access policies using Entra ID and PowerShell.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #60]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-26c</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-26c</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 30 Jan 2026 12:31:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!jffj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jffj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jffj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 424w, https://substackcdn.com/image/fetch/$s_!jffj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 848w, https://substackcdn.com/image/fetch/$s_!jffj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 1272w, https://substackcdn.com/image/fetch/$s_!jffj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jffj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png" width="1024" height="755" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:755,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:943526,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/185469489?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!jffj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 424w, https://substackcdn.com/image/fetch/$s_!jffj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 848w, https://substackcdn.com/image/fetch/$s_!jffj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 1272w, https://substackcdn.com/image/fetch/$s_!jffj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ef79fad-f961-4e52-ab07-9793135802a6_1024x755.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Before we jump into this week&#8217;s updates, I want to share something a little more personal.</p><p>This past week, my stepmom passed away. Our family is still very much in the middle of navigating all the things that come with that&#8212;grief, logistics, and those quiet moments where life just feels heavier than usual. It&#8217;s been a reminder of how much happens behind the scenes for all of us, even as work and deadlines keep moving forward.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>This community continues to be a bright spot and a grounding force for me, and I&#8217;m grateful for the patience, kindness, and understanding that show up here in big and small ways.</p><p>With that, let&#8217;s turn our focus to what&#8217;s ahead. Below you&#8217;ll find the latest updates, resources, and highlights from across the community&#8212;what&#8217;s new, what&#8217;s coming, and where you may want to lean in over the weeks ahead.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/26/security-strategies-for-safeguarding-governmental-data/">Security strategies for safeguarding governmental data</a></strong> - <em>The Deputy CISO blog series is where <a href="https://www.microsoft.com/en-us/security/blog/topic/office-of-the-ciso/">Microsoft Deputy Chief Information Security Officers</a> (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more.</em> <em>In this blog you will hear directly from Microsoft&#8217;s Deputy Chief Information Security Officer (CISO) for Government and Trust, Tim Langan, about our mindset concerning cyber defense for government spaces.</em></p><p><strong><a href="https://rodtrent.substack.com/p/beware-the-reprompt-attack-how-one">Beware the Reprompt Attack: How One Click Could Expose Your Data</a></strong> - Security experts at Varonis Threat Labs have dubbed this exploit &#8220;Reprompt,&#8221; and it&#8217;s as clever as it is concerning. Essentially, attackers can craft a seemingly innocent Copilot link&#8212;perhaps shared via email or chat&#8212;that embeds hidden instructions. Once you click it, Copilot springs into action, processing those commands in the background using your active Microsoft account session.</p><h2>Things to Have</h2><p><strong><a href="https://github.com/markolauren/ResponseMCP">Response MCP server for Agentic SOC</a></strong> - This MCP server exposes Microsoft Defender XDR capabilities as tools for agentic SecOps workflows. Security analysts use natural language through orchestrators like GitHub Copilot to manage incidents, isolate compromised devices, run antivirus scans, collect forensic packages, and execute incident response actions.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464">UPDATE: New timeline for transitioning Sentinel experience to Defender portal</a></strong> - To reduce friction and support customers of all sizes, we are extending the sunset date for managing Microsoft Sentinel in the Azure portal to <strong>March 31, 2027</strong>. This additional time ensures customers can transition confidently while taking advantage of new capabilities that are becoming available in the Defender portal.</p><p><strong><a href="https://socautomators.substack.com/p/livestream-in-sentinel-retiring-in">Livestream in Sentinel retiring in March 2026</a></strong> - Livestream was built for real&#8209;time query execution and portal notifications. Sadly, this approach had a few inherent limitations, such as limited notification reach, non-persistent query results, and a lack of collaboration and integration with other tools.</p><p><strong><a href="https://www.hanley.cloud/2026-01-25-KQL-Toolbox-5-Phishing-&amp;-Malware-Hunting/">&#128736;&#65039; Kql Toolbox #5: Phishing &amp; Malware Hunting</a></strong><a href="https://www.hanley.cloud/2026-01-25-KQL-Toolbox-5-Phishing-&amp;-Malware-Hunting/"> </a>- Once you&#8217;ve got data quality, cost, and delta analysis in your toolkit, one question always pops up: <em>&#8220;Okay&#8230; now what threats are actually showing up in my telemetry?&#8221;</em> This is where <strong>phishing and malware hunting</strong> steps in&#8230; Email is the #1 vector in most real-world intrusions. Whether it&#8217;s a clever social-engineering campaign or a payload-laden attachment trying to evade detection, getting fast, prioritized insight into who is being targeted, who the most aggressive senders are, and which users or domains are seeing the most malicious activity is mission-critical for defenders.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/advance-your-soc-skills-with-the-power-of-microsoft-sentinel-data-lake-and-graph/4489349">Advance Your SOC Skills with the Power of Microsoft Sentinel data lake and graph</a></strong> - Microsoft Sentinel has evolved beyond a traditional SIEM into a unified, AI-ready security platform that brings data, analytics, intelligence, and automation together. At the core are Microsoft Sentinel data lake and Microsoft Sentinel graph: data lake enables long-term retention and high-scale analytics, and graph adds entity relationships to speed investigations. We have updated skilling to reflect these changes, so defenders can build the right hands-on skills faster.</p><p><strong><a href="https://techcommunity.microsoft.com/discussions/microsoftthreatprotection/integrating-proofpoint-and-mimecast-email-security-with-microsoft-sentinel/4490093#M2623">Integrating Proofpoint and Mimecast Email Security with Microsoft Sentinel</a></strong> - Microsoft Sentinel can ingest rich email security telemetry from Proofpoint and Mimecast to power advanced phishing detection. The <strong>Proofpoint On Demand (POD) Email Security</strong> and <strong>Proofpoint Targeted Attack Protection (TAP)</strong> connectors pull threat logs (quarantines, spam, phishing attempts) and user click data into Sentinel. Similarly, the <strong>Mimecast Secure Email Gateway</strong> connector ingests detailed mail flow and targeted-threat logs (attachment/URL scans, impersonation events). These integrations use Azure-hosted ingestion (via Logic Apps or Azure Functions) and the new <em>Codeless Connector</em> framework to call vendor APIs on a schedule. The result is a consolidated dataset in Sentinel&#8217;s Log Analytics, enabling correlated alerting and hunting across email, identity, and endpoint signals.&#8239;</p><p><strong><a href="https://learn.microsoft.com/en-us/azure/sentinel/whats-new?tabs=defender-portal#ueba-behaviors-layer-aggregates-actionable-insights-from-raw-logs-in-near-real-time-preview">UEBA behaviors layer aggregates actionable insights from raw logs in near-real time (Preview) </a>- </strong>Microsoft Sentinel introduces a UEBA behaviors layer that transforms high-volume, low-level security logs into clear, human-readable behavioral insights in the Defender portal. This AI-powered capability aggregates and sequences raw events from supported data sources into normalized behaviors that explain &#8220;who did what to whom&#8221; with MITRE ATT&amp;CK context.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftmissioncriticalblog/microsoft-sentinel-and-dataverse-integration/4490198">Microsoft Sentinel and Dataverse Integration</a></strong> - By streaming Dataverse audit logs into Sentinel, organizations gain centralized visibility into Power Platform activity and can leverage Sentinel&#8217;s analytics and automation to rapidly detect suspicious behavior and enhance governance.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#microsoft-security-private-link-preview">Microsoft Security Private Link (Preview) </a>- </strong>Microsoft Defender for Cloud is announcing Microsoft Security Private Link in Preview. Microsoft Security Private Link enables private connectivity between Defender for Cloud and your workloads. The connection is established by creating private endpoints in your virtual network, allowing Defender for Cloud traffic to remain on the Microsoft backbone network and avoid exposure to the public internet. Private endpoints are currently supported for the Defender for Containers plan.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.itprofessor.cloud/threat-analytics-microsoft-defender/">Threat Analytics in Microsoft Defender: Complete Guide</a></strong> - All right class. You&#8217;re doing your SOC investigations at 3 pm Tuesday. A threat report drops that a Chinese state-backed group is hitting financial services with a zero-day. Your boss asks: &#8220;Are we vulnerable? What do we do?&#8221; If you don&#8217;t have Threat Analytics, you&#8217;re googling. You&#8217;re piecing together vendor reports. You&#8217;re trying to correlate what you read with what&#8217;s actually in your environment. It will take quite a while to tie all of those pieces together.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/29/turning-threat-reports-detection-insights-ai/">Turning threat reports into detection insights with AI</a></strong> - Security teams routinely need to transform unstructured threat knowledge, such as incident narratives, red team breach-path writeups, threat actor profiles, and public reports into concrete defensive action. The early stages of that work are often the slowest. These include extracting tactics, techniques, and procedures (TTPs) from long documents, mapping them to a standard taxonomy, and determining which TTPs are already covered by existing detections versus which represent potential gaps.</p><h2>Defender for Identity Things</h2><p><strong>Identity inventory enhancements are now generally available</strong></p><ul><li><p><strong>Accounts tab in Identity Inventory</strong>: The new <strong>Accounts</strong> tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see <a href="https://learn.microsoft.com/en-us/defender-for-identity/manage-related-identities-accounts">Manage related identities and accounts</a>.</p></li><li><p><strong>Manually link and unlink accounts</strong>: Manually link or unlink accounts from an identity directly in the <strong>Accounts</strong> tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see <a href="https://learn.microsoft.com/en-us/defender-for-identity/manage-related-identities-accounts">Manage related identities and accounts</a>.</p></li><li><p><strong>Identity-level remediation actions</strong>: You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see <a href="https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#roles-and-permissions">Remediation actions</a>.</p></li><li><p><strong>New advanced hunting table</strong>: Advanced hunting in Microsoft Defender now includes the <strong><a href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-identityaccountinfo-table">IdentityAccountInfo</a></strong> table. This table provides account information from various sources, including Microsoft Entra ID, and links to the identity that owns the account.</p></li></ul><h2>Defender for Cloud Apps Things</h2><p><strong><a href="https://learn.microsoft.com/en-us/defender-cloud-apps/release-notes#workday-connector-updated-to-least-privilege-permission-model">Workday connector updated to least-privilege permission model</a> - </strong>The Workday connector now requires only &#8220;View&#8221; permissions to function. We have removed the &#8220;Modify&#8221; permission requirement to better align with the principle of least privilege. While existing configurations will continue to work, admins are encouraged to update the Workday account settings to remove these unnecessary rights as a security best practice.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://annabordioug.com/2026/01/24/deploying-purview-data-loss-prevention-for-microsoft-365/">Deploying Purview Data Loss Prevention for Microsoft 365</a></strong> - In this blog, we&#8217;ll be discussing deploying Purview DLP for Microsoft 365 workloads, including common deployment use cases, policy configuration, and some limitations to be aware of.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-data-security-investigations-is-now-generally-available/4489363">Microsoft Purview Data Security Investigations is now generally available</a></strong> - Microsoft Purview Data Security Investigations enables data security teams to <strong>identify investigation-relevant data, investigate that data with AI-powered deep content analysis</strong>, and <strong>mitigate risk </strong>&#8212; all within one unified solution. Teams can quickly analyze data at scale to surface sensitive data and security risks, then collaborate securely to address them. By streamlining complex, time&#8209;consuming investigative workflows, admins can resolve investigations in hours instead of weeks or months.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/29/new-microsoft-data-security-index-report-explores-secure-ai-adoption-to-protect-sensitive-data/">New Microsoft Data Security Index report explores secure AI adoption to protect sensitive data</a></strong> - Generative AI and agentic AI are redefining how organizations innovate and operate, unlocking new levels of productivity, creativity and collaboration across industry teams. From accelerating content creation to streamlining workflows, AI offers transformative benefits that empower organizations to work smarter and faster. These capabilities, however, also introduce new dimensions of data risk&#8212;as AI adoption grows, so does the urgency for effective data security that keeps pace with AI innovation. In the <a href="https://info.microsoft.com/ww-landing-data-security-index-2026.html?lcid=en-us">2026 Microsoft Data Security Index</a> report, we explored one of the most pressing questions facing today&#8217;s organizations: <strong>How can we harness the power of AI while safeguarding sensitive data?</strong></p><h2>Defender for Office Things</h2><p><strong>Block communication from sender email address and domains in Teams</strong>: Admins can directly block <a href="https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-teams-domains-configure">malicious domains and email addresses</a> from within the Microsoft Defender portal, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains and users list. This capability enables near real-time protection. When suspicious or abusive external organizations are identified, SOC teams can immediately block them, effectively halting new external chat messages, invites, and channel communications from those domains and senders while deleting existing ones.</p><p><strong>Expanding ZAP and Teams Admin quarantine to Plan 1</strong>: <a href="https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge#zero-hour-auto-purge-zap-in-microsoft-teams">Zero-hour-auto-purge (ZAP)</a> and <a href="https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-microsoft-teams-quarantined-messages">admin management of quarantined Teams messages</a> is available to Microsoft Defender for Plan 1 by default, bringing a post-delivery protection layer.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/conditional-access-for-agent-identities-in-microsoft-entra/4489915">Conditional Access for Agent Identities in Microsoft Entra</a></strong> - Conditional Access for Agent Identities in Microsoft Entra extends Zero Trust principles to non&#8209;human identities by enforcing policy based access controls for agents, applications, and automated workloads. It ensures agent access is continuously evaluated based on identity, risk, and context before granting access to enterprise resources.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #59]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-170</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-170</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 23 Jan 2026 12:31:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!HYS9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HYS9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HYS9!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HYS9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg" width="1024" height="754" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:754,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:121917,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/184687981?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HYS9!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HYS9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b880d0d-b415-44ec-b80e-67229805e52f_1024x754.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>It&#8217;s been a week. Here at the Trent household, we&#8217;re dealing with loss. As of today, my stepmom has not passed yet, but its expected soon.</p><p>Judy Trent was an amazing woman. She entered our lives as my stepmom but became so much more&#8212;a loving grandmother to every one of my children, wrapping them in her warmth and wisdom without hesitation. This week, as we said goodbye, my heart still aches for the light she&#8217;s taken with her, but it overflows with gratitude for the legacy she&#8217;s left behind. She touched countless lives with her kindness, her laughter, and her unyielding spirit, inspiring all who knew her to live a little fuller, love a little deeper.</p><p>We were so profoundly blessed to know her and to be loved by her&#8212;her heart held love for everyone she met, but as her family, we were doubly blessed, cherished in a way that made us feel truly seen and adored.</p><p>She is loved beyond words, treasured in every memory, and forever etched in our hearts. The world is brighter because of her.</p><p>There&#8217;s sadness for sure, but there&#8217;s joy in that we know where she ended up and that her impact and influence on us, my kids, and my grandkids will be seen throughout all the threads of their lives. That&#8217;s a true legacy. Knowing that you can leave things about yourself that make others better. It&#8217;s not about a career, or things, it&#8217;s about that you left this world better than when you came into it.</p><p>&#8230;</p><p><em><strong>Marco needs your feedback.</strong></em></p><p>In our ongoing mission to foster collaboration and innovation in the security space, I wanted to spotlight a call for community input from Marco Osterlin. He&#8217;s been hard at work on tools to streamline Unified Catalog management in Microsoft Purview, and he&#8217;s eager for feedback from fellow data stewards and security pros to shape his latest open-source prototype.</p><p>Marco shared details in his recent LinkedIn post, including a look back at last year&#8217;s API-driven Curation Portal and a sneak peek at the new, more user-friendly UI. He&#8217;s specifically asking: What features would make your day-to-day catalog management smoother&#8212;think bulk operations, integrations, or anything else that tackles real-world pain points?</p><p>Head over to his original post here: <a href="https://www.linkedin.com/posts/marco-oesterlin_i-need-community-feedback-last-year-i-was-activity-7419695413978554369-3Xyu?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAAr-PkBnqM9D2sADP7g3RliFvu1W8JaKKc">https://www.linkedin.com/posts/marco-oesterlin_i-need-community-feedback-last-year-i-was-activity-7419695413978554369-3Xyu?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAAr-PkBnqM9D2sADP7g3RliFvu1W8JaKKc</a></p><p>Drop your ideas directly in the comments there, or reply to this newsletter thread. Your insights could directly influence the next evolution of these tools, helping us all enhance data governance and security postures. Let&#8217;s rally around Marco and build something awesome together!</p><p>&#8230;</p><p>Exciting news for fans of cybersecurity discussions: Substack has just rolled out a brand-new TV app in beta, making it easier than ever to enjoy video content from your favorite creators right on your big screen. Launched today, the app is available for Apple TV, Google TV, and Android TV devices. Simply search for &#8220;Substack&#8221; in your TV&#8217;s app store&#8212;whether it&#8217;s the Apple App Store for Apple TV or the Apps section for Google and Android TV&#8212;and download it to get started. This move expands Substack&#8217;s reach beyond mobile and web, allowing subscribers to stream videos and live broadcasts comfortably from their living rooms.</p><p>For subscribers to <em>THE Security Insights Show</em> (hosted by Edward Walton, Frank Grimberg, and Rod Trent at <a href="https://www.microsoftsecurityinsights.com/">https://www.microsoftsecurityinsights.com/</a>), this means you can now catch the weekly episodes on your TV. The show delivers in-depth conversations, the latest news, practical tips, and insights into Microsoft security solutions and broader industry trends&#8212;all in video format. Recent episodes, like Episode 283 on the AI revolution in cybersecurity, are streamed live and available on-demand, blending expert analysis with engaging dialogue. With over 6,000 subscribers already tuning in, the show&#8217;s video podcast style is perfect for TV viewing, whether you&#8217;re settling in for a full episode or catching up on highlights.</p><p>To watch, log in to the Substack TV app with your account details. Your subscriptions will sync seamlessly, giving you access to <em>THE Security Insights Show</em>&#8216;s content matched to your free or paid tier. No more huddling around a phone or laptop&#8212;lean back and dive into the world of cybersecurity from the comfort of your couch. If you&#8217;re not subscribed yet, head over to the site and join the community for weekly updates that keep you ahead in the ever-evolving security landscape.</p><p>&#8230;</p><p>That&#8217;s it from me for this week. Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://socautomators.substack.com/p/vibe-coding-for-security-operations">Vibe Coding for Security Operations</a></strong> - We all have that list. The mental inventory of things that should exist but don&#8217;t. The hunt that would catch lateral movement. The automation that enriches alerts with threat intel in real time. The dashboard that finally makes sense without seventeen manual steps.</p><p><strong><a href="https://www.hanley.cloud/2026-01-18-KQL-Toolbox-4-What-Changed-Finding-Log-Sources-with-the-Biggest-Delta-in-Volume-&amp;-Cost/">&#128736;&#65039; Kql Toolbox #4: What Changed? Finding Log Sources With The Biggest Delta In Volume &amp; Cost</a></strong> - In <strong>KQL Toolbox #1</strong>, we learned how to measure Microsoft Sentinel ingest and translate it into real dollars. In <strong>KQL Toolbox #2</strong>, we identified which data sources were driving that cost. And in <strong>KQL Toolbox #3</strong>, we drilled all the way down to specific Event IDs, accounts, and devices generating noise.</p><p><strong><a href="https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#migrate-from-the-older-apis">Migrate from the older APIs</a> - </strong>The advanced hunting APIs in Microsoft Graph replace the older version of the API that was available through the <code>https://api.security.microsoft.com/api/advancedhunting/run</code> and <code>https://api.security.microsoft.com/api/advancedqueries/run</code> endpoints. The older APIs are now retired and will stop returning data on February 1, 2027.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/21/multistage-aitm-phishing-bec-campaign-abusing-sharepoint/">Resurgence of a multi&#8209;stage AiTM phishing and BEC campaign abusing SharePoint</a></strong> - Microsoft Defender Researchers uncovered a multi&#8209;stage adversary&#8209;in&#8209;the&#8209;middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. The campaign abused SharePoint file&#8209;sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness. The attack transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations.</p><h2>Things to Watch/Listen To</h2><div id="youtube2-nrE9govXhJY" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;nrE9govXhJY&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/nrE9govXhJY?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://kqlquery.com/posts/monitor-new-actions-sentinel-defender-xdr/">Monitor New Actions in Sentinel &amp; Defender XDR (V2)</a></strong><a href="https://kqlquery.com/posts/monitor-new-actions-sentinel-defender-xdr/"> </a>- Monitoring new actions in Microsoft Sentinel and Defender XDR is critical for continuously evaluating new possibilities to detect attacks and coverage. Last year I shared a solution to monitor for these new actions in Microsoft Sentinel and Microsoft Defender XDR (Blog: <a href="https://kqlquery.com/posts/monitor-new-actions/">Monitor For New Actions In Sentinel And MDE</a>). With the introduction of the Unified Security Operations Platform, the <a href="https://kqlquery.com/posts/hunting-api-kql/">API support</a> to run hunting queries has changed. Because of this, the original solution was due for an upgrade not only in the way it collected logs, but also to include support for very large environments.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/automating-microsoft-sentinel-a-blog-series-on-enabling-smart-security/4487260">Automating Microsoft Sentinel: A blog series on enabling Smart Security</a></strong> - Learn how to use automation tools and techniques to make your security operations awesome right away with Microsoft Sentinel. Welcome to the fourth entry of our blog series on automating Microsoft Sentinel. My apologies for how long it has taken to get this post completed and published.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/accelerate-your-move-to-microsoft-sentinel-with-the-new-ai-powered-siem-migratio/4488505">Accelerate your move to Microsoft Sentinel with the new AI Powered SIEM migration experience</a></strong> - Migrating from one SIEM to another is a critical decision&#8212;and often one of the hardest to execute. Legacy SIEM migrations are complex, resource-heavy, and time-consuming, often taking up to 15 months with extensive manual effort and cross-team coordination. Organizations face hurdles like multi-phased processes, translating and validating hundreds of detection rules, mapping diverse data sources, and maintaining operational continuity. These challenges have historically slowed cloud adoption and driven up migration costs.</p><h2>Defender for Endpoint Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/determine-defender-for-endpoint-offboarding-state-for-linux-devices/4488207">Determine Defender for Endpoint offboarding state for Linux devices</a></strong> - Similarly with Windows endpoints, in Defender for Endpoint for Linux, one of the key states to understand about your endpoints is, the offboarding state. In this state, machines are no longer reporting MDE telemetry to Defender portal and if another AV/AM solution is in place, the Defender Antivirus component needs to be switched to a passive mode to prevent performance issues at the endpoint if two AV solutions are running in active mode.</p><h2>Defender XDR Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/21/new-era-of-agents-new-era-of-posture/">A new era of agents, a new era of posture</a></strong> - The rise of AI Agents marks one of the most exciting shifts in technology today. Unlike traditional applications or cloud resources, these agents are not passive components- they reason, make decisions, invoke tools, and interact with other agents and systems on behalf of users. This autonomy brings powerful opportunities, but it also introduces a new set of risks, especially given how easily AI agents can be created, even by teams who may not fully understand the security implications.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-data-risk-assessments-m365-vs-fabric/4487222">Microsoft Purview Data Risk Assessments: M365 vs Fabric</a></strong> - Generative AI changes the oversharing equation. It can surface data faster, to more people, with less friction, which means existing permission mistakes become more visible, more quickly. Microsoft Purview Data Risk Assessments are designed to identify and help you remediate oversharing risks before (or while) AI experiences like Copilot and analytics copilots accelerate access patterns.</p><p><strong><a href="https://techcommunity.microsoft.com/blog/azurepurviewblog/data-security-posture-management-for-ai/4484148">Data Security Posture Management for AI</a></strong> - Microsoft Purview Data Security Posture Management (DSPM) for AI provides a unified location to monitor how AI Applications (Microsoft Copilot, AI systems created in Azure AI Foundry, AI Agents, and AI applications using 3<sup>rd</sup> party Large Language Models). This Blog Post aims to provide the reader with a holistic understanding of achieving Data Security and Governance using Purview Data Security and Governance for AI offering. Purview DSPM is not to be confused with Defender Cloud Security Posture Management (CSPM) which is covered in the <a href="https://aka.ms/spm4aiBlog">Blog Post Demystifying Cloud Security Posture Management for AI</a>.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/22/microsoft-security-success-stories-why-integrated-security-is-the-foundation-of-ai-transformation/">Microsoft Security success stories: Why integrated security is the foundation of AI transformation</a></strong> - AI is transforming how organizations operate and how they approach security. In this new era of agentic AI, every interaction, digital or human, must be built on trust. As businesses modernize, they&#8217;re not just adopting AI tools, they&#8217;re rearchitecting their digital foundations. And that means security can&#8217;t be an afterthought. It must be woven in from the beginning into every layer of the stack&#8212;ubiquitous, ambient, and autonomous&#8212;just like the AI it protects.</p><h2>Microsoft Entra Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-your-identity-landscape-reduce-risk-and-modernize-access-for-any-identi/4486059">Simplify your identity landscape, reduce risk, and modernize access for any identity</a></strong> - A new four&#8209;part webinar series that helps you turn the 2026 identity strategy into actionable steps&#8212;with demos, templates, and guidance from Microsoft Entra.</p><h2></h2><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item><item><title><![CDATA[THE PROMPT for Microsoft Security - Issue #59]]></title><description><![CDATA[Things from Me]]></description><link>https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-125</link><guid isPermaLink="false">https://rodtrent.substack.com/p/the-prompt-for-microsoft-security-125</guid><dc:creator><![CDATA[Rod Trent]]></dc:creator><pubDate>Fri, 16 Jan 2026 12:30:10 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!uyjO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!uyjO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!uyjO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 424w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 848w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 1272w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!uyjO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png" width="1344" height="976" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:976,&quot;width&quot;:1344,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1938363,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://microsoftdefender.substack.com/i/183936044?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!uyjO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 424w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 848w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 1272w, https://substackcdn.com/image/fetch/$s_!uyjO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5346375c-7242-48f0-852c-0f6a730a9dc9_1344x976.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Things from Me</h2><p>Happy Friday everyone!</p><p>Welcome to this edition of the newsletter. Here you&#8217;ll find the usual mix of updates, highlights, and stories. From what we&#8217;ve been building together, to what&#8217;s coming next, to the voices and moments that continue to shape the Microsoft security community. It&#8217;s a snapshot of progress, momentum, and collaboration, and I hope something here sparks an idea, a smile, or a useful takeaway for you.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p><p>Before diving in, I wanted to add a brief personal note.</p><p>The past few weeks have come with some unexpected and difficult moments involving both my mom and my step&#8209;mom. Nothing dramatic, but enough of a reminder that watching parents get older is&#8230; hard. It has a way of quietly rearranging your priorities and forcing you to slow down, reflect, and sit with things you may have been putting off.</p><p>It&#8217;s made me think a lot about unresolved conversations, about showing up even when life is busy, and about how intentional we have to be with the people we love. The work will always be there. The inbox will refill. But moments and memories don&#8217;t wait and they&#8217;re worth protecting.</p><p>So, as you read through this newsletter, my hope is twofold: that you stay connected to the great work happening here, and that it also serves as a gentle nudge to keep your own circle close. Take the time when you can. Build the memories. Say the things that matter.</p><p>Thanks, as always, for being part of this journey&#8212;and for the grace, kindness, and humanity that make this community what it is.</p><p>That&#8217;s it from me for this week.</p><p>Talk soon.</p><p>-<a href="https://www.linkedin.com/in/rodtrent/">Rod</a></p><h2>Things that are Related</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/13/how-microsoft-builds-privacy-and-security-to-work-hand-in-hand/">How Microsoft builds privacy and security to work hand-in-hand</a></strong> - For decades, Microsoft has consistently prioritized earning and maintaining the trust of the people and organizations that rely on its technologies. The 2025 Axios Harris Poll 100 ranked Microsoft as one of the top three most trusted brands in the United States. At Microsoft, we believe one of the best ways we can build trust is through our long-established core values of respect, accountability, and integrity. We also instill confidence in our approach to regulations by demonstrating rigorous internal compliance discipline&#8212;such as regular audits, cross-functional reviews, and executive oversight&#8212;that mirrors the reliability we extend to customers externally.</p><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/">Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations</a></strong> - Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft&#8217;s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure targets that have a higher potential for financial gain. In collaboration with law enforcement agencies worldwide, <a href="https://blogs.microsoft.com/on-the-issues/2026/01/14/microsoft-disrupts-cybercrime/">Microsoft&#8217;s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations</a>.</p><p><strong><a href="https://rodtrent.substack.com/p/introducing-the-automated-web-vulnerability">Introducing the Automated Web Vulnerability Auditor (AWVA): A Simple Tool for Basic Web Security Scanning</a> - </strong>I&#8217;m excited to talk about a little project called the <strong>Automated Web Vulnerability Auditor (AWVA)</strong>. It&#8217;s a straightforward Python-based app built with Streamlit that performs basic passive scans on websites to identify common security issues. But it doesn&#8217;t stop there&#8212;it integrates with the xAI Grok API to provide remediation steps and up-to-date threat intelligence. Think of it as a quick-and-dirty auditor for spotting potential vulnerabilities without getting too invasive.</p><p><strong><a href="https://rodtrent.substack.com/p/introducing-my-deepfake-detection">Introducing My Deepfake Detection Tool: Spotting AI-Generated Fakes with Grok Vision</a> - </strong>From viral videos of celebrities saying things they never said to manipulated images used in scams or political propaganda, the need for accessible tools to detect these fakes has never been greater. That&#8217;s why I built the <strong>Deepfake Detection Tool</strong> &#8211; a simple, powerful web app powered by Streamlit and xAI&#8217;s Grok Vision API. This tool lets anyone upload an image or video (or paste a URL) and get an AI-assisted analysis on whether it might be a deepfake.</p><p><strong><a href="https://rodtrent.substack.com/p/navigating-the-risks-of-ai-agents">Navigating the Risks of AI Agents: Best Practices for Mitigation and Safety</a> -</strong> As we step into 2026, with AI agents becoming more integrated into daily operations, it&#8217;s crucial to prioritize risk mitigation. This blog post explores the key risks associated with AI agents and outlines best practices for managing them, drawing on insights from industry experts and frameworks to help you build safer, more reliable systems.</p><p><strong>Build Your Phishing Defense Skills with This AI-Powered Simulator - </strong>This open-source Streamlit app, powered by xAI&#8217;s Grok models, simulates realistic phishing scenarios to train users in spotting malicious emails. Whether you&#8217;re an individual sharpening your skills or a team enhancing security awareness, <a href="https://github.com/rod-trent/JunkDrawer/tree/main/PhishSim">PhishSim</a> turns learning into an engaging game.</p><h2>Things to Watch/Listen To</h2><div id="youtube2-G5OPJMZB7hM" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;G5OPJMZB7hM&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/G5OPJMZB7hM?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Things to Have</h2><p><strong><a href="https://github.com/MHaggis/Security-Detections-MCP">Security Detections MCP</a> - </strong>An MCP (Model Context Protocol) server that lets LLMs query a unified database of <strong>Sigma</strong>, <strong>Splunk ESCU</strong>, <strong>Elastic</strong>, and <strong>KQL</strong> security detection rules.</p><h2>Security Copilot Things</h2><p><strong><a href="https://rodtrent.substack.com/p/build-custom-copilot-agents-in-seconds">Build Custom Copilot Agents in Seconds: Meet CreateAgentYAML.py &#8211; A Hidden Gem for Microsoft 365 Copilot Fans</a> - </strong>If you&#8217;re deep in the Microsoft 365 Copilot ecosystem (or the new &#8220;Agent&#8221; wave with Copilot Studio), you know one of the biggest pain points: creating the <strong>agent manifest YAML</strong> file by hand.</p><h2>Microsoft Sentinel Things</h2><p><strong><a href="https://www.hanley.cloud/2026-01-10-KQL-Toolbox-3-Which-Event-ID-Noises-Up-Your-Logs-(and-Who-s-Causing-It)/">Kql Toolbox #3: Which Event Id Noises Up Your Logs (and Who&#8217;s Causing It)?</a></strong> - <strong>This week, we&#8217;re building directly on that foundation&#8230;</strong> Because once you know which <strong>log sources</strong> and which <strong>Event IDs</strong> are the <em>most expensive</em>, the very next question becomes: &#8220;Okay&#8230; but which Event ID fires the most often, and which accounts are responsible for generating it?&#8221;</p><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/turn-complexity-into-clarity-introducing-the-new-ueba-behaviors-layer-in-microso/4484493">Turn Complexity into Clarity: Introducing the New UEBA Behaviors Layer in Microsoft Sentinel</a></strong> - Today, we're thrilled to announce the <strong>release of the UEBA Behaviors layer</strong> - a breakthrough AI-based UEBA capability in Microsoft Sentinel that fundamentally changes how SOC teams understand and respond to security events.</p><p><strong><a href="https://sentinel.blog/consentfix-securing-your-tenant-against-oauth-authorisation-code-theft/">ConsentFix: Securing Your Tenant Against OAuth Authorisation Code Theft</a></strong> - There's a new OAuth attack making the rounds that's caught the attention of security professionals. ConsentFix (sometimes called AuthCodeFix) exploits a design quirk in how Microsoft first-party applications handle OAuth flows, and it's very effective. There is a straightforward mitigation that takes about five minutes to implement using PowerShell.</p><p><strong><a href="https://rodtrent.substack.com/p/important-update-for-microsoft-sentinel">Important Update for Microsoft Sentinel Users: Deprecation of Alert-Triggered Playbooks in Analytics Rules</a> - </strong>If you&#8217;re managing security operations with Microsoft Sentinel, you&#8217;ve likely received a notification about an upcoming change to how playbooks are triggered by analytics rules. Microsoft has announced the deprecation of the classic method for assigning alert-triggered playbooks directly within analytics rules. This change takes effect on <strong>March 15, 2026</strong>, and it&#8217;s time to prepare your environment to avoid disruptions.</p><h2>Defender for Cloud Things</h2><p><strong><a href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#microsoft-security-private-link-preview">Microsoft Security Private Link (Preview)</a> - </strong>Microsoft Defender for Cloud is announcing Microsoft Security Private Link in Preview. Microsoft Security Private Link enables private connectivity between Defender for Cloud and your workloads. The connection is established by creating private endpoints in your virtual network, allowing Defender for Cloud traffic to remain on the Microsoft backbone network and avoid exposure to the public internet.</p><h2>Microsoft Purview Things</h2><p><strong><a href="https://www.microsoft.com/en-us/security/blog/2026/01/14/microsoft-named-a-leader-in-idc-marketscape-for-unified-ai-governance-platforms/">Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms</a></strong> - As organizations rapidly embrace generative and agentic AI, ensuring robust, unified governance has never been more critical. That&#8217;s why <strong>Microsoft is honored to be named a Leader in the <a href="https://marketingassets.microsoft.com/gdc/gdcvb3Tx9/original">2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms</a></strong> (Vendor Assessment (#US53514825, December 2025). We believe this recognition highlights our commitment to making AI innovation safe, responsible, and enterprise-ready&#8212;so you can move fast without compromising trust or compliance.</p><p><strong>Microsoft Purview Data Security Investigations (DSI) is now generally available!</strong> <a href="https://learn.microsoft.com/en-us/purview/data-security-investigations">https://learn.microsoft.com/en-us/purview/data-security-investigations</a></p><h2>Defender for Office Things</h2><p><strong><a href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/secure-collaboration-in-microsoft-teams-with-efficient-and-automated-threat-prot/4484479">Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response</a></strong> - With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender.</p><p><strong><a href="https://socautomators.substack.com/p/change-to-auto-remediation-in-defender">Change to auto-remediation in Defender for Office</a></strong> - If you&#8217;ve been following the evolution of Automated Investigation and Response (AIR), you know the feature has been steadily moving toward a world where the SOC spends less time clicking &#8220;approve&#8221; and more time hunting real threats. This latest update is another big step forward.</p><p>THE PROMPT for Microsoft Security is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p>]]></content:encoded></item></channel></rss>