Recent Blogs
Overview and Challenge
Security Operations Centers (SOCs) and InfoOps teams are constantly challenged to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Analysts often spend valu...
Sep 15, 2025
Introduction
Cybersecurity teams today face an overwhelming volume of potential threats, alerts, and hypothetical scenarios. The digital landscape is vast, dynamic, and ever-shifting, especially as...
Sep 15, 2025
We’re excited to share our latest Data Security deployment blueprint: “Lightweight guide to mitigate data leakage”—a practical resource designed to help organizations quickly enable core data securit...
Sep 15, 2025
4 MIN READ
How long have you been working with Microsoft products?
I am a Microsoft MVP in Security and a results-driven and dedicated Senior Solutions Architect with more than 14 years of professional exper...
Sep 12, 2025Recent Discussions
MDE-Onboarding issue
Hello Community, while i am trying to onboard a windows 10 machine into MDE where there is already another AV running which is Kaspersky, i am facing that issue that Microsoft AV is not able to revert its status from disabled into running state (passive mode). even if i am trying to start the service manually, it will revert itself back to the disable status. Did anyone experience that issue before between Defender AV and Kaspersky?
Ransomeware query
If any ransomware detection i need following query for advance hunting in defender Look for rapid file modification or creation or deletion 2. Rapid file encryption one 3. look for a ransom note 4. look for encryption algorithms 5. look for double extension 6. Also query for birth time of the fileRegistry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed? If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?
Single Rule for No logs receiving (Global + Per-device Thresholds)
Hi everyone, I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes). In other SIEM platforms there’s usually: A global threshold (e.g., 60 minutes) for all sources. Optional per-device/per-table thresholds that override the global value. Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency? Also, if there are other approaches you use to manage “logs not received” detection, I’d love to hear your suggestions as well. This is a sample of my current rule let threshold = 1h; AzureActivity | summarize LastHeartBeat = max(TimeGenerated) | where LastHeartBeat < ago(threshold)
Data product search is broken: no results for partial terms
Searching for data products using partial terms returns zero results, despite the existence of data products with matching names. For example, searching for 'risk' yields no results even though we have three data products that have 'riskscores' in their names. I have created a support ticket, and was told that the PG has stated this behavior was by design. I just can't wrap my head around this statement. Search is the reason why data catalog tools are popular and help democratize data, and this type of searching doesn’t really help to make the data products discoverable. A feature request was created (3135) but I was also asked to post here for visibility. Here's some proof:
Little warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.
Massive reduction in Threat Intelligence IP data since Monday 10th June
Hi, Anyone else see a massive reduction in Threat Intelligence IP data since Monday 10th June into Sentinel platforms? I operate two Sentinel environments and they both seen the same change. The screenshot below is the past 30 days. The past 48 hours still reports some IP information being sent but at a very reduced rate. What's changed with the feed?How to practice SC-200 content on an empty tenant
Hello, I am following the SC 200 course on Microsoft Learn. It is great and everything but my m365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL and microsoft provides some datasets for practice. Are there any such data I can load on my tenant for threat hunting and other SC-200 related practices or is there an isolated simulation environment I can use for learning?Safeguard data on third-party collaboration platforms
I am exploring options to safeguard sensitive data in third-party collaboration platforms like GitHub and Confluence. Does Microsoft Purview provide any native integration for these platforms? Do I need to rely on third-party connectors/integrations to extend Purview’s capabilities into these environments?
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
Security Compute Units (SCUs) are the required resource units that power Microsoft Security Copilot, ensuring dependable and consistent performance across both standalone and embedded product experie...
Online