Microsoft Sentinel data lake is now generally available
Security is being reengineered for the AI era, shifting from static controls to fast, platform-driven defense. Traditional tools, scattered data, and outdated systems struggle against modern threats. An AI-ready, data-first foundation is needed to unify telemetry, standardize agent access, and enable autonomous responses while ensuring humans are in command of strategy and high-impact investigations. Security teams already anchor their operations around SIEMs for comprehensive visibility. We're building on that foundation by evolving Microsoft Sentinel into both the SIEM and the platform for agentic defense—connecting analytics and context across ecosystems. Today, we’re introducing new platform capabilities that build on Sentinel data lake: Sentinel graph for deeper insight and context; an MCP server and tools to make data agent ready; new developer capabilities; and a Security Store for effortless discovery and deployment—so protection accelerates to machine speed while analysts do their best work. We’ve reached a major milestone in our journey to modernize security operations — Microsoft Sentinel data lake is now generally available. This fully managed, cloud-native data lake is redefining how security teams manage, analyze, and act on their data cost-effectively. Since its introduction, organizations across sectors are embracing Sentinel data lake for its transformative impact on security operations. Customers consistently highlight its ability to unify security data from diverse sources, enabling enhanced threat detection and investigation. Many cite cost efficiency as a key benefit, with tiered storage and flexible retention, helping reduce costs. With petabytes of data already ingested, users are gaining real-time and historical insights at scale. "With Microsoft Sentinel data lake integration, we now have a scalable and cost-efficient solution for retaining Microsoft Sentinel data for long-term retention. This empowers our security and compliance teams with seamless access to historical telemetry data right within the data lake explorer and Jupyter notebooks - enabling advanced threat hunting, forensic analysis, and AI-powered insights at scale" Farhan Nadeem, Senior Security Engineer Government of Nunavut Industry partners also commend its role in modernizing SOC workflows and accelerating AI-driven analytics. “Microsoft Sentinel data lake amplifies BlueVoyant’s ability to transform security operations into a mature, intelligence-driven discipline. It preserves institutional memory across years of telemetry, which empowers advanced threat hunting strategies that evolve with time. Security teams can validate which data sources yield actionable insights, uncover persistent attack patterns, and retain high-value indicators that support long-term strategic advantage.” Milan Patel, CRO BlueVoyant Microsoft Sentinel data lake use-cases There are many powerful ways customers are unlocking value with Sentinel data lake—here are just a few impactful examples.: Threat investigations over extended timelines: Security analysts query data older than 90 days to uncover slow-moving attacks—like brute-force and password spray campaigns—that span accounts and geographies. Behavioral baselining for deeper insights: SOC engineers build time-series models using months of sign-in logs to establish a standard of normal behavior and identify unusual patterns, such as credential abuse or lateral movement. Alert enrichment: SOC teams correlate alerts with Firewall and Netflow data, often stored only in the data lake, reducing false positives and increasing alert accuracy. Retrospective threat hunting with new indicators of compromise (IOCs): Threat intelligence teams react to emerging IOCs by running historical queries across the data lake, enabling rapid and informed response. ML-Powered insights: SOC engineers use Spark Notebooks to build and operationalize custom machine learning models for anomaly detection, alert enrichment, and predictive analytics. The Sentinel data lake is more than a storage solution—it’s the foundation for modern, AI-powered security operations. Whether you're scaling your SOC, building deeper analytics, or preparing for future threats, the Sentinel data lake is ready to support your journey. What’s new Regional expansion In light of strong customer demand in public preview, at GA we are expanding Sentinel data lake availability to additional regions. These new regions will roll out progressively over the coming weeks. For more information, see documentation. Flexible data ingestion and management With over 350 native connectors, SOC teams can seamlessly ingest both structured and semi-structured data at scale. Data is automatically mirrored from the analytics tier to the data lake tier, at no additional cost, ensuring a single, unified copy is available for diverse use cases across security operations. Since the public preview of Microsoft Sentinel data lake, we've launched 45 new connectors built on the scalable and performant Codeless Connector Framework (CCF), including connectors for: GCP: SQL, DNS, VPC Flow, Resource Manager, IAM, Apigee AWS: Security Hub findings, Route53 DNS Others: Alibaba Cloud, Oracle, Salesforce, Snowflake, Cisco Sentinel’s connector ecosystem is designed to help security teams seamlessly unify signals across hybrid environments, without the need for heavy engineering effort. Explore the full list of connectors in our documentation here. App Assure Microsoft Sentinel data lake promise As part of our commitment to customer success, we are expanding the App Assure Microsoft Sentinel promise to Sentinel data lake. This means customers can confidently onboard their data, knowing that App Assure stands ready to help resolve connector issues such as replacing deprecated APIs with updated ones, and accelerating new integrations. Whether you're working with existing Independent Software Vendor (ISV) solutions or building new ones, App Assure will collaborate directly with ISVs to ensure seamless data ingestion into the lake. This promise reinforces our dedication to delivering reliable, scalable, and secure security operations, backed by engineering support and a thriving partner ecosystem. Cost management and billing We are introducing new cost management features in public preview to help customers with cost predictability, billing transparency, and operational efficiency. Customers can set usage-based alerts on specific meters to monitor and control costs. For example, you can receive alerts when query or notebook usage passes set limits, helping avoid unexpected expenses and manage budgets. In-product reports provide customers with insights into usage trends over time, enabling them to identify cost drivers and optimize data retention and processing strategies. To support the ingestion and standardization of diverse data sources, we are introducing a new Data Processing feature that applies a $0.10 per GB charge for all data as it is ingested into the data lake. This feature enables a broad array of transformations like redaction, splitting, filtering and normalizing data. This feature was not billed during public preview but will be chargeable at GA starting October 1,2025. Data lake ingestion charges of $0.05 per GB will apply to Entra asset data; starting October 1, 2025. This was previously not billed during public preview. Retaining security data to perform deep analytics and investigations is crucial for defending against threats. To help enable customers to retain all their security data for extended periods cost effectively, data lake storage, including asset data storage, is now billed with a simple and uniform data compression rate of 6:1 across all data sources. Please refer to Plan costs and understand Microsoft Sentinel pricing and billing article for more information. For detailed prerequisites and instructions on configuring and managing asset connectors, refer to the official documentation: Asset data in Microsoft Sentinel data lake. KQL and Notebook enhancements We are introducing several enhancements to our data lake analytics capabilities with an upgraded KQL and notebook experience. Security teams can now run multi-workspace KQL queries for broader threat correlation and schedule KQL jobs more frequently. Frequent KQL jobs enable SOC teams to automate historical threat intelligence matching, summarize alert trends, and aggregate signals across workspaces. For example, schedule recurring jobs to scan for matches against newly ingested IOCs, helping uncover threats that were previously undetected and strengthening threat hunting and investigation workflows. The enhanced Jobs page offers operational clarity for SOC teams with a comprehensive view into job health and activity. At the top, a summary dashboard provides instant visibility into key metrics, total jobs, completions, and failures, helping teams quickly assess job health. A filterable list view displays essential details such as job names, status, frequency, and last run information, enabling quick prioritization and triage. For more detailed diagnostics, users can view individual jobs to access job runs telemetry such as job run duration, row count, and additional historical execution trends, providing additional visibility. Notebooks are receiving a significant upgrade, offering streamlined user experience for querying the data lake. Users now benefit from IntelliSense support for syntax and table names, making query authoring faster and more intuitive. They can also configure custom compute session timeouts and warning windows to better manage resources. Scheduling notebooks as jobs is now simpler, and users can leverage GitHub Copilot for intelligent assistance throughout the process. Together, these KQL and notebook improvements deliver deeper, more customizable analytics, helping customers unlock richer insights, accelerate threat response, and scale securely across diverse environments. Powering agentic defense Data centralization powers AI agents and automation to access comprehensive, historical, and real-time data for advanced analytics, anomaly detection, and autonomous threat response. Support for tools like KQL queries, Spark notebooks, and machine learning models in the data lake, allows agentic systems to continuously learn, adapt, and act on emerging threats. Integration with Security Copilot and MCP Server further enhances agentic defense, enabling smarter, faster, and context-rich security operations—all built on the foundation of Sentinel’s unified data lake. Microsoft Sentinel 50 GB commitment tier promotional pricing To make Microsoft Sentinel more accessible to small and mid-sized customers, we are introducing a new 50 GB commitment tier in public preview, with promotional pricing offered from October 1, 2025, to March 31, 2026. Customers who choose the 50 GB commitment tier during this period will maintain their promotional rate until March 31, 2027. This offer is available in all regions where Microsoft Sentinel is sold, with regional variations in promotional pricing. It is accessible through EA, CSP, and Direct channels. The new 50 GB commitment tier details will be available starting October 1, 2025, on the Microsoft Sentinel pricing page. Thank you to our customers and partners We’re incredibly grateful for the continued partnership and collaboration from our customers and partners throughout this journey. Your feedback and trust have been instrumental in shaping Microsoft Sentinel data lake into what it is today. Thank you for being a part of this critical milestone—we’re excited to keep building together. Get started today By centralizing data, optimizing costs, expanding coverage, and enabling deep analytics, Microsoft Sentinel empowers security teams to operate smarter, faster, and more effectively. Get started with Microsoft Sentinel data lake today in the Microsoft Defender experience. To learn more, see: Microsoft Sentinel—AI-Powered Cloud SIEM & Platform Pricing: Pricing page, Plan costs and understand Microsoft Sentinel pricing and billing Documentation: Connect Sentinel to Defender, Jupyter notebooks in Microsoft Sentinel data lake, KQL and the Microsoft Sentinel data lake, Permissions for Microsoft Sentinel data lake, Manage data tiers and retention in Microsoft Defender experience Blogs: Sentinel data lake FAQ blog, Empowering defenders in the era of AI, Microsoft Sentinel graph announcement, App Assure Microsoft Sentinel data lake promise
Announcing Microsoft Sentinel Model Context Protocol (MCP) server – Public Preview
Security is being reengineered for the AI era—moving beyond static, rulebound controls and after-the-fact response toward platform-led, machine-speed defense. The challenge is clear: fragmented tools, sprawling signals, and legacy architectures that can’t match the velocity and scale of modern attacks. What’s needed is an AI-ready, data-first foundation—one that turns telemetry into a security graph, standardizes access for agents, and coordinates autonomous actions while keeping humans in command of strategy and high-impact investigations. Security teams already center operations on their SIEM for end-to-end visibility, and we’re advancing that foundation by evolving Microsoft Sentinel into both the SIEM and the platform for agentic defense—connecting analytics and context across ecosystems. And now, we’re introducing new platform capabilities that build on Sentinel data lake: Sentinel graph for deeper insight and context; an MCP server and tools to make data agent ready; new developer capabilities; and Security Store for effortless discovery and deployment—so protection accelerates to machine speed while analysts do their best work. Introducing Sentinel MCP server We’re excited to announce the public preview of Microsoft Sentinel MCP (Model Context Protocol) server, a fully managed cloud service built on an open standard that lets AI agents seamlessly access the rich security context in your Sentinel data lake. Recent advances in large language models have enabled AI agents to perform reasoning—breaking down complex tasks, inferring patterns, and planning multistep actions, making them capable of autonomously performing business processes. To unlock this potential in cybersecurity, agents must operate with your organization’s real security context, not just public training data. Sentinel MCP server solves that by providing standardized, secure access to that context—across graph relationships, tabular telemetry, and vector embeddings—via reusable, natural language tools, enabling security teams to unlock the full potential of AI-driven automation and focus on what matters most. Why Model Context Protocol (MCP)? Model Context Protocol (MCP) is a rapidly growing open standard that allows AI models to securely communicate with external applications, services, and data sources through a well-structured interface. Think of MCP as a bridge that lets an AI agents understand and invoke an application’s capabilities. These capabilities are exposed as discrete “tools” with natural language inputs and outputs. The AI agent can autonomously choose the right tool (or combination of tools) for the task it needs to accomplish. In simpler terms, MCP standardizes how an AI talks to systems. Instead of developers writing custom connectors for each application, the MCP server presents a menu of available actions to the AI in a language it understands. This means an AI agent can discover what it can do (search data, run queries, trigger actions, etc.) and then execute those actions safely and intelligently. By adopting an open standard like MCP, Microsoft is ensuring that our AI integrations are interoperable and future-proof. Any AI application that speaks MCP can connect. Security Copilot offers built-in integration, while other MCP-compatible platforms can leverage your Sentinel data and services can quickly connect by simply adding a new MCP server and typing Sentinel’s MCP server URL. How to Get Started Sentinel MCP server is a fully managed service now available to all Sentinel data lake customers. If you are already onboarded to Sentinel data lake, you are ready to begin using MCP. Not using Sentinel data lake yet? Learn more here. Currently, you can connect to the Sentinel MCP server using Visual Studio Code (VS Code) with the GitHub Copilot add-on. Here’s a step-by-step guide: Open VS Code and authenticate with an account that has at least Security Reader role access (required to query the data lake via the Sentinel MCP server) Open the Command Palette in VS Code (Ctrl + Shift + P) Type or select “MCP: Add Server…” Choose “HTTP” (HTTP or Server-Sent Event) Enter the Sentinel MCP server URL: “https://sentinel.microsoft.com/mcp/data-exploration" When prompted, allow authentication with the Sentinel MCP server by clicking “Allow” Once connected, GitHub Copilot will be linked to Sentinel MCP server. Open the agent pane, set it to Agent mode (Ctrl + Shift + I), and you are ready to go. GitHub Copilot will autonomously identify and utilize Sentinel MCP tools as necessary. You can now experience how AI agents powered by the Sentinel MCP server access and utilize your security context using natural language, without knowing KQL, which tables to query and wrangle complex schemas. Try prompts like: “Find the top 3 users that are at risk and explain why they are at risk.” “Find sign-in failures in the last 24 hours and give me a brief summary of key findings.” “Identify devices that showed an outstanding amount of outgoing network connections.” To learn more about the existing capabilities of Sentinel MCP tools, refer to our documentation. Security Copilot will also feature native integration with Sentinel MCP server; this seamless connectivity will enhance autonomous security agents and the open prompting experience. Check out the Security Copilot blog for additional details. What’s coming next? The public preview of Sentinel MCP server marks the beginning of a new era in cybersecurity—one where AI agents operate with full context, precision, and autonomy. In the coming months, the MCP toolset will expand to support natural language access across tabular, graph, and embedding-based data, enabling agents to reason over both structured and unstructured signals. This evolution will dramatically boost agentic performance, allowing them to handle more complex tasks, surface deeper insights, and accelerate protection to machine speed. As we continue to build out this ecosystem, your feedback will be essential in shaping its future. Be sure to check out the Microsoft Secure for a deeper dive and live demo of Sentinel MCP server in action.Become a Microsoft Defender for Cloud Ninja
[Last update: 09/30/2025] All content has been reviewed and updated for September 2025. This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you to go from absolutely no knowledge in Microsoft Defender for Cloud, to design and implement different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender for Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we are adding new updates to this article, and you can track it by checking the red date besides the topic. If you already study all the modules and you are ready for the knowledge check, follow the procedures below: To obtain the Defender for Cloud Ninja Certificate 1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023) 1. Take this knowledge check here, where you will find only questions related to Defender for Servers. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Modules To become an Microsoft Defender for Cloud Ninja, you will need to complete each module. The content of each module will vary, refer to the legend to understand the type of content before clicking in the topic’s hyperlink. The table below summarizes the content of each module: Module Description 0 - CNAPP In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution. 1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow. 2 – Planning Microsoft Defender for Cloud In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment. From supported platforms to best practices implementation. 3 – Enhance your Cloud Security Posture In this module you will learn how to leverage Cloud Security Posture management capabilities, such as Secure Score and Attack Path to continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations. 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which includes vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks. 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and give you insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards. 6 – Cloud Workload Protection Platform Capabilities in Azure Defender In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which includes JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts. 7 – Streaming Alerts and Recommendations to a SIEM Solution In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk. 8 – Integrations and APIs In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud. 9 - DevOps Security In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product. 10 - Defender for APIs In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability. 11 - AI Posture Management and Workload Protection In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps. Module 0 - Cloud Native Application Protection Platform (CNAPP) Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach Microsoft CNAPP Solution Planning and Operationalizing Microsoft CNAPP Understanding Cloud Native Application Protection Platforms (CNAPP) Cloud Native Applications Protection Platform (CNAPP) Microsoft CNAPP eBook Understanding CNAPP Why Microsoft Leads the IDC CNAPP MarketScape: Key Insights for Security Decision-Makers Module 1 - Introducing Microsoft Defender for Cloud What is Microsoft Defender for Cloud? A New Approach to Get Your Cloud Risks Under Control Getting Started with Microsoft Defender for Cloud Implementing a CNAPP Strategy to Embed Security From Code to Cloud Boost multicloud security with a comprehensive code to cloud strategy A new name for multi-cloud security: Microsoft Defender for Cloud Common questions about Defender for Cloud MDC Cost Calculator Microsoft Defender for Cloud expands U.S. Gov Cloud support for CSPM and server security Module 2 – Planning Microsoft Defender for Cloud Features for IaaS workloads Features for PaaS workloads Built-in RBAC Roles in Microsoft Defender for Cloud Enterprise Onboarding Guide Design Considerations for Log Analytics Workspace Onboarding on-premises machines using Windows Admin Center Understanding Security Policies in Microsoft Defender for Cloud Creating Custom Policies Centralized Policy Management in Microsoft Defender for Cloud using Management Groups Planning Data Collection for IaaS VMs Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage How to Effectively Perform an Microsoft Defender for Cloud PoC Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service Considerations for Multi-Tenant Scenario Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series Grant tenant-wide permissions to yourself Simplifying Onboarding to Microsoft Defender for Cloud with Terraform Module 3 – Enhance your Cloud Security Posture How Secure Score affects your governance Enhance your Secure Score in Microsoft Defender for Cloud Security recommendations Active User (Public Preview) Resource exemption Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud Deliver a Security Score weekly briefing Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders Secure Score Reduction Alert Average Time taken to remediate resources Improved experience for managing the default Azure security policies Security Policy Enhancements in Defender for Cloud Create custom recommendations and security standards Secure Score Overtime Workbook Automation Artifacts for Secure Score Recommendations Connecting Defender for Cloud with Jira Remediation Scripts Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud CSPM in Defender for Cloud Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications Predict future security incidents! Cloud Security Posture Management with Microsoft Defender Software inventory filters added to asset inventory Drive your organization to security actions using Governance experience Managing Asset Inventory in Microsoft Defender for Cloud Vulnerability Assessment Workbook Template Vulnerability Assessment for Containers Implementing Workflow Automation Workflow Automation Artifacts Creating Custom Dashboard for Microsoft Defender for Cloud Using Microsoft Defender for Cloud API for Workflow Automation What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud Connect AWS Account with Microsoft Defender for Cloud Video Demo - Connecting AWS accounts Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform How to better manage cost of API calls that Defender for Cloud makes to AWS Connect GCP Account with Microsoft Defender for Cloud Protecting Containers in GCP with Defender for Containers Video Demo - Connecting GCP Accounts Microsoft Defender for Cloud PoC Series - Multicloud with GCP All You Need to Know About Microsoft Defender for Cloud Multicloud Protection Custom recommendations for AWS and GCP 31 new and enhanced multicloud regulatory standards coverage Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided How to Generate a Microsoft Defender for Cloud exemption and disable policy report Cloud security posture and contextualization across cloud boundaries from a single dashboard Best Practices to Manage and Mitigate Security Recommendations Defender CSPM Defender CSPM Plan Options Go Beyond Checkboxes: Proactive Cloud Security with Microsoft Defender CSPM Cloud Security Explorer Identify and remediate attack paths Agentless scanning for machines Cloud security explorer and Attack path analysis Governance Rules at Scale Governance Improvements Data Security Aware Posture Management Unlocking API visibility: Defender for Cloud Expands API security to Function Apps and Logic Apps A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis Understanding data aware security posture capability Agentless Container Posture Agentless Container Posture Management Refining Attack Paths: Prioritizing Real-World, Exploitable Threats (09/30/2025) Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud Demystifying Defender CSPM Discover and Protect Sensitive Data with Defender for Cloud Defender for cloud's Agentless secret scanning for virtual machines is now generally available! Defender CSPM Support for GCP Data Security Dashboard Agentless Container Posture Management in Multicloud Agentless malware scanning for servers Recommendation Prioritization Unified insights from Microsoft Entra Permissions Management Defender CSPM Internet Exposure Analysis Future-Proofing Cloud Security with Defender CSPM ServiceNow's integration now includes Configuration Compliance module Agentless code scanning for GitHub and Azure DevOps (preview) 🚀 Suggested Labs: Improving your Secure Posture Connecting a GCP project Connecting an AWS project Defender CSPM Agentless container posture through Defender CSPM Contextual Security capabilities for AWS using Defender CSPM Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud Adding new regulatory compliance standards Regulatory Compliance workbook Regulatory compliance dashboard now includes Azure Audit reports Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS! Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure Microsoft Defender for Cloud Adds Four New Regulatory Frameworks | Microsoft Community Hub 🚀 Suggested Lab: Regulatory Compliance Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Clouds Understanding Just-in-Time VM Access Implementing JIT VM Access File Integrity Monitoring in Microsoft Defender Understanding Threat Protection in Microsoft Defender Performing Advanced Risk Hunting in Defender for Cloud Microsoft Defender for Servers Demystifying Defender for Servers Onboarding directly (without Azure Arc) to Defender for Servers Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM Vulnerability Management in Defender for Cloud File Integrity Monitoring using Microsoft Defender for Endpoint Microsoft Defender for Containers Basics of Defender for Containers Secure your Containers from Build to Runtime AWS ECR Coverage in Defender for Containers Upgrade to Microsoft Defender Vulnerability Management End to end container security with unified SOC experience Binary drift detection episode Binary drift detection Cloud Detection Response experience Exploring the Latest Container Security Updates from Microsoft Ignite 2024 Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Onboarding Docker Hub and JFrog Artifactory Improvements in Container’s Posture Management New AKS Security Dashboard in Defender for Cloud The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster Your cluster, your rules: Helm support for container security with Microsoft Defender for Cloud Microsoft Defender for Storage Protect your storage resources against blob-hunting Malware Scanning in Defender for Storage What's New in Defender for Storage Automated Remediation for Malware Detection - Defender for Storage (09/30/2025) Defender for Storage: Malware Automated Remediation - From Security to Protection (09/30/2025) 🎉Malware scanning add-on is now generally available in Azure Gov Secret and Top-Secret clouds Defender for Storage: Malware Scan Error Message Update Protecting Cloud Storage in the Age of AI Microsoft Defender for SQL New Defender for SQL VA Defender for SQL on Machines Enhanced Agent Update Microsoft Defender for SQL Anywhere New autoprovisioning process for SQL Server on machines plan Enhancements for protecting hosted SQL servers across clouds and hybrid environments Defender for Open-Source Relational Databases Multicloud Microsoft Defender for KeyVault Microsoft Defender for AppService Microsoft Defender for Resource Manager Understanding Security Incident Security Alert Correlation Alert Reference Guide 'Copy alert JSON' button added to security alert details pane Alert Suppression Simulating Alerts in Microsoft Defender for Cloud Alert validation Simulating alerts for Windows Simulating alerts for Linux Simulating alerts for Containers Simulating alerts for Storage Simulating alerts for Microsoft Key Vault Simulating alerts for Microsoft Defender for Resource Manager Integration with Microsoft Defender for Endpoint Auto-provisioning of Microsoft Defender for Endpoint unified solution Resolve security threats with Microsoft Defender for Cloud Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud Filter security alerts by IP address Alerts by resource group Defender for Servers Security Alerts Improvements From visibility to action: The power of cloud detection and response 🚀 Suggested Labs: Workload Protections Agentless container vulnerability assessment scanning Microsoft Defender for Cloud database protection Protecting On-Prem Servers in Defender for Cloud Defender for Storage Module 7 – Streaming Alerts and Recommendations to a SIEM Solution Continuous Export capability in Microsoft Defender for Cloud Deploying Continuous Export using Azure Policy Connecting Microsoft Sentinel with Microsoft Defender for Cloud Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud Microsoft Sentinel bi-directional alert synchronization 🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM Module 8 – Integrations and APIs Integration with Tenable Integrate security solutions in Microsoft Defender for Cloud Defender for Cloud integration with Defender EASM Defender for Cloud integration with Defender TI REST APIs for Microsoft Defender for Cloud Obtaining Secure Score via REST API Using Graph Security API to Query Alerts in Microsoft Defender for Cloud Automate(d) Security with Microsoft Defender for Cloud and Logic Apps Automating Cloud Security Posture and Cloud Workload Protection Responses Module 9 – DevOps Security Overview of Microsoft Defender for Cloud DevOps Security DevOps Security Interactive Guide Configure the Microsoft Security DevOps Azure DevOps extension Configure the Microsoft Security DevOps GitHub action Automate SecOps to Developer Communication with Defender for DevOps Compliance for Exposed Secrets Discovered by DevOps Security Automate DevOps Security Recommendation Remediation DevOps Security Workbook Remediating Security Issues in Code with Pull Request Annotations Code to Cloud Security using Microsoft Defender for DevOps GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud Securing your GitLab Environment with Microsoft Defender for Cloud Bridging the Gap Between Code and Cloud with Defender for Cloud Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis 🚀 Suggested Labs: Onboarding Azure DevOps to Defender for Cloud Onboarding GitHub to Defender for Cloud Module 10 – Defender for APIs What is Microsoft Defender for APIs? Onboard Defender for APIs Validating Microsoft Defender for APIs Alerts API Security with Defender for APIs Microsoft Defender for API Security Dashboard Exempt functionality now available for Defender for APIs recommendations Create sample alerts for Defender for APIs detections Defender for APIs reach GA Increasing API Security Testing Visibility Boost Security with API Security Posture Management 🚀 Suggested Lab: Defender for APIs Module 11 – AI Posture Management and Workload Protection Secure your AI applications from code to runtime with Microsoft Defender for Cloud AI security posture management AI threat protection Secure your AI applications from code to runtime Data and AI security dashboard Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud Plug, Play, and Prey: The security risks of the Model Context Protocol Secure AI by Design Series: Embedding Security and Governance Across the AI Lifecycle (09/30/2025) Exposing hidden threats across the AI development lifecycle in the cloud Learn Live: Enable advanced threat protection for AI workloads with Microsoft Defender for Cloud Microsoft AI Security Story: Protection Across the Platform 🚀 Suggested Lab: Security for AI workloads Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Other Resources Microsoft Defender for Cloud Labs Become an Microsoft Sentinel Ninja Become an MDE Ninja Cross-product lab (Defend the Flag) Release notes (updated every month) Important upcoming changes Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!! Reviewer: Tom Janetscheck, Senior PM
Defender for Storage: Malware Automated Remediation - From Security to Protection
In our previous Defender for Cloud Storage Security blog, we likened cloud storage to a high-tech museum - housing your organization’s most valuable artifacts, from sensitive data to AI training sets. That metaphor resonated with many readers, highlighting the need for strong defenses and constant vigilance. But as every museum curator knows, security is never static. New threats emerge, and the tools we use to protect our treasures must evolve. Today, we are excited to share the next chapter in our journey: the introduction of malware automated remediation as part of our Defender for Cloud Storage Security solution (Microsoft Defender for Storage). This feature marks a pivotal shift - from simply detecting threats to actively preventing their spread, ensuring your “museum” remains not just secure, but truly protected. The Shift: From Storage Security to Storage Protection Cloud storage has become the engine room of digital transformation. It powers collaboration, fuels AI innovation, and stores the lifeblood of modern business. But with this centrality comes risk: attackers are increasingly targeting storage accounts, often using file uploads as their entry point. Historically, our storage security strategy focused on detection - surfacing risks and alerting security teams to suspicious activity. This was like installing state-of-the-art cameras and alarms in our museum, but still relying on human guards to respond to every incident. With the launch of malware automated remediation, we’re taking the next step: empowering Defender for Storage to act instantly, blocking malicious files before they can move through your environment. We are elevating our storage security solution from detection-only to a detection and response solution, which includes both malware detection and distribution prevention. Why Automated Remediation Matters Detection alone is no longer enough. Security teams are overwhelmed by alerts, and manual/custom developed response pipelines are slow and error-prone. In today’s threat landscape, speed is everything - a single malicious file can propagate rapidly, causing widespread damage before anyone has a chance to react. Automated remediation bridges this gap. When a file is uploaded to your storage account, or if on-demand scanning is initiated, Defender for Storage now not only detects malicious files and alerts security teams, but it can automatically (soft) delete the file (allowing file recovery) or trigger automated workflows for further investigation. This built-in automation closes the gap between detection and mitigation, reducing manual effort and helping organizations meet compliance and hygiene requirements. How It Works: From Detection to Protection The new automated remediation feature is designed for simplicity and effectiveness: Enablement: Customers can enable automated remediation at the storage account or subscription level, either through the Azure Portal or via API. Soft Delete: When a malicious blob is detected, Defender for Storage checks if the soft delete property is enabled. If not, it enables it with a default retention of 7 days (adjustable between 1 and 365 days). Action: The malicious file is soft-deleted, and a security alert is generated. If deletion fails (e.g., due to permissions or configuration), the alert specifies the reason, so you can quickly remediate. Restoration: If a file was deleted in error, it can be restored from soft delete The feature is opt-in, giving you control over your remediation strategy. And because it’s built into Defender for Storage, there’s no need for complex custom pipelines or third-party integrations. For added flexibility, soft delete works seamlessly with your existing retention policies, ensuring compliance with your organization’s data governance requirements. Additionally, all malware remediation alerts are fully integrated into the Defender XDR portal, so your security teams can investigate and respond using the same unified experience as the rest of your Microsoft security stack. Use Case: Preventing Malware from Spreading Through File Uploads Let’s revisit a scenario that’s become all too common: a customer-facing portal allows users to upload files and documents. Without robust protection, a single weaponized file can enter your environment and propagate - moving from storage to backend services, and potentially across your network. With Defender for Storage’s malware automated remediation: Malware is detected at the point of upload - before it can be accessed or processed Soft delete remediation action is triggered instantly, stopping the threat from spreading Security teams are notified and can review or restore files as needed This not only simplifies and protects your data pipeline but also strengthens compliance and trust. In industries like healthcare, finance, and customer service - where file uploads are common and data hygiene is critical - this feature is a game changer. Customer Impact and Feedback Early adopters have praised the simplicity and effectiveness of automated remediation. One customer shared that the feature “really simplified their future pipelines,” eliminating the need for custom quarantine workflows and reducing operational overhead. By moving from detection to protection, Defender for Storage helps organizations: Reduce the risk of malware spread and lateral movement Increase trust with customers and stakeholders Simplify solution management and improve user experience Meet compliance and data hygiene requirements with less manual effort Looking Ahead: The Future of Storage Protection Malware automated remediation is just the beginning. As we continue to evolve our storage security solution, our goal is to deliver holistic, built-in protection that keeps pace with the changing threat landscape. Whether you’re storing business-critical data or fueling innovation with AI, you can trust Defender for Cloud to help you start secure, stay secure, and keep your cloud storage truly safe. Ready to move from security to protection? Enable automated remediation in Defender for Storage today and experience the next generation of cloud storage defense. Learn more about Defender for Cloud storage security: Microsoft Defender for Cloud | Microsoft Security Start a free Azure trial. Read more about Microsoft Defender for Cloud Storage Security here.Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers
In November 2023, Microsoft announced our strategy to unify security operations by bringing the best of XDR and SIEM together. Our first step was bringing Microsoft Sentinel into the Microsoft Defender portal, giving teams a single, comprehensive view of incidents, reducing queue management, enriching threat intel, streamlining response and enabling SOC teams to take advantage of Gen AI in their day-to-day workflow. Since then, considerable progress has been made with thousands of customers using this new unified experience; to enhance the value customers gain when using Sentinel in the Defender portal, multi-tenancy and multi-workspace support was added to help customers with more sophisticated deployments. Our mission is to unify security operations by bringing all your data, workflows, and people together to unlock new capabilities and drive better security outcomes. As a strong example of this, last year we added extended posture management, delivering powerful posture insights to the SOC team. This integration helps build a closed-loop feedback system between your pre- and post-breach efforts. Exposure Management is just one example. By bringing everything together, we can take full advantage of AI and automation to shift from a reactive to predictive SOC that anticipates threats and proactively takes action to defend against them. Beyond Exposure Management, Microsoft has been constantly innovating in the Defender experience, adding not just SIEM but also Security Copilot. The Sentinel experience within the Defender portal is the focus of our innovation energy and where we will continue to add advanced Sentinel capabilities going forward. Onboarding to the new unified experience is easy and doesn’t require a typical migration. Just a few clicks and permissions. Customers can continue to use Sentinel in the Azure portal while it is available even after choosing to transition. Today, we’re announcing that we are moving to the next phase of the transition with a target to retire the Azure portal for Microsoft Sentinel by July 1, 2026. Customers not yet using the Defender portal should plan their transition accordingly. “Really amazing to see that coming, because cross querying with tables in one UI is really cool! Amazing, big step forward to the unified [Defender] portal.” Glueckkanja AG “The biggest benefit of a unified security operations solution (Microsoft Sentinel + Microsoft Defender XDR) has been the ability to combine data in Defender XDR with logs from third party security tools. Another advantage developed has been to eliminate the need to switch between Defender XDR and Microsoft Sentinel portals, now having a single pane of glass, which the team has been wanting for some years.” Robel Kidane, Group Information Security Manager, Renishaw PLC Delivering the SOC of the future Unifying threat protection, exposure management and security analytics capabilities in one pane of glass not only streamlines the user experience, but also enables Sentinel customers to realize security outcomes more efficiently: Analyst efficiency: A single portal reduces context switching, simplifies workflows, reduces training overhead, and improves team agility. Integrated insights: SOC-focused case management, threat intelligence, incident correlation, advanced hunting, exposure management, and a prioritized incident queue enriched with business and sensitivity context—enabling faster, more informed detection and response across all products. SOC optimization: Security controls that can be adjusted as threats and business priorities change to control costs and provide better coverage and utilization of data, thus maximizing ROI from the SIEM. Accelerated response: AI-driven detection and response which reduces mean time to respond (MTTR) by 30%, increases security response efficiency by 60%, and enables embedded Gen AI and agentic workflows. What’s next: Preparing for the retirement of the Sentinel Experience in the Azure Portal Microsoft is committed to supporting every single customer in making that transition over the next 12 months. Beginning July 1, 2026, Sentinel users will be automatically redirected to the Defender portal. After helping thousands of customers smoothly make the transition, we recommend that security teams begin planning their migration and change management now to ensure continuity and avoid disruption. While the technical process is very straightforward, we have found that early preparation allows time for workflow validation, training, and process alignment to take full advantage of the new capabilities and experience. Tips for a Successful Migration to Microsoft Defender 1. Leverage Microsoft’s help: Leverage Microsoft documentation, instructional videos, guidance, and in-product support to help you be successful. A good starting point is the documentation on Microsoft Learn. 2. Plan early: Engage stakeholders early including SOC and IT Security leads, MSSPs, and compliance teams to align on timing, training and organizational needs. Make sure you have an actionable timeline and agreement in the organization around when you can prioritize this transition to ensure access to the full potential of the new experience. 3. Prepare your environment: Plan and design your environment thoroughly. This includes understanding the prerequisites for onboarding Microsoft Sentinel workspaces, reviewing and deciding on access controls, and planning the architecture of your tenant and workspace. Proper planning will ensure a smooth transition and help avoid any disruptions to your security operations. 4. Leverage Advanced Threat Detection: The Defender portal offers enhanced threat detection capabilities with advanced AI and machine learning for Microsoft Sentinel. Make sure to leverage these features for faster and more accurate threat detection and response. This will help you identify and address critical threats promptly, improving your overall security posture. 5. Utilize Unified Hunting and Incident Management: Take advantage of the enhanced hunting, incident, and investigation capabilities in Microsoft Defender. This provides a comprehensive view for more efficient threat detection and response. By consolidating all security incidents, alerts, and investigations into a single unified interface, you can streamline your operations and improve efficiency. 6. Optimize Cost and Data Management The Defender portal offers cost and data optimization features, such as SOC Optimization and Summary Rules. Make sure to utilize these features to optimize your data management, reduce costs, and increase coverage and SIEM ROI. This will help you manage your security operations more effectively and efficiently. Unleash the full potential of your Security team The unified SecOps experience available in the Defender portal is designed to support the evolving needs of modern SOCs. The Defender portal is not just a new home for Microsoft Sentinel - it’s a foundation for integrated, AI-driven security operations. We’re committed to helping you make this transition smoothly and confidently. If you haven’t already joined the thousands of security organizations that have done so, now is the time to begin. Resources AI-Powered Security Operations Platform | Microsoft Security Microsoft Sentinel in the Microsoft Defender portal | Microsoft Learn Shifting your Microsoft Sentinel Environment to the Defender Portal | Microsoft Learn Microsoft Sentinel is now in Defender | YouTube
Introducing the new File Integrity Monitoring with Defender for Endpoint integration
As the final and most complex piece of this puzzle is the release of File Integrity Monitoring (FIM) powered by Defender for Endpoint, marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution based on Defender for Endpoint offers real-time monitoring on critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.Microsoft Sentinel’s New Data Lake: Cut Costs & Boost Threat Detection
Microsoft Sentinel is leveling up! Already a trusted cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution, it empowers security teams to detect, investigate, and respond to threats with speed and precision. Now, with the introduction of its new Data Lake architecture, Sentinel is transforming how security data is stored, accessed, and analyzed, bringing unmatched flexibility and scale to threat investigation. Unlike Microsoft Fabric OneLake, which supports analytics across the organization, Sentinel’s Data Lake is purpose-built for security. It centralizes raw structured, semi-structured, and unstructured data in its original format, enabling advanced analytics without rigid schemas. This article is written by someone who’s spent years helping security teams navigate Microsoft’s evolving ecosystem, translating complex capabilities into practical strategies. What follows is a hands-on look at the key features, benefits, and challenges of Sentinel’s Data Lake, designed to help you make the most of this powerful new architecture. Current Sentinel Features To tackle the challenges security teams, face today—like explosive data growth, integration of varied sources, and tight compliance requirements—organizations need scalable, efficient architectures. Legacy SIEMs often become costly and slow when analyzing multi-year data or correlating diverse events. Security data lakes address these issues by enabling seamless ingestion of logs from any source, schema-on-read flexibility, and parallelized queries over massive datasets. This schema-on-read allows SOC analysts to define how data is interpreted at the time of analysis, rather than when it is stored. This means analysts can flexibly adapt queries and threat detection logic to evolving threats, without reformatting historical data making investigations more agile and responsive to change. This empowers security operations to conduct deep historical analysis, automate enrichment, and apply advanced analytics, such as machine learning, while retaining strict control over data access and residency. Ultimately, decoupling storage and compute allows teams to boost detection and response speed, maintain compliance, and adapt their Security Operation Center (SOC) to future security demands. As organizations manage increasing data and limited budgets, many are moving from legacy SIEMs to advanced cloud-native options. Microsoft Sentinel’s Data Lake separates storage from computing, offering scalable and cost-effective analytics and compliance. For instance, storing 500 TB of logs in Sentinel Data Lake can cut costs by 60–80% compared to Log Analytics, due to lower storage costs and flexible retention. Integration with modern tools and open formats enables efficient threat response and regulatory compliance. Microsoft Sentinel data lake pricing (preview) Sentinel Data Lake Use Cases Log Retention: Long-term retention of security logs for compliance and forensic investigations Hunting: Advanced threat hunting using historical data Interoperability: Integration with Microsoft Fabric and other analytics platforms Cost: Efficient storage prices for high-volume data sources How Microsoft Sentinel Data Lake Helps Microsoft Sentinel’s Data Lake introduces a powerful paradigm shift for security operations by architecting the separation of storage and compute, enabling organizations to achieve petabyte-scale data retention without the traditional overhead and cost penalties of legacy SIEM solutions. Built atop highly scalable, cloud-native infrastructure, Sentinel Data Lake empowers SOCs to ingest telemetry from virtually unlimited sources ranging from on-premises firewalls, proxies, and endpoint logs to SaaS, IaaS, and PaaS environments—while leveraging schema-on-read, a method that allows analysts to define how data is interpreted at query time rather than when it is stored, offering greater flexibility in analytics. For example, a security analyst can adapt to the way historical data is examined as new threats emerge, without needing to reformat or restructure the data stored in the Data Lake. From Microsoft Learn – Retention and data tiering Storing raw security logs in open formats like Parquet (this is a columnar storage file format optimized for efficient data compression and retrieval, commonly used in big data processing frameworks like Apache Spark and Hadoop) enables easy integration with analytics tools and Microsoft Fabric, letting analysts efficiently query historical data using KQL, SQL, or Spark. This approach eliminates the need for complex ETL and archived data rehydration, making incident response faster; for instance, a SOC analyst can quickly search for years of firewall logs for threat detection. From Microsoft Learn – Flexible querying with Kusto Query Language Granular data governance and access controls allow organizations to manage sensitive information and meet legal requirements. Storing raw security logs in open formats enables fast investigations of long-term data incidents, while automated lifecycle management reduces costs and ensures compliance. Data Lakes integrate with Microsoft platforms and other tools for unified analytics and security. Machine learning helps detect unusual login activity across years, overcoming previous storage issues. From Microsoft Learn – Powerful analytics using Jupyter notebooks Pros and Cons The following table highlights the advantages and potential opportunities that Microsoft Sentinel Data Lake offers. This follows the same Pay-As-You-Go pricing model as currently available with Sentinel. Pros Cons License Needed Scalable, cost-effective long-term retention of security data Requires adaptation to new architecture Pay-As-You-Go model Seamless integration with Microsoft Fabric and open data formats Initial setup and integration may involve a learning curve Pay-As-You-Go model Efficient processing of petabyte-scale datasets Transitioning existing workflows may require planning Pay-As-You-Go model Advanced analytics, threat hunting, and AI/ML across historical data Some features may depend on integration with other services Pay-As-You-Go model Supports compliance use cases with robust data governance and audit trails Complexity in new data governance features Pay-As-You-Go model Microsoft Sentinel Data Lake solution advances cloud-native security by overcoming traditional SIEM limitations, allowing organizations to better retain, analyze, and respond to security data. As cyber threats grow, Sentinel Data Lake offers flexible, cost-efficient storage for long-term retention, supporting detection, compliance, and audits without significant expense or complexity. Quick Guide: Deploy Microsoft Sentinel Data Lake Assess Needs: Identify your security data volume, retention, and compliance requirements - Sentinel Data Lake Overview. Prepare Environment: Ensure Azure permissions and workspace readiness - Onboarding Guide. Enable Data Lake: Use Azure CLI or Defender portal to activate - Setup Instructions. Ingest & Import Data: Connect sources and migrate historical logs - Microsoft Sentinel Data Connectors. Integrate Analytics: Use KQL, notebooks, and Microsoft Fabric for scalable analysis - Fabric Overview Train & Optimize: Educate your team and monitor performance - Best Practices. About the Author: Hi! Jacques “Jack” here, I’m a Microsoft Technical Trainer at Microsoft. I wanted to share this as it’s something I often asked during my Security Trainings. This improves the already impressive Microsoft Sentinel feature stack helping the Defender Community to secure their environment in this ever-growing hacked world. I’ve been working with Microsoft Sentinel since September 2019, and I have been teaching learners about this SIEM since March 2020. I have experience using Security Copilot and Security AI Agents, which have been effective in improving my incident response and compromise recovery times.Hacking Made Easy, Patching Made Optional: A Modern Cyber Tragedy
In today’s cyber threat landscape, the tools and techniques required to compromise enterprise environments are no longer confined to highly skilled adversaries or state-sponsored actors. While artificial intelligence is increasingly being used to enhance the sophistication of attacks, the majority of breaches still rely on simple, publicly accessible tools and well-established social engineering tactics. Another major issue is the persistent failure of enterprises to patch common vulnerabilities in a timely manner—despite the availability of fixes and public warnings. This negligence continues to be a key enabler of large-scale breaches, as demonstrated in several recent incidents. The Rise of AI-Enhanced Attacks Attackers are now leveraging AI to increase the credibility and effectiveness of their campaigns. One notable example is the use of deepfake technology—synthetic media generated using AI—to impersonate individuals in video or voice calls. North Korean threat actors, for instance, have been observed using deepfake videos and AI-generated personas to conduct fraudulent job interviews with HR departments at Western technology companies. These scams are designed to gain insider access to corporate systems or to exfiltrate sensitive intellectual property under the guise of legitimate employment. Social Engineering: Still the Most Effective Entry Point And yet, many recent breaches have begun with classic social engineering techniques. In the cases of Coinbase and Marks & Spencer, attackers impersonated employees through phishing or fraudulent communications. Once they had gathered sufficient personal information, they contacted support desks or mobile carriers, convincingly posing as the victims to request password resets or SIM swaps. This impersonation enabled attackers to bypass authentication controls and gain initial access to sensitive systems, which they then leveraged to escalate privileges and move laterally within the network. Threat groups such as Scattered Spider have demonstrated mastery of these techniques, often combining phishing with SIM swap attacks and MFA bypass to infiltrate telecom and cloud infrastructure. Similarly, Solt Thypoon (formerly DEV-0343), linked to North Korean operations, has used AI-generated personas and deepfake content to conduct fraudulent job interviews—gaining insider access under the guise of legitimate employment. These examples underscore the evolving sophistication of social engineering and the need for robust identity verification protocols. Built for Defense, Used for Breach Despite the emergence of AI-driven threats, many of the most successful attacks continue to rely on simple, freely available tools that require minimal technical expertise. These tools are widely used by security professionals for legitimate purposes such as penetration testing, red teaming, and vulnerability assessments. However, they are also routinely abused by attackers to compromise systems Case studies for tools like Nmap, Metasploit, Mimikatz, BloodHound, Cobalt Strike, etc. The dual-use nature of these tools underscores the importance of not only detecting their presence but also understanding the context in which they are being used. From CVE to Compromise While social engineering remains a common entry point, many breaches are ultimately enabled by known vulnerabilities that remain unpatched for extended periods. For example, the MOVEit Transfer vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group to compromise hundreds of organizations, despite a patch being available. Similarly, the OpenMetadata vulnerability (CVE-2024-28255, CVE-2024-28847) allowed attackers to gain access to Kubernetes workloads and leverage them for cryptomining activity days after a fix had been issued. Advanced persistent threat groups such as APT29 (also known as Cozy Bear) have historically exploited unpatched systems to maintain long-term access and conduct stealthy operations. Their use of credential harvesting tools like Mimikatz and lateral movement frameworks such as Cobalt Strike highlights the critical importance of timely patch management—not just for ransomware defense, but also for countering nation-state actors. Recommendations To reduce the risk of enterprise breaches stemming from tool misuse, social engineering, and unpatched vulnerabilities, organizations should adopt the following practices: 1. Patch Promptly and Systematically Ensure that software updates and security patches are applied in a timely and consistent manner. This involves automating patch management processes to reduce human error and delay, while prioritizing vulnerabilities based on their exploitability and exposure. Microsoft Intune can be used to enforce update policies across devices, while Windows Autopatch simplifies the deployment of updates for Windows and Microsoft 365 applications. To identify and rank vulnerabilities, Microsoft Defender Vulnerability Management offers risk-based insights that help focus remediation efforts where they matter most. 2. Implement Multi-Factor Authentication (MFA) To mitigate credential-based attacks, MFA should be enforced across all user accounts. Conditional access policies should be configured to adapt authentication requirements based on contextual risk factors such as user behavior, device health, and location. Microsoft Entra Conditional Access allows for dynamic policy enforcement, while Microsoft Entra ID Protection identifies and responds to risky sign-ins. Organizations should also adopt phishing-resistant MFA methods, including FIDO2 security keys and certificate-based authentication, to further reduce exposure. 3. Identity Protection Access Reviews and Least Privilege Enforcement Conducting regular access reviews ensures that users retain only the permissions necessary for their roles. Applying least privilege principles and adopting Microsoft Zero Trust Architecture limits the potential for lateral movement in the event of a compromise. Microsoft Entra Access Reviews automates these processes, while Privileged Identity Management (PIM) provides just-in-time access and approval workflows for elevated roles. Just-in-Time Access and Risk-Based Controls Standing privileges should be minimized to reduce the attack surface. Risk-based conditional access policies can block high-risk sign-ins and enforce additional verification steps. Microsoft Entra ID Protection identifies risky behaviors and applies automated controls, while Conditional Access ensures access decisions are based on real-time risk assessments to block or challenge high-risk authentication attempts. Password Hygiene and Secure Authentication Promoting strong password practices and transitioning to passwordless authentication enhances security and user experience. Microsoft Authenticator supports multi-factor and passwordless sign-ins, while Windows Hello for Business enables biometric authentication using secure hardware-backed credentials. 4. Deploy SIEM and XDR for Detection and Response A robust detection and response capability is vital for identifying and mitigating threats across endpoints, identities, and cloud environments. Microsoft Sentinel serves as a cloud-native SIEM that aggregates and analyses security data, while Microsoft Defender XDR integrates signals from multiple sources to provide a unified view of threats and automate response actions. 5. Map and Harden Attack Paths Organizations should regularly assess their environments for attack paths such as privilege escalation and lateral movement. Tools like Microsoft Defender for Identity help uncover Lateral Movement Paths, while Microsoft Identity Threat Detection and Response (ITDR) integrates identity signals with threat intelligence to automate response. These capabilities are accessible via the Microsoft Defender portal, which includes an attack path analysis feature for prioritizing multicloud risks. 6. Stay Current with Threat Actor TTPs Monitor the evolving tactics, techniques, and procedures (TTPs) employed by sophisticated threat actors. Understanding these behaviours enables organizations to anticipate attacks and strengthen defenses proactively. Microsoft Defender Threat Intelligence provides detailed profiles of threat actors and maps their activities to the MITRE ATT&CK framework. Complementing this, Microsoft Sentinel allows security teams to hunt for these TTPs across enterprise telemetry and correlate signals to detect emerging threats. 7. Build Organizational Awareness Organizations should train staff to identify phishing, impersonation, and deepfake threats. Simulated attacks help improve response readiness and reduce human error. Use Attack Simulation Training, in Microsoft Defender for Office 365 to run realistic phishing scenarios and assess user vulnerability. Additionally, educate users about consent phishing, where attackers trick individuals into granting access to malicious apps. Conclusion The democratization of offensive security tooling, combined with the persistent failure to patch known vulnerabilities, has significantly lowered the barrier to entry for cyber attackers. Organizations must recognize that the tools used against them are often the same ones available to their own security teams. The key to resilience lies not in avoiding these tools, but in mastering them—using them to simulate attacks, identify weaknesses, and build a proactive defense. Cybersecurity is no longer a matter of if, but when. The question is: will you detect the attacker before they achieve their objective? Will you be able to stop them before reaching your most sensitive data? Additional read: Gartner Predicts 30% of Enterprises Will Consider Identity Verification and Authentication Solutions Unreliable in Isolation Due to AI-Generated Deepfakes by 2026 Cyber security breaches survey 2025 - GOV.UK Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | Microsoft Security Blog MOVEit Transfer vulnerability Solt Thypoon Scattered Spider SIM swaps Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters | Microsoft Security Blog Microsoft Defender Vulnerability Management - Microsoft Defender Vulnerability Management | Microsoft Learn Zero Trust Architecture | NIST tactics, techniques, and procedures (TTP) - Glossary | CSRC https://learn.microsoft.com/en-us/security/zero-trust/deploy/overview
Microsoft Defender for Cloud expands U.S. Gov Cloud support for CSPM and server security
U.S. government organizations face unique security and compliance challenges as they migrate essential workloads to the cloud. To help meet these needs, Microsoft Defender for Cloud has expanded support in the Government Cloud with Defender cloud security posture management (CSPM) and Defender for Servers Plan 2. This expansion helps strengthen security posture with advanced threat protection, vulnerability management, and contextual risk insights across hybrid and multi-cloud environments. Defender CSPM and Defender for Servers are available in the following Microsoft Government Clouds: Microsoft Azure Government (MAG) – FedRamp High, DISA IL4, DISA IL5 Government Community Cloud High (GCCH) – FedRamp High, DISA IL4 Defender for Cloud offers support for CSPM in U.S. Government Cloud First, Defender CSPM is generally available for U.S. Government cloud customers. This expansion brings advanced cloud security posture management capabilities to U.S. federal and government agencies—including the Department of Defense (DoD) and civilian agencies—helping them strengthen their security posture and compliance in the cloud. Defender CSPM empowers agencies to continuously discover, assess, monitor, and improve their cloud security posture, including the ability to monitor and correct configuration drift, ensuring they meet regulatory requirements and proactively manage risk in highly regulated environments. Additional benefits for government agencies: Continuous Compliance Assurance Unlike static audits, Defender CSPM provides real-time visibility into the security posture of cloud environments. This enables agencies to demonstrate ongoing compliance with federal standards—anytime, not just during audit windows Risk-Based Prioritization Defender CSPM uses contextual insights and attack path analysis to help security teams focus on the most critical risks first—maximizing impact while optimizing limited resources Agentless Monitoring With agentless scanning, agencies can assess workloads without deploying additional software—ideal for sensitive or legacy systems Security recommendations in Defender CSPM To learn more about Defender CSPM, visit our technical documentation. Defender for Cloud now offers full feature parity for server security in U.S. Government Cloud In addition to Defender CSPM, we’re also expanding our support for server security in the U.S. GovCloud. Government agencies face mounting challenges in securing the servers that support their critical operations and sensitive data. As server environments expand across on-premises, hybrid, and multicloud platforms, maintaining consistent security controls and compliance with federal standards like FedRAMP and NIST SP 800-53 becomes increasingly difficult. Manual processes and periodic audits can’t keep up with configuration drift, unpatched vulnerabilities, and evolving threats—leaving agencies exposed to breaches and compliance risks. Defender for Servers provides continuous, automated threat protection, vulnerability management, and compliance monitoring across all server environments, enabling agencies to safeguard their infrastructure and maintain a strong security posture. We are excited to share that all capabilities in Defender for Servers Plan 2 are now available in U.S. GovCloud, including these newly added capabilities: Agent-based and agentless vulnerability assessment recommendations Secrets detection recommendations EDR detection recommendations Agentless malware detection File integrity monitoring Baseline recommendations Customers can start using all capabilities of Defender for Servers Plan 2 in U.S. Government Cloud starting today. To learn more about Defender for Servers, visit our technical documentation. Get started today! To gain access to the robust capabilities provided by Defender CSPM and Defender for Servers, you need to enable the plans on your subscription. To enable the Defender CSPM and Defender for Servers plans on your subscription: Sign in to the Azure portal. Search for and select Microsoft Defender for Cloud. In the Defender for Cloud menu, select Environment settings. Select the relevant Azure subscription On the Defender plans page, toggle the Defender CSPM plan and/or Defender for Servers to On. Select Save.
