SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 1 · 4 min read

December 29, 2025 – January 5, 2026

Act by

  • 1 Jul 2026 — Microsoft Sentinel standardizes how account entities are named in incidents and alerts. The Account value now resolves by priority: UPN prefix (the part before @), then Name, then Display Name. This can break analytics rules, automation rules, playbooks, workbooks, and hunting queries that key off the old value. Audit your detections and automation now, and rewrite lookups to be precedence-aware, e.g. coalesce(Account.UPNprefix, Account.Name, Account.DisplayName), testing in a non-production workspace first. (Microsoft Learn)

What changed

The 29 December – 5 January holiday window itself produced no dated in-scope posts on the Microsoft Sentinel, Defender XDR, Entra, MSRC, or Microsoft Security blogs — Microsoft's end-of-year wrap-ups landed earlier in December. The substantive news a returning SOC meets this week is in Microsoft's January 2026 what's-new pages, which carry these items without pinpoint dates; they are grouped here as the earliest January issue.

Microsoft moved the retirement date for Microsoft Sentinel in the Azure portal to 31 March 2027 — a push out from the previously stated July 2026. Sentinel is generally available in the unified Defender portal (including for customers without Defender XDR or an E5 license), and after that date the Azure-portal experience will no longer be supported and remaining users are redirected. The later date buys planning room, but the direction is fixed: if your team still runs Sentinel in the Azure portal, use the quiet period to scope the move to the Defender portal rather than treat the deadline as far off. (Microsoft Learn)

Sentinel's UEBA behaviors layer entered public preview. Instead of anomaly scores, it aggregates and sequences raw, high-volume logs into human-readable behaviors — for example "Inbound remote management session from external address" — each mapped to MITRE ATT&CK tactics and traceable back to the underlying events. It can be enabled independently of UEBA anomaly detection, and the preview supports AWS CloudTrail, CommonSecurityLog (CyberArk Vault, Palo Alto Threats), and GCP audit logs. For an analyst, this turns "who did what to whom" from a manual log-correlation exercise into a starting point for investigation and detection. (Microsoft Learn)

Two smaller UEBA quality-of-life changes shipped alongside it: a UEBA widget on the Defender portal home page (preview) that surfaces anomalous user behavior up front, and the ability to enable UEBA directly from a data connector's configuration page (preview) so you onboard a source to UEBA in the same step you connect it, closing the coverage gaps that come from a separate configuration screen. (Microsoft Learn)

Defender XDR added Near Real-Time (NRT) frequency for custom detection rules that run on Microsoft Sentinel data (preview), so a detection built on Sentinel tables can fire close to event time rather than on the standard scheduled cadence — useful for the identity and access patterns where minutes matter. In advanced hunting, the BehaviorInfo and BehaviorEntities tables gained additional columns tying UEBA behaviors to their related alerts and entities, and queries that exceed the 64-MB result limit now return a partial result set with a clear truncation notice instead of failing outright. (Microsoft Learn)

Sentinel's solution for SAP BTP picked up new analytics rules spanning the Integration Suite, Cloud Identity Service, Build Work Zone, and BTP audit logging — covering unauthorized changes to integration artifacts, risky identity and SAML/OIDC configuration changes, mass role deletions, and audit-log ingestion gaps. Niche unless you run SAP BTP, but if you do it closes real control-plane and identity blind spots. (Microsoft Learn)

Worth knowing

Returning from the break, the thing worth catching up on is December's Security Copilot agent wave in Defender. The Threat Intelligence Briefing Agent reached general availability (tailored threat briefings generated in minutes from actor activity plus internal and external vulnerability data); the Threat Hunting Agent (preview) runs full natural-language hunting sessions — generating queries, interpreting results, and surfacing insights conversationally; and the Dynamic Threat Detection Agent (preview) is an always-on backend service that looks for missed threats across Defender and Sentinel. Sentinel's MCP server also became consumable from GitHub Copilot, Copilot Studio, Microsoft Foundry, and ChatGPT agent builders, and Defender for Endpoint data can now flow directly into the Sentinel data lake. Know which of these your org has turned on before you lean on an agent's verdict. (Microsoft Defender XDR, Microsoft Sentinel blog)

The Defender-portal migration remains the background theme into 2026, and the practical snag after onboarding is almost always permissions. A useful read from just before this window walks through how Sentinel and Defender XDR permissions map together in the unified portal — the most common source of "why can't I see this incident" confusion once a workspace is onboarded. Pair it with the 31 March 2027 Azure-portal retirement date above when you plan the move. (Microsoft Sentinel blog)

No Patch Tuesday falls in this window. The January 2026 security update release lands on the second Tuesday, 13 January, so expect the monthly Microsoft CVE batch — and any actively-exploited items — next week rather than this one. Use the quiet shift to confirm your update-ring and emergency-patch process is ready before the first release of the year. (MSRC Security Update Guide)