Week 3 · 6 min read
January 12 – January 19, 2026
Act by
- 13 Jan 2026 — January Patch Tuesday shipped fixes for roughly 113 CVEs (trackers count 112–114 depending on how third-party items are tallied), including CVE-2026-20805, a Desktop Window Manager information-disclosure flaw Microsoft reports as exploited in the wild, plus two other publicly disclosed zero-days. The DWM bug scores only CVSS 5.5, but info-leak flaws like it are typically chained to defeat ASLR and turn an unreliable memory-corruption exploit into a repeatable one, so don't deprioritise it on score alone. Deploy the January cumulative update across your Windows fleet and use Defender Vulnerability Management to confirm which devices are still exposed. (MSRC Security Update Guide)
What changed
Microsoft Sentinel now supports ingesting Microsoft Defender for Office 365 (MDO) and Defender for Cloud Apps tables directly into the Sentinel data lake tier, extending the direct ingestion previously available for Defender for Endpoint. You select the data lake tier when configuring retention in the built-in table management experience in the Defender portal, keeping long-term email and cloud-app telemetry available for historical hunting without paying analytics-tier cost. On shift this means cheaper, longer-window hunts over MDO and cloud-app signals that would otherwise age out. (What's new in Microsoft Sentinel: January 2026)
The AI-powered SIEM migration experience now supports QRadar-to-Sentinel migrations, adding to existing Splunk support. It maps detection rules and enables the required data connectors so teams can move to Sentinel's cloud-native SIEM with less manual rewriting, and eligible customers can get free migration help through the Cloud Accelerate Factory program. Relevant if your org is consolidating or retiring a legacy SIEM onto Sentinel. (A dedicated deep-dive followed the next week — see the 19–26 Jan issue.) (What's new in Microsoft Sentinel: January 2026)
Sentinel's new UEBA behaviors layer is in public preview. It sits between raw logs and alerts, aggregating and sequencing high-volume telemetry into human-readable "behaviors" that describe who did what to whom, each mapped to MITRE ATT&CK tactics and techniques — for example, "Inbound remote management session from external address" summarising many raw events. Preview coverage includes AWS CloudTrail, CommonSecurityLog (CyberArk Vault, Palo Alto Threats), and GCPAuditLogs, and it can be enabled independently of UEBA anomaly detection. For analysts, it cuts the time spent reconstructing an entity's activity from individual raw events during triage and hunting. (What's new in Microsoft Sentinel: January 2026)
UEBA also got easier to turn on and see. You can now enable UEBA for supported data sources directly from the data connector configuration page (preview), instead of navigating to a separate settings page — which reduces the coverage gaps that appear when a new connector goes live but never gets wired into UEBA. Separately, the Defender portal home page gains a UEBA widget (preview) that surfaces anomalous user behavior up front so analysts spot which identities to prioritise without hunting for it. Both are small workflow wins that make the behavioral signal show up where analysts already work. (What's new in Microsoft Sentinel)
Defender for Cloud Apps permissions are now integrated with Microsoft Defender XDR Unified RBAC, available worldwide. Instead of managing cloud-app-security roles separately, admins grant Defender for Cloud Apps access through the same unified role model as the rest of Defender XDR. For a SOC this is the fix for the recurring "why can't I see cloud-app alerts" access confusion after unified-portal onboarding — check that your analyst roles carry the right Unified RBAC permissions. (Defender XDR — Monthly news, January 2026)
Defender for Cloud Apps app governance added an unused-app insights capability (now available for most commercial customers) that flags Microsoft 365-connected OAuth apps that are no longer used, so admins can review and remove them under policy-based governance, with advanced-hunting queries to back the review. Stale, over-permissioned OAuth app registrations are a well-worn persistence and data-exfiltration path, so pruning dormant ones shrinks a real attack surface. (Defender XDR — Monthly news, January 2026)
Custom detection rules in Microsoft Defender now support Near-Real-Time (NRT) frequency on Microsoft Sentinel data (preview). Detection engineers can run KQL custom detections that key off Sentinel-ingested tables at NRT cadence rather than waiting for the standard scheduled interval, tightening the gap between a logged event and an alert for time-sensitive detections. Worth knowing when you're deciding whether a rule needs NRT or can live on the normal schedule. (What's new in Microsoft Defender XDR)
Microsoft Entra reached general availability for service-principal creation audit logs built for alerting and monitoring. New audit-log properties surface why a service principal was created and who or what triggered it — the provisioning mechanism, the SKUs or service plans that enabled just-in-time creation, and the home tenant of the app registration — letting you distinguish Microsoft-driven provisioning from tenant-driven activity. Newly created service principals are a classic identity-persistence vector, so this makes the "unexpected app/SP appeared" hunt far cleaner. (Microsoft Entra releases and announcements)
The Advanced Security Information Model (ASIM) received a schema refresh that aligns all ASIM schemas to the latest standard, following ASIM reaching general availability in September. Consistent normalization matters because detections, hunting queries, and workbooks built on ASIM parsers behave predictably across data sources; review any custom parsers or queries that assumed older field shapes. (What's new in Microsoft Sentinel: January 2026)
The Sentinel solution for SAP BTP gained new built-in analytics rules that expand detection over high-risk control-plane, integration, and identity activity — unauthorized changes to Integration Suite artifacts and data sources, Cloud Identity Service user deletions and SAML/OIDC config changes, mass role deletions in Build Work Zone, and audit-logging gaps. Only relevant if your estate runs SAP BTP, but if it does, this is meaningful new coverage to enable from Content hub. (What's new in Microsoft Sentinel)
Worth knowing
Beyond the exploited DWM flaw, January Patch Tuesday included eight Critical vulnerabilities, most of them remote code execution, and three zero-days in total. Of particular interest to a Microsoft estate are critical RCEs in Windows Routing and Remote Access Service (RRAS), LSASS, and SharePoint Server — the SharePoint on-premises RCE is worth flagging to server owners given the ongoing history of internet-facing SharePoint being targeted. Pair the patch push with a Defender Vulnerability Management sweep so you can evidence remediation rather than assume it. (MSRC Security Update Guide)
The Defender-portal migration clock got a concrete update this month: Microsoft now says Sentinel in the Azure portal will be retired after 31 March 2027, with remaining customers redirected to the Defender portal (this replaces the earlier July 2026 date). Sentinel is already GA in the unified Defender portal, including for tenants without Defender XDR or an E5 license, so the runway is real but finite — if your team still lives in the Azure portal, treat 2026 as planning-and-migration time rather than waiting for a forced cutover. (What's new in Microsoft Sentinel)
For threat hunters, the January Defender XDR monthly news recapped a batch of advanced-hunting upgrades that GA'd around the turn of the year: the hunting graph is now generally available with new predefined threat scenarios that render a hunt as an interactive graph, and advanced hunting now supports custom functions with tabular parameters, letting you pass whole tables as inputs to build modular, reusable KQL. Both are quality-of-life gains that make complex, repeatable hunts easier to write and share across the team. (Defender XDR — Monthly news, January 2026)