Week 4 · 4 min read
January 19 – January 26, 2026
What changed
Microsoft published a dedicated deep-dive bringing the AI-powered SIEM migration experience's QRadar-to-Sentinel support into public preview, extending the Splunk support shown at Ignite 2025. Beyond syntax translation it does intent-based mapping of legacy detections onto out-of-the-box Sentinel analytics, flags missing data connectors so coverage isn't lost, and structures the move across four pillars: discovery and planning, detections, data sources, and validation. Microsoft cites up to a 50% cut in migration time against the 15 months a legacy SIEM migration can take, and eligible customers can get hands-on help through the Cloud Accelerate Factory program for both Splunk and QRadar. If your org is retiring QRadar, this is the guided path onto Sentinel's cloud-native SIEM — the same feature the January "what's new" flagged, now with the full walkthrough. (Microsoft Sentinel Blog)
Defender for Office 365 now lets admins block malicious external senders and domains in Microsoft Teams directly from the Defender portal, with the block propagating into the Teams Admin Center blocked-domains-and-users list. When you spot an abusive external org, the block halts new external chats, invites, and channel messages from those senders in near real time and deletes existing ones — so SOC teams no longer have to bounce to a separate admin console mid-incident to cut off a Teams-based phishing sender. (What's new in Microsoft Defender for Office 365)
Microsoft also extended two Teams protections to Defender for Office 365 Plan 1: zero-hour auto-purge (ZAP) for Teams messages and admin management of quarantined Teams messages are now on by default for Plan 1. That brings a post-delivery layer to lower-tier tenants — malicious Teams messages can be retroactively pulled after delivery, and analysts can triage quarantined Teams content from the portal. Worth knowing which SKU a tenant runs, because this changes what post-delivery Teams response you can expect on shift. (What's new in Microsoft Defender for Office 365)
The Microsoft Sentinel solution for SAP BTP gained new built-in analytics rules this month, expanding detection coverage across the SAP control plane and identity surface. The additions flag unauthorized changes to SAP Integration Suite artifacts and data sources, user deletions and SAML/OIDC config changes in SAP Cloud Identity Service, mass role deletions in SAP Build Work Zone, and gaps or disruptions in BTP audit logging that could hide stealthy activity. If your estate includes SAP BTP, these are ready-to-enable detections for high-risk integration, identity, and audit-tampering activity. (What's new in Microsoft Sentinel)
Sentinel's UEBA surfaced further in the Defender portal this month: a new home-page UEBA widget (preview) gives analysts immediate visibility into anomalous user behavior without opening a separate page, and you can now enable UEBA for a supported source directly from the data connector configuration rather than a separate settings blade, which prevents coverage gaps when onboarding new connectors. Both build on the UEBA behaviors layer from the January release and shorten the path from "connector on" to "behavior visible during triage." (What's new in Microsoft Sentinel)
The Sentinel team continued its Automating Microsoft Sentinel blog series with Part 4, a hands-on walkthrough of building a playbook from scratch: the incident, alert, and entity trigger types, running playbooks as managed identities, the Logic Apps designer flow, and when to build your own instead of pulling a prebuilt playbook from the Content Hub. It's a practical primer for interns getting started with SOAR in Sentinel. (Microsoft Sentinel Blog)
Worth knowing
Microsoft Defender researchers detailed a resurgent multi-stage adversary-in-the-middle (AiTM) phishing and BEC campaign hitting multiple energy-sector organizations. The attackers abused SharePoint file-sharing to deliver phishing links, used AiTM to steal session tokens and bypass MFA, then created inbox rules to hide their activity and rode the compromised, trusted internal identities to run large-scale intra-org and external phishing; they even read and replied to recipients who questioned the emails' authenticity before deleting the exchange to stay hidden. On shift the takeaway is that remediation has to go past a password reset and MFA re-registration — revoke active sessions, hunt for and remove malicious inbox and forwarding rules, and check the mailbox for onward phishing before closing the incident. The campaign's reliance on trusted collaboration surfaces (SharePoint, OneDrive, and Teams) is exactly why this month's Teams sender-blocking and ZAP-to-Plan-1 changes matter. (Microsoft Security Blog)
No Microsoft Patch Tuesday fell in this window. The January 2026 security updates released on 13 January — including the actively exploited Desktop Window Manager flaw CVE-2026-20805 and critical SharePoint Server, RRAS, and LSASS RCEs — so if any of those are still unpatched in your fleet, they remain the priority; February's updates land on 10 February. Use Defender Vulnerability Management to confirm which devices are still exposed to the January CVEs rather than assuming the cumulative update reached everything. (MSRC Security Update Guide)
A pattern in this month's releases worth internalizing: the net-new SOC features — the Teams sender blocking, the UEBA home-page widget, playbook authoring — all land in the Defender portal, not the Azure portal. Microsoft has confirmed the Azure-portal Sentinel experience is on a path to retirement, with new capabilities shipping only in the unified Defender portal. Treat the Defender portal as where your day-to-day SecOps work lives and get comfortable there now. (What's new for Microsoft's unified security operations)