Week 8 · 8 min read
February 16 – February 23, 2026
Act by
Entra is closing a hybrid-identity attack path: beginning June 1, 2026, Microsoft Entra Connect Sync and Cloud Sync will be blocked by default from hard-matching a newly synced on-premises AD user to an existing cloud-managed Entra user that holds a Microsoft Entra role. The change stops an attacker who controls Active Directory from taking over the Source of Authority of a privileged cloud account by manipulating on-prem attributes. Soft match and hard match for non-role-holding users are unaffected. If you run Entra Connect or Cloud Sync, inventory which role-holding cloud users still carry an onPremisesImmutableId, and expect hard-match errors after the enforcement date for anything that trips the new guard. (Microsoft Entra: What's new)
What changed
Microsoft Sentinel's UEBA Behaviors Workbook is now available as part of the UEBA Essentials solution, building on the UEBA behaviors layer that reached GA this month. The workbook ships prebuilt, customizable views across three SOC workflows: an Overview for trends and situational awareness, an Investigation view with entity-centric timelines, and a Hunting view driven by anomaly detection and attack-chain analysis. For analysts it turns normalized behavior data into ready-made dashboards, so you can pivot from a raw behavior to an entity timeline without hand-building queries. (Microsoft Sentinel Blog)
Microsoft Sentinel took multi-tenant content distribution to general availability, letting you centrally define and replicate analytics rules, automation rules, workbooks, and alert-tuning rules across tenants from the Defender portal. For an MSSP — or any SOC running more than one Sentinel tenant — this replaces per-tenant copy-paste with a managed baseline, cutting the configuration drift that leaves one tenant blind to something the others already detect. (What's new in Microsoft Sentinel: February 2026)
February's Sentinel recap also shipped a wave of new data connectors, including CrowdStrike, Vectra XDR, Palo Alto Networks Cloud NGFW, and Proofpoint, alongside a Microsoft 365 Copilot connector in preview. For a SOC these widen what you can correlate in one place — third-party EDR, NDR, firewall, and email-security telemetry landing next to Defender and Entra signals — while the Copilot connector brings Microsoft 365 Copilot activity into Sentinel so AI-tool usage becomes something you can monitor and hunt over. (What's new in Microsoft Sentinel: February 2026)
Microsoft released a public preview of an AI-assisted SOAR playbook generator for Microsoft Sentinel. It creates Python-based automation workflows through a conversational experience coauthored with Cline, an AI coding agent — you describe the response you want and it drafts the playbook. On shift this lowers the barrier to standing up or adjusting automation for repetitive response steps, though generated playbooks still need review and testing before you wire them to live incidents. (Microsoft Sentinel Blog)
Four identity-centric advanced hunting tables moved to general availability in Microsoft Defender XDR this month, giving detection engineers a stable, documented schema to build on. IdentityAccountInfo consolidates account details from sources including Entra ID and links each account to the identity that owns it; EntraIdSignInEvents covers interactive and non-interactive sign-ins; EntraIdSpnSignInEvents covers service principal and managed identity sign-ins; and GraphApiAuditEvents captures Microsoft Graph API requests against tenant resources. For a SOC, the service-principal and Graph API tables are the notable additions — they make workload-identity sign-ins and Graph-based reconnaissance or abuse huntable in KQL without stitching together separate logs. (What's new in Microsoft Defender XDR)
Microsoft Defender for Identity added a batch of new detections this month, several aimed squarely at abuse of the Entra Connect sync path. The new Entra ID alerts flag suspicious user-configuration changes, Graph API requests, and sign-ins originating from the Entra ID sync application, plus anomalous OAuth device-code authentication; on the Active Directory side, new alerts cover a possible golden ticket (suspicious ticket) and a Kerberos key-list attack. The sync-application alerts are the ones to note: they detect an attacker operating through the directory-sync service account — the same hybrid seam the June hard-match block hardens — so an attempt to ride Entra Connect now surfaces as a signal in your incident queue rather than sitting silent. (What's new in Microsoft Defender for Identity)
Microsoft Defender for Cloud added two container-runtime prevention capabilities in preview on 22 Feb. Container runtime anti-malware detection and blocking provides real-time malware detection and prevention across AKS, EKS, and GKE, with rules that define the conditions for alerting versus blocking. Alongside it, binary drift policies can now block — not just detect — unauthorized or tampered binaries executing at runtime. For a SOC watching containerized workloads, both shift container threat handling from detect-and-alert toward in-line prevention, so tune rules carefully to avoid blocking legitimate workloads. (Defender for Cloud release notes)
Defender for Endpoint's Effective settings tab reached GA under the device inventory's Configuration management view. It shows the actual value and configuration source of each security setting on a device, so you can spot policies that were intended but never took effect — the silent gaps where a protection you think is on isn't actually enforced. When you're validating that a hardening baseline or attack-surface-reduction rule really landed on a host during an investigation, this is where you confirm it. (New features in Microsoft Defender for Endpoint)
Defender for Endpoint also added library management for live response in preview. You can now view, upload, and delete the files and scripts used in live response sessions from a centralized view in the Defender portal, outside of an active session. For responders this means the tooling you reach for during containment — collection scripts, remediation binaries — is managed and vetted ahead of time rather than uploaded ad hoc mid-incident. (New features in Microsoft Defender for Endpoint)
Defender for Office 365 extended user reporting of Microsoft Teams messages to Plan 1. Users can now report external and intra-org Teams messages — from chats, standard/shared/private channels, and meeting conversations — as security risks to the configured reporting mailbox, Microsoft, or both. As Teams becomes a real phishing and social-engineering surface, this puts Teams-borne reports into the same submissions pipeline SOCs already triage for email, and it's now available without a Plan 2 license. (What's new in Defender for Office 365)
Microsoft took External MFA (external authentication methods) to general availability in Entra ID. It lets organizations satisfy MFA requirements using a preferred third-party provider while Entra ID stays the control plane — performing full policy evaluation and access decisions on every sign-in, including real-time Conditional Access enforcement and sign-in risk assessment. For SOC teams this means third-party MFA no longer sits outside Entra's risk and Conditional Access signals, so those sign-ins remain visible to identity-based detections. (Microsoft Entra: What's new)
Worth knowing
The Defender-portal migration timeline is the one to keep current: the retirement of the Microsoft Sentinel experience in the Azure portal was extended to March 31, 2027, after which Sentinel runs only in the Defender portal (available even without Defender XDR or an E5 license). The extra runway doesn't change direction — use it to validate the Defender portal experience, permissions, and any Azure-portal-only workflows your playbooks still depend on. (Microsoft Sentinel Blog)
February's Entra and identity changes read as a coordinated hardening push. Alongside the June 1 hard-match block above, Microsoft Authenticator began rolling out jailbreak/root detection for Entra credentials this month, progressing from warning mode to blocking mode; users on rooted or jailbroken devices will need to move to compliant devices, and existing credentials on flagged devices are wiped. Read the new Defender for Identity sync-application detections in the same light: the June block removes a privilege-takeover path, and the detections catch an attacker probing it in the meantime. Treat these as upstream controls that shrink specific attack paths (AD-to-cloud privilege takeover, compromised-device token theft) rather than as things that generate alerts you triage.
The four Entra tables reaching GA are worth a detection-engineering pass while they're fresh. EntraIdSpnSignInEvents makes service principal and managed-identity sign-ins first-class hunting data — useful for spotting a workload identity signing in from unexpected IPs or after a suspicious credential add — and GraphApiAuditEvents lets you hunt Graph API calls that map to reconnaissance or consent abuse. Both pair naturally with the UEBA behaviors work above: normalized behaviors for the human-readable timeline, raw Entra tables for the precise KQL. (What's new in Microsoft Defender XDR)
Two more February items round out the data plane. Microsoft Sentinel's integration with Purview Data Security Investigations reached GA, combining data-centric insights with Sentinel's threat graph so an investigation can pivot from a threat signal to the sensitive data actually at risk. And for SAP estates, the Sentinel solution for SAP BTP gained new analytics rules across Integration Suite, Cloud Identity Service, Build Work Zone, and BTP audit logging — detecting unauthorized integration-artifact changes, risky identity and privilege changes, mass role deletions, and audit-log ingestion gaps. Neither is core email-and-endpoint SOC work, but both extend where your Sentinel detections can reach. (What's new in Microsoft Sentinel)