Week 9 · 8 min read
February 23 – March 2, 2026
Act by
- 1 Jul 2026 — Microsoft Sentinel is standardizing how the account entity's Account Name is populated in analytics-rule alerts, incidents, and automation. When a full UPN (
user@domain.com) is mapped to Account Name, it will always resolve to the UPN prefix only (user), and newUserPrincipalNameandUPNSuffixfields are added to the account entity. This can silently break automation rules and Logic Apps playbooks that do strict equality checks on the full UPN. Audit your rules now and switch toContains/Starts withcomparisons (orcoalesce(Account.UPNprefix, Account.Name, Account.DisplayName)in KQL) before the change lands. (Microsoft Learn)
What changed
Microsoft published a practitioner-focused guide on getting value out of the Microsoft Sentinel data lake, walking through how to centralize signals, retain years of telemetry cheaply, and run graph-powered analytics and agentic workflows over historical data. The pitch is aimed at teams that have been forced to drop or short-retain logs to control ingestion cost, which leaves investigation blind spots. On shift this matters when a hunt needs to reach back further than the analytics tier keeps: the data lake tier is where long-range correlation and retrospective IOC sweeps live, so knowing what it can (and can't) do shapes how you scope an investigation. (Microsoft Sentinel Blog)
The UEBA behaviors layer in Sentinel reached general availability, alongside a prebuilt behaviors workbook in the UEBA Essentials solution. The layer aggregates and sequences raw, high-volume logs into normalized, human-readable behaviors — "who did what to whom" — mapped to MITRE ATT&CK, so instead of reading individual CloudTrail or firewall events you see a summarized behavior like "inbound remote management session from external address." The workbook ships Overview, Investigation, and Hunting views on top of that data. For an analyst this is the layer that turns noisy telemetry into something you can triage without hand-correlating events. (Microsoft Learn)
Several identity-focused advanced hunting tables went GA: IdentityAccountInfo (account details across sources, with a link to the owning identity), EntraIdSignInEvents (interactive and non-interactive sign-ins), EntraIdSpnSignInEvents (service principal and managed identity sign-ins), and GraphApiAuditEvents (Microsoft Graph API requests against tenant resources). These are the tables you'll actually query when triaging identity incidents — service-principal abuse, token replay, and Graph-based reconnaissance — so it's worth learning their schema now that they're supported rather than preview. (What's new in Microsoft Defender XDR)
Two cloud-focused advanced hunting tables entered preview in the same month's Defender XDR updates: CloudDnsEvents, which captures DNS activity from cloud infrastructure environments, and CloudPolicyEnforcementEvents, which records policy enforcement decisions and the metadata of security gating events for cloud platforms protected by Defender for Cloud. For a SOC watching cloud workloads, cloud DNS is a classic channel for C2 and exfiltration, and the enforcement table tells you why a cloud action was allowed or blocked — both are new KQL surfaces to fold into cloud-threat hunts as they stabilize. (What's new in Microsoft Defender XDR)
Lake-only ingestion for Defender advanced hunting tables is now generally available, letting you land Defender hunting data directly in the Sentinel data lake without paying to push it through the analytics tier first. For cost-conscious SOCs this is a real lever: high-volume, low-signal tables can be retained cheaply for long-range hunting and retrospective analysis, while you keep the analytics tier for what drives live detections. (Microsoft Defender XDR Blog)
Defender for Endpoint added a batch of Microsoft Secure Score hardening recommendations aimed at cutting off common attack techniques. One blocks outbound network connections from the Microsoft HTML Application Host (mshta.exe) — a trusted Windows binary that ClickFix and other living-off-the-land campaigns abuse to run malicious scripts and reach command-and-control. Two more target lateral movement and credential relay: Block file transfer over RDP stops attackers staging or exfiltrating files inside Remote Desktop sessions, and SMB server security hardening against authentication relay attacks enforces Extended Protection for Authentication, SMB signing, and SMB encryption. For an intern, these are worth reading as a map of the techniques Microsoft expects you to see — and each is a preventive control you can point posture conversations at rather than a new alert to triage. (New features in Microsoft Defender for Endpoint)
Library management for live response reached GA in Microsoft Defender for Endpoint. You can now centrally manage the scripts and files used during live response sessions from the Defender portal — upload, view, and delete them outside an active session — instead of re-uploading tooling every time you connect to a device. For responders this means your investigation and remediation scripts are version-managed in one place, ready to run the moment you open a live response session on a compromised host. (New features in Microsoft Defender for Endpoint)
The Effective settings tab for device configuration is now GA in Defender for Endpoint. Under a device's Configuration management, it shows the actual value and configuration source of each security setting — the real enforced state, not just the admin's intended policy. This closes a common gap where an intended protection (say, an ASR rule or tamper protection) never actually took effect on the endpoint. When you're investigating why a device wasn't protected, this is the tab that tells you whether the control was really on. (New features in Microsoft Defender for Endpoint)
Defender for Endpoint also previewed an enhanced Windows deployment tool that bundles the onboarding package directly into the tool's executable, generates a key required to run it, and lets you set an expiry date on the package to reduce the risk of unauthorized use — with a new Deployment packages page in the Defender portal for centralized visibility into every package and its status. Onboarding packages are sensitive artifacts (they enroll a device into your tenant), so treating them like credentials — scoped, keyed, and expiring — is a small but real supply-chain-hygiene improvement for the teams that stand up endpoints. (New features in Microsoft Defender for Endpoint)
Defender for Office 365 extended user reporting of Microsoft Teams to calls and added message context. Building on February's expansion of Teams reporting to Plan 1, users can now report completed or missed one-to-one Teams calls from their call history as scam or malicious, and when a Teams message is reported to Microsoft, up to fifteen messages before and after it are shared for analysis. As Teams becomes a real phishing and social-engineering surface — including voice-based scams — this widens what lands in the submissions pipeline SOCs already triage and gives analysts the surrounding conversation instead of a single decontextualized message. (What's new in Defender for Office 365)
Custom Guidebooks (standard operating procedures) for Copilot Guided Response reached general availability. Teams can encode their own investigation and response playbooks so that Security Copilot's guided-response suggestions follow the organization's SOPs rather than generic defaults. For a SOC this is a way to bake tribal knowledge and required steps into the assisted-response flow, so junior analysts get consistent, org-approved next actions on an incident. (Microsoft Defender XDR Blog)
Worth knowing
Defender-portal consolidation kept moving this month. The March roundup confirms Microsoft is extending the sunset for managing Sentinel in the Azure portal to March 31, 2027 — Sentinel is already GA in the Defender portal (including for tenants without Defender XDR or an E5 license), so new SOC work should land in the unified portal, but there's no forced cutover this week. The same roundup notes Defender for Cloud is expanding into the Defender portal to give a single cloud-and-code security experience, another step in collapsing the workloads into one console. (Microsoft Defender XDR Blog)
On the identity side, February's Entra updates flagged an upcoming Entra Connect security change that blocks hard-match takeover of privileged cloud users. Starting June 1, 2026, Entra Connect Sync and Cloud Sync will no longer be able to hard-match an incoming Active Directory user to an existing cloud-managed Entra user that holds Entra roles. This shuts down an attack path where an on-prem foothold is used to manipulate AD attributes and seize control of a privileged cloud account through sync. It's worth knowing which of your privileged Entra identities are hybrid-matched before the block turns on, so a legitimate sync doesn't trip the new guardrail. (Microsoft Entra What's new)
A couple of portal-workflow changes are worth noting for how you read the console. Defender XDR added incident-graph filtering (preview) — on very large incidents with many alerts and entities you can now filter or hide specific entities to simplify the graph and keep an investigation focused on what matters. Separately, some recommendations previously scored under the Cloud apps category in Microsoft Secure Score are now counted as Identity; your total Secure Score is unchanged, but the individual identity and app sub-scores may shift, so don't read a moved number as a regression. (What's new in Microsoft Defender XDR)
A smaller operational note from the roundup: Defender Experts for Hunting customers can now set notification contacts — the individuals or groups Microsoft reaches out to for critical incidents or service updates. If your team uses the managed hunting service, make sure those contacts point at a monitored on-call channel, not a single analyst's mailbox. (Microsoft Defender XDR Blog)