SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 10 · 9 min read

March 2 – March 9, 2026

Act by

  • 1 Jun 2026 — Legacy Microsoft Sentinel repositories (content-as-code) API versions retire in June 2026, and Source Control create/manage calls on the old versions will start failing. If you drive repo connections through the REST API or pipelines, move to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview before this date. Existing repository connections keep operating; only API calls on the retired versions break. (Microsoft Learn)

What changed

Microsoft Defender for Identity landed a large identity-security release centered on a new Identity Security dashboard (preview) and a Coverage and maturity page that scores your identity posture across Connected, Protected, Fortified, and Resilient levels with prioritized setup tasks. The Identity inventory now splits human and non-human identities into separate tabs — the Non-human identities tab (preview) surfaces Entra ID apps, Active Directory service accounts, and Google Workspace/Salesforce apps — and a new identity risk score (0–100, preview) estimates likelihood of compromise and blast-radius impact, flows into Entra ID for Conditional Access decisions, and gets a dedicated Risk score tab on the identity page. A Domain investigation page and cross-provider identity security recommendations round it out. For a SOC, this turns identity from a scattered set of signals into a single prioritized surface, and the non-human inventory finally gives you eyes on service-account and app-identity sprawl. (Microsoft Learn)

Proactive user containment ("contain user") reached general availability as part of Defender XDR's predictive shielding. Instead of waiting for a confirmed compromise, it fuses activity data with exposure data to spot credentials that are exposed and likely to be reused for malicious activity, then contains the user from the network. That gives analysts a pre-emptive lever during an unfolding incident rather than a purely reactive one — useful for cutting off lateral movement before an attacker pivots on harvested creds. (Microsoft Learn)

Microsoft Entra Backup and Recovery entered public preview — a built-in, always-on safety net that automatically backs up critical directory objects (users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, Agent IDs, and authentication/authorization policy) so you can roll the tenant back to a known-good state after an accidental or malicious change. During preview it takes one daily snapshot (retained five days with Entra ID P1/P2); admins can view snapshots, generate difference reports to see exactly what changed, and run recovery jobs. For a SOC this is a concrete recovery lever for identity-based attacks: if an adversary tampers with a Conditional Access policy or a named location, you can diff and restore it rather than reconstruct it from memory. (Microsoft Learn)

The Microsoft Sentinel playbook generator now lets you build fully functional, code-based playbooks by describing the workflow in natural language instead of stitching together templates and a fixed action library. You define an Integration Profile (base URL, auth method, credentials) and it produces a Python playbook — with docs and a visual flowchart — that can call Microsoft and third-party APIs without predefined connectors, then validate against real alerts. For analysts, this lowers the bar to automating repetitive triage and enrichment steps directly in your SOAR layer. (Microsoft Sentinel Blog)

CCF Push entered public preview, letting data sources send security telemetry straight into a Sentinel workspace in real time over the Log Ingestion API. Instead of hand-building Data Collection Endpoints, Data Collection Rules, Entra app registrations, and RBAC assignments, you deploy the connector and Sentinel provisions the resources for you; it supports high-throughput ingestion, in-flight transformation, and delivery to system tables. Partners such as Keeper Security, Obsidian Security, and Varonis are already streaming data this way, so expect more push-based connectors to land in your content hub. (Microsoft Sentinel Blog)

A dedicated Google Kubernetes Engine (GKE) connector reached general availability in the Sentinel content hub, built on the Codeless Connector Framework. It ingests GKE cluster activity, workload behavior, and security events into the GKEAudit table, with DCR support, data-lake-only ingestion, and workspace transformations, bringing GKE monitoring in line with how AKS is handled today. For SOCs whose workloads span clouds, this means the same Sentinel analytics, workbooks, and hunting queries now cover Kubernetes threats regardless of whether clusters run on Azure or Google Cloud. (Microsoft Sentinel Blog)

Microsoft Sentinel repositories are now generally available. The content-as-code feature — connecting a Sentinel workspace to a GitHub or Azure DevOps repo to deploy analytics rules, hunting queries, workbooks, and automation through CI/CD — is out of preview. This is the same feature whose older REST API versions are being retired (see Act by), so if you manage detections as code, this is the moment to standardize on the GA experience and the supported API versions. (Microsoft Learn)

Custom Guidebooks (SOPs) for Copilot Guided Response reached general availability, letting you bring your own standard operating procedures directly into the Security Copilot Guided Response experience in the Defender portal. Rather than the generic recommended steps, Copilot can now walk analysts through your organization's own runbook for a given incident type — handy for keeping newer shift staff aligned to house process during triage. (Microsoft Defender XDR Blog)

Two endpoint-response quality-of-life changes shipped for Microsoft Defender for Endpoint: Library Management for live response (public preview) lets you centrally manage live-response scripts and files in the Defender portal instead of uploading them ad hoc inside each session, and Effective Settings Reporting (GA) shows the security settings actually enforced on a device rather than just the admin's intended policy — closing a common gap when you're chasing why a control didn't apply on a specific host. (Microsoft Defender XDR Blog)

Defender for Endpoint also added several Microsoft Secure Score recommendations aimed squarely at common initial-access and lateral-movement techniques. New recommendations block outbound network connections from the HTML Application host mshta.exe — a trusted, living-off-the-land binary that ClickFix-style campaigns abuse to run malicious scripts, pull payloads, and reach command-and-control — block file transfer over RDP sessions, and harden SMB against authentication-relay attacks by enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption. These are cheap, high-value hardening wins an intern can help drive, and each maps directly to an attack pattern you'll actually see in incidents. (Microsoft Learn)

Defender for Office 365 extended user reporting in Microsoft Teams. Users can now report completed or missed one-to-one Teams calls from their call history as scam or non-scam — sent to your reporting mailbox and/or Microsoft — and when users report Teams messages from chats, channels, or meetings, up to fifteen messages before and after the reported one are now shared for analysis. That gives analysts conversational context around a reported chat instead of a single stripped-out message, which matters as Teams becomes a bigger social-engineering channel feeding your submissions queue. (Microsoft Learn)

Microsoft Defender for Cloud began converting grouped recommendations into individual recommendations in the Azure portal (preview, 4 March), scoring and prioritizing each finding — vulnerability, exposed secret, or misconfiguration — separately instead of nesting them under a parent. On the same date, the older grouped container and container-image vulnerability recommendations were put on a deprecation path (removal starting 13 April 2026). If your automation, governance rules, or workbooks key off the grouped recommendation names, plan to repoint them at the individual recommendations and security categories. (Microsoft Learn)

Worth knowing

Microsoft Threat Intelligence published "AI as tradecraft: how threat actors operationalize AI" (6 March), a detailed look — some of it done in collaboration with OpenAI — at how named actors are folding generative AI into real operations. North Korean clusters feature heavily: Emerald Sleet used LLMs to research publicly reported vulnerabilities including the MSDT "Follina" bug (CVE-2022-30190), Sapphire Sleet and Moonstone Sleet used AI for malware scripting and C2 development, and the Jasper/Coral Sleet IT-worker operations used it to fabricate identities with AI-generated photos and voice cloning — researchers even spotted emoji markers and conversational code comments in Coral Sleet's OtterCookie payload. The practical takeaway for a SOC: AI mostly makes existing tradecraft faster and better-localized rather than inventing new attack classes, so keep the fundamentals (phishing-resistant MFA, patching known-exploited CVEs, service-account hygiene) tight. (Microsoft Security Blog)

The Defender Monthly news — March 2026 digest is worth a skim for portal-consolidation context: Microsoft Defender for Cloud is expanding into the Defender portal in public preview, continuing the push toward one console for cloud and code security alongside the rest of Defender. It also lands amid the broader migration reminder that Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface — so any Azure-portal-specific runbooks, bookmarks, or automation you still rely on should be on your migration backlog. (Microsoft Defender XDR Blog)

On the identity side, the March Entra release notes bring synced passkeys to general availability — FIDO2 credentials that can live in built-in or third-party passkey providers and roam across a user's devices, managed through passkey profiles in the authentication methods policy (now GA in their own right) — reinforcing the phishing-resistant-auth direction the threat research above argues for. Separately, RSA published an agentic integration that pipes RSA ID Plus administrative identity telemetry into the Sentinel data lake for cheap long-term retention, then uses Security Copilot agents to flag anomalous admin behavior automatically; it's a partner solution rather than a first-party feature, but a useful pattern for correlating identity risk alongside broader Sentinel telemetry without manual joins. (Microsoft Learn) (Microsoft Sentinel Blog)

A few smaller operational changes in the Defender portal's March updates are worth knowing for day-to-day work. Microsoft recalculated some Secure Score categories so that several recommendations previously counted under Cloud apps are now treated as Identity — your total Secure Score is unchanged, but individual identity and app category scores may move, so don't read a category swing this month as a real posture change. Advanced hunting gained two new preview tables — CloudDnsEvents (DNS activity from cloud infrastructure) and CloudPolicyEnforcementEvents (policy-enforcement and gating decisions for platforms protected by Defender for Cloud) — and the incident graph can now be filtered, or have specific entities hidden, on very large incidents, which finally makes the sprawling graphs on multi-alert incidents navigable during an investigation. (Microsoft Learn)