SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 11 · 8 min read

March 9 – March 16, 2026

What changed

On-demand malware scanning for Azure Files entered public preview in Microsoft Defender for Storage on 10 March, extending the existing on-demand scan feature so you can now scan whole storage accounts containing both blobs and Azure Files shares. Scans run from the Azure portal or the REST API and can be automated with Logic Apps, Azure Automation, or PowerShell; each scan uses Microsoft Defender Antivirus with current definitions and shows an upfront cost estimate before it runs. For a SOC, this is a practical way to sweep a suspect file share during an incident instead of waiting on on-upload scanning to catch something already at rest. (Microsoft Learn)

Defender for Cloud added code-to-runtime enrichment for recommendations in preview (10 March), tracing a runtime security issue back through registries and pipelines to the source code that introduced it. It also does blast-radius analysis — how many assets a single code change affects — so you can fix at the source rather than chasing recurring runtime symptoms. It leans DevSecOps, but the runtime-to-source tracing is useful when triaging a container vulnerability and deciding whether the fix belongs with the SOC or the app team. (Microsoft Learn)

Defender for Cloud now applies severity-based risk to recommendations that previously showed as "Not evaluated" (11 March). Those recommendations inherit a risk level from their severity, so they get prioritized in the recommendations list and — importantly — are now folded into Secure Score calculations. Expect Secure Score and recommendation status to shift for tenants that had unevaluated items, even without Defender CSPM enabled; full contextual, environment-aware risk still requires CSPM on the subscription. Analysts who track posture off Secure Score should know this is a scoring-model change, not a real drop in hygiene. (Microsoft Learn)

Kubernetes gated deployment for AKS Automatic clusters reached general availability in Defender for Containers on 12 March. Gated deployment blocks non-compliant container images from being deployed, and this GA extends it to AKS Automatic; to use it you install the Defender sensor via Helm in the kube-system namespace, and the install script will disable an existing AKS add-on sensor and redeploy through Helm. For teams standardizing on AKS Automatic, this closes an admission-control gap that previously only applied to standard AKS. (Microsoft Learn)

March's Defender XDR update centered on a broad identity-security build-out in the Defender portal. A new Identity Security dashboard summarizes coverage across identity providers, on-premises and SaaS identities, PAM/IGA integrations, and non-human identities; a Coverage and maturity page scores your identity posture through Connected → Protected → Fortified → Resilient levels with prioritized setup tasks; and the Identity inventory now splits human and non-human identities into separate tabs, so Entra ID app registrations, Active Directory service accounts, and even Google Workspace and Salesforce apps are enumerated as identities you can investigate. Most of this is rolling out gradually and in preview, but it is the connective tissue a SOC needs to see which identities exist and which are unmonitored. (Microsoft Learn)

Alongside it, Defender XDR added an identity risk score (0–100) that rates the likelihood and potential impact of an identity's compromise based on criticality and privileged roles, with a dedicated Risk score tab on the identity page breaking down the contributing factors and trend. The score is surfaced in Microsoft Entra ID, where it can feed Conditional Access policies and Identity Protection workflows — so a high-risk classification in the SOC can drive an enforcement decision at sign-in. A new Domain investigation page and consolidated identity security recommendations (drawing from Active Directory, Entra ID, and SaaS providers) shipped in the same wave. (Microsoft Learn)

The contain-user response action ("proactive user containment") reached general availability this month as part of Defender's predictive-shielding capability. It combines activity data with exposure data to spot credentials at risk of being compromised and reused, and blocks the suspect account's lateral movement across onboarded devices before an analyst has fully scoped the incident. For a SOC this is a fast, reversible containment lever for a user you suspect but haven't yet confirmed — the identity equivalent of isolating a device. (Microsoft Learn)

Microsoft Defender for Endpoint's March release added new Secure Score recommendations that pre-emptively block common attack techniques at the endpoint. The standouts for a SOC: block outbound network connections from mshta.exe (the trusted Windows binary abused by ClickFix-style campaigns to pull payloads and reach C2), block file transfer over RDP to stop attackers staging or exfiltrating files through remote sessions, and SMB server hardening against authentication-relay attacks by enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption. These are configuration levers you can push from Secure Score rather than detections you have to chase after the fact. (Microsoft Learn)

Microsoft Defender for Identity's March updates bring sensor v3.x support for domain controllers running Microsoft Entra Connect (detections plus ISPM recommendations), and let you migrate sensors from v2.x to v3.x directly from the Defender portal with no downtime — the v2.x sensor keeps running until the v3.x sensor is ready, and eligible servers show up as "Ready for migration." The Entra Connect support requires Windows Server 2019+ with at least the March 2026 cumulative update (KB5078766, shipped this Patch Tuesday). For hybrid-identity SOCs, getting MDI coverage onto the Entra Connect box closes a long-standing blind spot on the exact server attackers target to pivot on-prem-to-cloud. (Microsoft Learn)

Defender for Office 365 extended user reporting in Microsoft Teams this month: users can now report one-to-one Teams calls from call history as scam or non-scam to the reporting mailbox and/or Microsoft, and when a user reports a Teams message, up to fifteen messages before and after it are now shared for analysis. With Teams-based vishing and scam calls a live intrusion vector, this gives analysts richer reported-message context and a reporting path for malicious calls that previously had none. (Microsoft Learn)

Microsoft Entra shipped Backup and Recovery in public preview this month — a built-in, always-on safety net that takes a daily backup of critical directory objects, including users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, and agent IDs (P1/P2 tenants retain five days of snapshots). Admins can diff snapshots to see exactly what changed and run recovery jobs to roll objects back to a known-good state. For incident response, this is the difference between "an attacker or a bad change wiped our Conditional Access policies" and a bounded, reversible event — worth knowing exists before you need it. (Microsoft Learn)

Entra also moved phishing-resistant authentication forward: synced passkeys and passkey profiles both reached general availability, and device-bound Entra passkeys on Windows (registered in the Windows Hello container) entered preview. Synced passkeys are FIDO2 credentials that roam across a user's devices, while passkey profiles let admins define different attestation and authenticator requirements for, say, admins versus standard users and target them by group. For a SOC pushing toward phishing-resistant MFA, this is the tenant-side control surface that makes a passkey rollout enforceable rather than best-effort. (Microsoft Learn)

Worth knowing

March Patch Tuesday shipped on 10 March 2026, addressing roughly 79 vulnerabilities with three rated Critical. The two to prioritize on a Microsoft estate are CVE-2026-26113 and CVE-2026-26110, both Microsoft Office remote-code-execution flaws that can trigger from the Outlook Preview Pane with no click, plus a Critical Excel information-disclosure bug (CVE-2026-26144). A SQL Server flaw (CVE-2026-21262) was publicly disclosed ahead of the fix; Microsoft did not flag a confirmed in-the-wild exploited flaw this month, but several Windows elevation-of-privilege CVEs are rated "more likely" to be exploited, so watch endpoint patch compliance in MDE's vulnerability management. The same Windows cumulative update (KB5078766) is a prerequisite for the new MDI v3.x sensor support on Entra Connect DCs, so patching and that identity-coverage change move together. (MSRC Security Update Guide)

While you're watching Secure Score, note a second, unrelated scoring change this month: Defender XDR recategorized some "Cloud apps" recommendations as "Identity", so your total Secure Score is unchanged but the individual Identity and Cloud-apps category scores can move. Combined with the Defender for Cloud severity-based-risk change above, March is a month where Secure Score numbers shift for model reasons rather than because posture actually changed — flag that to anyone who tracks the score as a KPI before they read a dip as a regression. (Microsoft Learn)

For threat-research reading, Microsoft Threat Intelligence's "AI as tradecraft: how threat actors operationalize AI" (published 6 March, just ahead of this window) documents how nation-state actors — including North Korea's Jasper Sleet and Coral Sleet — are folding LLMs into real operations: role-play jailbreaks, LLM-assisted vulnerability research, and AI-generated malware and lures. It is useful background for interns because it grounds the "AI threat" abstraction in concrete tradecraft you may see reflected in phishing quality and tooling, and it pairs with the defensive AI features (predictive shielding, contain-user, Copilot agents) Microsoft is shipping across Defender. (Microsoft Security Blog)

This was a deliberately light week immediately before RSAC 2026 — Microsoft's Pre-Day was Sunday 22 March in San Francisco — so the larger Sentinel, Defender, and Entra announcements cluster in the following week's brief. If you are planning portal work, remember the backdrop: managing Microsoft Sentinel in the Azure portal is being retired 31 March 2027, and the Defender portal is where new SOC workflows (and most of the features above — the identity-security dashboard, contain-user, MDI migration) now live. (Microsoft Learn)