SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 12 · 5 min read

March 16 – March 23, 2026

What changed

Microsoft Defender for Identity announced a batch of new detections at RSAC. A new Event Tracing for Windows (ETW) Kerberos sensor on domain controllers lets MDI inspect ticket details while a ticket is in use without decrypting it, and the first detection built on it — "Possible golden ticket attack (suspicious ticket)" — is generally available. Microsoft also added detections for post-breach attacks on Entra ID as a platform: four for anomalies against the Entra ID sync application in hybrid environments, two for suspicious device registration or join across Entra and Intune, and one for the in-the-wild "ConsentFix" OAuth authorization-flow abuse. For analysts, these close visibility gaps on the exact forged-ticket and hybrid-identity techniques attackers use to pivot from on-prem to cloud. (Microsoft Defender XDR Blog)

Defender now calculates a unified identity risk score that aggregates signals across all linked human and non-human accounts into a single score per identity, surfaced in a new identity security dashboard alongside a non-human identity inventory and account correlation across SaaS and cloud. Crucially, Entra ID customers can consume this aggregated risk directly inside risk-based Conditional Access policies, so a compromise signal seen in the SOC can immediately tighten access at sign-in. New integrations with SailPoint and CyberArk extend coverage to PAM and identity-governance sources. This gives identity and SOC teams one shared risk signal instead of reconciling separate alert streams. (Microsoft Defender XDR Blog)

Microsoft extended Security Copilot's Security Alert Triage Agent to identity and cloud alerts (public preview), so it autonomously triages high-volume identity alerts — password spray, BEC-related suspicious inbox rules, and accounts likely compromised after a password spray — and returns explainable verdicts. Predictive shielding, the just-in-time hardening in automatic attack disruption, now covers identity attacks with RemoteOps hardening (restricting high-risk RPC-based remote admin operations) and Remote Registry hardening, applied only to the specific at-risk assets rather than tenant-wide. Microsoft also announced a Security Analyst Agent that runs deep, multi-step investigations across Defender and Sentinel telemetry, and a Security Copilot chat experience coming to the Defender portal. For a stretched SOC this pushes first-pass identity triage and containment toward machine speed. (Microsoft Defender XDR Blog)

Defender extended collaboration protection beyond email to voice-based social engineering in Microsoft Teams. New Teams calling protection surfaces suspicious and malicious calls, delivers real-time in-call warnings when a caller appears to impersonate a trusted contact, and lets SOC teams investigate and correlate call activity using Advanced Hunting. With vishing and help-desk impersonation now a common intrusion vector, this gives analysts a hunting surface for a channel that was previously a blind spot. (Microsoft Defender XDR Blog)

Sentinel added ingest-time data filtering and splitting directly in the Defender portal (public preview, rolling out March 30). Analysts can write simple KQL transformations in the UI to drop low-value events before they land and to route data between the analytics tier and the cheaper data lake tier, without hand-editing Data Collection Rule JSON. This is a practical lever for cutting ingestion noise and cost while keeping high-signal data in the analytics tier where detections run. (Microsoft Sentinel Blog)

Sentinel is rolling out GDAP, unified RBAC, and row-level RBAC within tables (public preview from April 1). Granular Delegated Admin Privileges let MSSPs and multi-tenant operators manage governed tenants from a primary account; unified RBAC brings analytics-tier and data-lake permissions under one model in the Defender portal; and row-level RBAC scopes access to specific rows in a shared table so multiple SOC teams can query only the data they are authorized to see without splitting workspaces. For shared-SOC and MSSP setups this reduces the permission sprawl that tends to end in over-broad access. (Microsoft Sentinel Blog)

Sentinel's MCP entity analyzer reaches general availability (April 1), returning explainable, multi-signal risk verdicts for a URL or user identity across threat intelligence, prevalence, and organizational context — consumable by AI agents through the Sentinel MCP server or by SOAR through Logic Apps, and used as the foundation for the Defender Triage Agent. A separate custom Claude MCP connector (public preview April 1) lets Anthropic Claude query a Sentinel MCP server to summarize incidents and reason over signals while data stays inside Microsoft's security boundary. Note both meter usage — entity analyzer bills on Security Compute Units from April 1. For analysts, entity analyzer is a ready-made enrichment call instead of hand-built reputation logic. (Microsoft Sentinel Blog)

Microsoft Entra Internet Access made Shadow AI detection and prompt injection protection generally available. Shadow AI detection complements Defender for Cloud Apps to discover unsanctioned AI applications, track usage, and enforce Conditional Access to allow or block them; prompt injection protection blocks malicious AI prompts inline. Entra also brought adaptive risk remediation to GA (April 2026) for self-service account recovery, and previewed Backup and Recovery and Tenant Governance for identity resilience across multi-tenant estates. As employees adopt AI tools faster than governance keeps up, this gives the SOC discovery and blocking for a growing unsanctioned-app surface. (Microsoft Entra Blog)

Worth knowing

Nearly all of the above landed as RSAC 2026 announcements on 20 March, during a conference week that opened with Microsoft's Pre-Day on Sunday 22 March and a main-stage keynote from CVP Vasu Jakkal on Monday 23 March. Many items are announcements with staggered rollout dates across April and May 2026, so track the per-feature preview and GA dates rather than assuming everything is live now. Also worth noting: the Microsoft Security Store is now embedded directly inside Entra and Purview (GA around 23–31 March), surfacing partner identity and data-security agents in-portal — useful context when a team evaluates third-party Copilot agents alongside first-party tooling. (Microsoft Sentinel Blog)