SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 14 · 5 min read

March 30 – April 6, 2026

Act by

  • 1 Apr 2026 — Microsoft Sentinel begins charging Security Compute Units (SCUs) for the entity analyzer tool in the Sentinel MCP data-exploration collection. If your team picked up entity analyzer for out-of-the-box URL and identity risk assessments after its RSAC-week GA, those runs now draw down SCUs; review MCP usage so agent-driven queries don't surprise your Sentinel bill. (Microsoft Learn)
  • 1 Apr 2026 — In Azure Government (Fairfax), Defender for Cloud announced an enhanced agent for the Defender for SQL Server on machines plan that uses existing SQL infrastructure instead of the Azure Monitor Agent (AMA). If you enabled this plan before April 2026, update the plan configuration; protection-status verification for your SQL instances is expected to start around May 2026. (Microsoft Learn)
  • 13 Apr 2026 — Defender for Cloud deprecates the preview grouped container vulnerability recommendations (the "Containers running in Azure/AWS/GCP should have vulnerability findings resolved" set and their registry equivalents), replacing them with per-finding individual recommendations. If any governance rules, exemptions, workbooks, or automation query the old grouped recommendation keys, migrate them to the individual-recommendation format and securityresources KQL now, before the keys disappear. (Microsoft Learn)
  • 1 Jul 2026 — Flagged in the April 2026 Sentinel updates: Microsoft is standardizing the Account Name entity value for analytics-rule alerts so a mapped full UPN is always the prefix only (user), with new UserPrincipalName, UPNSuffix, and prefix fields added to SecurityAlert. Any automation rule or Logic Apps playbook that does strict equality on the full UPN will break; switch to Starts with / Contains on the prefix and match the suffix separately before the July cutover. (Microsoft Learn)

What changed

Defender for Cloud made automated malware remediation in Defender for Storage generally available on 31 March. When on-upload or on-demand scanning flags a malicious blob, Defender for Cloud can now automatically soft-delete it — the blob is quarantined but recoverable for investigation — and you toggle the behavior per subscription or per storage account in the portal or via API. For a SOC, this shortens the window between detection and containment for storage-borne malware without a custom playbook, though the soft-delete-and-recover model means you still want a process for triaging quarantined blobs. (Microsoft Learn)

Also on 31 March, Defender for APIs and API security posture management (Defender CSPM) expanded to 15 additional Azure regions, including Sweden Central, the two Germany regions, Italy North, France Central/South, both Norway and Switzerland regions, the two Korea regions, and South Africa North/West. Teams with Azure API Management, Function Apps, or Logic Apps in those regions can now get API discovery and posture coverage that was previously unavailable there; the capability remains in preview. If you deferred onboarding APIs because your region wasn't supported, re-check. (Microsoft Learn)

Defender for Cloud brought container security capabilities to general availability in the Azure Government cloud on 1 April. The Defender for Containers plan in Fairfax now matches the commercial offering: agentless Kubernetes discovery, inventory, attack path analysis, risk hunting, vulnerability assessment, compliance, and runtime protection. For SOC teams supporting U.S. federal or DoD tenants, this closes the feature gap that previously left government Kubernetes estates with thinner coverage than commercial ones. (Microsoft Learn)

Also on 1 April, Defender for Cloud posted an update to the Defender for SQL Server on machines plan for Fairfax customers, with an enhanced agent rolling out at the end of April. The new solution drops the AMA dependency and rides the existing SQL infrastructure, simplifying onboarding and coverage. The practical impact is operational: government-cloud teams running this plan need to update configuration and re-verify SQL instance protection rather than assume coverage carries over unchanged (see Act by). (Microsoft Learn)

Worth knowing

This window sits in the lull after RSAC 2026. The large Sentinel and Defender announcement wave — entity analyzer and AI-powered SIEM migration GA, data federation, custom security graphs, row-level scoping, and the rest — was published in the What's new in Microsoft Sentinel: RSAC 2026 post on 20 March, which lands in the prior week rather than this one, and the consolidated Monthly news – April 2026 roundup (built-in alert tuning GA, attack-disruption activity tracking, and the month's Defender/Entra/MDO changes) posts on 7 April, so it belongs to next week's brief. Only Defender for Cloud shipped dated, in-window product changes this week. (Microsoft Sentinel Blog)

The week's most SOC-actionable item is threat research: on 6 April the Microsoft Defender Security Research team detailed an AI-enabled device code phishing campaign. Attackers stood up automation (on platforms such as Railway.com) to mint OAuth device codes on demand so the code was still valid when a victim clicked the hyper-personalized, AI-generated lure, then harvested access tokens to exfiltrate mail and plant malicious inbox rules against finance and executive targets. The write-up ships concrete detections: for Defender, enable Safe Links and watch the high-confidence device-code alerts; for Sentinel, apply the TI Mapping analytics and hunt for suspicious inbox-rule creation and "suspicious email items accessed," and correlate URL clicks with risky sign-ins carrying error code 50199. Device code phishing remains a favored MFA-bypass path, so these queries are worth landing in your workspace regardless of whether you have current indicators. (Microsoft Security Blog)

Two forward-looking notes for planning. April's Patch Tuesday falls on 14 April, just outside this window — expect the Microsoft security-update analysis in next week's brief rather than here. And a longer-horizon reminder that reappears in the Sentinel what's-new: after 31 March 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will run only in the Microsoft Defender portal. That's a year out, but if your team still builds and operates in the Azure portal, the RSAC-era features landing Defender-portal-first (custom graphs, scoping, entity analyzer) are the direction of travel to start rehearsing now. (Microsoft Learn)