SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 16 · 6 min read

April 13 – April 20, 2026

Act by

  • 1 Jul 2026 — Microsoft Sentinel is changing how the Account Name field is populated for analytics-rule alerts: it will now consistently be the UPN prefix (the part before the @) rather than the full UPN. If any of your automation rules or Logic Apps compare Account Name against a full UPN with strict equality, they will silently stop matching. Repoint them before 1 July 2026 — split the comparison into UPN-prefix and UPN-suffix checks, and prefer Contains / Starts with over exact equality so the logic survives both before and after the change. (Microsoft Learn)

What changed

Microsoft Sentinel data federation entered public preview, letting you query data in Microsoft Fabric, Azure Data Lake Storage (ADLS) Gen2, and Azure Databricks directly from Sentinel without copying or ingesting it. You can hunt across federated and native Sentinel data in one experience using the usual tools — KQL, notebooks, and custom graphs — then selectively ingest only what warrants full detections and automation. Federation adds no ingestion or storage fees; you are billed only when you run analytics or queries against the federated data, on the data lake compute and analytics meters. For a SOC, this widens hunting reach across data that previously sat outside Sentinel without paying to duplicate it first. (Microsoft Sentinel Blog)

Cost-limit enforcement for the Microsoft Sentinel data lake shipped on 15 April, turning the data-lake cost policies from alert-only into hard guardrails. You can now set thresholds that actually block new KQL queries, jobs, and notebook sessions once a limit is hit, across two capability categories — Data Lake Query (interactive KQL queries and KQL jobs) and Advanced Data Insights (notebook runs and jobs). Work already running finishes normally, the analyst gets a clear message explaining what happened, and a SOC manager can lift the guardrail temporarily, adjust the threshold, or disable enforcement on the fly from Cost management > Configure Policies in the Defender portal. This is the safety net that makes it realistic to let junior analysts hunt at scale over the data lake without fear of a runaway query racking up surprise compute spend. (Microsoft Sentinel Blog)

Curated open-source intelligence (OSINT) arrived in Threat Analytics, announced in the April Sentinel update. Alongside Microsoft-authored Threat Analytics reports, you can now consume curated OSINT articles in the same place, so analysts don't have to switch tools to pull in external reporting on an active threat. The same update lands new first-party data connectors — a CrowdStrike API connector (pulling hosts, detections, incidents, alerts, and vulnerabilities) and an Imperva Cloud WAF connector (web-application traffic and threats, ingested via AWS S3) — plus AWS and Logstash connectors, giving broader out-of-the-box coverage for mixed estates. (Microsoft Sentinel Blog)

The Entity analyzer in the Sentinel MCP data-exploration tool reached public preview this month, giving out-of-the-box, explainable entity risk assessments for URLs and identities built from threat intelligence, prevalence, and your own organizational context. Instead of a bare reputation score, analysts get the reasoning behind the verdict, which is easier to act on and to learn from during triage. Note the billing change that came with it: as of 1 April 2026 you're charged the Security Compute Units (SCUs) consumed when running the entity analyzer, so factor that into the data-lake cost policies above. (Microsoft Learn)

Defender for Storage integration in Azure Storage Center reached general availability on 20 April, surfacing threat-protection and security-posture coverage next to your storage resources in the native storage management experience. Storage Center now gives a storage-native view of which accounts are protected, partly protected, or unprotected, where malware scanning, activity monitoring, and sensitive-data discovery are enabled, and where gaps exist across Azure Blob and Azure Files. It is a posture-at-scale view rather than a new detection, but it makes it faster to spot an unprotected storage account before it becomes an incident. (Microsoft Learn)

Built-in alert-tuning rules reached general availability in Defender XDR. These rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 out of the box, and — importantly — they do so without affecting Automated Investigation and Response (AIR) or email notifications. For a SOC drowning in known-benign noise, this trims the queue without the risk of hand-built suppression rules quietly swallowing something AIR should still act on. (Microsoft Learn)

Defender XDR can now show the live status of automatic attack disruption and predictive-shielding actions on an incident (preview), in a new Activities tab on the incident page. It covers the Contain user, GPO hardening, and Safeboot hardening response actions, so during a fast-moving incident an analyst can see exactly which automated containment steps fired, on which entities, and whether they're still in effect — rather than inferring it from scattered signals. (Microsoft Learn)

Defender for Office 365 added a least-privilege RBAC permission for alert-linked email. A new granular Unified RBAC permission — Email & collaboration content: Emails associated with alerts (read) — lets analysts preview or download the specific messages tied to a security alert without granting the much broader "read all email" permission. That's a clean way to give tier-1 responders exactly the mailbox visibility an investigation needs and nothing more. (Microsoft Learn)

Microsoft Entra ID Governance gained account discovery for connected applications (public preview). It generates discovery reports directly from the provisioning experience that surface all accounts existing in a connected app — including orphan accounts not assigned to the enterprise application in Entra. For a SOC, orphaned and unmanaged app accounts are exactly the stale-identity blind spots attackers reuse, so having a first-party way to enumerate them is useful attack-surface reduction. It requires an Entra ID Governance or Entra Suite license. (Microsoft Learn)

Worth knowing

April Patch Tuesday landed on 14 April 2026, a heavy release of roughly 163 CVEs with eight rated Critical. Two matter most on a Microsoft estate: CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability that is being actively exploited in the wild by unauthenticated attackers, and CVE-2026-33825, a Microsoft Defender Antimalware Platform elevation-of-privilege bug (tracked publicly as "BlueHammer") that was disclosed with proof-of-concept code before a fix shipped. Also notable are Critical RCEs across Windows TCP/IP, Windows Active Directory, the Windows Internet Key Exchange (IKE) service, Microsoft Word/Office, and the Remote Desktop client. Prioritize the SharePoint patch on internet-facing farms and confirm the Defender platform update rolled out through MDE, then watch endpoint patch compliance in vulnerability management. (MSRC Security Update Guide)

Microsoft Threat Intelligence published "Dissecting Sapphire Sleet's macOS intrusion from lure to compromise" on 16 April, detailing a campaign by the North Korean state actor Sapphire Sleet that leans on new macOS-focused execution patterns. The chain is familiar in shape but Mac-native in detail: social engineering leads a target to run something themselves (user-initiated execution), after which the actor establishes persistence, harvests credentials, and exfiltrates data. The practical reminder for a mixed-fleet SOC is that Macs are first-class targets for well-resourced nation-state crews, so endpoint coverage, phishing-resistant MFA, and hunting for user-initiated execution should extend to macOS, not just Windows. (Microsoft Security Blog)

On the hardening side, Defender for Endpoint added a new Microsoft Secure Score recommendation this month — "Ensure devices are updated to Secure Boot 2023 certificates and boot manager" (preview) — that flags devices still on the older Secure Boot certificates ahead of their June 2026 expiration. Devices that don't transition may stop receiving new early-boot security protections once the certificates lapse, so this is worth treating as a real deadline: use the recommendation for centralized visibility into rollout status, prioritize remediation on devices lagging behind, and track progress at scale before the June cutover. (Microsoft Learn)