SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 17 · 6 min read

April 20 – April 27, 2026

Act by

  • Jun 2026 — Windows Secure Boot 2011 certificates expire. Devices still trusting only the 2011 certificates keep booting but stop receiving new early-boot protections, weakening their root of trust over time. Use the new Defender Secure Boot 2023 certificate recommendation to identify exposed devices and drive the transition to the Windows UEFI CA 2023 certificate and updated boot manager before the deadline. (Microsoft Defender for Endpoint Blog)

What changed

Microsoft Defender added a Secure Boot 2023 certificate assessment (preview), a new Secure Score / Defender Vulnerability Management recommendation that gives centralized, at-scale visibility into which devices have transitioned to the Windows UEFI CA 2023 certificate and signed boot manager. It buckets devices into Exposed (still trusting only older certificates), Compliant (relying on the 2023 certificates), and Not applicable (Secure Boot disabled or unsupported), and lets you drill into exposed devices, filter by OS and device context, and export the list for infrastructure teams. With the 2011 certificates expiring in June 2026, this gives the SOC a concrete way to track remediation and flag boot-level trust gaps that attackers could otherwise exploit below the visibility of the OS. (Microsoft Defender for Endpoint Blog)

In Microsoft's April 2026 Sentinel updates, row-level access using Microsoft Sentinel scoping (row-level RBAC) entered public preview. You can now restrict access to specific subsets of Sentinel data without splitting workspaces: administrators define logical scopes, tag data at ingestion time, and assign users or groups to scopes through Unified RBAC, all configured in the Microsoft Defender portal. For a SOC this is a cleaner way to let multiple teams — say, a regional analyst group or a partner MSSP — work inside one shared Sentinel environment while only seeing the rows they're entitled to, instead of maintaining separate workspaces just to enforce a data boundary. (What's new in Microsoft Sentinel)

Also in the April Sentinel updates, filter and split data transformation reached public preview in the Defender portal. It lets you shape data before ingestion — dropping noisy or low-value events with filters and routing the rest between the analytics tier and the data lake tier — so you decide what gets analyzed at full cost versus what's simply retained cheaply for later hunting. Combined with the data-lake cost controls landing the same month, it gives the team a native lever to cut ingestion spend and queue noise without standing up an external pipeline. (What's new in Microsoft Sentinel)

Microsoft Entra's April 2026 updates made Conditional Access reauthentication on every PIM activation generally available. You can now require a fresh Conditional Access check — for example an MFA prompt bound to an authentication context — each time a user activates an eligible privileged role, rather than relying on the session token they signed in with earlier. For a SOC this closes a real gap: an attacker who rides an existing session or a not-recently-reauthenticated token can no longer silently elevate into a privileged role, and each activation now leaves a clean, policy-enforced authentication event to hunt on. (Microsoft Entra: What's new)

Entra also changed how the Authentication Methods Policy audit logs are written starting in April 2026. The Authentication Methods Policy Update and Reset activities previously dumped the entire policy payload into both the old-value and new-value fields on every change; they now surface only the properties that actually changed, with their before/after values. If your detections or hunting queries watch for tampering with authentication-method policy — a favored persistence and MFA-weakening move — this makes the signal far easier to parse, but it also means any rule that assumed the full-payload shape needs revisiting so it still fires on the trimmed entries. (Microsoft Entra: What's new)

The Microsoft Entra Agent ID platform reached general availability in the same April wave, providing an identity and authorization framework built specifically for AI agents — agent identities with enterprise-grade authentication, authorization, and governance over standard protocols (OAuth 2.0, MCP, A2A). It's more of a platform/governance milestone than a shift-floor change, but as teams stand up autonomous agents it means those agents get first-class, auditable identities you can scope and monitor rather than shared secrets or borrowed user accounts — worth knowing about before agent activity starts showing up in your identity telemetry. (Microsoft Entra: What's new)

Worth knowing

Microsoft Threat Intelligence published detection strategies against North Korea-aligned IT workers (tracked as Jasper Sleet), who use stolen or fabricated identities and AI-assisted deception to get hired into remote technical roles for revenue generation and, in some cases, data theft or extortion. The guidance walks the early job-discovery phase — actors surveying external career sites and hiring portals, often those fronted by HR SaaS like Workday, and using generative AI to tailor applications — and shows how to hunt the activity across Microsoft Defender XDR using identity and cloud signals plus Workday event logs. For SOC analysts this is a practical hunting playbook for an insider-adjacent threat that mostly lives in identity and HR/SaaS telemetry rather than endpoint alerts. (Microsoft Security Blog)

In a strategy post on AI-powered defense for an AI-accelerated threat landscape, Microsoft outlined folding frontier AI models into its Security Development Lifecycle and vulnerability discovery, with Defender detections intended to ship alongside the corresponding fixes for AI-discovered vulnerabilities and a multi-model scanning harness slated for preview in June 2026. The concrete takeaway for a shift is unchanged fundamentals: as AI compresses the time from disclosure to exploitation, patch latency and exposure reduction matter more, so keep MDE vulnerability management and exposure recommendations current. (Microsoft Security Blog)

This is the last full week of April, before the consolidated monthly roundups land. The dated "What's new in Microsoft Sentinel: April 2026" recap and the Defender Monthly news post publish at the turn of the month, so their headline items — curated OSINT in Threat Analytics, data-lake cost enforcement, the CrowdStrike connector, built-in alert-tuning GA — fall into next week's brief rather than this one; the items above are the April changes already visible in the Microsoft Learn what's-new pages. April's Patch Tuesday analysis (14 April, including the actively-exploited SharePoint spoofing flaw CVE-2026-32201) was covered in the prior brief, so this week carries no new Microsoft security-update load. A standing reminder still worth rehearsing: after 31 March 2027 Microsoft Sentinel runs only in the Microsoft Defender portal, and the April features above — row-level scoping, filter/split, and Sentinel's own graph work — are all Defender-portal-first, so teams still operating in the Azure portal should treat that as the direction of travel. (What's new in Microsoft Sentinel)