SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 18 · 6 min read

April 27 – May 4, 2026

Act by

  • 1 Jul 2026 — Microsoft Sentinel standardizes the account entity's Account Name to the UPN prefix only (user, not user@domain.com) for analytics rule alerts, and adds UserPrincipalName and UPNSuffix fields to SecurityAlert. Audit any automation rules, Logic Apps playbooks, workbooks, or hunting queries that compare against a full UPN and switch strict equality to Contains / Starts with plus a separate UPNSuffix check before the change lands. (What's new in Microsoft Sentinel: April 2026)
  • Jun 2026 — Secure Boot 2023 certificates expire. Microsoft Secure Score now surfaces the "Ensure devices are updated to Secure Boot 2023 certificates and boot manager" recommendation so you can find endpoints that haven't transitioned; work the list before the expiration or affected devices lose Secure Boot trust. (Monthly news - May 2026)

What changed

Defender advanced hunting shipped a batch of scale and usability enhancements. The results ceiling rose from 30,000 to 100,000 records, a new records-limitation picker lets you cap rows from the editor toolbar (with your choice persisting across sessions), and queries that hit the 64 MB size limit now return partial results with a message bar instead of failing outright (GA). A new query-execution details side pane exposes timing, data sources, scopes, and error diagnostics for every run. For analysts moving hunts from Sentinel in the Azure portal into the Defender portal, these remove the mid-query dead ends that used to force a rewrite-and-rerun. (Microsoft Defender: New Advanced hunting enhancements)

Built-in alert tuning rules reached general availability. These are Microsoft-authored suppression rules that quiet common benign activity in Defender for Endpoint and Defender for Office 365 without disabling Automated Investigation and Response (AIR) or email notifications. It's a lower-effort way to cut queue noise than hand-building tuning rules, and because AIR still runs underneath, suppressed benign alerts don't blind your automation. (Monthly news - May 2026)

Defender XDR now lets you see the status of automatic attack disruption and predictive shielding actions on an incident (preview). The Activities tab of the incident page shows what containment the platform already executed — disruption actions, and the predictive-shielding moves that harden the environment ahead of attacker progression — so an analyst picking up the incident can tell at a glance what has and hasn't been contained before deciding the next manual step. (Monthly news - May 2026)

Sentinel data lake cost policies now support hard enforcement (preview): you can set limits that block new KQL queries, jobs, and notebook sessions once a threshold is crossed, rather than only alerting after the spend. Anything already running finishes, and analysts get a clear message plus the option to lift guardrails temporarily. On a data-lake tenant this prevents a runaway hunt or heavy notebook from generating a surprise bill mid-investigation. (What's new in Microsoft Sentinel: April 2026)

Curated OSINT reports now appear in Threat Analytics (preview) alongside Microsoft-authored reports. Each OSINT article ships with a summary and link to the original research, extracted IOCs, mapped MITRE ATT&CK techniques, and Microsoft enrichment where available. Having open-source intel land in the same Defender surface as first-party Threat Analytics cuts the context-switching when you're triaging a named campaign and want indicators to pivot on. (What's new in Microsoft Sentinel: April 2026)

The Sentinel MCP entity analyzer reached general availability. It returns explainable, out-of-the-box risk verdicts for URLs and user identities by reasoning over threat intelligence, prevalence, and organizational context, and it's reachable from AI agents via the Sentinel MCP server or from SOAR through Logic Apps. It also underpins the Defender Triage Agent's alert classifications. Note it bills on Security Compute Unit (SCU) consumption, so factor that in before wiring it into high-volume automation. (What's new in Microsoft Sentinel: April 2026)

Sentinel added custom security graphs (preview): you can build tailored graphs across the data lake and third-party data to surface attack paths, blast radius, and hidden relationships, then work them in the Defender portal's graphs section under Microsoft Sentinel — running Graph Query Language (GQL) queries, viewing the schema, visualizing results, and traversing to the next hop with a click. These graphs also become a foundation for advanced investigations and AI agents. For a hunter chasing lateral movement, it's a way to model the relationships in your own environment instead of relying only on the predefined scenarios. (What's new in Microsoft Sentinel: April 2026)

The advanced-hunting AIAgentsInfo table gained additional columns (preview) that widen visibility into AI agents running in your Microsoft 365 environment. Coverage now extends beyond Copilot Studio to all agent types — Microsoft Foundry, third-party marketplace, and custom line-of-business agents — so you can inventory and hunt over agent activity from KQL. As autonomous agents start acting inside the tenant, this is where their identities and actions become queryable telemetry rather than a blind spot. (Monthly news - May 2026)

Sentinel added several data connectors: the CrowdStrike API connector (GA) pulls hosts, detections, incidents, alerts, and vulnerabilities from CrowdStrike; Imperva Cloud WAF and AWS Elastic Load Balancer logs (both preview) arrive via S3; and the Logstash output plugin was rebuilt in Java under the Secure Future Initiative, writing through the Logs Ingestion API with DCRs into either analytics tables or the data lake. For SOCs running mixed estates, these broaden what you can correlate against Microsoft signals without a custom pipeline. (What's new in Microsoft Sentinel: April 2026)

Defender for Identity added custom account correlation rules (preview), letting you link accounts that belong to the same identity even when they share no strong identifier (SID, object ID, UPN) — for example privileged accounts with a distinct naming convention — by matching on UPN prefix, UPN suffix, domain UPN, or employee ID. Automatic Windows event-auditing for sensor v3.x also went GA, applying the required audit policy to new sensors and fixing misconfigured ones. Better account stitching means fewer fragmented identity timelines when you're chasing lateral movement across an admin's regular and privileged accounts. (Monthly news - May 2026)

Worth knowing

Microsoft's monthly "What's new in Microsoft Security" highlights post (30 Apr) called out Defender for Cloud's GitHub Advanced Security integration reaching GA, Purview Data Security Investigations, and the Agent 365 tooling gateway for AI-agent security — mostly DevSecOps and AI-governance angles, but worth a skim if your remit touches cloud posture or agent identities. (Microsoft Security Blog)

The April Sentinel roundup also carried a cluster of architecture-and-planning items worth a read before your next cost or migration conversation. Sentinel data federation (preview) lets you query data in Microsoft Fabric, Azure Data Lake Storage Gen2, and Azure Databricks directly — without ingesting it — then selectively pull in what matters; the AI-powered SIEM migration tool went GA for Splunk and QRadar moves; and a new cost estimation tool (preview) gives customers and partners meter-level, three-year Sentinel spend projections. None of these change the shift floor day to day, but they shape where your hunt data lives and what it costs to reach. (What's new in Microsoft Sentinel: April 2026)

This is a month-boundary week with no Patch Tuesday of its own — April's updates landed on the 14th and May's arrive on the 12th — so the load here is the consolidated roundups rather than a fresh CVE batch. Note the direction of travel underneath most of the week's items: advanced hunting's new panes, custom graphs, entity analyzer, and the incident-timeline action status are all Defender-portal-first, and after 31 March 2027 Sentinel runs only in the Defender portal, so teams still working in the Azure portal should keep treating that migration as the baseline for where these capabilities will actually appear. (What's new in Microsoft Defender XDR)