SOC Weekly Brief The week in the Microsoft security stack, distilled

← Home

Week 25 · 7 min read

June 15 – June 22, 2026

Act by

  • Summer 2026 — The ASIM ProcessEvent parsers deprecate the legacy targetusername parameter of _Im_ProcessCreate; the documented name is now targetusername_has. Both are accepted today, so update analytic rules and hunting queries that call the process-create parser before the old parameter is removed. (Microsoft Sentinel Blog)
  • 1 Jul 2026 — Sentinel's account-entity naming standardization takes effect: Account Name resolves by precedence and defaults to the UPN prefix (the part before "@"). Rules, automation, playbooks, workbooks and hunting queries that match on the full UPN break unless updated — this fires whether or not you have moved to the Defender portal. (Microsoft Learn — What's new in Sentinel)

What changed

The Migrate Sentinel to Defender blog series published its "Anatomy of the change" installment, a structural walkthrough of what actually moves when Sentinel runs inside the Defender portal — how incidents, entities, and data are represented once the two consoles unify, and why the shift is an architecture decision rather than a UI reskin. For a SOC that still lives in the Azure portal, this is the reference for understanding where your incident queue, entity pages, and data residency land after the cutover, and it sets up the RBAC and automation planning the rest of the series covers. With Sentinel slated to be supported in the Defender portal only starting July 2026, reading this before you touch role assignments or playbooks is time well spent. (Microsoft Sentinel Blog — Anatomy of the change)

The same series followed with "Detection and automation, reimagined," aimed squarely at detection engineers. Existing analytics rules, playbooks, and workbooks keep working after the move, but the scope widens: endpoint, identity, email, cloud-app, and Sentinel data sit together, so you query across all of them in one KQL experience, work a single incident queue, and automate with richer native Defender response actions. Custom detections gain near-real-time evaluation with native response actions, Security Copilot can draft playbooks from natural-language prompts, and advanced hunting spans Defender and Sentinel data together — a meaningful expansion of what a hunter can pivot across. It reads as the practical companion to "Anatomy of the change": what your detection content does after the portal unifies, not just where it lives. (Microsoft Sentinel Blog — Detection and automation, reimagined)

Microsoft shipped the Agent Identities Asset Connector for Microsoft Sentinel in public preview, bringing AI-agent identity context into the Sentinel data lake to sit alongside the activity signals the Agent 365 and M365 Copilot connectors already collect. The connector adds four asset tables — Agent Users (the human owners/sponsors), Agent Identities (the agent as a first-class identity), and their blueprints and permissions — so a hunter can pivot from what an agent did to what it is, who owns it, and what it can access. For a SOC investigating anomalous agent activity, this closes the gap where an autonomous agent previously looked like an opaque service principal. (Microsoft Sentinel Blog)

Microsoft detailed non-human identity (NHI) protection in Microsoft Defender, extending the unified identity inventory and investigation experience to service principals, on-prem service accounts, and SaaS-connected OAuth apps. Defender now surfaces NHI risk across pivots analysts already use for humans — unused identities that still hold standing permissions, over-privileged identities where granted access far exceeds observed usage, ownership gaps, and which NHIs are actually powering AI agents — with governance and threat-detection built on top. Given that NHIs authenticate programmatically and cannot be protected by MFA (the Midnight Blizzard playbook), this puts a large, previously blind slice of the identity estate into the same queue an analyst already works. (Microsoft Defender XDR Blog)

On the identity side, the Entra team laid out how Entra and Defender are converging on unified identity security against AI-accelerated attacks, centered on the unified identity risk score unveiled at RSA. The score correlates signals across related accounts, sessions, workloads, and applications into a single evaluation that can drive real-time access decisions, aimed at shrinking the gap between detection and response when attackers automate reconnaissance and credential abuse. For SOC and IAM teams that run separate tools today, this is the direction identity signals will flow into the shared incident view. (Microsoft Entra Blog)

ASIM got a large parser and schema update. New native parsers cover Azure Firewall resource-specific tables (AZFWDnsQuery, AZFWNetworkRule, AZFWApplicationRule), Azure Key Vault (AZKVAuditLogs), Azure SQL/Synapse audit events, and AWS CloudTrail EC2/S3/IAM activity, plus 10+ third-party sources including Okta, Palo Alto PAN-OS and GlobalProtect, FortiGate, and several Cisco products. Two new schemas — Asset Entities and AI Agent Events — normalize asset inventory and autonomous-agent telemetry into common form. This means one analytic rule reaches more sources without per-source rewrites; note the ProcessEvent breaking change flagged in Act by. (Microsoft Sentinel Blog)

Defender XDR tightened the blast radius of its built-in Copilot agents: the Phishing Triage Agent and Security Alert Triage Agent now run with a narrower email permission — "Email & collaboration content: Emails associated with alerts (read)" instead of the broad "All Emails (read)." The agents can still read the messages tied to the alerts they triage, but no longer have standing read access to the whole mailbox estate, so a compromised or misused agent has far less to reach. If you run these agents, it's a least-privilege improvement that applies automatically; worth noting when you document what the automated triage layer can see. (Microsoft Learn — What's new in Defender XDR)

Worth knowing

Microsoft Threat Intelligence disclosed a large-scale npm supply-chain compromise affecting 140+ packages across the mastra and @mastra scopes, and on 19 June attributed it with high confidence to Sapphire Sleet, a North Korean state actor (the same group behind the April 2026 Axios npm compromise). A takeover of the ehindero maintainer account was used to publish poisoned versions that pulled in easy-day-js, a typosquat of dayjs; its postinstall hook disabled TLS verification, called C2, and ran a hidden second-stage payload. Because the payload fires during installation, any workstation or CI/CD pipeline that ran npm install/npm update after the compromised versions shipped was exposed regardless of whether the package was imported — check build agents and developer endpoints, not just application dependencies. Microsoft Defender Antivirus, Defender for Endpoint, and Defender XDR ship detections and hunting coverage. (Microsoft Security Blog)

Microsoft's Incident Response team (DART) published a case study — "One intrusion, two cyberattackers" — on an engagement that opened as a routine ransomware investigation and turned out to hold two unrelated actors operating in the same environment at once. The primary actor, Storm-2603, had been exploiting on-prem SharePoint since mid-2025 and was probing for local-file-inclusion footholds (requests for win.ini, web.config); a second, unattributed actor ran in parallel. Between them they abused the legitimate Velociraptor forensic tool at SYSTEM level to map the environment, opened multiple remote channels via Cloudflare tunnels, Zoho Assist, and SSH-over-VS-Code, created rogue local and domain admin accounts, and used DLL sideloading and a vulnerable driver to disable protections and tamper with memory. The SOC lessons are concrete: alert on unexpected Velociraptor and remote-access tunneling, watch for out-of-band admin-account creation, and keep centralized telemetry long enough to untangle overlapping actors — a single intrusion is not always a single adversary. (Microsoft Security Blog)

Two Microsoft research posts sharpen the AI-agent attack surface that this month's inventory and governance features are trying to defend. In "AutoJack," Microsoft showed an exploit chain in AutoGen Studio where attacker-controlled web content rendered by a browsing agent reaches a local MCP WebSocket and spawns arbitrary processes on the host — three weaknesses combine (the socket trusts localhost, auth middleware skips MCP paths, and the endpoint runs a command straight from a request parameter with no allowlist), with the lesson that "localhost is no longer a trust boundary" once an agent browses untrusted pages. The affected surface was never in a PyPI release and the upstream branch was hardened after Microsoft reported it to MSRC, but the pattern generalizes to any agent wired to a privileged local control plane. Separately, "Guarding AI memory" describes agent-memory attacks — malicious instructions planted in shared documents that lie dormant in an agent's persisted memory and fire later during unrelated conversations — and Microsoft's layered defenses, including prompt-injection classifiers and task-adherence checks on write, M365 compliance controls on storage, and, usefully for a SOC, memory-update audit logging that surfaces in Defender advanced hunting and Sentinel. (Microsoft Security Blog — AutoJack)