<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  
  <title>SOC Weekly Brief</title>
  <subtitle>The week in the Microsoft security stack, distilled</subtitle>
  <link href="https://soc-brief.pages.dev/feed.xml" rel="self" />
  <link href="https://soc-brief.pages.dev/" />
  <updated>2026-07-06T00:00:00Z</updated>
  <id>https://soc-brief.pages.dev/</id>
  <author>
    <name>Laroy Shtotland</name>
  </author>
  <entry>
    <title>June 29 – July 6, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-07-06-week/" />
    <updated>2026-07-06T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-07-06-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — The &lt;code&gt;AIAgentsInfo&lt;/code&gt; advanced hunting table is retired and replaced by the unified &lt;code&gt;AgentsInfo&lt;/code&gt; table (public preview), which covers agent inventory and governance across Copilot Studio, Microsoft Foundry, M365 Copilot, third-party, and endpoint-discovered agents. Any saved hunts, custom detections, or workbooks still referencing &lt;code&gt;AIAgentsInfo&lt;/code&gt; stop returning results after this date — repoint them to &lt;code&gt;AgentsInfo&lt;/code&gt;. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Sentinel standardizes the Account Name entity: the &lt;code&gt;Name&lt;/code&gt; field now consistently holds only the UPN prefix (the part before &lt;code&gt;@&lt;/code&gt;), with the full UPN and suffix moved to dedicated fields. Analytics rules, automation rules, playbooks, and hunting queries that compare &lt;code&gt;Name&lt;/code&gt; against a full UPN silently stop matching. Rebuild the full value from &lt;code&gt;Name&lt;/code&gt; + &lt;code&gt;UPNSuffix&lt;/code&gt;, or use &lt;code&gt;coalesce()&lt;/code&gt; to set a precedence order. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-changing-the-account-name-entity-mapping-in-microsoft-sentinel/4489040&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Custom Detections can now be managed as code in Microsoft Sentinel Repositories, the same way analytics rules, playbooks, parsers, and workbooks already are. Connect a GitHub or Azure DevOps repo to the workspace and detections placed in the repo are reconciled on every commit; a standalone Bicep path via the Microsoft Security Bicep extension supports deployment from any CI/CD pipeline. This closes the content-as-code gap for Defender-portal custom detections, so the whole detection estate lands in the same PR-reviewed, versioned workflow. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Three cloud advanced-hunting schema tables reached general availability: &lt;code&gt;CloudAuditEvents&lt;/code&gt; (control-plane audit events across platforms protected by Defender for Cloud), &lt;code&gt;CloudDnsEvents&lt;/code&gt; (DNS activity from cloud infrastructure), and &lt;code&gt;CloudProcessEvents&lt;/code&gt; (process events in multicloud hosted environments). For a Microsoft-stack SOC these are ready-made raw material for cloud-control-plane, DNS-exfiltration, and multicloud process hunts without standing up custom ingestion. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint added two AI-agent capabilities in public preview. Local AI agent discovery automatically finds supported AI agents running on onboarded Windows and macOS devices and surfaces them in the AI agent inventory, exposure map, and advanced hunting. Local AI agent runtime protection (Windows) inspects the agent loop — user prompts, tool calls, and tool responses — and can block risky activity before it executes, targeting prompt injection and unsafe agent actions at the device level, with blocked and audited events raised as alerts for correlation. This is the endpoint-level mirror of the agent-security telemetry now flowing into Sentinel. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Salesforce connector for Defender for Cloud Apps was upgraded in response to recent ShinyHunters attacks that weaponize OAuth tokens and connected apps to bypass MFA at scale. It now delivers richer connected-app context and investigation-ready signals to detect this activity faster. Existing connector users should enable the additional events in the Salesforce console; eligible non-users are advised to connect. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender Vulnerability Management shipped a new exposure score model to GA that incorporates EPSS exploit-prediction data and asset context (internet-facing status, criticality) for sharper risk prioritization, and Secure Score gained a &amp;quot;Reduce unnecessary inbound internet exposure&amp;quot; recommendation that flags devices reachable from the public internet. Selective Response Actions also went GA, giving precise control over how high-impact response actions apply to Tier-0 systems and other high-value assets during onboarding. Together these sharpen exposure triage and reduce the blast radius of automated response on critical hosts. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two Workbooks capabilities went GA in the unified Defender portal: an Advanced Hunting connector that builds custom dashboards directly on XDR advanced-hunting tables, and a workspace filter / multi-workspace experience that scopes workbooks by workspace from within the workbook itself. MTO Tenant Groups also arrived, letting MSSPs and large enterprises organize their multitenant Defender view by region, business unit, or customer cohort. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Identity Security dashboard gained a Human identities card (public preview) showing human identities by source — Entra ID, SaaS, and on-premises — in one view, plus an Observed column and &amp;quot;Show Only Observed Applications&amp;quot; toggle on the SaaS coverage panel. New Defender for Identity alerts were also added across Entra ID, Active Directory, and other identity providers. Useful for closing identity-coverage gaps and for the new detections landing in the MDI queue. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The June &amp;quot;What&#39;s new in Sentinel&amp;quot; recap (published 30 Jun) consolidated the month&#39;s SIEM and data-lake work. ASIM parsers and schemas reached GA with broader normalization across Azure, AWS CloudTrail, and third-party firewall/identity/proxy sources, plus two new schemas — Asset Entities and AI Agent Events. In the data lake, the Agent Identities Asset Connector (preview) adds four asset tables forming an owner-to-permissions agent identity graph, and Sentinel MCP graph tools (preview) let analysts walk the exposure path across identities, devices, alerts, and signals from a single alert. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-june-2026/4531902&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra Backup and Recovery reached general availability, rolling out to all workforce tenants for customers licensed for Entra ID P1 or P2. It automatically backs up core directory objects daily — users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, and authentication/authorization policy — and restores them after accidental or malicious changes. For a SOC this is a concrete recovery path when an identity-tier compromise tampers with Conditional Access or privileged objects. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-backup-and-recovery-is-now-generally-available/4521997&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra PIM added custom extensions (preview) that inject business logic into privileged-role activation. Extensions are invoked synchronously at the pre-approval stage, so activation can validate ticket numbers, enforce HR or compliance status, or apply dynamic approval logic in real time, with each interaction fully auditable via an &lt;code&gt;evaluationId&lt;/code&gt;, outcome, and reason. This tightens the gate on privileged access and gives investigators a clean trail for why a given activation was allowed. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/bring-business-logic-into-pim-role-activation-workflows/4531380&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft extended data-loss prevention to the network layer in public preview, pairing Microsoft Purview classification with identity-aware enforcement through Microsoft Entra. It detects and blocks sensitive data flowing to shadow AI tools, unmanaged SaaS apps, and personal cloud storage in real time based on identity, activity, and data context, and correlates identity, data, and insider-risk signals across Purview, Entra, and Defender. Relevant on shift as coverage for the prompt-and-paste exfiltration path into generative-AI apps that endpoint and SaaS DLP miss. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/protect-sensitive-data-in-motion-across-saas-and-ai-apps-with-microsoft-purview-/4529310&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;The Defender monthly flagged three actionable threat reports for the SOC: AI tools shifting from reading to acting as an agent-security concern; a Chromium extension using AI-related branding to hijack browser search; and a &amp;quot;photo ZIP&amp;quot; campaign against the hospitality industry that delivers a Node.js implant for persistent access. Each carries hunting guidance in the linked insights. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---july-2026/4532402&quot;&gt;Defender monthly, Jul 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Sentinel-to-Defender migration drumbeat continues: the recap restated the 31 March 2027 deadline for all Sentinel customers to transition to the Defender portal, backed by a six-part enablement series covering the strategic shift, incident and data changes, detection and automation, the governance/RBAC shift, a readiness playbook, and the AI-first SOC. Analytics rules, playbooks, workbooks, the Log Analytics workspace, and access assignments all carry forward, but the URBAC groundwork is on the critical path — start scoping now rather than at cutover. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-june-2026/4531902&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>June 22 – June 29, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-06-29-week/" />
    <updated>2026-06-29T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-06-29-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Account-entity naming standardization takes effect in Sentinel. Account Name is resolved by precedence (UPN prefix → Name → Display Name) and defaults to the UPN prefix (the part before &amp;quot;@&amp;quot;), so analytics rules, automation rules, playbooks, workbooks, and hunting queries that pin entities on the strict full UPN will silently stop matching. Audit any content that compares against the full UPN and switch to a precedence-aware pattern — Microsoft recommends &lt;code&gt;coalesce(Account.UPNprefix, Account.Name, Account.DisplayName)&lt;/code&gt; and &lt;code&gt;Contains&lt;/code&gt;/&lt;code&gt;Starts with&lt;/code&gt; instead of strict equality — before midweek, or expect entity conditions to fail, automation to skip, and duplicate entities to appear. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — The &lt;code&gt;AIAgentsInfo&lt;/code&gt; advanced-hunting table is being retired in favor of the new unified &lt;code&gt;AgentsInfo&lt;/code&gt; table in Microsoft Defender. &lt;code&gt;AIAgentsInfo&lt;/code&gt; stays accessible only until 1 July; any custom detections, hunting queries, or workbooks that read it need to move to &lt;code&gt;AgentsInfo&lt;/code&gt;, which carries a single schema across Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents. Update queries this week to avoid broken agent-governance content. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft published a hands-on guide to threat hunting with Sentinel custom graph, showing how to turn the relationship-first graph experience (in public preview) into working investigations instead of stitching evidence together with complex table joins. Entities — users, devices, emails, IPs, applications — and their activities become a navigable structure you traverse across multiple hops to surface blast radius, non-obvious pivots, and attack paths, with visualization to communicate findings. Graphs are authored in Visual Studio Code using the Microsoft Sentinel extension&#39;s graph-authoring tool and GitHub Copilot, and out-of-the-box samples (for example, a compromised-account blast-radius graph over SignInLogs, non-interactive sign-ins, DeviceLogon, on-prem AD, IdentityInfo, and risky-user signals) give a starting point. It needs the Sentinel data lake enabled plus read/write on the lake and Security Operator or Security Admin to save a graph in the tenant. For a SOC this turns lateral-movement and exposure questions that used to be multi-query investigations into a single traversal. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/a-guide-to-innovating-threat-hunting-with-microsoft-sentinel-custom-graph/4530287&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s MCP server gained a graph-tool collection for reasoning over graphs (Preview). Where custom graph is authored in VS Code, the new graph tools in the Microsoft Sentinel Model Context Protocol server let an agent — or an analyst working through natural language — explore relationships across identities, devices, threats, and signals to assess detection coverage, dependencies, and configuration gaps. Starting from an alert, you can follow the exposure path across connected entities, trace lateral movement, and identify where controls are missing, all from one interactive workspace rather than hand-writing joins. It&#39;s the same graph substrate surfaced to the agentic tooling layer, which is where Microsoft is steering investigation workflows. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;UEBA behavior results can now be linked to incidents in advanced hunting (Preview). You can take a behavior-based query result from the &lt;code&gt;BehaviorInfo&lt;/code&gt; table and attach it to a new or existing incident directly from advanced hunting; the wizard auto-populates alert metadata and entities from the selected behavior record. This closes a gap in the UEBA behaviors workflow — the human-readable &amp;quot;who did what to whom&amp;quot; summaries that Sentinel derives from raw logs can now feed incident context instead of living only in hunting queries, so a hunter who spots an anomalous behavior can escalate it into a tracked investigation in one step. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;An Agent Identities Asset Connector reached public preview for the Sentinel data lake. Activity connectors like Agent 365 and Microsoft 365 Copilot already show what AI agents &lt;em&gt;do&lt;/em&gt;, but not who owns an agent, what permissions it holds, or how it is governed. The new connector fills that gap with four asset tables covering agent owners, agent identities, agent blueprints, and the service principals tied to those blueprints — the identity context a SOC needs when an agent shows up in an investigation. As AI agents accumulate standing access to mailboxes, files, and Graph, this is the inventory layer for treating them as first-class identities in hunting and detection. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-agent-identities-asset-connector-for-microsoft-sentine/4527960&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s Advanced Security Information Model (ASIM) expanded its normalization coverage. In the June updates, ASIM broadened so a single analytic rule can reach more sources with less per-source work, and two new schemas bring asset inventory and AI-agent telemetry into normalized form. For detection engineers this is the unglamorous but high-leverage kind of change: parser-level normalization means one well-written rule generalizes across vendors instead of being rewritten per connector, and it extends that leverage to the newer asset and agent data now landing in the lake. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-june-2026/4531902&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR added a Threat Intelligence Insights tab to entity pages (Preview). Entity pages for IP addresses, domains, URLs, and files now surface Microsoft Threat Intelligence enrichment inline — reputation scores, attributed threat reports, infrastructure relationships, and sandbox analysis — so an analyst investigating an indicator no longer has to pivot to a separate TI tool mid-investigation. Having attribution and infrastructure links one click from the entity keeps triage in a single pane and shortens the loop between &amp;quot;is this IOC bad?&amp;quot; and the evidence behind the verdict. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Four cloud-focused advanced-hunting tables reached GA in Defender XDR. &lt;code&gt;DisruptionAndResponseEvents&lt;/code&gt; (automatic attack-disruption block and policy actions), &lt;code&gt;CloudAuditEvents&lt;/code&gt;, &lt;code&gt;CloudDnsEvents&lt;/code&gt;, and &lt;code&gt;CloudProcessEvents&lt;/code&gt; (audit, DNS, and process telemetry from multicloud environments protected by Defender for Cloud) are now generally available in advanced hunting. Two practical wins: you can build production detections and custom detection rules on top of these tables without preview caveats, and &lt;code&gt;DisruptionAndResponseEvents&lt;/code&gt; gives the SOC an auditable record of exactly what attack disruption blocked or isolated, which matters when you have to reconstruct or justify an automated response after the fact. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender began discovering and protecting local AI agents on endpoints (Preview). Microsoft&#39;s June updates extended the Defender AI-agent experience down to Windows endpoints: Defender now automatically discovers supported local AI agents — coding agents and IDE extensions, desktop assistants, local runtimes, and agent platforms (Microsoft cites more than 25 types, including GitHub Copilot CLI and Claude Code) — and surfaces them as assets in the AI-agent inventory, exposure map, and advanced hunting. Runtime protection inspects the agent loop (user prompts, tool calls, tool responses) and can block risky activity such as prompt injection before it executes, with blocked and audited events raised as alerts for correlation. For SOCs, agents now doing real work on the endpoint become a monitored, huntable surface rather than a blind spot. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/30/whats-new-in-microsoft-security-june-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft&#39;s Digital Crimes Unit disrupted the infrastructure behind the StealC and Amadey infostealers, seizing or blocking more than 200 command-and-control domains and IPs through court orders and provider notifications. StealC harvests passwords, stored credentials, and digital identities for resale and fraud, while Amadey acts as a first-stage loader that pulls in follow-on malware; in the first two weeks of May 2026 the pair were linked to over 140,000 infected machines worldwide. Notably, DCU used Microsoft Copilot to accelerate binary analysis and generate string-decryption tooling. Infostealer credentials feed directly into identity-based intrusions, so refresh detections for these families and watch for stolen-credential sign-ins even as the infrastructure goes dark. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Part 4 of Microsoft&#39;s six-part &amp;quot;USX Transition&amp;quot; series on moving Sentinel into the Defender portal focuses on the governance mechanics that quietly decide whether a unified SOC works as designed. The key reassurance: everything is normal on day one — existing Azure RBAC assignments keep functioning, Sentinel data stays where it is, and MSSP delegations remain intact. The substance is what changes as you adopt Unified RBAC (URBAC) — role mapping, data-tiering, and multi-tenant operation — and the sequencing traps around service principals and automation roles, which is the groundwork practitioners flag before any portal cutover. Worth reading if your team owns the migration runbook, especially with the Azure portal for Sentinel now on a March 2027 retirement clock. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-governance-shift-rbac-urbac-data-lake-and-mssp/4528607&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The recurring theme across the month&#39;s releases is AI agents becoming both a defended surface and a governed identity class — Defender discovering agents on endpoints, Sentinel&#39;s Agent Identities connector inventorying who owns them, the unified &lt;code&gt;AgentsInfo&lt;/code&gt; table, and new ASIM schemas for agent telemetry all point the same way. Microsoft&#39;s end-of-June security roundup rounds out the picture with adjacent items a Microsoft-estate SOC should note: Entra ID Backup and Recovery reached GA (Microsoft-managed, always-on identity backups with point-in-time restore), Defender for Cloud&#39;s expanded multicloud coverage went GA on 30 June (about 90 new AWS/GCP resource types and 200+ recommendations, which will move Cloud secure scores as scope widens), and Microsoft previewed &amp;quot;MDASH,&amp;quot; a multi-agent system for discovering and validating software vulnerabilities. If you own detections or scorecards, expect the agent-identity data and the widened cloud-posture scope to change what your dashboards show over the coming weeks. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/30/whats-new-in-microsoft-security-june-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>June 15 – June 22, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-06-22-week/" />
    <updated>2026-06-22T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-06-22-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Summer 2026&lt;/strong&gt; — The ASIM &lt;code&gt;ProcessEvent&lt;/code&gt; parsers deprecate the legacy &lt;code&gt;targetusername&lt;/code&gt; parameter of &lt;code&gt;_Im_ProcessCreate&lt;/code&gt;; the documented name is now &lt;code&gt;targetusername_has&lt;/code&gt;. Both are accepted today, so update analytic rules and hunting queries that call the process-create parser before the old parameter is removed. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-new-additions-to-microsoft-sentinel-normalization-and-asim/4524584&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Sentinel&#39;s account-entity naming standardization takes effect: Account Name resolves by precedence and defaults to the UPN prefix (the part before &amp;quot;@&amp;quot;). Rules, automation, playbooks, workbooks and hunting queries that match on the full UPN break unless updated — this fires whether or not you have moved to the Defender portal. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Sentinel&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;The Migrate Sentinel to Defender blog series published its &amp;quot;Anatomy of the change&amp;quot; installment, a structural walkthrough of what actually moves when Sentinel runs inside the Defender portal — how incidents, entities, and data are represented once the two consoles unify, and why the shift is an architecture decision rather than a UI reskin. For a SOC that still lives in the Azure portal, this is the reference for understanding where your incident queue, entity pages, and data residency land after the cutover, and it sets up the RBAC and automation planning the rest of the series covers. With Sentinel slated to be supported in the Defender portal only starting July 2026, reading this before you touch role assignments or playbooks is time well spent. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/anatomy-of-the-change/4527934&quot;&gt;Microsoft Sentinel Blog — Anatomy of the change&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The same series followed with &amp;quot;Detection and automation, reimagined,&amp;quot; aimed squarely at detection engineers. Existing analytics rules, playbooks, and workbooks keep working after the move, but the scope widens: endpoint, identity, email, cloud-app, and Sentinel data sit together, so you query across all of them in one KQL experience, work a single incident queue, and automate with richer native Defender response actions. Custom detections gain near-real-time evaluation with native response actions, Security Copilot can draft playbooks from natural-language prompts, and advanced hunting spans Defender and Sentinel data together — a meaningful expansion of what a hunter can pivot across. It reads as the practical companion to &amp;quot;Anatomy of the change&amp;quot;: what your detection content &lt;em&gt;does&lt;/em&gt; after the portal unifies, not just where it lives. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/detection-and-automation-reimagined/4527933&quot;&gt;Microsoft Sentinel Blog — Detection and automation, reimagined&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft shipped the Agent Identities Asset Connector for Microsoft Sentinel in public preview, bringing AI-agent identity context into the Sentinel data lake to sit alongside the activity signals the Agent 365 and M365 Copilot connectors already collect. The connector adds four asset tables — Agent Users (the human owners/sponsors), Agent Identities (the agent as a first-class identity), and their blueprints and permissions — so a hunter can pivot from what an agent did to what it is, who owns it, and what it can access. For a SOC investigating anomalous agent activity, this closes the gap where an autonomous agent previously looked like an opaque service principal. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-agent-identities-asset-connector-for-microsoft-sentine/4527960&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft detailed non-human identity (NHI) protection in Microsoft Defender, extending the unified identity inventory and investigation experience to service principals, on-prem service accounts, and SaaS-connected OAuth apps. Defender now surfaces NHI risk across pivots analysts already use for humans — unused identities that still hold standing permissions, over-privileged identities where granted access far exceeds observed usage, ownership gaps, and which NHIs are actually powering AI agents — with governance and threat-detection built on top. Given that NHIs authenticate programmatically and cannot be protected by MFA (the Midnight Blizzard playbook), this puts a large, previously blind slice of the identity estate into the same queue an analyst already works. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/securing-the-invisible-workforce/4528611&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the identity side, the Entra team laid out how Entra and Defender are converging on unified identity security against AI-accelerated attacks, centered on the unified identity risk score unveiled at RSA. The score correlates signals across related accounts, sessions, workloads, and applications into a single evaluation that can drive real-time access decisions, aimed at shrinking the gap between detection and response when attackers automate reconnaissance and credential abuse. For SOC and IAM teams that run separate tools today, this is the direction identity signals will flow into the shared incident view. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/ai-is-accelerating-cyberattacks%E2%80%94here%E2%80%99s-how-to-stay-ahead/4528592&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;ASIM got a large parser and schema update. New native parsers cover Azure Firewall resource-specific tables (AZFWDnsQuery, AZFWNetworkRule, AZFWApplicationRule), Azure Key Vault (AZKVAuditLogs), Azure SQL/Synapse audit events, and AWS CloudTrail EC2/S3/IAM activity, plus 10+ third-party sources including Okta, Palo Alto PAN-OS and GlobalProtect, FortiGate, and several Cisco products. Two new schemas — Asset Entities and AI Agent Events — normalize asset inventory and autonomous-agent telemetry into common form. This means one analytic rule reaches more sources without per-source rewrites; note the &lt;code&gt;ProcessEvent&lt;/code&gt; breaking change flagged in Act by. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-new-additions-to-microsoft-sentinel-normalization-and-asim/4524584&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR tightened the blast radius of its built-in Copilot agents: the Phishing Triage Agent and Security Alert Triage Agent now run with a narrower email permission — &amp;quot;Email &amp;amp; collaboration content: Emails associated with alerts (read)&amp;quot; instead of the broad &amp;quot;All Emails (read).&amp;quot; The agents can still read the messages tied to the alerts they triage, but no longer have standing read access to the whole mailbox estate, so a compromised or misused agent has far less to reach. If you run these agents, it&#39;s a least-privilege improvement that applies automatically; worth noting when you document what the automated triage layer can see. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence disclosed a large-scale npm supply-chain compromise affecting 140+ packages across the &lt;code&gt;mastra&lt;/code&gt; and &lt;code&gt;@mastra&lt;/code&gt; scopes, and on 19 June attributed it with high confidence to Sapphire Sleet, a North Korean state actor (the same group behind the April 2026 Axios npm compromise). A takeover of the &lt;code&gt;ehindero&lt;/code&gt; maintainer account was used to publish poisoned versions that pulled in &lt;code&gt;easy-day-js&lt;/code&gt;, a typosquat of &lt;code&gt;dayjs&lt;/code&gt;; its &lt;code&gt;postinstall&lt;/code&gt; hook disabled TLS verification, called C2, and ran a hidden second-stage payload. Because the payload fires during installation, any workstation or CI/CD pipeline that ran &lt;code&gt;npm install&lt;/code&gt;/&lt;code&gt;npm update&lt;/code&gt; after the compromised versions shipped was exposed regardless of whether the package was imported — check build agents and developer endpoints, not just application dependencies. Microsoft Defender Antivirus, Defender for Endpoint, and Defender XDR ship detections and hunting coverage. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft&#39;s Incident Response team (DART) published a case study — &amp;quot;One intrusion, two cyberattackers&amp;quot; — on an engagement that opened as a routine ransomware investigation and turned out to hold two unrelated actors operating in the same environment at once. The primary actor, Storm-2603, had been exploiting on-prem SharePoint since mid-2025 and was probing for local-file-inclusion footholds (requests for &lt;code&gt;win.ini&lt;/code&gt;, &lt;code&gt;web.config&lt;/code&gt;); a second, unattributed actor ran in parallel. Between them they abused the legitimate Velociraptor forensic tool at SYSTEM level to map the environment, opened multiple remote channels via Cloudflare tunnels, Zoho Assist, and SSH-over-VS-Code, created rogue local and domain admin accounts, and used DLL sideloading and a vulnerable driver to disable protections and tamper with memory. The SOC lessons are concrete: alert on unexpected Velociraptor and remote-access tunneling, watch for out-of-band admin-account creation, and keep centralized telemetry long enough to untangle overlapping actors — a single intrusion is not always a single adversary. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/22/one-intrusion-two-cyberattackers-uncovering-parallel-threat-activity/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two Microsoft research posts sharpen the AI-agent attack surface that this month&#39;s inventory and governance features are trying to defend. In &amp;quot;AutoJack,&amp;quot; Microsoft showed an exploit chain in AutoGen Studio where attacker-controlled web content rendered by a browsing agent reaches a local MCP WebSocket and spawns arbitrary processes on the host — three weaknesses combine (the socket trusts localhost, auth middleware skips MCP paths, and the endpoint runs a command straight from a request parameter with no allowlist), with the lesson that &amp;quot;localhost is no longer a trust boundary&amp;quot; once an agent browses untrusted pages. The affected surface was never in a PyPI release and the upstream branch was hardened after Microsoft reported it to MSRC, but the pattern generalizes to any agent wired to a privileged local control plane. Separately, &amp;quot;Guarding AI memory&amp;quot; describes agent-memory attacks — malicious instructions planted in shared documents that lie dormant in an agent&#39;s persisted memory and fire later during unrelated conversations — and Microsoft&#39;s layered defenses, including prompt-injection classifiers and task-adherence checks on write, M365 compliance controls on storage, and, usefully for a SOC, memory-update audit logging that surfaces in Defender advanced hunting and Sentinel. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/&quot;&gt;Microsoft Security Blog — AutoJack&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>June 8 – June 15, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-06-15-week/" />
    <updated>2026-06-15T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-06-15-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;15 Jun 2026&lt;/strong&gt; — Older Sentinel repositories (content-as-code) Source Control API versions become unsupported after today. CI/CD tooling that creates or manages repo connections must move to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview; existing connections keep operating. If your team deploys analytics rules and playbooks from GitHub or Azure DevOps, confirm the pipeline is on a supported API version. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — The advanced-hunting &lt;code&gt;AIAgentsInfo&lt;/code&gt; table retires and is replaced by &lt;code&gt;AgentsInfo&lt;/code&gt;, a unified schema covering all agent types (Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents). &lt;code&gt;AIAgentsInfo&lt;/code&gt; stays accessible until this date. Update any custom detections, hunting queries, or workbooks that reference the old table before it goes away. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Defender XDR&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Account-entity naming standardization takes effect. Sentinel resolves Account Name by precedence and defaults to the UPN prefix (the part before &amp;quot;@&amp;quot;). Analytics rules, automation rules, playbooks, workbooks, and hunting queries that rely on strict full-UPN matching break unless updated — regardless of whether you have migrated to the Defender portal. Audit your queries for hard-coded full-UPN account matches now. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Unified RBAC migration groundwork before the Defender-portal cutover (heads-up). Legacy Sentinel Azure roles do not carry into the Defender portal, so plan URBAC migration to avoid permission gaps; Workspace Manager deprecation pushes MSSPs toward CI/CD via GitHub or Azure DevOps. (&lt;a href=&quot;https://learn.microsoft.com/en-us/unified-secops/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;June Patch Tuesday landed on 9 June 2026 and was Microsoft&#39;s largest ever, addressing roughly 200 CVEs (tracker counts range 198–208) with about three dozen rated Critical — the Critical set is dominated by remote-code-execution bugs, including multiple in Office and eleven in the Remote Desktop client. Microsoft flagged six zero-days: five publicly disclosed before patch day — a Windows Collaborative Translation Framework (CTFMON) elevation-of-privilege bug (CVE-2026-45586, &amp;quot;GreenPlasma&amp;quot;), two BitLocker security-feature bypasses (CVE-2026-45585 &amp;quot;YellowKey&amp;quot; and CVE-2026-50507 &amp;quot;Bitskrieg&amp;quot;), an HTTP.sys HTTP/2 denial-of-service flaw (CVE-2026-49160, &amp;quot;HTTP/2 Bomb&amp;quot;), and a Cloud Files driver EoP — plus at least one exploited in the wild. Trackers disagree on which: BleepingComputer cites an Exchange Server spoofing bug (CVE-2026-42897) that runs arbitrary JavaScript in Outlook Web Access when a crafted mail is opened, while Tenable flags a Defender for Endpoint EoP (CVE-2026-41091, &amp;quot;RedSun&amp;quot;) later added to CISA&#39;s KEV. SharePoint took 23 fixes and Exchange 7, and there is a separate critical HTTP.sys RCE (CVE-2026-47291) alongside the disclosed DoS. On a Microsoft estate the practical work is confirming Defender-delivered updates roll out through MDE, watching endpoint patch compliance in vulnerability management, and prioritizing internet-facing OWA/Exchange, SharePoint, and HTTP.sys hosts. (&lt;a href=&quot;https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/&quot;&gt;BleepingComputer&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR added threat-intelligence enrichment on entity pages (preview). IP address, domain, URL, and file entity pages now carry a Threat Intelligence Insights tab that surfaces Microsoft Threat Intelligence data — reputation scores, attributed threat reports, infrastructure relationships, and sandbox analysis — inline in the investigation. For an analyst this removes a context switch: the reputation and attribution lookup you would otherwise run in a separate TI tool now sits on the entity you are already pivoting through. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Four advanced-hunting schema tables reached general availability in Defender XDR this month: &lt;code&gt;DisruptionAndResponseEvents&lt;/code&gt; (automatic attack-disruption block and policy events) and the multicloud trio &lt;code&gt;CloudAuditEvents&lt;/code&gt;, &lt;code&gt;CloudDnsEvents&lt;/code&gt;, and &lt;code&gt;CloudProcessEvents&lt;/code&gt; fed from Defender for Cloud. GA means these are stable enough to build production detections and scheduled hunts on rather than one-off queries — disruption events let you audit what attack disruption actually did, and the cloud tables extend KQL hunting into audit, DNS, and process activity across cloud workloads. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;In Defender Vulnerability Management the reworked exposure score went GA, and a new Microsoft Secure Score recommendation, &amp;quot;Reduce unnecessary inbound internet exposure on internet-facing devices,&amp;quot; shipped alongside it. The new score model factors in exploit-prediction data (EPSS) and asset context such as internet-facing status and criticality, so prioritization tilts toward vulnerabilities that are both likely to be exploited and on assets that matter. Paired with the internet-exposure recommendation, this gives a SOC a sharper worklist the same week a record Patch Tuesday lands with internet-facing HTTP.sys and Exchange bugs to triage. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn — What&#39;s new in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft brought Selective Response Actions to GA in Defender for Endpoint. During onboarding you can now scope which high-impact response actions (isolation, live response, and similar) are permitted on Tier-0 systems and other high-value assets, so an automated or analyst-triggered containment cannot inadvertently take down a domain controller or critical server while still allowing full protection elsewhere. Useful guardrail if your automation or SOAR playbooks fire response actions broadly. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn — What&#39;s new in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the identity side, Entra&#39;s June release notes extend Conditional Access to AI-agent user accounts (preview). Admins can now target individual agents or dynamically group them via Custom Security Attributes, gate on Agent Risk, and require compliant devices or trusted network conditions for agents running on managed endpoints (including Windows 365 for Agents). This carries the same Zero Trust controls SOC and IAM teams already apply to human accounts onto autonomous agents — the population that connectors like the Sentinel Agent Identities asset connector are now surfacing for investigation. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Microsoft Entra&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra also made tenant Backup and Recovery generally available. Always-on by default, it takes a daily snapshot of critical directory objects — users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, agent IDs, and auth/authorization policy — with 7-day retention on P1/P2, plus difference reports and recovery jobs. For a SOC this is a concrete recovery path after a malicious or accidental directory change (rogue CA policy edits, mass group tampering): you can diff against a known-good snapshot and restore rather than rebuild by hand. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Microsoft Entra&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two smaller Entra hardening changes shipped the same month: jailbreak/root detection in Microsoft Authenticator went GA (secure by default, no admin config — rooted or jailbroken devices are blocked from adding or using work/school accounts), and AD group enforcement entered preview, letting you designate provisioned AD groups so membership changes are only accepted through the Entra provisioning service and out-of-band edits are blocked. Both close small abuse paths — a tampered authenticator device and drift-based privilege changes in on-prem groups. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn — What&#39;s new in Microsoft Entra&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Sentinel&#39;s June updates added two hunting-side previews. Behavior results can now be linked to incidents in advanced hunting: query results from the UEBA &lt;code&gt;BehaviorInfo&lt;/code&gt; table can be attached to a new or existing incident, with alert metadata and entities auto-populated from the behavior record — a direct path from a UEBA anomaly to an actioned incident. Separately, a graph tool collection in the Sentinel MCP server lets you explore relationships across identities, devices, threats, and signals as a graph to spot coverage and configuration gaps. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;This June Patch Tuesday is worth treating as a scheduling event, not just a checklist. At a record ~200 CVEs it is too large to push in one wave, so rank by exposure: internet-facing first (the exploited Exchange OWA spoofing bug and both HTTP.sys flaws, the DoS and the separate critical RCE), then the widely reachable server-side bugs (23 SharePoint CVEs, the rest of Exchange), then client-side RCE in Office and the eleven Remote Desktop client fixes that need a crafted server or relay to land. The BitLocker bypasses (YellowKey, Bitskrieg) matter most for physically exposed or lost devices. Because Microsoft ships several of these through Defender-delivered channels, verify rollout in MDE and use the new EPSS-plus-context exposure score to sequence the long tail rather than patching alphabetically. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Outside Patch Tuesday this was a quiet week for dated announcements — the Sentinel, Defender XDR, and Entra blogs published nothing between 9 and 15 June, and the month&#39;s feature wave (the Agent Identities asset connector, ASIM&#39;s schema additions, and non-human-identity protection in Defender) begins landing from 16 June, so those fall into the following week&#39;s brief. The items above come from the June release notes, which are month-granular rather than day-stamped. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Keep the Defender-portal migration on your radar while the week is calm. Microsoft Sentinel in the Azure portal is slated to be supported in the Defender portal only starting July 2026, with remaining Azure-portal customers automatically redirected — now weeks, not months, away. Combined with the 1 July account-entity naming change and the unified RBAC gap noted in &lt;em&gt;Act by&lt;/em&gt;, the practical message is that detection logic, automation, and role assignments all need a pass before the cutover; a quiet week is a good time to run that audit rather than doing it under redirect pressure. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>June 1 – June 8, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-06-08-week/" />
    <updated>2026-06-08T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-06-08-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;6 Jul 2026&lt;/strong&gt; — Conditional Access enforcement for the &lt;em&gt;Register security information&lt;/em&gt; action extends to Windows Hello for Business provisioning and macOS Platform SSO registration, closing a long-standing gap where those flows were unenforced. The same week, an SSPR registration campaign begins. Test any CA policies scoped to registration flows in report-only mode before the rollout so device setup does not start failing for users who cannot satisfy the policy. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-security-updates-what-organizations-need-to-do-now/4522024&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;7 Sep 2026&lt;/strong&gt; — Self-service password reset stops accepting authentication methods that were never explicitly registered. Directory-sourced phone numbers and email addresses will no longer work for SSPR — only registered methods. Drive users through the July registration campaign so they are not locked out of reset when this flips. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-security-updates-what-organizations-need-to-do-now/4522024&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;30 Sep 2026&lt;/strong&gt; — Entra Custom controls retire (end of life May 2027). Third-party MFA integrations wired through Custom controls must move to External MFA to stay supported. Existing configs keep working through the transition, but start migration planning now. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-security-updates-what-organizations-need-to-do-now/4522024&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft extended Defender to secure AI agents running locally on managed Windows and macOS devices (public preview). Defender now discovers 20+ agent types — coding CLIs (Claude Code, GitHub Copilot CLI, Codex, Gemini), agentic IDE extensions (Cursor, Windsurf, Cline), desktop assistants, local runtimes like Ollama, and MCP servers — surfacing each as a first-class asset with user identity, process relationships, trust indicators, and risky settings such as &amp;quot;auto-approve.&amp;quot; It adds inline runtime protection to block malicious agent behavior — including prompt-injection attempts against a coding agent before the malicious action executes (starting with Claude Code and GitHub Copilot CLI) — an exposure view across reachable identities and resources, and an Advanced Hunting surface for the activity. For a SOC this is the first real visibility into agents that previously ran as opaque OS processes yet can reach source code, secrets, SharePoint, and email through the user&#39;s identity. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/the-next-frontier-in-endpoint-security-securing-local-ai-agents-with-microsoft-d/4524651&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;At Build 2026 (June 2–3), Microsoft put its multi-model agentic scanning harness (codename MDASH) into an expanded preview and brought the native integration between Microsoft Defender and GitHub Code Security (the former GitHub Advanced Security suite) to general availability. MDASH orchestrates 100+ specialized AI agents across an ensemble of models to find, validate, and prove exploitability in code — Microsoft cites 96.55% on the CyberGym benchmark — and the Defender tie-in enriches those findings with production signal (internet exposure, data sensitivity), routes AI-assisted fixes through GitHub Copilot Autofix, and surfaces exploitable code risk in the same queue as endpoint and identity alerts. Relevant if your org is folding code-security findings into SOC triage rather than leaving them in a separate developer tool. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also at Build, Defender AI model scanning entered preview. It detects and blocks potentially vulnerable or compromised AI models across model registries, workspaces, and CI/CD pipelines, verifying model integrity before deployment. For a SOC standing up coverage for AI workloads, this pushes supply-chain checks left of runtime — a tampered or backdoored model is caught at the registry or pipeline stage rather than after it is serving in production, and the signal lands in Defender alongside the rest of the estate. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview extended data-protection controls to coding agents at Build (preview). The controls prevent data exfiltration and add agentic risk detection for coding agents (Claude Code, GitHub Copilot, OpenAI Codex, and others), DSPM risk discovery for where agents reach sensitive data, and — with Agent 365 — runtime DLP for agent prompts that detects, blocks, and audits sensitive data before the agent processes it; Purview data-risk signals in the Foundry control plane went GA alongside. For a SOC that owns Purview, this is the data-layer complement to Defender&#39;s endpoint view of the same agents: visibility into what data a local agent touches and a runtime block on sensitive content entering a prompt. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft disclosed a critical remote code execution flaw in Microsoft 365 Copilot (CVE-2026-45497, CVSS 7.7) on 4 June as one of its &amp;quot;June 2026 Early Security Updates.&amp;quot; The root cause was command injection that could let an attacker break out of the Copilot service boundary and reach into the surrounding Microsoft 365 environment; a related critical Exchange Online information-disclosure bug (CVE-2026-48579, CVSS 9.1) was disclosed in the same batch. Microsoft fixed both server-side before publishing the advisories, so there is nothing to patch — but the SOC actions are real: review Entra sign-in and audit logs for anomalous Copilot access, confirm audit logging captures Copilot activity, and rotate credentials that a service-boundary escape could have exposed. These cloud CVEs are separate from the on-prem Patch Tuesday rollup that lands 9 June. (&lt;a href=&quot;https://www.myabt.com/blog/microsoft-365-copilot-rce-june-2026-financial-institutions&quot;&gt;Microsoft 365 Copilot RCE analysis&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Build also shipped an Agent 365 governance and isolation stack. The Agent 365 SDK went GA (observability, access controls, and compliance enforcement in the development workflow); the Agent 365 Agent Registry surfaces unmanaged local agents discovered by Defender, Entra, and Intune; Windows 365 for Agents reached GA to run agents in fully isolated, policy-governed Cloud PC environments; and the Microsoft Execution Container (MXC) SDK entered early preview for OS-level process and session isolation of agent execution. For a SOC, the registry closes the shadow-agent discovery gap and the isolation options give a containment answer for agents that would otherwise run with the user&#39;s full reach on a managed endpoint. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra ID posted three near-term identity-hardening changes. Custom controls are being deprecated in favor of External MFA; Conditional Access will be enforced consistently during credential registration (including WHfB and macOS Platform SSO); and SSPR will require explicitly registered authentication methods rather than accepting directory-sourced phone/email. The dates land in Q3 (see Act by), but the analyst-facing point is that CA enforcement is getting more uniform and SSPR fallback paths attackers could abuse are closing — expect fewer silent gaps and more registration prompts. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-security-updates-what-organizations-need-to-do-now/4522024&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft published a Global Secure Access Operations Guide on Microsoft Learn — a prescriptive day-2 playbook for running GSA in production. It ships a RACI matrix, capability-specific playbooks for Private Access, Internet Access, Remote Networks, and Microsoft Traffic, and alert-first monitoring routines built to act on Microsoft Sentinel and Azure Monitor signals before dashboards show trouble, plus daily health-check templates and Sentinel/Graph/PowerShell automation. Useful if your SOC owns any GSA monitoring or alerting, since it maps each alert to a defined action. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/run-global-secure-access-with-confidence-introducing-the-gsa-operations-guide/4524891&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence detailed how threat actors are riding the AI hype as social-engineering bait. Since early 2026 it has tracked malvertising using AI-themed lures (&amp;quot;Flux Pro AI&amp;quot; and similar) in popups, malware filenames, and GitHub repo names, attributed to initial-access broker Storm-3075, with campaigns moving from launch to mass impact within hours. It also observed brand-impersonation phishing: an Anthropic/Claude-themed campaign hitting 2,000+ organizations (Apr 20–22, mostly US/UK/India) and a ChatGPT-themed credential/credit-card phishing run of ~4,500 emails on May 5 (97% South Africa). Worth flagging AI-branded domains and lures in your phishing and malvertising detections. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Build week&#39;s through-line is that AI agents and Copilot are now a first-class SOC surface, defended and attacked on the same footing as endpoints and identities. On the defense side the pieces landed together — Defender discovers and blocks local agents, Purview governs the data they touch, and Agent 365 registers and isolates them — while the two server-side Copilot CVEs (the 4 June M365 Copilot RCE and the paired Exchange Online disclosure) are the reminder that the managed AI services themselves carry exploitable flaws. Because Microsoft remediates those in its own cloud, the analyst job shifts from patching to detection and governance: make sure Copilot and agent activity is captured in your audit and sign-in telemetry now, so that when the next agent or Copilot advisory drops you can actually hunt for whether it was abused rather than discovering you had no logs.&lt;/p&gt;
&lt;p&gt;On patching cadence there was no Patch Tuesday in this window — the early Copilot and Exchange Online cloud fixes are separate cloud-service advisories, and the on-prem June rollup lands 9 June (next issue), where trackers expect a record-size batch with an exploited Exchange zero-day. If you own the estate&#39;s patch sequencing, treat this quiet week as prep: confirm Defender-delivered update channels are healthy in MDE and stage your internet-facing triage list before the 9th, rather than reacting to it cold. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>May 25 – June 1, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-06-01-week/" />
    <updated>2026-06-01T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-06-01-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jun 2026&lt;/strong&gt; — Microsoft Entra ID begins blocking Entra Connect Sync and Cloud Sync from &lt;em&gt;hard-matching&lt;/em&gt; a newly synced on-premises Active Directory user onto an existing cloud-managed Entra user that holds an Entra role. It closes a Source-of-Authority takeover path where an on-prem foothold manipulates AD attributes to seize a privileged cloud account. Soft match, and hard match for non-role-holding users, are unaffected. If you run hybrid sync, confirm no privileged cloud accounts still depend on hard-match behavior before today, or legitimate syncs will start throwing hard-match errors. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Tenant Groups entered public preview in the Microsoft Defender multitenant (MTO) portal on 27 May, letting you organize the tenants you manage into logical groups (by customer segment, geography, criticality, or onboarding stage) and switch the whole Defender view to just that set of tenants with one click. The view is permissions-aware — a group can list tenants you lack access to, but you only ever see the ones where you hold B2B/GDAP rights — so existing access controls stay in charge. Note the naming change: the old &amp;quot;Tenant groups&amp;quot; feature used for content distribution is now called Deployment profiles, and &amp;quot;Tenant Groups&amp;quot; refers to this new grouping experience. For MSSP and multi-tenant SOC teams, this cuts cross-tenant noise when investigating incidents or hunting against a specific customer tier or region. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/organize-your-multitenant-view-with-tenant-groups-in-microsoft-defender/4522992&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel RBAC and row-level scoping reached general availability, per the May Sentinel recap, giving security teams a single, granular permissions model that spans Microsoft Sentinel and the Defender portal. Scoping lets you tag data at ingestion, define logical scopes, and assign users or groups to those scopes through Unified RBAC — so multiple teams can work inside one shared workspace without spinning up separate workspaces to enforce data boundaries. For a SOC that runs tiered analysts, regional teams, or MSSP-style separation, this is the mechanism to keep each group to the rows it should see while keeping detections and hunting in one place. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-may-2026/4523419&quot;&gt;What&#39;s new in Microsoft Sentinel: May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Generate playbooks using AI in Microsoft Sentinel became generally available this month. The SOAR playbook generator builds Python-based automation workflows through a conversational experience with Cline, an AI coding agent, so responders can describe the response they want and get a working playbook instead of hand-authoring Logic Apps from scratch. For teams short on SOAR-engineering hours, it lowers the bar to automating routine containment and enrichment steps. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel UEBA gained three enhancements. A new UEBA tab in the Sentinel settings page consolidates UEBA and Behaviors settings behind one entry point; Okta anomalies now read the newer OktaV2_CL table alongside the legacy Okta_CL, extending the existing Anomalous Activity and Anomalous MFA Failures detections to tenants on the V2 Okta connector (no new anomaly types, just wider coverage); and UEBA added five new GCP Audit Logs anomaly detections covering unusual logins, privileged actions, resource deployments, secret/KMS key access, and infrastructure usage. For analysts, the practical wins are cleaner UEBA administration and anomaly coverage that now reaches Okta-V2 and GCP identity activity. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Automatic attack disruption can now isolate a compromised device from the network (preview) when high-confidence incident analysis shows the device is being used as an active foothold. Isolation blocks attacker communication and lateral movement while keeping the device reachable by security services; the action is time-limited, scoped to devices involved in the incident, and releasable by an operator at any time. This extends attack disruption beyond user containment and account/token actions to cutting off the machine itself, buying a SOC time on an active intrusion without waiting for a human to pull the device. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The advanced-hunting Take action wizard added email-scoped blocking. From query results, analysts can now allow or block top-level domains and file-attachment hashes in email, turning a hunting query straight into a containment control for a phishing or malware-delivery campaign. It shortens the loop between finding a malicious sender pattern or attachment in hunting and blocking it across mail flow. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The advanced-hunting graph added identity-focused predefined scenarios that map attack paths, privilege-escalation routes, and credential-access risks across on-premises and cloud. The new scenarios include Kerberoast and AS-REP roast paths, domain-compromise routes, OAuth application risks, and guest-user access to cloud resources. Instead of hand-building queries to trace how a credential-theft technique could pivot through the environment, an analyst gets a ready graph to walk the exposure — useful for both incident scoping and proactive identity hunting. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender Chat entered preview — an open-prompt chat assistant built into the Microsoft Defender portal that lets analysts investigate threats, explore incidents, and answer security questions in plain language without navigating multiple screens or writing KQL. It sits alongside the more scoped Security Copilot agents as a general-purpose, in-portal way to ask questions of your Defender data during triage. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On-demand malware scanning of Azure Files reached general availability in Microsoft Defender for Storage on 26 May. On-demand scanning now covers storage accounts that hold both blobs and files, and scans can be started from the Azure portal or the REST API and automated with Logic Apps, Automation runbooks, or PowerShell. For a SOC, this gives an analyst a way to scan a suspect file share on demand during an investigation rather than waiting on upload-triggered scans only. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Containers extended sensor-based protection to private clusters in public preview on 31 May, adding gated deployment, binary drift detection, and malware detection for cluster scenarios that were previously uncovered. This closes a visibility gap for Kubernetes estates that run private (non-public-endpoint) clusters, so drift and malware on those workloads now surface in the same Defender experience as the rest of your container fleet. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;This was the last quiet week before Microsoft Build 2026 (June 2–3, San Francisco), where the larger Sentinel, Defender, and identity wave lands — expect next week&#39;s brief to carry it. The AI-agent-security thread running through this month&#39;s releases is the tell: the May Sentinel recap headlines an Agent 365 connector (preview) that pulls AI-agent telemetry into the data lake as first-class signals, and Defender&#39;s local-AI-agent discovery and runtime protection arrive right after Build. If your org is starting to run coding agents and MCP servers on endpoints, that is the coverage gap to watch fill over the next fortnight.&lt;/p&gt;
&lt;p&gt;Also on 31 May, Defender for Cloud extended Kubernetes node malware detection beyond AKS to EKS and GKE nodes; that is multicloud-only and out of scope here, but it is part of the same containers push as the private-clusters preview above. On the patching cadence, there was no Patch Tuesday in this window — May&#39;s shipped on the 12th (covered last issue) and the next drops 9 June, so the near-term identity deadline to plan around is today&#39;s Entra Connect hard-match enforcement, not a new CVE batch. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>May 18 – May 25, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-05-25-week/" />
    <updated>2026-05-25T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-05-25-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Cloud security reporting in the Microsoft Defender portal entered public preview on 20 May, adding built-in and custom reports for Defender for Cloud data under a new Reporting &amp;gt; Cloud tab. Analysts get predefined views such as the CNAPP Executive Summary (threat detection, secure-score trends, vulnerability management, recommendations, investigation and response activity, and regulatory compliance) and Cloud Posture, and can duplicate and customize sections, export to PDF, and control access with Private, Tenant-level, or Public visibility. For a SOC, this puts cloud posture and CNAPP signals into shareable reports without pushing data into a separate BI tool. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud vulnerability scanning now covers Docker Hardened container images in preview (19 May), using Microsoft Defender Vulnerability Management to identify vulnerabilities so teams can confirm they ship the most secure builds. The rollout is gradual and requires no user action, though scanning more image types may increase cost. For analysts triaging container findings, it closes a blind spot in registries that rely on hardened base images. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview Data Security Posture Management (DSPM) reached general availability, per the 21 May Microsoft Security roundup, with a reworked experience that unifies discovery, protection, and remediation in one workflow. Goal-oriented flows, deeper remediation, expanded reporting, and third-party visibility (partner solutions and the Data Security Posture Agent stay in preview) let teams discover sensitive data, assess risk, and act at scale from the same place; the release also adds support for administrative units. For a SOC, DSPM is where data-exposure risk gets surfaced and triaged before it becomes an exfiltration incident. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview Data Security Investigations added optical character recognition (OCR) and custom examinations. OCR extracts text from images, bringing previously unreadable visual content into scope for AI-powered deep content analysis, and custom examinations let investigators define their own analysis focus beyond the built-in credential, risk, and PII checks. This gives an analyst running a data-incident investigation broader coverage and more tailored scoping. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview visibility extended to Anthropic&#39;s Claude through a new Claude Compliance API and an Anthropic Claude data connector (connector in preview). Purview surfaces Claude Enterprise interactions and audit-log signals so security and compliance teams can detect and investigate Claude usage alongside Copilot, Copilot Studio, ChatGPT Enterprise, and other AI apps — including who used Claude, when, and what kinds of content were involved, viewable in Activity Explorer. For analysts, it brings a widely used third-party AI tool into the same audit and investigation surface as the rest of the estate. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra ID Account recovery provides an advanced recovery path for users who have lost access to all their registered authentication methods. Unlike a traditional password reset, it centers on identity verification and trust re-establishment before new authentication methods are issued. For a SOC, a verification-gated recovery flow narrows the help-desk social-engineering path attackers use to seize accounts and makes recovery after a confirmed compromise safer. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra Connect Sync configuration changes will require interactive admin authorization, announced in the May Entra recap. Going forward, changing sync settings — enabling or disabling features via the Connect wizard or PowerShell, and cloud-side changes during uninstall — will require a verified, interactive sign-in from an authorized cloud administrator, with the cloud treated as the source of truth for sync feature state. For a SOC defending hybrid identity, this raises the bar on a path an on-prem foothold could otherwise use to quietly flip sync behavior; end-user experience and sync functionality are unchanged. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra phishing-resistant sign-in got two upgrades this month. System-preferred authentication expanded to the first factor (GA) in Microsoft-managed configurations, so the system now picks the highest-ranked registered method at each step — users with passkeys can be signed in without a password. Separately, Microsoft registration campaigns now support passkeys (FIDO2) (GA), letting admins nudge users to register a passkey during sign-in to drive adoption at scale. For a SOC, both push the tenant toward credentials that resist the AiTM and password-replay attacks that dominate identity incidents. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Azure role assignments can now be governed through Entitlement Management (preview), announced in the May Entra recap. You can put eligible and active assignments to Azure roles at the Management Group, Subscription, and Resource Group levels into access packages, bringing them into the same request, approval, and lifecycle model — and just-in-time, least-privilege posture — already used for apps and groups. For analysts, standing Azure RBAC that once lived outside any review process becomes something with an owner, an expiry, and an audit trail. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sensitivity labels for Entra security groups entered public preview, announced in the May Entra recap. Administrators can apply Microsoft Purview sensitivity labels to Entra cloud security groups to govern settings such as guest access, using the same labels and policies that already apply to Microsoft 365 groups, managed from Purview and applied through the Entra admin center, Azure portal, or Graph. For a SOC, this extends a consistent guest-access guardrail to the security groups that frequently gate sensitive resource access. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Windows 365 for Agents expanded in public preview as a governed place for AI agents to run: managed Cloud PCs that let an agent operate its own desktop and applications inside a fully managed, auditable environment, controlled through existing identity, policy, and management tools such as Entra ID and Intune. Paired with Microsoft Agent 365 (which governs what an agent is authorized to do) and Purview&#39;s runtime DLP for agent prompts, it&#39;s the &amp;quot;where it executes&amp;quot; half of the emerging agent-security model. For a SOC starting to see autonomous agents in the environment, it&#39;s the difference between an agent running loose on a user&#39;s box and one running somewhere you can scope, log, and investigate. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;This was a lighter week ahead of Microsoft Build 2026 (June 2–3, San Francisco), where the larger Sentinel, Defender, and identity announcements land — expect the next few briefs to carry the Build wave. The tell in this week&#39;s releases is that AI-agent security is becoming its own discipline: Microsoft Agent 365 went GA earlier in May, Windows 365 for Agents is previewing the runtime environment, Purview added runtime DLP for agent prompts and the Claude audit connector, and Defender&#39;s local-AI-agent discovery and runtime protection arrive right after Build. If your org is starting to run coding agents, MCP servers, and Copilot-Studio agents, that is the coverage area to watch fill over the coming weeks — and the reason so much of a &amp;quot;quiet&amp;quot; week is really about governing non-human identities. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the patching cadence, there was no Patch Tuesday in this window — May&#39;s shipped on the 12th (covered two issues back, ~130 CVEs and, for the first time in nearly two years, no zero-days) and the next drops 9 June, so the near-term calendar item is Build, not a new CVE batch. Worth folding into hunting time instead: recent Microsoft threat research on a stealthy intrusion through a compromised third-party IT services provider (mid-May) walks a real chain of legitimate-tool abuse, credential theft, and persistence — a useful reference for anyone building detections around supply-chain and remote-management-tool misuse. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Context for interns on where these features live: cloud security reporting, the CNAPP views, and the Docker Hardened scanning all sit in the unified Defender portal, part of the ongoing consolidation of Microsoft&#39;s security tooling into one console at security.microsoft.com — Defender for Cloud finished integrating there on 5 May. That migration has a hard edge worth remembering: Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface. If you&#39;re learning the ropes now, learn them in the unified portal rather than the older Azure-portal blades. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>May 11 – May 18, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-05-18-week/" />
    <updated>2026-05-18T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-05-18-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Automatic attack disruption can now isolate a compromised device from the network on its own (preview). When high-confidence incident analysis indicates a device is being used as an active foothold, Defender isolates it automatically — blocking attacker communication and lateral movement while keeping the device connected to security services. The action is time-limited, scoped to devices involved in the incident, and a security operator can release it at any time. For a SOC, this pushes containment ahead of a human decision on the fastest-moving cases, so an attacker loses the box before the on-call analyst has even opened the incident; the trade-off is that you should know where to find and lift the isolation when it fires on something you&#39;d rather investigate live. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender Experts for Servers became available as a managed extended detection and response (XDR) option for server workloads (18 May). Microsoft analysts plus automation detect, prioritize, and respond to threats on machines protected by Defender for Servers Plan 1 or Plan 2 across Azure, AWS, GCP, and on-premises, and the offering bundles Defender Experts for Hunting and Ask Defender Experts. Sold separately, it is the same managed service previously offered only as an add-on, now positioned as a standalone way to hand off server-side detection and response. For a SOC without 24/7 coverage on its server estate, this is the option to escalate hands-on-keyboard server threats to Microsoft rather than carrying them alone. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;SQL Vulnerability Assessment Express Configuration entered public preview for Azure SQL Managed Instance and Azure Synapse Analytics workspaces (17 May), extending the Microsoft-managed baseline-and-results experience that already existed for Azure SQL Database. Express Configuration lets you enable SQL VA without standing up a customer-managed storage account, at no extra cost, and a new unified REST API now covers SQL VA across Azure SQL Database, Managed Instance, Synapse, and SQL on machines. For analysts tracking database misconfiguration and drift as part of exposure management, this removes the storage-account friction that often left SQL VA unconfigured on MI and Synapse. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The advanced hunting graph added identity-focused predefined scenarios. The interactive hunting graph in the Defender portal now ships built-in scenarios that surface attack paths, privilege-escalation routes, and credential-access risks across on-premises and cloud — including Kerberoast and AS-REP roast paths, domain-compromise routes, OAuth application risks, and guest-user access to cloud resources. Instead of writing the traversal query yourself, you pick the scenario and read the graph. For an intern learning how identity attacks actually chain together, these double as a teaching aid: each scenario maps a real technique to the accounts and resources in your own tenant. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The advanced hunting Take action wizard can now block malicious email indicators straight from query results. After a hunt over email data, you can select rows and allow or block top-level domains and file-attachment hashes in email directly from the wizard, without pivoting to a separate policy blade. For analysts working a phishing or malspam wave, this shortens the loop from &amp;quot;found the bad sender infrastructure&amp;quot; to &amp;quot;blocked it&amp;quot; to a single query-and-action, which matters when you&#39;re trying to cut off an active campaign before more users click. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender Vulnerability Management previewed a new exposure-score model that reprioritizes risk using exploit-prediction (EPSS) data and asset-context factors such as whether a device is internet-facing and how critical it is. Rather than ranking by raw CVE count or CVSS alone, the score weights what is actually likely to be exploited on the machines that matter most. For a SOC driving remediation, this is a better first cut at &amp;quot;what do we patch this week&amp;quot; — a critical CVE on an exposed, internet-facing server should now float above the same CVE buried on an isolated workstation. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A plain-language Defender Chat assistant arrived in the Defender portal (preview). Defender Chat is an open-prompt chat experience built into Microsoft Defender that helps analysts investigate threats, explore incidents, and answer security questions in natural language — without navigating multiple screens or hand-writing KQL. It&#39;s the Security Copilot pattern brought to the everyday triage surface; for newer shift staff it lowers the barrier to &amp;quot;why did this incident fire and what&#39;s connected to it&amp;quot; before they&#39;re fluent in advanced hunting. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two endpoint-control changes shipped for Microsoft Defender for Endpoint. Custom data collection reached general availability, letting you expand telemetry beyond the defaults with rule-based filtering for specific events, and the per-rule ceiling rose from 25,000 to 75,000 events per device within a rolling 24 hours — useful when you need deeper visibility on a subset of hosts for a hunt or investigation. Separately, Selective Response Actions entered preview, giving you precise control over how high-impact response actions apply to Tier-0 systems and other high-value assets during onboarding, so containment on a domain controller or jump host doesn&#39;t take down something you can&#39;t afford to knock offline. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;May Patch Tuesday landed on 12 May 2026 with roughly 130 CVEs (30 rated Critical) and — for the first time in nearly two years — no zero-days either exploited in the wild or publicly disclosed. Two unauthenticated, no-interaction Windows RCEs top the priority list for a Microsoft estate: CVE-2026-41089 (Netlogon, CVSS 9.8), which lets an attacker run code on a domain controller via a crafted network request, and CVE-2026-41096 (DNS Client, CVSS 9.8), triggerable by a malicious DNS response from an attacker able to influence name resolution. Also worth prioritizing: four Critical Microsoft Word RCEs (CVE-2026-40361/40364/40366/40367) and two Office RCEs (CVE-2026-40358/40363) that all list the Preview Pane as an attack vector, plus an authenticated SharePoint Server RCE (CVE-2026-40365). Watch endpoint and DC patch compliance in Defender Vulnerability Management — and note the new EPSS-weighted exposure score above should help you rank these against everything else already outstanding. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-May&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;This was a genuinely lighter week bracketed by RSAC 2026 and Microsoft Build (June 2–3), so the monthly Defender, Sentinel, and Entra roundups cluster in the surrounding weeks and the big platform announcements land on either side. The month&#39;s endpoint updates also carried a couple of smaller items worth a glance: scheduled antivirus scans for Defender for Endpoint on Linux entered preview (hourly/interval quick scans and weekly full scans, configurable via managed JSON, the portal, or the &lt;code&gt;mdatp&lt;/code&gt; CLI), and the Defender endpoint security solution for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 reached GA via the Defender deployment tool — relevant only if you still carry that debt, but better than leaving those hosts dark. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Context for interns on where these features live: several of this week&#39;s items (Defender Chat, the hunting-graph scenarios, the Take action wizard) are Defender-portal experiences, part of the ongoing consolidation of Microsoft&#39;s security tooling into one console at security.microsoft.com. That migration has a hard edge worth remembering — Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface — so if you&#39;re learning the ropes now, learn them in the unified portal rather than the older Azure-portal blades. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>May 4 – May 11, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-05-11-week/" />
    <updated>2026-05-11T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-05-11-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;31 Jul 2026&lt;/strong&gt; — Legacy grouped recommendations are removed from the Azure portal. They now show as &amp;quot;Set for deprecation&amp;quot;; the individual recommendations that replace them are GA. Re-point any automation, exemptions, or workbooks that key off the old grouped recommendation IDs before the cutoff. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Defender for Cloud is now generally available inside the Microsoft Defender portal (5 May). Cloud posture management and threat protection sit alongside XDR in one console, with a unified cloud dashboard, a centralized cloud asset inventory enriched with risk and coverage data, and posture management (secure score, recommendations, attack paths, vulnerabilities) surfaced through Microsoft Security Exposure Management across Azure, AWS, and GCP. A risk-based Cloud secure score is available only in the Defender portal. For an analyst on shift this means cloud alerts and attack paths correlate against endpoint and identity signals in the same incident view instead of a separate Azure blade. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Individual recommendations for Defender for Cloud reached GA in the Azure portal (5 May), replacing the older grouped recommendation types with one finding per issue. Classic secure score is designed to stay functionally stable through the switch since each individual recommendation replaces its grouped equivalent, but in the Defender portal these granular findings now contribute to the risk-based Cloud secure score on their own context-aware merits. When you triage a posture gap, expect finer-grained, per-resource recommendations rather than a single rolled-up item. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Daily Cloud secure score is now an end-of-day snapshot rather than an average across the day (5 May), so a score value lines up with the posture at that point in time and is easier to correlate with a specific change. Microsoft recalculated historical values to match the new definition, so expect small differences when comparing trends across the transition. If you track secure score over time for reporting, this is a calculation change, not a real posture shift. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Conditional Access enforcement on Privileged Identity Management role activation reached general availability in Entra ID. Administrators can now require MFA or other Conditional Access controls at the moment a user activates a privileged role, so elevation is gated on fresh authentication signals instead of the session the user already holds. This closes a common gap where an eligible admin could activate a role from a stale or lower-assurance session. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-may-2026/4517884&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Scoped identity-response actions for SOC analysts entered public preview via an extended Entra Security Operator role. From the Microsoft Defender RBAC experience, an analyst can disable users, revoke sessions, mark users compromised, force password resets (including cloud-only accounts), and delete individual authentication methods — without holding broad Entra admin roles or escalating IAM during an incident. Permissions are scoped to non-admin users and a limited set of admin roles, which shortens containment while keeping least-privilege boundaries and an audit trail. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-may-2026/4517884&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Predictive shielding took proactive user containment to general availability, per the May Defender XDR roundup. The &amp;quot;contain user&amp;quot; action infuses activity data with exposure data to spot credentials that are exposed and at risk of being stolen and reused, then pre-emptively contains that user before the account is confirmed compromised — the identity equivalent of getting ahead of the attacker rather than reacting to a fired alert. Alongside it, the incident page&#39;s Activities tab now shows the live status of automatic attack disruption and predictive shielding actions for that incident, so an analyst can see exactly what the platform contained and when. For a SOC, this makes the automated containment auditable at a glance and gives you a clear place to review or reverse an action. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Microsoft Defender XDR — Monthly news May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;AI-agent visibility in advanced hunting expanded. The &lt;code&gt;AIAgentsInfo&lt;/code&gt; table gained more columns and now reaches beyond Copilot Studio to agents from Microsoft Foundry, third-party marketplace solutions, and custom line-of-business agents, and a new unified &lt;code&gt;AgentsInfo&lt;/code&gt; table entered preview to cover agent inventory and governance across Copilot Studio, Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents in one schema (&lt;code&gt;AIAgentsInfo&lt;/code&gt; stays available until 1 July 2026). As organizations start running coding agents and MCP-connected tools, this is the hunting surface for asking which agents exist, who owns them, and what they can touch — a blind spot most SOCs don&#39;t yet have coverage for. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Microsoft Defender XDR — Monthly news May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Defender for Containers sensor now installs via a direct Helm chart instead of the previous installation scripts (6 May), with environment-specific Helm commands for AKS, EKS, and GKE. It is a deployment-mechanics change rather than a detection change, but teams standing up or re-onboarding container sensors should use the updated commands. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra pushed phishing-resistant sign-in further into the default path. In the May updates, system-preferred authentication extended to the first factor in Microsoft-managed configurations (GA): the system now picks the highest-ranked registered method at each step, so a user with a passkey can be signed in without a password at all. In the same wave, passkey (FIDO2) support went GA in the Entra registration campaign, letting admins nudge users to enroll passkeys during sign-in, and the passkey policy got a dedicated 20-KB allocation with the per-tenant passkey-profile limit raised from 3 to 10. For a SOC, wider passkey coverage is the durable fix for the credential-theft and MFA-fatigue cases that fill the queue — worth tracking adoption as a leading indicator of fewer identity incidents. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra — What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft&#39;s May Entra roundup reiterated the move from Entra Connect Sync to the cloud-native Entra Cloud Sync as the primary hybrid identity synchronization solution. Starting July 2026, tenants will be notified of their assigned transition window through the Microsoft 365 Message Center, Entra Connect Health, and targeted email, with hybrid authentication experiences unchanged. In the same May updates, Entra Connect Sync also gained interactive admin authorization for configuration changes — enabling or disabling a sync feature, via the wizard or PowerShell, will now require a fresh authorized cloud-admin sign-in, closing a path where sync settings could be altered without a strong, attributable approval. Identity and SOC teams that depend on on-premises sync should watch the Message Center for their window and plan a readiness check. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-may-2026/4517884&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two small navigation and consolidation notes worth knowing for interns learning the portal. Defender Experts for XDR customers now get Defender Experts as its own entry in the Defender portal navigation rather than only a home-page status card — a minor change, but it makes the managed-service surface easier to find during an escalation. More broadly, the Defender for Cloud GA above is another step in the ongoing consolidation of Microsoft&#39;s security tooling into one console at security.microsoft.com; that migration has a hard edge worth remembering, since Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface. If you&#39;re learning the ropes now, learn them in the unified portal. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Microsoft Defender XDR — Monthly news May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the patch cadence, there was no Patch Tuesday in this window — May&#39;s release lands 12 May (covered in the next issue), and no out-of-band Microsoft advisory shipped between 5 and 11 May. The through-line across this week&#39;s releases is AI-agent security moving from concept to tooling: the &lt;code&gt;AgentsInfo&lt;/code&gt; hunting schema, predictive shielding acting on exposed credentials, and the Sentinel data-lake work landing later in the month all point at the same gap. If your org is beginning to run coding agents and MCP servers on endpoints and in M365, that is the coverage area to watch fill over the coming weeks. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Microsoft Defender XDR — Monthly news May 2026&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>April 27 – May 4, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-05-04-week/" />
    <updated>2026-05-04T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-05-04-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Microsoft Sentinel standardizes the account entity&#39;s Account Name to the UPN prefix only (&lt;code&gt;user&lt;/code&gt;, not &lt;code&gt;user@domain.com&lt;/code&gt;) for analytics rule alerts, and adds &lt;code&gt;UserPrincipalName&lt;/code&gt; and &lt;code&gt;UPNSuffix&lt;/code&gt; fields to &lt;code&gt;SecurityAlert&lt;/code&gt;. Audit any automation rules, Logic Apps playbooks, workbooks, or hunting queries that compare against a full UPN and switch strict equality to Contains / Starts with plus a separate &lt;code&gt;UPNSuffix&lt;/code&gt; check before the change lands. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Jun 2026&lt;/strong&gt; — Secure Boot 2023 certificates expire. Microsoft Secure Score now surfaces the &amp;quot;Ensure devices are updated to Secure Boot 2023 certificates and boot manager&amp;quot; recommendation so you can find endpoints that haven&#39;t transitioned; work the list before the expiration or affected devices lose Secure Boot trust. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Monthly news - May 2026&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Defender advanced hunting shipped a batch of scale and usability enhancements. The results ceiling rose from 30,000 to 100,000 records, a new records-limitation picker lets you cap rows from the editor toolbar (with your choice persisting across sessions), and queries that hit the 64 MB size limit now return partial results with a message bar instead of failing outright (GA). A new query-execution details side pane exposes timing, data sources, scopes, and error diagnostics for every run. For analysts moving hunts from Sentinel in the Azure portal into the Defender portal, these remove the mid-query dead ends that used to force a rewrite-and-rerun. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/microsoft-defender-new-advanced-hunting-enhancements/4514654&quot;&gt;Microsoft Defender: New Advanced hunting enhancements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Built-in alert tuning rules reached general availability. These are Microsoft-authored suppression rules that quiet common benign activity in Defender for Endpoint and Defender for Office 365 without disabling Automated Investigation and Response (AIR) or email notifications. It&#39;s a lower-effort way to cut queue noise than hand-building tuning rules, and because AIR still runs underneath, suppressed benign alerts don&#39;t blind your automation. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Monthly news - May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR now lets you see the status of automatic attack disruption and predictive shielding actions on an incident (preview). The Activities tab of the incident page shows what containment the platform already executed — disruption actions, and the predictive-shielding moves that harden the environment ahead of attacker progression — so an analyst picking up the incident can tell at a glance what has and hasn&#39;t been contained before deciding the next manual step. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Monthly news - May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel data lake cost policies now support hard enforcement (preview): you can set limits that block new KQL queries, jobs, and notebook sessions once a threshold is crossed, rather than only alerting after the spend. Anything already running finishes, and analysts get a clear message plus the option to lift guardrails temporarily. On a data-lake tenant this prevents a runaway hunt or heavy notebook from generating a surprise bill mid-investigation. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Curated OSINT reports now appear in Threat Analytics (preview) alongside Microsoft-authored reports. Each OSINT article ships with a summary and link to the original research, extracted IOCs, mapped MITRE ATT&amp;amp;CK techniques, and Microsoft enrichment where available. Having open-source intel land in the same Defender surface as first-party Threat Analytics cuts the context-switching when you&#39;re triaging a named campaign and want indicators to pivot on. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Sentinel MCP entity analyzer reached general availability. It returns explainable, out-of-the-box risk verdicts for URLs and user identities by reasoning over threat intelligence, prevalence, and organizational context, and it&#39;s reachable from AI agents via the Sentinel MCP server or from SOAR through Logic Apps. It also underpins the Defender Triage Agent&#39;s alert classifications. Note it bills on Security Compute Unit (SCU) consumption, so factor that in before wiring it into high-volume automation. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel added custom security graphs (preview): you can build tailored graphs across the data lake and third-party data to surface attack paths, blast radius, and hidden relationships, then work them in the Defender portal&#39;s graphs section under Microsoft Sentinel — running Graph Query Language (GQL) queries, viewing the schema, visualizing results, and traversing to the next hop with a click. These graphs also become a foundation for advanced investigations and AI agents. For a hunter chasing lateral movement, it&#39;s a way to model the relationships in your own environment instead of relying only on the predefined scenarios. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The advanced-hunting &lt;code&gt;AIAgentsInfo&lt;/code&gt; table gained additional columns (preview) that widen visibility into AI agents running in your Microsoft 365 environment. Coverage now extends beyond Copilot Studio to all agent types — Microsoft Foundry, third-party marketplace, and custom line-of-business agents — so you can inventory and hunt over agent activity from KQL. As autonomous agents start acting inside the tenant, this is where their identities and actions become queryable telemetry rather than a blind spot. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Monthly news - May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel added several data connectors: the CrowdStrike API connector (GA) pulls hosts, detections, incidents, alerts, and vulnerabilities from CrowdStrike; Imperva Cloud WAF and AWS Elastic Load Balancer logs (both preview) arrive via S3; and the Logstash output plugin was rebuilt in Java under the Secure Future Initiative, writing through the Logs Ingestion API with DCRs into either analytics tables or the data lake. For SOCs running mixed estates, these broaden what you can correlate against Microsoft signals without a custom pipeline. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Identity added custom account correlation rules (preview), letting you link accounts that belong to the same identity even when they share no strong identifier (SID, object ID, UPN) — for example privileged accounts with a distinct naming convention — by matching on UPN prefix, UPN suffix, domain UPN, or employee ID. Automatic Windows event-auditing for sensor v3.x also went GA, applying the required audit policy to new sensors and fixing misconfigured ones. Better account stitching means fewer fragmented identity timelines when you&#39;re chasing lateral movement across an admin&#39;s regular and privileged accounts. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---may-2026/4516764&quot;&gt;Monthly news - May 2026&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft&#39;s monthly &amp;quot;What&#39;s new in Microsoft Security&amp;quot; highlights post (30 Apr) called out Defender for Cloud&#39;s GitHub Advanced Security integration reaching GA, Purview Data Security Investigations, and the Agent 365 tooling gateway for AI-agent security — mostly DevSecOps and AI-governance angles, but worth a skim if your remit touches cloud posture or agent identities. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/30/whats-new-updated-or-recently-released-in-microsoft-security/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The April Sentinel roundup also carried a cluster of architecture-and-planning items worth a read before your next cost or migration conversation. Sentinel data federation (preview) lets you query data in Microsoft Fabric, Azure Data Lake Storage Gen2, and Azure Databricks directly — without ingesting it — then selectively pull in what matters; the AI-powered SIEM migration tool went GA for Splunk and QRadar moves; and a new cost estimation tool (preview) gives customers and partners meter-level, three-year Sentinel spend projections. None of these change the shift floor day to day, but they shape where your hunt data lives and what it costs to reach. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;What&#39;s new in Microsoft Sentinel: April 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;This is a month-boundary week with no Patch Tuesday of its own — April&#39;s updates landed on the 14th and May&#39;s arrive on the 12th — so the load here is the consolidated roundups rather than a fresh CVE batch. Note the direction of travel underneath most of the week&#39;s items: advanced hunting&#39;s new panes, custom graphs, entity analyzer, and the incident-timeline action status are all Defender-portal-first, and after 31 March 2027 Sentinel runs only in the Defender portal, so teams still working in the Azure portal should keep treating that migration as the baseline for where these capabilities will actually appear. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>April 20 – April 27, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-04-27-week/" />
    <updated>2026-04-27T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-04-27-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Jun 2026&lt;/strong&gt; — Windows Secure Boot 2011 certificates expire. Devices still trusting only the 2011 certificates keep booting but stop receiving new early-boot protections, weakening their root of trust over time. Use the new Defender Secure Boot 2023 certificate recommendation to identify exposed devices and drive the transition to the Windows UEFI CA 2023 certificate and updated boot manager before the deadline. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/MicrosoftDefenderATPBlog/assess-secure-boot-status-with-microsoft-defender/4510356&quot;&gt;Microsoft Defender for Endpoint Blog&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Defender added a Secure Boot 2023 certificate assessment (preview), a new Secure Score / Defender Vulnerability Management recommendation that gives centralized, at-scale visibility into which devices have transitioned to the Windows UEFI CA 2023 certificate and signed boot manager. It buckets devices into Exposed (still trusting only older certificates), Compliant (relying on the 2023 certificates), and Not applicable (Secure Boot disabled or unsupported), and lets you drill into exposed devices, filter by OS and device context, and export the list for infrastructure teams. With the 2011 certificates expiring in June 2026, this gives the SOC a concrete way to track remediation and flag boot-level trust gaps that attackers could otherwise exploit below the visibility of the OS. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/MicrosoftDefenderATPBlog/assess-secure-boot-status-with-microsoft-defender/4510356&quot;&gt;Microsoft Defender for Endpoint Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;In Microsoft&#39;s April 2026 Sentinel updates, row-level access using Microsoft Sentinel scoping (row-level RBAC) entered public preview. You can now restrict access to specific subsets of Sentinel data without splitting workspaces: administrators define logical scopes, tag data at ingestion time, and assign users or groups to scopes through Unified RBAC, all configured in the Microsoft Defender portal. For a SOC this is a cleaner way to let multiple teams — say, a regional analyst group or a partner MSSP — work inside one shared Sentinel environment while only seeing the rows they&#39;re entitled to, instead of maintaining separate workspaces just to enforce a data boundary. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also in the April Sentinel updates, filter and split data transformation reached public preview in the Defender portal. It lets you shape data before ingestion — dropping noisy or low-value events with filters and routing the rest between the analytics tier and the data lake tier — so you decide what gets analyzed at full cost versus what&#39;s simply retained cheaply for later hunting. Combined with the data-lake cost controls landing the same month, it gives the team a native lever to cut ingestion spend and queue noise without standing up an external pipeline. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra&#39;s April 2026 updates made Conditional Access reauthentication on every PIM activation generally available. You can now require a fresh Conditional Access check — for example an MFA prompt bound to an authentication context — each time a user activates an eligible privileged role, rather than relying on the session token they signed in with earlier. For a SOC this closes a real gap: an attacker who rides an existing session or a not-recently-reauthenticated token can no longer silently elevate into a privileged role, and each activation now leaves a clean, policy-enforced authentication event to hunt on. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra also changed how the Authentication Methods Policy audit logs are written starting in April 2026. The &lt;em&gt;Authentication Methods Policy Update&lt;/em&gt; and &lt;em&gt;Reset&lt;/em&gt; activities previously dumped the entire policy payload into both the old-value and new-value fields on every change; they now surface only the properties that actually changed, with their before/after values. If your detections or hunting queries watch for tampering with authentication-method policy — a favored persistence and MFA-weakening move — this makes the signal far easier to parse, but it also means any rule that assumed the full-payload shape needs revisiting so it still fires on the trimmed entries. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Microsoft Entra Agent ID platform reached general availability in the same April wave, providing an identity and authorization framework built specifically for AI agents — agent identities with enterprise-grade authentication, authorization, and governance over standard protocols (OAuth 2.0, MCP, A2A). It&#39;s more of a platform/governance milestone than a shift-floor change, but as teams stand up autonomous agents it means those agents get first-class, auditable identities you can scope and monitor rather than shared secrets or borrowed user accounts — worth knowing about before agent activity starts showing up in your identity telemetry. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence published detection strategies against North Korea-aligned IT workers (tracked as Jasper Sleet), who use stolen or fabricated identities and AI-assisted deception to get hired into remote technical roles for revenue generation and, in some cases, data theft or extortion. The guidance walks the early job-discovery phase — actors surveying external career sites and hiring portals, often those fronted by HR SaaS like Workday, and using generative AI to tailor applications — and shows how to hunt the activity across Microsoft Defender XDR using identity and cloud signals plus Workday event logs. For SOC analysts this is a practical hunting playbook for an insider-adjacent threat that mostly lives in identity and HR/SaaS telemetry rather than endpoint alerts. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;In a strategy post on AI-powered defense for an AI-accelerated threat landscape, Microsoft outlined folding frontier AI models into its Security Development Lifecycle and vulnerability discovery, with Defender detections intended to ship alongside the corresponding fixes for AI-discovered vulnerabilities and a multi-model scanning harness slated for preview in June 2026. The concrete takeaway for a shift is unchanged fundamentals: as AI compresses the time from disclosure to exploitation, patch latency and exposure reduction matter more, so keep MDE vulnerability management and exposure recommendations current. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/22/ai-powered-defense-for-an-ai-accelerated-threat-landscape/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;This is the last full week of April, before the consolidated monthly roundups land. The dated &amp;quot;What&#39;s new in Microsoft Sentinel: April 2026&amp;quot; recap and the Defender Monthly news post publish at the turn of the month, so their headline items — curated OSINT in Threat Analytics, data-lake cost enforcement, the CrowdStrike connector, built-in alert-tuning GA — fall into next week&#39;s brief rather than this one; the items above are the April changes already visible in the Microsoft Learn what&#39;s-new pages. April&#39;s Patch Tuesday analysis (14 April, including the actively-exploited SharePoint spoofing flaw CVE-2026-32201) was covered in the prior brief, so this week carries no new Microsoft security-update load. A standing reminder still worth rehearsing: after 31 March 2027 Microsoft Sentinel runs only in the Microsoft Defender portal, and the April features above — row-level scoping, filter/split, and Sentinel&#39;s own graph work — are all Defender-portal-first, so teams still operating in the Azure portal should treat that as the direction of travel. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>April 13 – April 20, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-04-20-week/" />
    <updated>2026-04-20T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-04-20-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Microsoft Sentinel is changing how the Account Name field is populated for analytics-rule alerts: it will now consistently be the UPN prefix (the part before the &lt;code&gt;@&lt;/code&gt;) rather than the full UPN. If any of your automation rules or Logic Apps compare &lt;code&gt;Account Name&lt;/code&gt; against a full UPN with strict equality, they will silently stop matching. Repoint them before 1 July 2026 — split the comparison into UPN-prefix and UPN-suffix checks, and prefer Contains / Starts with over exact equality so the logic survives both before and after the change. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Sentinel data federation entered public preview, letting you query data in Microsoft Fabric, Azure Data Lake Storage (ADLS) Gen2, and Azure Databricks directly from Sentinel without copying or ingesting it. You can hunt across federated and native Sentinel data in one experience using the usual tools — KQL, notebooks, and custom graphs — then selectively ingest only what warrants full detections and automation. Federation adds no ingestion or storage fees; you are billed only when you run analytics or queries against the federated data, on the data lake compute and analytics meters. For a SOC, this widens hunting reach across data that previously sat outside Sentinel without paying to duplicate it first. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/microsoft-sentinel-data-federation-expand-visibility-while-preserving-governance/4511258&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Cost-limit enforcement for the Microsoft Sentinel data lake shipped on 15 April, turning the data-lake cost policies from alert-only into hard guardrails. You can now set thresholds that actually block new KQL queries, jobs, and notebook sessions once a limit is hit, across two capability categories — Data Lake Query (interactive KQL queries and KQL jobs) and Advanced Data Insights (notebook runs and jobs). Work already running finishes normally, the analyst gets a clear message explaining what happened, and a SOC manager can lift the guardrail temporarily, adjust the threshold, or disable enforcement on the fly from Cost management &amp;gt; Configure Policies in the Defender portal. This is the safety net that makes it realistic to let junior analysts hunt at scale over the data lake without fear of a runaway query racking up surprise compute spend. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/enforce-cost-limits-on-kql-queries-and-notebooks-in-the-microsoft-sentinel-data-/4511329&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Curated open-source intelligence (OSINT) arrived in Threat Analytics, announced in the April Sentinel update. Alongside Microsoft-authored Threat Analytics reports, you can now consume curated OSINT articles in the same place, so analysts don&#39;t have to switch tools to pull in external reporting on an active threat. The same update lands new first-party data connectors — a CrowdStrike API connector (pulling hosts, detections, incidents, alerts, and vulnerabilities) and an Imperva Cloud WAF connector (web-application traffic and threats, ingested via AWS S3) — plus AWS and Logstash connectors, giving broader out-of-the-box coverage for mixed estates. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Entity analyzer in the Sentinel MCP data-exploration tool reached public preview this month, giving out-of-the-box, explainable entity risk assessments for URLs and identities built from threat intelligence, prevalence, and your own organizational context. Instead of a bare reputation score, analysts get the reasoning behind the verdict, which is easier to act on and to learn from during triage. Note the billing change that came with it: as of 1 April 2026 you&#39;re charged the Security Compute Units (SCUs) consumed when running the entity analyzer, so factor that into the data-lake cost policies above. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Storage integration in Azure Storage Center reached general availability on 20 April, surfacing threat-protection and security-posture coverage next to your storage resources in the native storage management experience. Storage Center now gives a storage-native view of which accounts are protected, partly protected, or unprotected, where malware scanning, activity monitoring, and sensitive-data discovery are enabled, and where gaps exist across Azure Blob and Azure Files. It is a posture-at-scale view rather than a new detection, but it makes it faster to spot an unprotected storage account before it becomes an incident. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Built-in alert-tuning rules reached general availability in Defender XDR. These rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 out of the box, and — importantly — they do so without affecting Automated Investigation and Response (AIR) or email notifications. For a SOC drowning in known-benign noise, this trims the queue without the risk of hand-built suppression rules quietly swallowing something AIR should still act on. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR can now show the live status of automatic attack disruption and predictive-shielding actions on an incident (preview), in a new Activities tab on the incident page. It covers the Contain user, GPO hardening, and Safeboot hardening response actions, so during a fast-moving incident an analyst can see exactly which automated containment steps fired, on which entities, and whether they&#39;re still in effect — rather than inferring it from scattered signals. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 added a least-privilege RBAC permission for alert-linked email. A new granular Unified RBAC permission — Email &amp;amp; collaboration content: Emails associated with alerts (read) — lets analysts preview or download the specific messages tied to a security alert without granting the much broader &amp;quot;read all email&amp;quot; permission. That&#39;s a clean way to give tier-1 responders exactly the mailbox visibility an investigation needs and nothing more. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra ID Governance gained account discovery for connected applications (public preview). It generates discovery reports directly from the provisioning experience that surface all accounts existing in a connected app — including orphan accounts not assigned to the enterprise application in Entra. For a SOC, orphaned and unmanaged app accounts are exactly the stale-identity blind spots attackers reuse, so having a first-party way to enumerate them is useful attack-surface reduction. It requires an Entra ID Governance or Entra Suite license. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;April Patch Tuesday landed on 14 April 2026, a heavy release of roughly 163 CVEs with eight rated Critical. Two matter most on a Microsoft estate: CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability that is being actively exploited in the wild by unauthenticated attackers, and CVE-2026-33825, a Microsoft Defender Antimalware Platform elevation-of-privilege bug (tracked publicly as &amp;quot;BlueHammer&amp;quot;) that was disclosed with proof-of-concept code before a fix shipped. Also notable are Critical RCEs across Windows TCP/IP, Windows Active Directory, the Windows Internet Key Exchange (IKE) service, Microsoft Word/Office, and the Remote Desktop client. Prioritize the SharePoint patch on internet-facing farms and confirm the Defender platform update rolled out through MDE, then watch endpoint patch compliance in vulnerability management. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Apr&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Threat Intelligence published &amp;quot;Dissecting Sapphire Sleet&#39;s macOS intrusion from lure to compromise&amp;quot; on 16 April, detailing a campaign by the North Korean state actor Sapphire Sleet that leans on new macOS-focused execution patterns. The chain is familiar in shape but Mac-native in detail: social engineering leads a target to run something themselves (user-initiated execution), after which the actor establishes persistence, harvests credentials, and exfiltrates data. The practical reminder for a mixed-fleet SOC is that Macs are first-class targets for well-resourced nation-state crews, so endpoint coverage, phishing-resistant MFA, and hunting for user-initiated execution should extend to macOS, not just Windows. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the hardening side, Defender for Endpoint added a new Microsoft Secure Score recommendation this month — &amp;quot;Ensure devices are updated to Secure Boot 2023 certificates and boot manager&amp;quot; (preview) — that flags devices still on the older Secure Boot certificates ahead of their June 2026 expiration. Devices that don&#39;t transition may stop receiving new early-boot security protections once the certificates lapse, so this is worth treating as a real deadline: use the recommendation for centralized visibility into rollout status, prioritize remediation on devices lagging behind, and track progress at scale before the June cutover. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>April 6 – April 13, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-04-13-week/" />
    <updated>2026-04-13T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-04-13-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;15 Jun 2026&lt;/strong&gt; — Older Microsoft Sentinel repositories (content-as-code) API versions stop being supported. If you deploy analytics rules, hunting queries, or automation to Sentinel through a Git-connected repository, move the repository connection / deployment pipeline to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview before this date, or Source Control API calls on the retired versions will fail. Existing connections keep operating; only API calls on the old versions break. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Sentinel is standardizing the account entity&#39;s Account Name for analytics-rule alerts: when a full UPN (&lt;code&gt;user@domain.com&lt;/code&gt;) is mapped to Account Name, the value will always be the UPN prefix only (&lt;code&gt;user&lt;/code&gt;), and new &lt;code&gt;UserPrincipalName&lt;/code&gt; / &lt;code&gt;UPNSuffix&lt;/code&gt; fields are added to the &lt;code&gt;SecurityAlert&lt;/code&gt; table. Automation rules or Logic Apps playbooks that do a strict equality check against the full UPN will break. Replace equality checks with Contains / Starts with on the prefix plus a separate &lt;code&gt;UPNSuffix&lt;/code&gt; comparison before this date. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-changing-the-account-name-entity-mapping-in-microsoft-sentinel/4489040&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;1 Jun 2026&lt;/strong&gt; — Microsoft Entra ID will block Connect Sync / Cloud Sync from hard-matching a new Active Directory user object to an existing cloud-managed Entra user that holds Entra roles. This closes a Source-of-Authority takeover path where a synced on-prem object could seize control of a privileged cloud account. If you run hybrid sync, confirm no privileged cloud accounts depend on hard-match behavior before the enforcement date. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft posted its Defender monthly roundup for 7 April 2026, consolidating the changes that shipped across March and the RSAC 2026 wave. The items worth an intern&#39;s attention are mostly things you can use on shift now: proactive user containment (contain user) reached GA as part of predictive shielding — it correlates activity data with exposure data to spot exposed credentials at risk of reuse and lets you contain the user before the account spreads; library management for live response went GA, giving a central place to manage the scripts and files you push during a live-response session; a chat experience for Security Copilot inside the Defender portal entered preview, so you can hold an ongoing, two-way conversation across an incident&#39;s alerts, identities, devices, and IPs instead of firing one-shot prompts; and agentic triage expanded to identity and cloud alerts, so the Security Alert Triage Agent now autonomously works phishing, identity, and cloud alerts in one place. The roundup also flags two new advanced-hunting tables in preview — &lt;code&gt;CloudDnsEvents&lt;/code&gt; (cloud DNS activity) and &lt;code&gt;CloudPolicyEnforcementEvents&lt;/code&gt; (cloud security-gating decisions) — that are useful when a hunt crosses into Defender for Cloud territory. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---april-2026/4508050&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Built-in alert tuning rules reached general availability in Defender XDR. These first-party tuning rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 without touching Automated Investigation and Response (AIR) investigations or email notifications — so the noise drops out of the queue but the underlying automation and audit trail stay intact. For an analyst drowning in known-good detections, this is queue hygiene you get without hand-writing suppression logic. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR added an action-status view for automatic attack disruption and predictive shielding (preview): the incident page&#39;s Activities tab now shows the current status of the automated containment actions taken on that incident. When disruption isolates a device or contains a user mid-attack, you no longer have to reconstruct what the platform did — the tab tells you which actions fired and where they stand, which matters when you&#39;re deciding whether to release a containment or escalate. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel added native filter and split data transformation (preview) in the Defender portal. You can now drop noise before ingestion and route data between the analytics and data-lake tiers — keeping high-value telemetry hot for detections while sending bulk or low-signal logs to cheaper data-lake retention. For a SOC watching ingestion cost, this is a lever to cut spend without losing the data outright, applied at the pipeline instead of after the bill lands. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel scoping (row-level RBAC) entered public preview, letting you control access to specific subsets of Sentinel data without splitting into separate workspaces. Administrators define logical scopes, tag data at ingestion time, and assign users or groups to scopes through Unified RBAC, so multiple teams — or multiple tenants under an MSSP — can work inside one shared Sentinel environment while each sees only its slice. It&#39;s configured in the Defender portal and removes a common reason teams used to stand up extra workspaces just for data isolation. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;AI-agent governance picked up surface on both sides of the stack. On the identity side, the Microsoft Entra Agent ID platform reached GA — an identity and authorization framework purpose-built for AI agents in the enterprise, so agents get first-class identities with real authentication, authorization, and governance over OAuth 2.0, MCP, and A2A rather than borrowing a service account. On the hunting side, the Defender &lt;code&gt;AIAgentsInfo&lt;/code&gt; advanced-hunting table gained additional columns (preview) that extend visibility beyond Copilot Studio to all agent types, including Microsoft Foundry, third-party marketplace, and custom line-of-business agents. Together they mean the AI agents running in your tenant are becoming inventoried, queryable assets instead of a blind spot. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;) (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel also shipped a VS Code connector builder agent (preview) — an AI-powered, low-code helper that builds Sentinel data connectors in minutes instead of hand-authoring the connector definition. For detection engineers, it lowers the effort to bring a new data source online, which is usually the slow step before any new coverage can be written against it. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence published &amp;quot;Investigating Storm-2755: &#39;Payroll pirate&#39; attacks targeting Canadian employees&amp;quot; on 9 April. The financially motivated actor uses malvertising and search-poisoning to land victims on a fake Microsoft 365 login, then runs an adversary-in-the-middle (AiTM) proxy to capture the session cookie and OAuth token — bypassing legacy MFA that was never designed to be phishing-resistant. What makes this one instructive for a SOC is the post-compromise tradecraft: the group replays the stolen token roughly every 30 minutes using the Axios HTTP client (1.7.9) as the user-agent, refreshes tokens around 5:00 AM local time to dodge business-hours eyes, searches mailboxes for &amp;quot;payroll&amp;quot;/&amp;quot;finance&amp;quot;/&amp;quot;admin,&amp;quot; and plants inbox rules that auto-hide &amp;quot;direct deposit&amp;quot; and &amp;quot;bank&amp;quot; emails so the victim never sees the change-of-deposit request. The defensive takeaways map straight to detections you can build: hunt for anomalous user-agents like Axios in sign-in logs, alert on inbox rules that hide payroll keywords, deploy phishing-resistant MFA (FIDO2/WebAuthn) and Continuous Access Evaluation to kill replayed tokens fast. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The April Defender roundup also notes a Secure Score category recalculation: some recommendations previously counted as Cloud apps are now treated as Identity recommendations. The total Secure Score is unchanged, but individual Identity and Cloud-apps sub-scores will shift — so if a dashboard or a scheduled score-trend report moves this month, it&#39;s the reclassification, not a real posture change. Worth a heads-up to anyone who tracks Secure Score deltas. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---april-2026/4508050&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the hybrid-identity front, the April Entra release notes open the transition from Entra Connect Sync to the cloud-native Entra Cloud Sync. Nothing forces action this week — customer-specific transition windows won&#39;t be announced until July 2026 (via Message Center, Connect Health, and email), and early waves target tenants whose sync needs Cloud Sync already fully covers. But it&#39;s the direction of travel: if you still run on-prem Connect Sync, this is the cue to start reviewing your configuration against Cloud Sync&#39;s capabilities so you&#39;re in the &amp;quot;straightforward&amp;quot; bucket rather than the deferred one. It sits alongside the broader Defender-portal consolidation push, with Sentinel in the Azure portal retiring after 31 March 2027. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>March 30 – April 6, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-04-06-week/" />
    <updated>2026-04-06T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-04-06-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Apr 2026&lt;/strong&gt; — Microsoft Sentinel begins charging Security Compute Units (SCUs) for the entity analyzer tool in the Sentinel MCP data-exploration collection. If your team picked up entity analyzer for out-of-the-box URL and identity risk assessments after its RSAC-week GA, those runs now draw down SCUs; review MCP usage so agent-driven queries don&#39;t surprise your Sentinel bill. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Apr 2026&lt;/strong&gt; — In Azure Government (Fairfax), Defender for Cloud announced an enhanced agent for the Defender for SQL Server on machines plan that uses existing SQL infrastructure instead of the Azure Monitor Agent (AMA). If you enabled this plan before April 2026, update the plan configuration; protection-status verification for your SQL instances is expected to start around May 2026. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;13 Apr 2026&lt;/strong&gt; — Defender for Cloud deprecates the preview grouped container vulnerability recommendations (the &amp;quot;Containers running in Azure/AWS/GCP should have vulnerability findings resolved&amp;quot; set and their registry equivalents), replacing them with per-finding individual recommendations. If any governance rules, exemptions, workbooks, or automation query the old grouped recommendation keys, migrate them to the individual-recommendation format and &lt;code&gt;securityresources&lt;/code&gt; KQL now, before the keys disappear. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Flagged in the April 2026 Sentinel updates: Microsoft is standardizing the Account Name entity value for analytics-rule alerts so a mapped full UPN is always the prefix only (&lt;code&gt;user&lt;/code&gt;), with new &lt;code&gt;UserPrincipalName&lt;/code&gt;, &lt;code&gt;UPNSuffix&lt;/code&gt;, and prefix fields added to &lt;code&gt;SecurityAlert&lt;/code&gt;. Any automation rule or Logic Apps playbook that does strict equality on the full UPN will break; switch to &lt;em&gt;Starts with&lt;/em&gt; / &lt;em&gt;Contains&lt;/em&gt; on the prefix and match the suffix separately before the July cutover. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Defender for Cloud made automated malware remediation in Defender for Storage generally available on 31 March. When on-upload or on-demand scanning flags a malicious blob, Defender for Cloud can now automatically soft-delete it — the blob is quarantined but recoverable for investigation — and you toggle the behavior per subscription or per storage account in the portal or via API. For a SOC, this shortens the window between detection and containment for storage-borne malware without a custom playbook, though the soft-delete-and-recover model means you still want a process for triaging quarantined blobs. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also on 31 March, Defender for APIs and API security posture management (Defender CSPM) expanded to 15 additional Azure regions, including Sweden Central, the two Germany regions, Italy North, France Central/South, both Norway and Switzerland regions, the two Korea regions, and South Africa North/West. Teams with Azure API Management, Function Apps, or Logic Apps in those regions can now get API discovery and posture coverage that was previously unavailable there; the capability remains in preview. If you deferred onboarding APIs because your region wasn&#39;t supported, re-check. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud brought container security capabilities to general availability in the Azure Government cloud on 1 April. The Defender for Containers plan in Fairfax now matches the commercial offering: agentless Kubernetes discovery, inventory, attack path analysis, risk hunting, vulnerability assessment, compliance, and runtime protection. For SOC teams supporting U.S. federal or DoD tenants, this closes the feature gap that previously left government Kubernetes estates with thinner coverage than commercial ones. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also on 1 April, Defender for Cloud posted an update to the Defender for SQL Server on machines plan for Fairfax customers, with an enhanced agent rolling out at the end of April. The new solution drops the AMA dependency and rides the existing SQL infrastructure, simplifying onboarding and coverage. The practical impact is operational: government-cloud teams running this plan need to update configuration and re-verify SQL instance protection rather than assume coverage carries over unchanged (see Act by). (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;This window sits in the lull after RSAC 2026. The large Sentinel and Defender announcement wave — entity analyzer and AI-powered SIEM migration GA, data federation, custom security graphs, row-level scoping, and the rest — was published in the What&#39;s new in Microsoft Sentinel: RSAC 2026 post on 20 March, which lands in the prior week rather than this one, and the consolidated Monthly news – April 2026 roundup (built-in alert tuning GA, attack-disruption activity tracking, and the month&#39;s Defender/Entra/MDO changes) posts on 7 April, so it belongs to next week&#39;s brief. Only Defender for Cloud shipped dated, in-window product changes this week. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The week&#39;s most SOC-actionable item is threat research: on 6 April the Microsoft Defender Security Research team detailed an AI-enabled device code phishing campaign. Attackers stood up automation (on platforms such as Railway.com) to mint OAuth device codes on demand so the code was still valid when a victim clicked the hyper-personalized, AI-generated lure, then harvested access tokens to exfiltrate mail and plant malicious inbox rules against finance and executive targets. The write-up ships concrete detections: for Defender, enable Safe Links and watch the high-confidence device-code alerts; for Sentinel, apply the TI Mapping analytics and hunt for suspicious inbox-rule creation and &amp;quot;suspicious email items accessed,&amp;quot; and correlate URL clicks with risky sign-ins carrying error code 50199. Device code phishing remains a favored MFA-bypass path, so these queries are worth landing in your workspace regardless of whether you have current indicators. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two forward-looking notes for planning. April&#39;s Patch Tuesday falls on 14 April, just outside this window — expect the Microsoft security-update analysis in next week&#39;s brief rather than here. And a longer-horizon reminder that reappears in the Sentinel what&#39;s-new: after 31 March 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will run only in the Microsoft Defender portal. That&#39;s a year out, but if your team still builds and operates in the Azure portal, the RSAC-era features landing Defender-portal-first (custom graphs, scoping, entity analyzer) are the direction of travel to start rehearsing now. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>March 23 – March 30, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-03-30-week/" />
    <updated>2026-03-30T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-03-30-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Apr 2026&lt;/strong&gt; — Custom Sentinel graph API usage (creating and querying graphs) starts billing on the Sentinel graph meter, and GDAP plus unified and row-level RBAC for Sentinel enter public preview the same day. The MCP entity analyzer also begins charging Security Compute Units from this date. If your team scripts graph creation or queries through the custom Graph API, or calls entity analyzer from playbooks, expect metered cost from 1 April; note that federated-data analytics is only billed when you actually run queries, not when data is federated. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft published detection, investigation, and hunting guidance for the Trivy supply-chain compromise on 24 March. Attackers (tracked as TeamPCP) force-pushed malicious commits onto existing tags of the Trivy scanner and its &lt;code&gt;trivy-action&lt;/code&gt; and &lt;code&gt;setup-trivy&lt;/code&gt; GitHub Actions, then pushed an infected binary to official channels — the campaign later extended to Bitwarden CLI, Checkmarx KICS, and LiteLLM. The malware kept each tool working while stealing cloud credentials (AWS, GCP, Azure), Kubernetes secrets, CI/CD tokens, and SSH keys, encrypting them into &lt;code&gt;tpcp.tar.gz&lt;/code&gt; archives and exfiltrating to typosquatted C2 domains such as &lt;code&gt;scan.aquasecurtiy[.]org&lt;/code&gt;. Microsoft maps coverage to Defender for Endpoint (entry-point stealers, suspicious &lt;code&gt;curl&lt;/code&gt; and credential access), Defender for Cloud (metadata-service access and secret reconnaissance), and Defender for Identity (C2 DNS lookups), and ships advanced-hunting queries over &lt;code&gt;CloudProcessEvents&lt;/code&gt; and &lt;code&gt;DeviceProcessEvents&lt;/code&gt; plus IOC lists. For any SOC whose developers run Trivy in pipelines, this is an immediate hunt: check ingested versions, rotate exposed CI/CD secrets, and pin Actions to commit SHAs rather than mutable tags. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft used RSAC 2026 to consolidate identity into a single security surface, headlined by a new identity security dashboard and a unified identity risk score in Microsoft Defender, detailed in a 25 March post. The dashboard shows where identity risk concentrates across human and non-human identities, account types, and providers, while the risk score correlates identity behavior, access risk, and threat signals into one 0–100 value that can drive risk-based Conditional Access. Coverage now extends to non-human identities and third-party platforms including SailPoint and CyberArk, and a new coverage-and-maturity view scores your posture and prioritizes gaps. For a SOC, this is the practical payoff of the &amp;quot;identity is the new attack surface&amp;quot; message — a single place to see blast radius and act, though these previews are rolling out gradually and may not be in your tenant yet. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The same identity wave added adaptive risk remediation to Microsoft Entra ID Protection and extended the Security Copilot triage agent to identity. Adaptive remediation tailors the self-service recovery path to the type of threat and the credentials involved, letting risked users regain access with less help-desk dependence; the identity triage agent filters signal overload, surfaces high-confidence identity alerts, and explains why they matter to guide analyst response. Both are aimed squarely at cutting the manual toil and alert fatigue that identity investigations generate on shift. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Expanded multicloud posture coverage for AWS and GCP entered preview in Microsoft Defender for Cloud on 29 March, adding asset discovery and roughly 150 new recommendations across compute, databases, storage, networking, identity, secrets, DevOps, and AI/ML resource types. For Microsoft-stack SOCs that already run Defender for Cloud as their CSPM, this widens what shows up in the asset inventory for non-Azure estates; be aware that compliance results may shift as the new recommendations evaluate, and preview recommendations do not affect Secure Score. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;AI model security for Azure Machine Learning entered public preview in Microsoft Defender for Cloud on 30 March. It discovers custom AI models across Azure ML registries and workspaces, scans supported model artifacts for malware and unsafe operators, and surfaces findings in Defender for Cloud, with a CLI option for CI/CD pipelines. As teams start hosting home-grown models, this gives the SOC a way to catch a poisoned or trojanized model artifact before it ships to production rather than after it runs. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender&#39;s March updates recategorized some Secure Score recommendations from Cloud apps to Identity. Several recommendations previously counted under the Cloud apps category are now treated as identity-related and grouped under Identity; the total Secure Score is unchanged, but individual identity and app subscores may move. It is a small change with a practical footprint — if you track Secure Score category trends for reporting, expect a one-time step in the Identity and Apps lines that reflects the reclassification, not a real posture change. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Defender XDR what&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Advanced hunting gained two new cloud tables in preview in the March Defender XDR updates: &lt;code&gt;CloudDnsEvents&lt;/code&gt; (DNS activity from cloud infrastructure) and &lt;code&gt;CloudPolicyEnforcementEvents&lt;/code&gt; (policy-enforcement and security-gating decisions across cloud platforms protected by Defender for Cloud). Paired with the broader AWS/GCP coverage above, these give threat hunters queryable cloud DNS and enforcement telemetry alongside the existing &lt;code&gt;CloudProcessEvents&lt;/code&gt; and &lt;code&gt;CloudAuditEvents&lt;/code&gt; tables — useful for the same supply-chain and credential-theft hunts the Trivy guidance calls for. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Defender XDR what&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;RSAC 2026 ran the week before this window — Microsoft&#39;s Pre-Day was Sunday 22 March, with the conference through mid-week — and most of the headline Sentinel, Defender, and Entra roundups published on 19–20 March. The through-line that carried into this post-conference week was identity: the Defender identity security dashboard, unified risk score, coverage-and-maturity view, and non-human identity inventory all appear as March previews on the Defender XDR what&#39;s-new page, so expect Secure Score and identity views to keep moving as these light up in your tenant. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Defender XDR what&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Trivy compromise is the visible edge of a wider CI/CD supply-chain wave — the same actor&#39;s tooling reached Bitwarden CLI, Checkmarx KICS, and LiteLLM by reusing access from an earlier, incompletely remediated incident. The durable lesson for a Microsoft-stack SOC is less about any one package and more about the pattern: build pipelines hold long-lived cloud and registry credentials, and a trusted scanner running with those credentials is an ideal theft vector. Treat developer and CI/CD identities as tier-0, pin third-party Actions to commit SHAs, scope pipeline tokens to least privilege, and make &amp;quot;which build agents ran this package, and what secrets could they see&amp;quot; a standing hunt rather than an incident-only question. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the platform side, Microsoft Sentinel repositories reached general availability this month, letting you manage analytics and custom content as code from GitHub or Azure DevOps — the detection-as-code path that pairs naturally with the supply-chain hygiene above. Two dates are worth putting on the calendar now: Sentinel&#39;s Account Name entity mapping changes on 1 July 2026 (Account Name becomes the UPN prefix only, with new &lt;code&gt;UserPrincipalName&lt;/code&gt;/&lt;code&gt;UPNSuffix&lt;/code&gt; fields), which can break automation rules and Logic Apps that compare against the full UPN; and Microsoft Sentinel in the Azure portal retires on 31 March 2027, so any workspace still driven from the Azure portal should be planning its move to the Defender portal. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Sentinel what&#39;s new&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>March 16 – March 23, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-03-23-week/" />
    <updated>2026-03-23T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-03-23-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Defender for Identity announced a batch of new detections at RSAC. A new Event Tracing for Windows (ETW) Kerberos sensor on domain controllers lets MDI inspect ticket details while a ticket is in use without decrypting it, and the first detection built on it — &amp;quot;Possible golden ticket attack (suspicious ticket)&amp;quot; — is generally available. Microsoft also added detections for post-breach attacks on Entra ID as a platform: four for anomalies against the Entra ID sync application in hybrid environments, two for suspicious device registration or join across Entra and Intune, and one for the in-the-wild &amp;quot;ConsentFix&amp;quot; OAuth authorization-flow abuse. For analysts, these close visibility gaps on the exact forged-ticket and hybrid-identity techniques attackers use to pivot from on-prem to cloud. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/redefining-identity-security-for-the-modern-enterprise/4503129&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender now calculates a unified identity risk score that aggregates signals across all linked human and non-human accounts into a single score per identity, surfaced in a new identity security dashboard alongside a non-human identity inventory and account correlation across SaaS and cloud. Crucially, Entra ID customers can consume this aggregated risk directly inside risk-based Conditional Access policies, so a compromise signal seen in the SOC can immediately tighten access at sign-in. New integrations with SailPoint and CyberArk extend coverage to PAM and identity-governance sources. This gives identity and SOC teams one shared risk signal instead of reconciling separate alert streams. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/redefining-identity-security-for-the-modern-enterprise/4503129&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft extended Security Copilot&#39;s Security Alert Triage Agent to identity and cloud alerts (public preview), so it autonomously triages high-volume identity alerts — password spray, BEC-related suspicious inbox rules, and accounts likely compromised after a password spray — and returns explainable verdicts. Predictive shielding, the just-in-time hardening in automatic attack disruption, now covers identity attacks with RemoteOps hardening (restricting high-risk RPC-based remote admin operations) and Remote Registry hardening, applied only to the specific at-risk assets rather than tenant-wide. Microsoft also announced a Security Analyst Agent that runs deep, multi-step investigations across Defender and Sentinel telemetry, and a Security Copilot chat experience coming to the Defender portal. For a stretched SOC this pushes first-pass identity triage and containment toward machine speed. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/rsa-2026-what%E2%80%99s-new-in-microsoft-defender/4503046&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender extended collaboration protection beyond email to voice-based social engineering in Microsoft Teams. New Teams calling protection surfaces suspicious and malicious calls, delivers real-time in-call warnings when a caller appears to impersonate a trusted contact, and lets SOC teams investigate and correlate call activity using Advanced Hunting. With vishing and help-desk impersonation now a common intrusion vector, this gives analysts a hunting surface for a channel that was previously a blind spot. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/rsa-2026-what%E2%80%99s-new-in-microsoft-defender/4503046&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel added ingest-time data filtering and splitting directly in the Defender portal (public preview, rolling out March 30). Analysts can write simple KQL transformations in the UI to drop low-value events before they land and to route data between the analytics tier and the cheaper data lake tier, without hand-editing Data Collection Rule JSON. This is a practical lever for cutting ingestion noise and cost while keeping high-signal data in the analytics tier where detections run. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel is rolling out GDAP, unified RBAC, and row-level RBAC within tables (public preview from April 1). Granular Delegated Admin Privileges let MSSPs and multi-tenant operators manage governed tenants from a primary account; unified RBAC brings analytics-tier and data-lake permissions under one model in the Defender portal; and row-level RBAC scopes access to specific rows in a shared table so multiple SOC teams can query only the data they are authorized to see without splitting workspaces. For shared-SOC and MSSP setups this reduces the permission sprawl that tends to end in over-broad access. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s MCP entity analyzer reaches general availability (April 1), returning explainable, multi-signal risk verdicts for a URL or user identity across threat intelligence, prevalence, and organizational context — consumable by AI agents through the Sentinel MCP server or by SOAR through Logic Apps, and used as the foundation for the Defender Triage Agent. A separate custom Claude MCP connector (public preview April 1) lets Anthropic Claude query a Sentinel MCP server to summarize incidents and reason over signals while data stays inside Microsoft&#39;s security boundary. Note both meter usage — entity analyzer bills on Security Compute Units from April 1. For analysts, entity analyzer is a ready-made enrichment call instead of hand-built reputation logic. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra Internet Access made Shadow AI detection and prompt injection protection generally available. Shadow AI detection complements Defender for Cloud Apps to discover unsanctioned AI applications, track usage, and enforce Conditional Access to allow or block them; prompt injection protection blocks malicious AI prompts inline. Entra also brought adaptive risk remediation to GA (April 2026) for self-service account recovery, and previewed Backup and Recovery and Tenant Governance for identity resilience across multi-tenant estates. As employees adopt AI tools faster than governance keeps up, this gives the SOC discovery and blocking for a growing unsanctioned-app surface. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-innovations-announced-at-rsac-2026/4502146&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Nearly all of the above landed as RSAC 2026 announcements on 20 March, during a conference week that opened with Microsoft&#39;s Pre-Day on Sunday 22 March and a main-stage keynote from CVP Vasu Jakkal on Monday 23 March. Many items are announcements with staggered rollout dates across April and May 2026, so track the per-feature preview and GA dates rather than assuming everything is live now. Also worth noting: the Microsoft Security Store is now embedded directly inside Entra and Purview (GA around 23–31 March), surfacing partner identity and data-security agents in-portal — useful context when a team evaluates third-party Copilot agents alongside first-party tooling. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-rsac-2026/4503971&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>March 9 – March 16, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-03-16-week/" />
    <updated>2026-03-16T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-03-16-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;On-demand malware scanning for Azure Files entered public preview in Microsoft Defender for Storage on 10 March, extending the existing on-demand scan feature so you can now scan whole storage accounts containing both blobs and Azure Files shares. Scans run from the Azure portal or the REST API and can be automated with Logic Apps, Azure Automation, or PowerShell; each scan uses Microsoft Defender Antivirus with current definitions and shows an upfront cost estimate before it runs. For a SOC, this is a practical way to sweep a suspect file share during an incident instead of waiting on on-upload scanning to catch something already at rest. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud added code-to-runtime enrichment for recommendations in preview (10 March), tracing a runtime security issue back through registries and pipelines to the source code that introduced it. It also does blast-radius analysis — how many assets a single code change affects — so you can fix at the source rather than chasing recurring runtime symptoms. It leans DevSecOps, but the runtime-to-source tracing is useful when triaging a container vulnerability and deciding whether the fix belongs with the SOC or the app team. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud now applies severity-based risk to recommendations that previously showed as &amp;quot;Not evaluated&amp;quot; (11 March). Those recommendations inherit a risk level from their severity, so they get prioritized in the recommendations list and — importantly — are now folded into Secure Score calculations. Expect Secure Score and recommendation status to shift for tenants that had unevaluated items, even without Defender CSPM enabled; full contextual, environment-aware risk still requires CSPM on the subscription. Analysts who track posture off Secure Score should know this is a scoring-model change, not a real drop in hygiene. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Kubernetes gated deployment for AKS Automatic clusters reached general availability in Defender for Containers on 12 March. Gated deployment blocks non-compliant container images from being deployed, and this GA extends it to AKS Automatic; to use it you install the Defender sensor via Helm in the &lt;code&gt;kube-system&lt;/code&gt; namespace, and the install script will disable an existing AKS add-on sensor and redeploy through Helm. For teams standardizing on AKS Automatic, this closes an admission-control gap that previously only applied to standard AKS. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;March&#39;s Defender XDR update centered on a broad identity-security build-out in the Defender portal. A new Identity Security dashboard summarizes coverage across identity providers, on-premises and SaaS identities, PAM/IGA integrations, and non-human identities; a Coverage and maturity page scores your identity posture through Connected → Protected → Fortified → Resilient levels with prioritized setup tasks; and the Identity inventory now splits human and non-human identities into separate tabs, so Entra ID app registrations, Active Directory service accounts, and even Google Workspace and Salesforce apps are enumerated as identities you can investigate. Most of this is rolling out gradually and in preview, but it is the connective tissue a SOC needs to see which identities exist and which are unmonitored. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Alongside it, Defender XDR added an identity risk score (0–100) that rates the likelihood and potential impact of an identity&#39;s compromise based on criticality and privileged roles, with a dedicated Risk score tab on the identity page breaking down the contributing factors and trend. The score is surfaced in Microsoft Entra ID, where it can feed Conditional Access policies and Identity Protection workflows — so a high-risk classification in the SOC can drive an enforcement decision at sign-in. A new Domain investigation page and consolidated identity security recommendations (drawing from Active Directory, Entra ID, and SaaS providers) shipped in the same wave. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The contain-user response action (&amp;quot;proactive user containment&amp;quot;) reached general availability this month as part of Defender&#39;s predictive-shielding capability. It combines activity data with exposure data to spot credentials at risk of being compromised and reused, and blocks the suspect account&#39;s lateral movement across onboarded devices before an analyst has fully scoped the incident. For a SOC this is a fast, reversible containment lever for a user you suspect but haven&#39;t yet confirmed — the identity equivalent of isolating a device. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Endpoint&#39;s March release added new Secure Score recommendations that pre-emptively block common attack techniques at the endpoint. The standouts for a SOC: block outbound network connections from &lt;code&gt;mshta.exe&lt;/code&gt; (the trusted Windows binary abused by ClickFix-style campaigns to pull payloads and reach C2), block file transfer over RDP to stop attackers staging or exfiltrating files through remote sessions, and SMB server hardening against authentication-relay attacks by enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption. These are configuration levers you can push from Secure Score rather than detections you have to chase after the fact. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Identity&#39;s March updates bring sensor v3.x support for domain controllers running Microsoft Entra Connect (detections plus ISPM recommendations), and let you migrate sensors from v2.x to v3.x directly from the Defender portal with no downtime — the v2.x sensor keeps running until the v3.x sensor is ready, and eligible servers show up as &amp;quot;Ready for migration.&amp;quot; The Entra Connect support requires Windows Server 2019+ with at least the March 2026 cumulative update (KB5078766, shipped this Patch Tuesday). For hybrid-identity SOCs, getting MDI coverage onto the Entra Connect box closes a long-standing blind spot on the exact server attackers target to pivot on-prem-to-cloud. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-for-identity/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended user reporting in Microsoft Teams this month: users can now report one-to-one Teams calls from call history as scam or non-scam to the reporting mailbox and/or Microsoft, and when a user reports a Teams message, up to fifteen messages before and after it are now shared for analysis. With Teams-based vishing and scam calls a live intrusion vector, this gives analysts richer reported-message context and a reporting path for malicious calls that previously had none. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra shipped Backup and Recovery in public preview this month — a built-in, always-on safety net that takes a daily backup of critical directory objects, including users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, and agent IDs (P1/P2 tenants retain five days of snapshots). Admins can diff snapshots to see exactly what changed and run recovery jobs to roll objects back to a known-good state. For incident response, this is the difference between &amp;quot;an attacker or a bad change wiped our Conditional Access policies&amp;quot; and a bounded, reversible event — worth knowing exists before you need it. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra also moved phishing-resistant authentication forward: synced passkeys and passkey profiles both reached general availability, and device-bound Entra passkeys on Windows (registered in the Windows Hello container) entered preview. Synced passkeys are FIDO2 credentials that roam across a user&#39;s devices, while passkey profiles let admins define different attestation and authenticator requirements for, say, admins versus standard users and target them by group. For a SOC pushing toward phishing-resistant MFA, this is the tenant-side control surface that makes a passkey rollout enforceable rather than best-effort. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;March Patch Tuesday shipped on 10 March 2026, addressing roughly 79 vulnerabilities with three rated Critical. The two to prioritize on a Microsoft estate are CVE-2026-26113 and CVE-2026-26110, both Microsoft Office remote-code-execution flaws that can trigger from the Outlook Preview Pane with no click, plus a Critical Excel information-disclosure bug (CVE-2026-26144). A SQL Server flaw (CVE-2026-21262) was publicly disclosed ahead of the fix; Microsoft did not flag a confirmed in-the-wild exploited flaw this month, but several Windows elevation-of-privilege CVEs are rated &amp;quot;more likely&amp;quot; to be exploited, so watch endpoint patch compliance in MDE&#39;s vulnerability management. The same Windows cumulative update (KB5078766) is a prerequisite for the new MDI v3.x sensor support on Entra Connect DCs, so patching and that identity-coverage change move together. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Mar&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;While you&#39;re watching Secure Score, note a second, unrelated scoring change this month: Defender XDR recategorized some &amp;quot;Cloud apps&amp;quot; recommendations as &amp;quot;Identity&amp;quot;, so your total Secure Score is unchanged but the individual Identity and Cloud-apps category scores can move. Combined with the Defender for Cloud severity-based-risk change above, March is a month where Secure Score numbers shift for model reasons rather than because posture actually changed — flag that to anyone who tracks the score as a KPI before they read a dip as a regression. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;For threat-research reading, Microsoft Threat Intelligence&#39;s &amp;quot;AI as tradecraft: how threat actors operationalize AI&amp;quot; (published 6 March, just ahead of this window) documents how nation-state actors — including North Korea&#39;s Jasper Sleet and Coral Sleet — are folding LLMs into real operations: role-play jailbreaks, LLM-assisted vulnerability research, and AI-generated malware and lures. It is useful background for interns because it grounds the &amp;quot;AI threat&amp;quot; abstraction in concrete tradecraft you may see reflected in phishing quality and tooling, and it pairs with the defensive AI features (predictive shielding, contain-user, Copilot agents) Microsoft is shipping across Defender. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;This was a deliberately light week immediately before RSAC 2026 — Microsoft&#39;s Pre-Day was Sunday 22 March in San Francisco — so the larger Sentinel, Defender, and Entra announcements cluster in the following week&#39;s brief. If you are planning portal work, remember the backdrop: managing Microsoft Sentinel in the Azure portal is being retired 31 March 2027, and the Defender portal is where new SOC workflows (and most of the features above — the identity-security dashboard, contain-user, MDI migration) now live. (&lt;a href=&quot;https://learn.microsoft.com/en-us/unified-secops/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>March 2 – March 9, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-03-09-week/" />
    <updated>2026-03-09T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-03-09-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jun 2026&lt;/strong&gt; — Legacy Microsoft Sentinel repositories (content-as-code) API versions retire in June 2026, and Source Control create/manage calls on the old versions will start failing. If you drive repo connections through the REST API or pipelines, move to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview before this date. Existing repository connections keep operating; only API calls on the retired versions break. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Defender for Identity landed a large identity-security release centered on a new Identity Security dashboard (preview) and a Coverage and maturity page that scores your identity posture across Connected, Protected, Fortified, and Resilient levels with prioritized setup tasks. The Identity inventory now splits human and non-human identities into separate tabs — the Non-human identities tab (preview) surfaces Entra ID apps, Active Directory service accounts, and Google Workspace/Salesforce apps — and a new identity risk score (0–100, preview) estimates likelihood of compromise and blast-radius impact, flows into Entra ID for Conditional Access decisions, and gets a dedicated Risk score tab on the identity page. A Domain investigation page and cross-provider identity security recommendations round it out. For a SOC, this turns identity from a scattered set of signals into a single prioritized surface, and the non-human inventory finally gives you eyes on service-account and app-identity sprawl. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Proactive user containment (&amp;quot;contain user&amp;quot;) reached general availability as part of Defender XDR&#39;s predictive shielding. Instead of waiting for a confirmed compromise, it fuses activity data with exposure data to spot credentials that are exposed and likely to be reused for malicious activity, then contains the user from the network. That gives analysts a pre-emptive lever during an unfolding incident rather than a purely reactive one — useful for cutting off lateral movement before an attacker pivots on harvested creds. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra Backup and Recovery entered public preview — a built-in, always-on safety net that automatically backs up critical directory objects (users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, Agent IDs, and authentication/authorization policy) so you can roll the tenant back to a known-good state after an accidental or malicious change. During preview it takes one daily snapshot (retained five days with Entra ID P1/P2); admins can view snapshots, generate difference reports to see exactly what changed, and run recovery jobs. For a SOC this is a concrete recovery lever for identity-based attacks: if an adversary tampers with a Conditional Access policy or a named location, you can diff and restore it rather than reconstruct it from memory. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Microsoft Sentinel playbook generator now lets you build fully functional, code-based playbooks by describing the workflow in natural language instead of stitching together templates and a fixed action library. You define an Integration Profile (base URL, auth method, credentials) and it produces a Python playbook — with docs and a visual flowchart — that can call Microsoft and third-party APIs without predefined connectors, then validate against real alerts. For analysts, this lowers the bar to automating repetitive triage and enrichment steps directly in your SOAR layer. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-march-2026/4499508&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;CCF Push entered public preview, letting data sources send security telemetry straight into a Sentinel workspace in real time over the Log Ingestion API. Instead of hand-building Data Collection Endpoints, Data Collection Rules, Entra app registrations, and RBAC assignments, you deploy the connector and Sentinel provisions the resources for you; it supports high-throughput ingestion, in-flight transformation, and delivery to system tables. Partners such as Keeper Security, Obsidian Security, and Varonis are already streaming data this way, so expect more push-based connectors to land in your content hub. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-march-2026/4499508&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A dedicated Google Kubernetes Engine (GKE) connector reached general availability in the Sentinel content hub, built on the Codeless Connector Framework. It ingests GKE cluster activity, workload behavior, and security events into the &lt;code&gt;GKEAudit&lt;/code&gt; table, with DCR support, data-lake-only ingestion, and workspace transformations, bringing GKE monitoring in line with how AKS is handled today. For SOCs whose workloads span clouds, this means the same Sentinel analytics, workbooks, and hunting queries now cover Kubernetes threats regardless of whether clusters run on Azure or Google Cloud. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-march-2026/4499508&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Sentinel repositories are now generally available. The content-as-code feature — connecting a Sentinel workspace to a GitHub or Azure DevOps repo to deploy analytics rules, hunting queries, workbooks, and automation through CI/CD — is out of preview. This is the same feature whose older REST API versions are being retired (see Act by), so if you manage detections as code, this is the moment to standardize on the GA experience and the supported API versions. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Custom Guidebooks (SOPs) for Copilot Guided Response reached general availability, letting you bring your own standard operating procedures directly into the Security Copilot Guided Response experience in the Defender portal. Rather than the generic recommended steps, Copilot can now walk analysts through your organization&#39;s own runbook for a given incident type — handy for keeping newer shift staff aligned to house process during triage. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two endpoint-response quality-of-life changes shipped for Microsoft Defender for Endpoint: Library Management for live response (public preview) lets you centrally manage live-response scripts and files in the Defender portal instead of uploading them ad hoc inside each session, and Effective Settings Reporting (GA) shows the security settings actually enforced on a device rather than just the admin&#39;s intended policy — closing a common gap when you&#39;re chasing why a control didn&#39;t apply on a specific host. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint also added several Microsoft Secure Score recommendations aimed squarely at common initial-access and lateral-movement techniques. New recommendations block outbound network connections from the HTML Application host mshta.exe — a trusted, living-off-the-land binary that ClickFix-style campaigns abuse to run malicious scripts, pull payloads, and reach command-and-control — block file transfer over RDP sessions, and harden SMB against authentication-relay attacks by enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption. These are cheap, high-value hardening wins an intern can help drive, and each maps directly to an attack pattern you&#39;ll actually see in incidents. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended user reporting in Microsoft Teams. Users can now report completed or missed one-to-one Teams calls from their call history as scam or non-scam — sent to your reporting mailbox and/or Microsoft — and when users report Teams messages from chats, channels, or meetings, up to fifteen messages before and after the reported one are now shared for analysis. That gives analysts conversational context around a reported chat instead of a single stripped-out message, which matters as Teams becomes a bigger social-engineering channel feeding your submissions queue. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Cloud began converting grouped recommendations into individual recommendations in the Azure portal (preview, 4 March), scoring and prioritizing each finding — vulnerability, exposed secret, or misconfiguration — separately instead of nesting them under a parent. On the same date, the older grouped container and container-image vulnerability recommendations were put on a deprecation path (removal starting 13 April 2026). If your automation, governance rules, or workbooks key off the grouped recommendation names, plan to repoint them at the individual recommendations and security categories. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence published &amp;quot;AI as tradecraft: how threat actors operationalize AI&amp;quot; (6 March), a detailed look — some of it done in collaboration with OpenAI — at how named actors are folding generative AI into real operations. North Korean clusters feature heavily: Emerald Sleet used LLMs to research publicly reported vulnerabilities including the MSDT &amp;quot;Follina&amp;quot; bug (CVE-2022-30190), Sapphire Sleet and Moonstone Sleet used AI for malware scripting and C2 development, and the Jasper/Coral Sleet IT-worker operations used it to fabricate identities with AI-generated photos and voice cloning — researchers even spotted emoji markers and conversational code comments in Coral Sleet&#39;s OtterCookie payload. The practical takeaway for a SOC: AI mostly makes existing tradecraft faster and better-localized rather than inventing new attack classes, so keep the fundamentals (phishing-resistant MFA, patching known-exploited CVEs, service-account hygiene) tight. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Defender Monthly news — March 2026 digest is worth a skim for portal-consolidation context: Microsoft Defender for Cloud is expanding into the Defender portal in public preview, continuing the push toward one console for cloud and code security alongside the rest of Defender. It also lands amid the broader migration reminder that Microsoft Sentinel in the Azure portal sunsets 31 March 2027, after which the Defender portal is the only interface — so any Azure-portal-specific runbooks, bookmarks, or automation you still rely on should be on your migration backlog. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the identity side, the March Entra release notes bring synced passkeys to general availability — FIDO2 credentials that can live in built-in or third-party passkey providers and roam across a user&#39;s devices, managed through passkey profiles in the authentication methods policy (now GA in their own right) — reinforcing the phishing-resistant-auth direction the threat research above argues for. Separately, RSA published an agentic integration that pipes RSA ID Plus administrative identity telemetry into the Sentinel data lake for cheap long-term retention, then uses Security Copilot agents to flag anomalous admin behavior automatically; it&#39;s a partner solution rather than a first-party feature, but a useful pattern for correlating identity risk alongside broader Sentinel telemetry without manual joins. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;) (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-march-2026/4499508&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A few smaller operational changes in the Defender portal&#39;s March updates are worth knowing for day-to-day work. Microsoft recalculated some Secure Score categories so that several recommendations previously counted under Cloud apps are now treated as Identity — your total Secure Score is unchanged, but individual identity and app category scores may move, so don&#39;t read a category swing this month as a real posture change. Advanced hunting gained two new preview tables — CloudDnsEvents (DNS activity from cloud infrastructure) and CloudPolicyEnforcementEvents (policy-enforcement and gating decisions for platforms protected by Defender for Cloud) — and the incident graph can now be filtered, or have specific entities hidden, on very large incidents, which finally makes the sprawling graphs on multi-alert incidents navigable during an investigation. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>February 23 – March 2, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-03-02-week/" />
    <updated>2026-03-02T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-03-02-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Microsoft Sentinel is standardizing how the account entity&#39;s Account Name is populated in analytics-rule alerts, incidents, and automation. When a full UPN (&lt;code&gt;user@domain.com&lt;/code&gt;) is mapped to Account Name, it will always resolve to the UPN prefix only (&lt;code&gt;user&lt;/code&gt;), and new &lt;code&gt;UserPrincipalName&lt;/code&gt; and &lt;code&gt;UPNSuffix&lt;/code&gt; fields are added to the account entity. This can silently break automation rules and Logic Apps playbooks that do strict equality checks on the full UPN. Audit your rules now and switch to &lt;code&gt;Contains&lt;/code&gt;/&lt;code&gt;Starts with&lt;/code&gt; comparisons (or &lt;code&gt;coalesce(Account.UPNprefix, Account.Name, Account.DisplayName)&lt;/code&gt; in KQL) before the change lands. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft published a practitioner-focused guide on getting value out of the Microsoft Sentinel data lake, walking through how to centralize signals, retain years of telemetry cheaply, and run graph-powered analytics and agentic workflows over historical data. The pitch is aimed at teams that have been forced to drop or short-retain logs to control ingestion cost, which leaves investigation blind spots. On shift this matters when a hunt needs to reach back further than the analytics tier keeps: the data lake tier is where long-range correlation and retrospective IOC sweeps live, so knowing what it can (and can&#39;t) do shapes how you scope an investigation. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/unlocking-value-with-microsoft-sentinel-data-lake/4497660&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The UEBA behaviors layer in Sentinel reached general availability, alongside a prebuilt behaviors workbook in the UEBA Essentials solution. The layer aggregates and sequences raw, high-volume logs into normalized, human-readable behaviors — &amp;quot;who did what to whom&amp;quot; — mapped to MITRE ATT&amp;amp;CK, so instead of reading individual CloudTrail or firewall events you see a summarized behavior like &amp;quot;inbound remote management session from external address.&amp;quot; The workbook ships Overview, Investigation, and Hunting views on top of that data. For an analyst this is the layer that turns noisy telemetry into something you can triage without hand-correlating events. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Several identity-focused advanced hunting tables went GA: &lt;code&gt;IdentityAccountInfo&lt;/code&gt; (account details across sources, with a link to the owning identity), &lt;code&gt;EntraIdSignInEvents&lt;/code&gt; (interactive and non-interactive sign-ins), &lt;code&gt;EntraIdSpnSignInEvents&lt;/code&gt; (service principal and managed identity sign-ins), and &lt;code&gt;GraphApiAuditEvents&lt;/code&gt; (Microsoft Graph API requests against tenant resources). These are the tables you&#39;ll actually query when triaging identity incidents — service-principal abuse, token replay, and Graph-based reconnaissance — so it&#39;s worth learning their schema now that they&#39;re supported rather than preview. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two cloud-focused advanced hunting tables entered preview in the same month&#39;s Defender XDR updates: &lt;code&gt;CloudDnsEvents&lt;/code&gt;, which captures DNS activity from cloud infrastructure environments, and &lt;code&gt;CloudPolicyEnforcementEvents&lt;/code&gt;, which records policy enforcement decisions and the metadata of security gating events for cloud platforms protected by Defender for Cloud. For a SOC watching cloud workloads, cloud DNS is a classic channel for C2 and exfiltration, and the enforcement table tells you &lt;em&gt;why&lt;/em&gt; a cloud action was allowed or blocked — both are new KQL surfaces to fold into cloud-threat hunts as they stabilize. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Lake-only ingestion for Defender advanced hunting tables is now generally available, letting you land Defender hunting data directly in the Sentinel data lake without paying to push it through the analytics tier first. For cost-conscious SOCs this is a real lever: high-volume, low-signal tables can be retained cheaply for long-range hunting and retrospective analysis, while you keep the analytics tier for what drives live detections. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint added a batch of Microsoft Secure Score hardening recommendations aimed at cutting off common attack techniques. One blocks outbound network connections from the Microsoft HTML Application Host (&lt;code&gt;mshta.exe&lt;/code&gt;) — a trusted Windows binary that ClickFix and other living-off-the-land campaigns abuse to run malicious scripts and reach command-and-control. Two more target lateral movement and credential relay: Block file transfer over RDP stops attackers staging or exfiltrating files inside Remote Desktop sessions, and SMB server security hardening against authentication relay attacks enforces Extended Protection for Authentication, SMB signing, and SMB encryption. For an intern, these are worth reading as a map of the techniques Microsoft expects you to see — and each is a preventive control you can point posture conversations at rather than a new alert to triage. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Library management for live response reached GA in Microsoft Defender for Endpoint. You can now centrally manage the scripts and files used during live response sessions from the Defender portal — upload, view, and delete them outside an active session — instead of re-uploading tooling every time you connect to a device. For responders this means your investigation and remediation scripts are version-managed in one place, ready to run the moment you open a live response session on a compromised host. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Effective settings tab for device configuration is now GA in Defender for Endpoint. Under a device&#39;s Configuration management, it shows the &lt;em&gt;actual&lt;/em&gt; value and configuration source of each security setting — the real enforced state, not just the admin&#39;s intended policy. This closes a common gap where an intended protection (say, an ASR rule or tamper protection) never actually took effect on the endpoint. When you&#39;re investigating why a device wasn&#39;t protected, this is the tab that tells you whether the control was really on. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint also previewed an enhanced Windows deployment tool that bundles the onboarding package directly into the tool&#39;s executable, generates a key required to run it, and lets you set an expiry date on the package to reduce the risk of unauthorized use — with a new Deployment packages page in the Defender portal for centralized visibility into every package and its status. Onboarding packages are sensitive artifacts (they enroll a device into your tenant), so treating them like credentials — scoped, keyed, and expiring — is a small but real supply-chain-hygiene improvement for the teams that stand up endpoints. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended user reporting of Microsoft Teams to calls and added message context. Building on February&#39;s expansion of Teams reporting to Plan 1, users can now report completed or missed one-to-one Teams calls from their call history as scam or malicious, and when a Teams message is reported to Microsoft, up to fifteen messages before and after it are shared for analysis. As Teams becomes a real phishing and social-engineering surface — including voice-based scams — this widens what lands in the submissions pipeline SOCs already triage and gives analysts the surrounding conversation instead of a single decontextualized message. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;What&#39;s new in Defender for Office 365&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Custom Guidebooks (standard operating procedures) for Copilot Guided Response reached general availability. Teams can encode their own investigation and response playbooks so that Security Copilot&#39;s guided-response suggestions follow the organization&#39;s SOPs rather than generic defaults. For a SOC this is a way to bake tribal knowledge and required steps into the assisted-response flow, so junior analysts get consistent, org-approved next actions on an incident. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Defender-portal consolidation kept moving this month. The March roundup confirms Microsoft is extending the sunset for managing Sentinel in the Azure portal to March 31, 2027 — Sentinel is already GA in the Defender portal (including for tenants without Defender XDR or an E5 license), so new SOC work should land in the unified portal, but there&#39;s no forced cutover this week. The same roundup notes Defender for Cloud is expanding into the Defender portal to give a single cloud-and-code security experience, another step in collapsing the workloads into one console. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the identity side, February&#39;s Entra updates flagged an upcoming Entra Connect security change that blocks hard-match takeover of privileged cloud users. Starting June 1, 2026, Entra Connect Sync and Cloud Sync will no longer be able to hard-match an incoming Active Directory user to an existing cloud-managed Entra user that holds Entra roles. This shuts down an attack path where an on-prem foothold is used to manipulate AD attributes and seize control of a privileged cloud account through sync. It&#39;s worth knowing which of your privileged Entra identities are hybrid-matched before the block turns on, so a legitimate sync doesn&#39;t trip the new guardrail. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A couple of portal-workflow changes are worth noting for how you read the console. Defender XDR added incident-graph filtering (preview) — on very large incidents with many alerts and entities you can now filter or hide specific entities to simplify the graph and keep an investigation focused on what matters. Separately, some recommendations previously scored under the Cloud apps category in Microsoft Secure Score are now counted as Identity; your total Secure Score is unchanged, but the individual identity and app sub-scores may shift, so don&#39;t read a moved number as a regression. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A smaller operational note from the roundup: Defender Experts for Hunting customers can now set notification contacts — the individuals or groups Microsoft reaches out to for critical incidents or service updates. If your team uses the managed hunting service, make sure those contacts point at a monitored on-call channel, not a single analyst&#39;s mailbox. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---march-2026/4498458&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>February 16 – February 23, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-02-23-week/" />
    <updated>2026-02-23T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-02-23-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;p&gt;Entra is closing a hybrid-identity attack path: beginning June 1, 2026, Microsoft Entra Connect Sync and Cloud Sync will be blocked by default from hard-matching a newly synced on-premises AD user to an existing cloud-managed Entra user that holds a Microsoft Entra role. The change stops an attacker who controls Active Directory from taking over the Source of Authority of a privileged cloud account by manipulating on-prem attributes. Soft match and hard match for non-role-holding users are unaffected. If you run Entra Connect or Cloud Sync, inventory which role-holding cloud users still carry an &lt;code&gt;onPremisesImmutableId&lt;/code&gt;, and expect hard-match errors after the enforcement date for anything that trips the new guard. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Sentinel&#39;s UEBA Behaviors Workbook is now available as part of the UEBA Essentials solution, building on the UEBA behaviors layer that reached GA this month. The workbook ships prebuilt, customizable views across three SOC workflows: an Overview for trends and situational awareness, an Investigation view with entity-centric timelines, and a Hunting view driven by anomaly detection and attack-chain analysis. For analysts it turns normalized behavior data into ready-made dashboards, so you can pivot from a raw behavior to an entity timeline without hand-building queries. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/accelerate-your-ueba-journey-introducing-the-microsoft-sentinel-behaviors-workbo/4488278&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Sentinel took multi-tenant content distribution to general availability, letting you centrally define and replicate analytics rules, automation rules, workbooks, and alert-tuning rules across tenants from the Defender portal. For an MSSP — or any SOC running more than one Sentinel tenant — this replaces per-tenant copy-paste with a managed baseline, cutting the configuration drift that leaves one tenant blind to something the others already detect. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;February&#39;s Sentinel recap also shipped a wave of new data connectors, including CrowdStrike, Vectra XDR, Palo Alto Networks Cloud NGFW, and Proofpoint, alongside a Microsoft 365 Copilot connector in preview. For a SOC these widen what you can correlate in one place — third-party EDR, NDR, firewall, and email-security telemetry landing next to Defender and Entra signals — while the Copilot connector brings Microsoft 365 Copilot activity into Sentinel so AI-tool usage becomes something you can monitor and hunt over. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft released a public preview of an AI-assisted SOAR playbook generator for Microsoft Sentinel. It creates Python-based automation workflows through a conversational experience coauthored with Cline, an AI coding agent — you describe the response you want and it drafts the playbook. On shift this lowers the barrier to standing up or adjusting automation for repetitive response steps, though generated playbooks still need review and testing before you wire them to live incidents. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-the-next-generation-of-soc-automation-sentinel-soar-playbook-generat/4494438&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Four identity-centric advanced hunting tables moved to general availability in Microsoft Defender XDR this month, giving detection engineers a stable, documented schema to build on. &lt;code&gt;IdentityAccountInfo&lt;/code&gt; consolidates account details from sources including Entra ID and links each account to the identity that owns it; &lt;code&gt;EntraIdSignInEvents&lt;/code&gt; covers interactive and non-interactive sign-ins; &lt;code&gt;EntraIdSpnSignInEvents&lt;/code&gt; covers service principal and managed identity sign-ins; and &lt;code&gt;GraphApiAuditEvents&lt;/code&gt; captures Microsoft Graph API requests against tenant resources. For a SOC, the service-principal and Graph API tables are the notable additions — they make workload-identity sign-ins and Graph-based reconnaissance or abuse huntable in KQL without stitching together separate logs. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Identity added a batch of new detections this month, several aimed squarely at abuse of the Entra Connect sync path. The new Entra ID alerts flag suspicious user-configuration changes, Graph API requests, and sign-ins originating from the Entra ID sync application, plus anomalous OAuth device-code authentication; on the Active Directory side, new alerts cover a possible golden ticket (suspicious ticket) and a Kerberos key-list attack. The sync-application alerts are the ones to note: they detect an attacker operating through the directory-sync service account — the same hybrid seam the June hard-match block hardens — so an attempt to ride Entra Connect now surfaces as a signal in your incident queue rather than sitting silent. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-for-identity/whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Identity&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Cloud added two container-runtime prevention capabilities in preview on 22 Feb. Container runtime anti-malware detection and blocking provides real-time malware detection and prevention across AKS, EKS, and GKE, with rules that define the conditions for alerting versus blocking. Alongside it, binary drift policies can now block — not just detect — unauthorized or tampered binaries executing at runtime. For a SOC watching containerized workloads, both shift container threat handling from detect-and-alert toward in-line prevention, so tune rules carefully to avoid blocking legitimate workloads. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint&#39;s Effective settings tab reached GA under the device inventory&#39;s Configuration management view. It shows the actual value and configuration source of each security setting on a device, so you can spot policies that were intended but never took effect — the silent gaps where a protection you think is on isn&#39;t actually enforced. When you&#39;re validating that a hardening baseline or attack-surface-reduction rule really landed on a host during an investigation, this is where you confirm it. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Endpoint also added library management for live response in preview. You can now view, upload, and delete the files and scripts used in live response sessions from a centralized view in the Defender portal, outside of an active session. For responders this means the tooling you reach for during containment — collection scripts, remediation binaries — is managed and vetted ahead of time rather than uploaded ad hoc mid-incident. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint&quot;&gt;New features in Microsoft Defender for Endpoint&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended user reporting of Microsoft Teams messages to Plan 1. Users can now report external and intra-org Teams messages — from chats, standard/shared/private channels, and meeting conversations — as security risks to the configured reporting mailbox, Microsoft, or both. As Teams becomes a real phishing and social-engineering surface, this puts Teams-borne reports into the same submissions pipeline SOCs already triage for email, and it&#39;s now available without a Plan 2 license. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;What&#39;s new in Defender for Office 365&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft took External MFA (external authentication methods) to general availability in Entra ID. It lets organizations satisfy MFA requirements using a preferred third-party provider while Entra ID stays the control plane — performing full policy evaluation and access decisions on every sign-in, including real-time Conditional Access enforcement and sign-in risk assessment. For SOC teams this means third-party MFA no longer sits outside Entra&#39;s risk and Conditional Access signals, so those sign-ins remain visible to identity-based detections. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra: What&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;The Defender-portal migration timeline is the one to keep current: the retirement of the Microsoft Sentinel experience in the Azure portal was extended to March 31, 2027, after which Sentinel runs only in the Defender portal (available even without Defender XDR or an E5 license). The extra runway doesn&#39;t change direction — use it to validate the Defender portal experience, permissions, and any Azure-portal-only workflows your playbooks still depend on. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;February&#39;s Entra and identity changes read as a coordinated hardening push. Alongside the June 1 hard-match block above, Microsoft Authenticator began rolling out jailbreak/root detection for Entra credentials this month, progressing from warning mode to blocking mode; users on rooted or jailbroken devices will need to move to compliant devices, and existing credentials on flagged devices are wiped. Read the new Defender for Identity sync-application detections in the same light: the June block removes a privilege-takeover path, and the detections catch an attacker probing it in the meantime. Treat these as upstream controls that shrink specific attack paths (AD-to-cloud privilege takeover, compromised-device token theft) rather than as things that generate alerts you triage.&lt;/p&gt;
&lt;p&gt;The four Entra tables reaching GA are worth a detection-engineering pass while they&#39;re fresh. &lt;code&gt;EntraIdSpnSignInEvents&lt;/code&gt; makes service principal and managed-identity sign-ins first-class hunting data — useful for spotting a workload identity signing in from unexpected IPs or after a suspicious credential add — and &lt;code&gt;GraphApiAuditEvents&lt;/code&gt; lets you hunt Graph API calls that map to reconnaissance or consent abuse. Both pair naturally with the UEBA behaviors work above: normalized behaviors for the human-readable timeline, raw Entra tables for the precise KQL. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two more February items round out the data plane. Microsoft Sentinel&#39;s integration with Purview Data Security Investigations reached GA, combining data-centric insights with Sentinel&#39;s threat graph so an investigation can pivot from a threat signal to the sensitive data actually at risk. And for SAP estates, the Sentinel solution for SAP BTP gained new analytics rules across Integration Suite, Cloud Identity Service, Build Work Zone, and BTP audit logging — detecting unauthorized integration-artifact changes, risky identity and privilege changes, mass role deletions, and audit-log ingestion gaps. Neither is core email-and-endpoint SOC work, but both extend where your Sentinel detections can reach. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>February 9 – February 16, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-02-16-week/" />
    <updated>2026-02-16T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-02-16-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Sentinel added nine new out-of-the-box data connectors to general availability, including Mimecast Audit Logs, CrowdStrike Falcon Endpoint Protection, Vectra XDR, Palo Alto Networks Cloud NGFW, Proofpoint on Demand Email Security, and MongoDB. For a SOC, this means less custom-connector plumbing to onboard common third-party telemetry — you get supported ingestion, parsing, and content packages from the content hub instead of hand-rolled log pipelines. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A Microsoft 365 Copilot data connector is in public preview, pulling Microsoft 365 Copilot audit logs and activity data into Sentinel. Once ingested, that data can drive analytics rules, custom detections, hunting, and automation, giving analysts a way to spot Copilot misuse, anomalous prompts, and policy violations — and it can be routed to the Sentinel data lake for cheaper retention and graph/MCP scenarios. As Copilot adoption grows, this is the audit surface you&#39;ll be asked to monitor. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Multi-tenant content distribution is now in public preview from the Microsoft Defender portal. Partners and SOCs managing multiple Sentinel tenants can centrally replicate analytics rules, automation rules, workbooks, and alert tuning rules across tenants instead of rebuilding detections one environment at a time. This cuts configuration drift and speeds tenant onboarding while keeping detection execution local to each target tenant. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The UEBA Essentials solution got a public-preview refresh that extends anomaly detection across Azure, AWS, GCP, and Okta, with new queries powered by the anomalies table and 30+ prebuilt UEBA queries deployable from the content hub. Behavior analytics can be enabled automatically from the connectors page as data sources are added, and activity is mapped to MITRE ATT&amp;amp;CK. For analysts, it means faster surfacing of high-risk behavior across cloud and identity without stitching together noisy signals by hand. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview Data Security Investigations (DSI) is now generally available integrated with the Sentinel graph. It combines Purview&#39;s AI-driven content analysis with Sentinel&#39;s activity-centric graph analytics so a single investigation can show what sensitive data was touched, who accessed it, and how it moved. This gives SOC and data-security teams a blast-radius view that connects the data side of an incident to the identity and activity side. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Cloud introduced a database-level recommendations experience for SQL Vulnerability Assessment in public preview on 10 February. Instead of aggregating findings at the server or instance level, each SQL VA rule now generates a separate assessment per affected database, surfaced as individual recommendations on the Defender for Cloud Recommendations page — across PaaS and IaaS SQL, Express and Classic. Scanning logic, rules, schedules, and pricing are unchanged; it only makes findings easier to consume and remediate, and (during preview) database-level assessments contribute to Secure Score in the Defender portal. For a SOC, per-database granularity means a vulnerable database no longer hides behind a green server-level rollup. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also on 10 February, Defender for Cloud extended its container-image vulnerability scanning (powered by Microsoft Defender Vulnerability Management) to Minimus and Photon OS images and reached general availability. As minimal and hardened base images become more common in production pipelines, coverage of these distributions closes a scanning blind spot — though note that scanning additional image types can increase your bill. If your workloads run on Photon OS (common on VMware/Tanzu) or Minimus images, their CVE findings now flow into the same recommendations and exposure view as the rest of your registry. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Identity added two new identity security posture assessments this month: one that lists Active Directory service accounts with direct or nested membership in privileged groups, and one that locates accounts in built-in Operator groups (Account, Server, Backup, and Print Operators). Both surface standing privilege that&#39;s easy to lose track of — service accounts quietly nested into Domain Admins, or legacy operator-group membership that grants more than anyone remembers. For an identity-focused SOC, these are ready-made hunting leads for privilege-reduction work before an attacker finds the same paths. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-for-identity/whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Identity&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft extended the deadline to retire the Microsoft Sentinel experience in the Azure portal to March 31, 2027. Sentinel is generally available in the Defender portal (including for customers without Defender XDR or an E5 license), and after that date it will only be available there. The extra runway doesn&#39;t change the direction — use it to validate the Defender portal experience, permissions, and any Azure-portal-only workflows your playbooks still depend on. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;February&#39;s Patch Tuesday (10 February 2026) was heavy: Microsoft fixed roughly 58 vulnerabilities, and six of them are being actively exploited as zero-days — three of which were also publicly disclosed before the fix. The exploited set is CVE-2026-21510 (Windows Shell — a SmartScreen/security-prompt bypass via a malicious link or shortcut), CVE-2026-21513 (MSHTML framework protection-mechanism bypass), CVE-2026-21514 (Microsoft Word OLE mitigation bypass, publicly disclosed), CVE-2026-21519 (Desktop Window Manager elevation of privilege to SYSTEM), CVE-2026-21533 (Remote Desktop Services elevation of privilege), and CVE-2026-21525 (Remote Access Connection Manager denial of service). The three security-feature-bypass flaws (21510, 21513, 21514) are the ones to verify first — they&#39;re the browser/Office delivery bugs attackers chain into initial access — followed by the two local EoPs on hosts an attacker already reached. Confirm patch coverage on internet-facing and RDP-exposed systems before you start hunting for exploitation. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide&quot;&gt;Microsoft Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Threat Intelligence published research on &amp;quot;AI Recommendation Poisoning,&amp;quot; a form of AI memory-poisoning attack where hidden instructions are embedded behind helpful-looking &amp;quot;Summarize with AI&amp;quot; buttons and share links. When a user clicks, the assistant silently processes a pre-filled prompt — laced with commands like &amp;quot;remember,&amp;quot; &amp;quot;in future conversations,&amp;quot; and &amp;quot;as a trusted source&amp;quot; — that biases the AI&#39;s stored memory so it steers later answers, even in unrelated chats, toward attacker-chosen products or outcomes. Notably, the cases Microsoft found involved real companies promoting themselves rather than classic malware operators, and off-the-shelf tools to build these poisoned links are already circulating. Treat agent memory and tool outputs as an attack surface, and keep the new Copilot/agent audit signals (see the Sentinel connector above) in scope for detection. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two threads from this window are worth reading together for a Microsoft estate. The AI-poisoning research and the M365 Copilot audit connector point the same way — as Copilot and agents embed into daily workflows, their prompts and activity become telemetry you&#39;re expected to monitor, not a side channel. Meanwhile the platform keeps consolidating into the Defender portal: with the Azure-portal Sentinel retirement now set for March 2027 and features like multi-tenant content distribution and Purview DSI landing Defender-portal-first, the unified experience is where new capability ships. If your team still lives partly in the Azure portal, February is a good month to close that gap while the migration runway is long. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>February 2 – February 9, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-02-09-week/" />
    <updated>2026-02-09T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-02-09-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jun 2026&lt;/strong&gt; — Microsoft Entra ID begins blocking Entra Connect Sync / Cloud Sync from &lt;em&gt;hard-matching&lt;/em&gt; a new on-premises Active Directory user object onto an existing cloud-managed Entra user that holds an Entra role. It&#39;s a safeguard against attackers taking over a privileged cloud account by manipulating AD attributes. Only hybrid tenants that sync privileged users are affected; if you rely on hard-match for role-holding accounts, plan the change now. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;The Microsoft Copilot data connector for Microsoft Sentinel entered public preview on 3 February. It ingests Copilot audit logs and activities (via the Purview Unified Audit Log) into Sentinel and the Sentinel data lake, so Copilot usage can drive analytics rules, custom detections, workbooks, automation, and data-lake scenarios like custom graphs and the MCP server. The connector is single-tenant and only returns data for tenants that actually have Copilot licenses and SCUs in use; enabling it needs Global Administrator or Security Administrator. For a SOC, this removes the trip to the Purview portal to see Copilot activity and lets you hunt for misuse, data exposure, and anomalous prompts directly in Sentinel — record types include CopilotInteraction, the CopilotPlugin create/update/delete operations, and agent-management events. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-microsoft-copilot-data-connector-for-microsoft-sentinel-is-now-in-public-pre/4491986&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Defender for Cloud extended its AI threat protection to Microsoft Foundry agents (public preview, announced 3 February). The Defender for AI Services plan now covers agents built with the Foundry Agent Service, adding runtime detection for agent-specific risks — memory poisoning, indirect prompt injection through tools and data sources, and abuse of agent-to-agent orchestration — on top of the existing protections for custom AI apps, aligned to OWASP guidance for LLM and agentic systems. Alerts surface in the Defender portal alongside the rest of your incidents, so agentic AI workloads become another signal source an analyst can triage rather than a blind spot. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Sentinel&#39;s UEBA behaviors layer reached general availability this month. The behaviors layer aggregates and sequences high-volume raw logs into normalized, human-readable &amp;quot;behaviors&amp;quot; — so instead of correlating individual AWS CloudTrail or firewall events by hand, an analyst sees something like &lt;em&gt;&amp;quot;Inbound remote management session from external address&amp;quot;&lt;/em&gt; mapped to MITRE ATT&amp;amp;CK tactics. It ships with a new behaviors workbook in the UEBA essentials solution with Overview, Investigation, and Hunting views. For shift work this is a faster path from noise to &amp;quot;who did what to whom,&amp;quot; and the workbook gives detection engineers prebuilt building blocks rather than a blank canvas. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;AI-assisted playbook generation arrived in Microsoft Sentinel (public preview) this month. The SOAR playbook generator builds Python-based automation workflows through a conversational experience with Cline, an AI coding agent, lowering the barrier to writing response automation. For an intern learning SOAR, it&#39;s a way to scaffold a working playbook from a plain-language description and then read and tune the generated logic instead of starting from scratch — useful for turning a repetitive triage step into automation. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Four identity and Microsoft Graph advanced-hunting tables reached general availability in Defender XDR this month. &lt;code&gt;IdentityAccountInfo&lt;/code&gt; (account data from sources including Entra ID, linked to the owning identity), &lt;code&gt;EntraIdSignInEvents&lt;/code&gt; (interactive and non-interactive sign-ins), &lt;code&gt;EntraIdSpnSignInEvents&lt;/code&gt; (service principal and managed-identity sign-ins), and &lt;code&gt;GraphApiAuditEvents&lt;/code&gt; (Microsoft Graph API requests against tenant resources) all move out of preview. For anyone writing KQL, this is a stable foundation for identity hunting — service-principal sign-ins and Graph API calls are exactly where token-theft and consent-abuse activity shows up, and GA means the schema is supported for production detections rather than experimental. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud made SQL simulated alerts generally available on 9 February. Simulated alerts generate realistic SQL threat alerts with full SQL and machine context on Azure VMs or Arc-connected machines, produced locally through a safe script extension with no external payloads and no impact to production. For a SOC it&#39;s a way to validate SQL detections, automated-response playbooks, and analyst runbooks end to end without waiting for a real attack — useful for onboarding new hires or proving a detection actually fires before you depend on it. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;External authentication methods in Microsoft Entra ID reached general availability, renamed External Multifactor Authentication (External MFA). Organizations can meet MFA requirements while keeping their preferred third-party MFA provider, with Entra ID still the control plane — it runs full policy evaluation, real-time Conditional Access enforcement, and sign-in risk assessment on every sign-in. On shift, that means an external MFA provider no longer means an MFA blind spot: the sign-in risk and CA decisions still flow through Entra where you can see and hunt them. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Authenticator is rolling out jailbreak/root detection for Entra credentials on Android, starting this month. The rollout moves from warning mode to blocking mode; users on jailbroken or rooted devices must move to a compliant device to keep using their Entra accounts in Authenticator. This closes a path where a compromised mobile OS could undermine the MFA method itself — expect a small number of users on rooted devices to hit prompts, and be ready to explain that the block is by design. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended Microsoft Teams message reporting to Plan 1 this month. Users on MDO Plan 1 can now report external and intra-org Teams messages — from chats, standard/shared/private channels, and meeting conversations — as a security risk, routed to Microsoft, to your custom reporting mailbox, or both. That puts Teams phish on the same user-reporting rails as email, so suspicious chat messages become submissions an analyst can review rather than screenshots in a side channel. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Office 365&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;The Defender Monthly news — February 2026 digest (published 3 February, recapping January) is worth a skim. Two items stand out for shift work: AI-powered incident prioritization is now in public preview for all Defender customers, and built-in alert tuning rules automatically handle informational and low-severity noise so the queue reflects real threats. The same post reiterates that managing Microsoft Sentinel in the Azure portal is now sunsetting 31 March 2027 (extended from July 2026); the Defender portal becomes the sole interface, so keep planning your migration. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---february-2026/4491826&quot;&gt;Microsoft Defender XDR Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The What&#39;s new in Microsoft Sentinel: February 2026 recap is the other one to read. Beyond the Copilot connector, it leads with multi-tenant content distribution — you can replicate analytics rules, automation rules, workbooks, and alert-tuning rules across tenants instead of rebuilding the same detections one environment at a time, which matters if you work in an MSSP or a multi-tenant estate. It also flags the shift of data connectors from Azure Function-based to the codeless connector framework (CCF) — SaaS-managed, with built-in health monitoring and centralized credential management — plus partner-built agentic experiences surfacing through the Microsoft Security Store. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-february-2026/4494218&quot;&gt;What&#39;s new in Microsoft Sentinel: February 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;No Microsoft Patch Tuesday falls in this window — the February 2026 security updates release on 10 February, one day after this issue closes. If you triage vulnerability work, this is the calm before a heavy month: February&#39;s release fixes roughly 58 vulnerabilities including six actively exploited zero-days (three of them publicly disclosed) — CVE-2026-21510 (Windows Shell), CVE-2026-21513 (MSHTML), CVE-2026-21514 (Word), CVE-2026-21519 (Desktop Window Manager EoP), CVE-2026-21525 (RAS Connection Manager DoS), and CVE-2026-21533 (Remote Desktop Services EoP). Pre-stage your patch-verification and hunting plans now rather than scrambling on the 10th. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>January 26 – February 2, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-02-02-week/" />
    <updated>2026-02-02T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-02-02-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;16 Feb 2026&lt;/strong&gt; — CISA&#39;s deadline for U.S. federal (FCEB) agencies to patch CVE-2026-21509, an actively exploited Microsoft Office security-feature-bypass zero-day that Microsoft fixed in an out-of-band update on 26 January. It isn&#39;t a legal mandate for private orgs, but it&#39;s a useful forcing function: the flaw affects Microsoft 365 Apps and Office 2016 / 2019 / LTSC 2021 / LTSC 2024 and sits on CISA&#39;s Known Exploited Vulnerabilities list. Prioritize pushing the out-of-band Office update across your estate. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;15 Jun 2026&lt;/strong&gt; — Conditional Access enforcement for &lt;em&gt;All resources&lt;/em&gt; policies that carry resource exclusions begins. Only tenants with such a policy are affected; if you own custom apps that request only OIDC or a limited set of directory scopes, confirm they can handle CA challenges (MFA / device compliance) before this date. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/upcoming-conditional-access-change-improved-enforcement-for-policies-with-resour/4488925&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;31 Mar 2027&lt;/strong&gt; — Managing Microsoft Sentinel in the Azure portal is sunset (extended from 1 Jul 2026). Begin planning the move to the Defender portal now; new capabilities ship there only. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft pushed the deadline for managing Microsoft Sentinel in the Azure portal from 1 July 2026 to 31 March 2027, citing feedback from customers running Sentinel at scale. The Azure portal experience still works until then, but capabilities like Security Copilot, the Sentinel data lake and graph, attack disruption over sources such as AWS and Proofpoint, and future SOAR/case-management work are Defender-portal only. For interns, this means the unified Defender portal is where net-new SOC tooling lands — treat Azure-portal Sentinel as legacy and get comfortable in the Defender portal. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft announced a Conditional Access enforcement change for policies that target &lt;em&gt;All resources&lt;/em&gt; and include one or more resource exclusions. Today, a sign-in from a client requesting only OIDC scopes or a limited set of directory scopes bypasses such a policy; after enforcement (now 15 June 2026), the policy applies regardless of the scopes requested. Most tenants see no change because most apps request broader scopes, but affected tenants get Microsoft 365 Message Center notices. It matters on shift because it closes a quiet CA bypass path — expect new MFA/compliance challenges on a narrow set of flows and be ready to explain the change if users report unexpected prompts. You can also opt in early or override the behavior per-policy while you test. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-entra-blog/upcoming-conditional-access-change-improved-enforcement-for-policies-with-resour/4488925&quot;&gt;Microsoft Entra Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Purview Data Security Investigations (DSI) reached general availability on 27 January. DSI lets data-security teams scope investigation-relevant data across Microsoft 365 — emails, Teams messages, documents, and even Copilot prompts and responses — run AI-powered deep content analysis to surface sensitive data and risk, and act on it in one workflow, including a new purge mitigation action that deletes overshared or sensitive content without leaving the investigation. It targets scenarios a SOC increasingly inherits: data breach and leak investigations, credential exposure, insider fraud, and sensitive data exposed in Teams. GA also brings usage-based pricing — billed separately for investigation storage and for the compute consumed during AI analysis — and access flows through existing Microsoft Purview role groups, so treat it as a capability to reach for on a data-exposure incident rather than one to leave running blind. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-data-security-investigations-is-now-generally-available/4489363&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud reworked its Cloud Infrastructure Entitlement Management (CIEM) recommendation logic across Azure, AWS, and GCP (effective 2 February). Inactive-identity detection now evaluates unused role assignments instead of sign-in activity, the inactivity lookback extends from 45 to 90 days, identities under 90 days old are skipped, and the Permissions Creep Index (PCI) metric is deprecated. Onboarding no longer needs elevated high-risk permissions, and AWS SAML/SSO and GCP identities require CloudTrail / Cloud Logging ingestion in the Defender CSPM plan to be fully evaluated. Expect your inactive-identity and over-permissioned-role recommendation counts to shift after this change — don&#39;t read the movement as a real posture change without checking the new logic. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud added threat protection for AI agents built with Azure AI Foundry (2 February), in preview as part of the Defender for AI Services plan. It covers agents from development through runtime and targets threats aligned to OWASP guidance for LLM and agentic AI systems. As organizations stand up Foundry-based agents, this extends Defender coverage to a new attack surface the SOC will increasingly see in alerts. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes&quot;&gt;Microsoft Defender for Cloud release notes&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 extended sender-blocking to Microsoft Teams. Admins can now block malicious external domains and email addresses directly from the Defender portal&#39;s Tenant Allow/Block List, and those entries flow through to the Teams Admin Center blocked domains and users list. Blocking is near-real-time: new external chat messages, meeting invites, and channel communications from a flagged organization are halted and existing messages from those senders are removed. For a SOC this closes a response gap — when a Teams-based phishing or impersonation campaign is identified, you can shut down the abusing external org from the same console you triage email in instead of pivoting to Teams admin. It shipped in the January/early-February updates and rolls out to tenants from mid-February. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;Defender for Office 365 what&#39;s new&lt;/a&gt;, &lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-teams-domains-configure&quot;&gt;Block domains and addresses in Teams&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two Teams post-delivery protections that were previously reserved for Defender for Office 365 Plan 2 became available to Plan 1 by default: zero-hour auto purge (ZAP) for Teams, which retroactively removes messages found malicious after delivery, and admin management of quarantined Teams messages from the Defender portal. This brings a post-delivery safety net to Plan 1 tenants — malicious Teams messages that slip past initial filtering can be auto-purged or pulled from quarantine without a Plan 2 license. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;Defender for Office 365 what&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;The Sentinel-to-Defender move is the piece to internalize this week. The 30 January extension to 31 March 2027 buys planning time, not a reprieve: net-new SIEM capability — Security Copilot, the data lake and graph, attack disruption across sources like AWS and Proofpoint, and future SOAR and case-management work — ships in the Defender portal only, and the Azure-portal experience is now legacy. Analytics rules, playbooks, workbooks, and the underlying Log Analytics workspace all carry forward, but the unified RBAC (URBAC) groundwork sits on the critical path, so the practical takeaway for interns is to get fluent in the Defender portal now rather than at cutover. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two identity-hardening changes bracket the window. Alongside the Conditional Access enforcement change above, Microsoft began rolling out jailbreak/root detection for Microsoft Entra credentials in the Microsoft Authenticator app from February 2026, progressing from warning mode to blocking mode — users on jailbroken or rooted devices will eventually be unable to use Entra accounts in Authenticator. Both changes raise the baseline for how much a compromised or tampered client can do, and both are worth flagging to users before the prompts and blocks appear. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra what&#39;s new&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;No scheduled Microsoft Patch Tuesday fell in this window — the January 2026 updates released on 13 January and February&#39;s land on 10 February — but the lull wasn&#39;t quiet. On 26 January Microsoft shipped an out-of-band emergency patch for CVE-2026-21509, an actively exploited Office security-feature-bypass zero-day (CVSS 7.8) that bypasses the OLE mitigations protecting users from vulnerable COM/OLE controls. Exploitation needs a user to open a specially crafted Office file — the Preview Pane isn&#39;t an attack vector — and it affects Microsoft 365 Apps and Office 2016 through LTSC 2024. CISA added it to the Known Exploited Vulnerabilities catalog with a 16 February federal patch deadline. Use the gap between cycles to confirm both January&#39;s fixes and this out-of-band Office update are fully deployed across the estate — Defender Vulnerability Management will show which devices are still exposed — and to stage patch-verification and hunting for the 10 February release. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>January 19 – January 26, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-01-26-week/" />
    <updated>2026-01-26T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-01-26-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft published a dedicated deep-dive bringing the AI-powered SIEM migration experience&#39;s QRadar-to-Sentinel support into public preview, extending the Splunk support shown at Ignite 2025. Beyond syntax translation it does intent-based mapping of legacy detections onto out-of-the-box Sentinel analytics, flags missing data connectors so coverage isn&#39;t lost, and structures the move across four pillars: discovery and planning, detections, data sources, and validation. Microsoft cites up to a 50% cut in migration time against the 15 months a legacy SIEM migration can take, and eligible customers can get hands-on help through the Cloud Accelerate Factory program for both Splunk and QRadar. If your org is retiring QRadar, this is the guided path onto Sentinel&#39;s cloud-native SIEM — the same feature the January &amp;quot;what&#39;s new&amp;quot; flagged, now with the full walkthrough. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/accelerate-your-move-to-microsoft-sentinel-with-the-new-ai-powered-siem-migratio/4488505&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Office 365 now lets admins block malicious external senders and domains in Microsoft Teams directly from the Defender portal, with the block propagating into the Teams Admin Center blocked-domains-and-users list. When you spot an abusive external org, the block halts new external chats, invites, and channel messages from those senders in near real time and deletes existing ones — so SOC teams no longer have to bounce to a separate admin console mid-incident to cut off a Teams-based phishing sender. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Office 365&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft also extended two Teams protections to Defender for Office 365 Plan 1: zero-hour auto-purge (ZAP) for Teams messages and admin management of quarantined Teams messages are now on by default for Plan 1. That brings a post-delivery layer to lower-tier tenants — malicious Teams messages can be retroactively pulled after delivery, and analysts can triage quarantined Teams content from the portal. Worth knowing which SKU a tenant runs, because this changes what post-delivery Teams response you can expect on shift. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-office-365/defender-for-office-365-whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Office 365&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Microsoft Sentinel solution for SAP BTP gained new built-in analytics rules this month, expanding detection coverage across the SAP control plane and identity surface. The additions flag unauthorized changes to SAP Integration Suite artifacts and data sources, user deletions and SAML/OIDC config changes in SAP Cloud Identity Service, mass role deletions in SAP Build Work Zone, and gaps or disruptions in BTP audit logging that could hide stealthy activity. If your estate includes SAP BTP, these are ready-to-enable detections for high-risk integration, identity, and audit-tampering activity. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s UEBA surfaced further in the Defender portal this month: a new home-page UEBA widget (preview) gives analysts immediate visibility into anomalous user behavior without opening a separate page, and you can now enable UEBA for a supported source directly from the data connector configuration rather than a separate settings blade, which prevents coverage gaps when onboarding new connectors. Both build on the UEBA behaviors layer from the January release and shorten the path from &amp;quot;connector on&amp;quot; to &amp;quot;behavior visible during triage.&amp;quot; (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Sentinel team continued its Automating Microsoft Sentinel blog series with Part 4, a hands-on walkthrough of building a playbook from scratch: the incident, alert, and entity trigger types, running playbooks as managed identities, the Logic Apps designer flow, and when to build your own instead of pulling a prebuilt playbook from the Content Hub. It&#39;s a practical primer for interns getting started with SOAR in Sentinel. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/automating-microsoft-sentinel-a-blog-series-on-enabling-smart-security/4487260&quot;&gt;Microsoft Sentinel Blog&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Defender researchers detailed a resurgent multi-stage adversary-in-the-middle (AiTM) phishing and BEC campaign hitting multiple energy-sector organizations. The attackers abused SharePoint file-sharing to deliver phishing links, used AiTM to steal session tokens and bypass MFA, then created inbox rules to hide their activity and rode the compromised, trusted internal identities to run large-scale intra-org and external phishing; they even read and replied to recipients who questioned the emails&#39; authenticity before deleting the exchange to stay hidden. On shift the takeaway is that remediation has to go past a password reset and MFA re-registration — revoke active sessions, hunt for and remove malicious inbox and forwarding rules, and check the mailbox for onward phishing before closing the incident. The campaign&#39;s reliance on trusted collaboration surfaces (SharePoint, OneDrive, and Teams) is exactly why this month&#39;s Teams sender-blocking and ZAP-to-Plan-1 changes matter. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/01/21/multistage-aitm-phishing-bec-campaign-abusing-sharepoint/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;No Microsoft Patch Tuesday fell in this window. The January 2026 security updates released on 13 January — including the actively exploited Desktop Window Manager flaw CVE-2026-20805 and critical SharePoint Server, RRAS, and LSASS RCEs — so if any of those are still unpatched in your fleet, they remain the priority; February&#39;s updates land on 10 February. Use Defender Vulnerability Management to confirm which devices are still exposed to the January CVEs rather than assuming the cumulative update reached everything. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;A pattern in this month&#39;s releases worth internalizing: the net-new SOC features — the Teams sender blocking, the UEBA home-page widget, playbook authoring — all land in the Defender portal, not the Azure portal. Microsoft has confirmed the Azure-portal Sentinel experience is on a path to retirement, with new capabilities shipping only in the unified Defender portal. Treat the Defender portal as where your day-to-day SecOps work lives and get comfortable there now. (&lt;a href=&quot;https://learn.microsoft.com/en-us/unified-secops-platform/whats-new&quot;&gt;What&#39;s new for Microsoft&#39;s unified security operations&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>January 12 – January 19, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-01-19-week/" />
    <updated>2026-01-19T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-01-19-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;13 Jan 2026&lt;/strong&gt; — January Patch Tuesday shipped fixes for roughly 113 CVEs (trackers count 112–114 depending on how third-party items are tallied), including CVE-2026-20805, a Desktop Window Manager information-disclosure flaw Microsoft reports as exploited in the wild, plus two other publicly disclosed zero-days. The DWM bug scores only CVSS 5.5, but info-leak flaws like it are typically chained to defeat ASLR and turn an unreliable memory-corruption exploit into a repeatable one, so don&#39;t deprioritise it on score alone. Deploy the January cumulative update across your Windows fleet and use Defender Vulnerability Management to confirm which devices are still exposed. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft Sentinel now supports ingesting Microsoft Defender for Office 365 (MDO) and Defender for Cloud Apps tables directly into the Sentinel data lake tier, extending the direct ingestion previously available for Defender for Endpoint. You select the data lake tier when configuring retention in the built-in table management experience in the Defender portal, keeping long-term email and cloud-app telemetry available for historical hunting without paying analytics-tier cost. On shift this means cheaper, longer-window hunts over MDO and cloud-app signals that would otherwise age out. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-january-2026/4486109&quot;&gt;What&#39;s new in Microsoft Sentinel: January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The AI-powered SIEM migration experience now supports QRadar-to-Sentinel migrations, adding to existing Splunk support. It maps detection rules and enables the required data connectors so teams can move to Sentinel&#39;s cloud-native SIEM with less manual rewriting, and eligible customers can get free migration help through the Cloud Accelerate Factory program. Relevant if your org is consolidating or retiring a legacy SIEM onto Sentinel. (A dedicated deep-dive followed the next week — see the 19–26 Jan issue.) (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-january-2026/4486109&quot;&gt;What&#39;s new in Microsoft Sentinel: January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s new UEBA behaviors layer is in public preview. It sits between raw logs and alerts, aggregating and sequencing high-volume telemetry into human-readable &amp;quot;behaviors&amp;quot; that describe who did what to whom, each mapped to MITRE ATT&amp;amp;CK tactics and techniques — for example, &amp;quot;Inbound remote management session from external address&amp;quot; summarising many raw events. Preview coverage includes AWS CloudTrail, CommonSecurityLog (CyberArk Vault, Palo Alto Threats), and GCPAuditLogs, and it can be enabled independently of UEBA anomaly detection. For analysts, it cuts the time spent reconstructing an entity&#39;s activity from individual raw events during triage and hunting. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-january-2026/4486109&quot;&gt;What&#39;s new in Microsoft Sentinel: January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;UEBA also got easier to turn on and see. You can now enable UEBA for supported data sources directly from the data connector configuration page (preview), instead of navigating to a separate settings page — which reduces the coverage gaps that appear when a new connector goes live but never gets wired into UEBA. Separately, the Defender portal home page gains a UEBA widget (preview) that surfaces anomalous user behavior up front so analysts spot which identities to prioritise without hunting for it. Both are small workflow wins that make the behavioral signal show up where analysts already work. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud Apps permissions are now integrated with Microsoft Defender XDR Unified RBAC, available worldwide. Instead of managing cloud-app-security roles separately, admins grant Defender for Cloud Apps access through the same unified role model as the rest of Defender XDR. For a SOC this is the fix for the recurring &amp;quot;why can&#39;t I see cloud-app alerts&amp;quot; access confusion after unified-portal onboarding — check that your analyst roles carry the right Unified RBAC permissions. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---january-2026/4484885&quot;&gt;Defender XDR — Monthly news, January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender for Cloud Apps app governance added an unused-app insights capability (now available for most commercial customers) that flags Microsoft 365-connected OAuth apps that are no longer used, so admins can review and remove them under policy-based governance, with advanced-hunting queries to back the review. Stale, over-permissioned OAuth app registrations are a well-worn persistence and data-exfiltration path, so pruning dormant ones shrinks a real attack surface. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---january-2026/4484885&quot;&gt;Defender XDR — Monthly news, January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Custom detection rules in Microsoft Defender now support Near-Real-Time (NRT) frequency on Microsoft Sentinel data (preview). Detection engineers can run KQL custom detections that key off Sentinel-ingested tables at NRT cadence rather than waiting for the standard scheduled interval, tightening the gap between a logged event and an alert for time-sensitive detections. Worth knowing when you&#39;re deciding whether a rule needs NRT or can live on the normal schedule. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft Entra reached general availability for service-principal creation audit logs built for alerting and monitoring. New audit-log properties surface &lt;em&gt;why&lt;/em&gt; a service principal was created and &lt;em&gt;who or what&lt;/em&gt; triggered it — the provisioning mechanism, the SKUs or service plans that enabled just-in-time creation, and the home tenant of the app registration — letting you distinguish Microsoft-driven provisioning from tenant-driven activity. Newly created service principals are a classic identity-persistence vector, so this makes the &amp;quot;unexpected app/SP appeared&amp;quot; hunt far cleaner. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Advanced Security Information Model (ASIM) received a schema refresh that aligns all ASIM schemas to the latest standard, following ASIM reaching general availability in September. Consistent normalization matters because detections, hunting queries, and workbooks built on ASIM parsers behave predictably across data sources; review any custom parsers or queries that assumed older field shapes. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-january-2026/4486109&quot;&gt;What&#39;s new in Microsoft Sentinel: January 2026&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Sentinel solution for SAP BTP gained new built-in analytics rules that expand detection over high-risk control-plane, integration, and identity activity — unauthorized changes to Integration Suite artifacts and data sources, Cloud Identity Service user deletions and SAML/OIDC config changes, mass role deletions in Build Work Zone, and audit-logging gaps. Only relevant if your estate runs SAP BTP, but if it does, this is meaningful new coverage to enable from Content hub. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Beyond the exploited DWM flaw, January Patch Tuesday included eight Critical vulnerabilities, most of them remote code execution, and three zero-days in total. Of particular interest to a Microsoft estate are critical RCEs in Windows Routing and Remote Access Service (RRAS), LSASS, and SharePoint Server — the SharePoint on-premises RCE is worth flagging to server owners given the ongoing history of internet-facing SharePoint being targeted. Pair the patch push with a Defender Vulnerability Management sweep so you can evidence remediation rather than assume it. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Defender-portal migration clock got a concrete update this month: Microsoft now says Sentinel in the Azure portal will be retired after 31 March 2027, with remaining customers redirected to the Defender portal (this replaces the earlier July 2026 date). Sentinel is already GA in the unified Defender portal, including for tenants without Defender XDR or an E5 license, so the runway is real but finite — if your team still lives in the Azure portal, treat 2026 as planning-and-migration time rather than waiting for a forced cutover. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;What&#39;s new in Microsoft Sentinel&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;For threat hunters, the January Defender XDR monthly news recapped a batch of advanced-hunting upgrades that GA&#39;d around the turn of the year: the hunting graph is now generally available with new predefined threat scenarios that render a hunt as an interactive graph, and advanced hunting now supports custom functions with tabular parameters, letting you pass whole tables as inputs to build modular, reusable KQL. Both are quality-of-life gains that make complex, repeatable hunts easier to write and share across the team. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---january-2026/4484885&quot;&gt;Defender XDR — Monthly news, January 2026&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>January 5 – January 12, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-01-12-week/" />
    <updated>2026-01-12T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-01-12-week/</id>
    <content type="html">&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;Microsoft launched the Microsoft Defender Experts Suite, a bundled managed-services offering that combines Defender Experts for XDR (24x7 managed detection and response plus Defender Experts for Hunting), Microsoft Incident Response (proactive and reactive), and Enhanced Designated Engineering — a designated Microsoft security advisor. It&#39;s positioned for organizations that co-source SOC work rather than a new product capability, and eligible customers can save up to 66% on the suite during 2026. If your org buys in, expect triage, hunting leads, and posture recommendations to arrive from Defender Experts inside the Defender portal, so know who owns escalations before an incident hits. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/01/06/introducing-the-microsoft-defender-experts-suite-elevate-your-security-with-expert-led-services/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Microsoft also outlined refreshed Microsoft Incident Response proactive services — IR planning, readiness assessments, simulation exercises, and advisory work meant to build resilience before a breach. These are the engagements that produce the runbooks, tabletop findings, and response playbooks an analyst actually executes during a live incident, so it&#39;s worth knowing whether your environment has been through one. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/01/07/explore-the-latest-microsoft-incident-response-proactive-services-for-enhanced-resilience/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;January&#39;s Microsoft Defender for Identity update adds a large batch of new detection alerts, most of them squarely in scope for a SOC watching hybrid-identity attacks. On the Entra ID side they include a possible adversary-in-the-middle (AiTM) attack (ConsentFix), OAuth code theft through consent abuse, skipped MFA on a remembered device from an uncommon ISP, and suspicious sign-ins tied to the Entra ID sync application. On the Active Directory side they cover Pass-the-Ticket (now generally available), AD Certificate Services enumeration, AD enumeration via ADWS, suspicious NTLM authentication, Kerberoasting via a stealthy LDAP search, and a suspicious Kerberos TGT-request-using-TGS-REQ. Expect these to surface as new alert titles in the Defender portal incident queue; review your suppression and automation rules so the new detections aren&#39;t unintentionally muted. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-for-identity/whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Identity&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Also in the January Defender for Identity release, the Identity inventory enhancements reached general availability. A new Accounts tab consolidates every account tied to a single identity — Active Directory, Microsoft Entra ID, and supported non-Microsoft providers — you can manually link or unlink accounts to correct correlation, and you can now run identity-level remediation (disable accounts, reset passwords) across the linked accounts from one place. Advanced hunting gains the matching &lt;code&gt;IdentityAccountInfo&lt;/code&gt; table so you can pivot from an account to the owning identity in KQL. The same release adds new posture assessments worth running against AD: stale accounts (no logon in 90 days), Entra ID privileged users who are &lt;em&gt;also&lt;/em&gt; privileged in AD, service accounts sitting in privileged groups, and accounts in built-in Operator groups. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-for-identity/whats-new&quot;&gt;What&#39;s new in Microsoft Defender for Identity&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;On the Entra side, service principal creation audit logs for alerting and monitoring reached general availability this month. New audit-log properties surface &lt;em&gt;why&lt;/em&gt; a service principal was created and &lt;em&gt;who or what&lt;/em&gt; triggered it — the provisioning mechanism, the specific SKUs or service plans that enabled just-in-time creation, and the home tenant of the app registration. That lets you distinguish Microsoft-driven provisioning from tenant-driven activity when a newly created service principal shows up, which is exactly the signal you want when hunting for consent-grant abuse and rogue app registrations. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Entra Conditional Access also tightened enforcement this month: policies that target All resources with one or more resource exclusions (or that explicitly target Azure AD Graph) will now be enforced in a narrow set of sign-in flows where the client requests only OIDC or specific directory scopes — flows that previously slipped past those policies. It&#39;s a security-strengthening change, but if you rely on resource-exclusion CA policies, review them now so the newly-enforced behavior doesn&#39;t surprise you with unexpected blocks. (&lt;a href=&quot;https://learn.microsoft.com/en-us/entra/fundamentals/whats-new&quot;&gt;Microsoft Entra releases and announcements&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;For detection engineers, custom detection rules in Microsoft Defender now support Near Real-Time (NRT) frequency on Microsoft Sentinel data (public preview), extending continuous NRT scheduling to rules that run over Sentinel tables. NRT closes the gap between an event landing and a detection firing for the highest-priority queries, so it&#39;s a candidate for your most time-sensitive Sentinel-backed custom detections rather than a blanket default. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;What&#39;s new in Microsoft Defender XDR&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Microsoft Threat Intelligence published analysis of phishing actors abusing complex mail-routing scenarios and misconfigured spoof protections to deliver messages that appear to be sent internally (same address in the To and From fields). This is not a Direct Send vulnerability: it only affects tenants whose MX records are &lt;em&gt;not&lt;/em&gt; pointed directly to Office 365 and that haven&#39;t strictly enforced spoof protections. Most campaigns ride the Tycoon2FA phishing-as-a-service platform (AiTM, MFA-bypass), with voicemail, password-expiry, HR, and fake-invoice/BEC lures. The fix is strict DMARC reject plus SPF hard fail (not soft fail) and correctly configured third-party connectors with enhanced filtering; on the detection side the post ships ready-to-run &lt;code&gt;EmailEvents&lt;/code&gt; and ASIM (&lt;code&gt;_Im_NetworkSession&lt;/code&gt; / &lt;code&gt;_Im_WebSession&lt;/code&gt;) hunting queries plus IOCs — worth running against your workspace and checking header values like &lt;code&gt;reason=905&lt;/code&gt;/&lt;code&gt;reason=451&lt;/code&gt; and &lt;code&gt;compauth=fail&lt;/code&gt;. (&lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/01/06/phishing-actors-exploit-complex-routing-and-misconfigurations-to-spoof-domains/&quot;&gt;Microsoft Security Blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two threads tie this week&#39;s identity news together on the Defender-portal side. The new Defender for Identity alerts and the GA identity inventory both live in the unified Microsoft Defender portal, and the ConsentFix/OAuth-consent-abuse detections above map directly onto the same AiTM and MFA-bypass tradecraft that the MTI phishing post describes — so a Tycoon2FA-style intrusion should now light up both the email and the identity sides of an incident. If your team still triages Entra sign-in risk and identity alerts in separate consoles, the January releases are another nudge to consolidate the investigation in the unified portal where the account-to-identity correlation and remediation actions now live.&lt;/p&gt;
&lt;p&gt;Heads-up for next shift: January Patch Tuesday lands Tuesday 13 Jan 2026, one day outside this window — review the release notes and prioritize any actively exploited Microsoft CVEs across your estate. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
  <entry>
    <title>December 29, 2025 – January 5, 2026</title>
    <link href="https://soc-brief.pages.dev/briefs/2026-01-05-week/" />
    <updated>2026-01-05T00:00:00Z</updated>
    <id>https://soc-brief.pages.dev/briefs/2026-01-05-week/</id>
    <content type="html">&lt;h2&gt;Act by&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;1 Jul 2026&lt;/strong&gt; — Microsoft Sentinel standardizes how account entities are named in incidents and alerts. The &lt;code&gt;Account&lt;/code&gt; value now resolves by priority: UPN prefix (the part before &lt;code&gt;@&lt;/code&gt;), then Name, then Display Name. This can break analytics rules, automation rules, playbooks, workbooks, and hunting queries that key off the old value. Audit your detections and automation now, and rewrite lookups to be precedence-aware, e.g. &lt;code&gt;coalesce(Account.UPNprefix, Account.Name, Account.DisplayName)&lt;/code&gt;, testing in a non-production workspace first. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What changed&lt;/h2&gt;
&lt;p&gt;The 29 December – 5 January holiday window itself produced no dated in-scope posts on the Microsoft Sentinel, Defender XDR, Entra, MSRC, or Microsoft Security blogs — Microsoft&#39;s end-of-year wrap-ups landed earlier in December. The substantive news a returning SOC meets this week is in Microsoft&#39;s January 2026 what&#39;s-new pages, which carry these items without pinpoint dates; they are grouped here as the earliest January issue.&lt;/p&gt;
&lt;p&gt;Microsoft moved the retirement date for Microsoft Sentinel in the Azure portal to 31 March 2027 — a push out from the previously stated July 2026. Sentinel is generally available in the unified Defender portal (including for customers without Defender XDR or an E5 license), and after that date the Azure-portal experience will no longer be supported and remaining users are redirected. The later date buys planning room, but the direction is fixed: if your team still runs Sentinel in the Azure portal, use the quiet period to scope the move to the Defender portal rather than treat the deadline as far off. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s UEBA behaviors layer entered public preview. Instead of anomaly scores, it aggregates and sequences raw, high-volume logs into human-readable behaviors — for example &amp;quot;Inbound remote management session from external address&amp;quot; — each mapped to MITRE ATT&amp;amp;CK tactics and traceable back to the underlying events. It can be enabled independently of UEBA anomaly detection, and the preview supports AWS CloudTrail, CommonSecurityLog (CyberArk Vault, Palo Alto Threats), and GCP audit logs. For an analyst, this turns &amp;quot;who did what to whom&amp;quot; from a manual log-correlation exercise into a starting point for investigation and detection. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Two smaller UEBA quality-of-life changes shipped alongside it: a UEBA widget on the Defender portal home page (preview) that surfaces anomalous user behavior up front, and the ability to enable UEBA directly from a data connector&#39;s configuration page (preview) so you onboard a source to UEBA in the same step you connect it, closing the coverage gaps that come from a separate configuration screen. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Defender XDR added Near Real-Time (NRT) frequency for custom detection rules that run on Microsoft Sentinel data (preview), so a detection built on Sentinel tables can fire close to event time rather than on the standard scheduled cadence — useful for the identity and access patterns where minutes matter. In advanced hunting, the &lt;code&gt;BehaviorInfo&lt;/code&gt; and &lt;code&gt;BehaviorEntities&lt;/code&gt; tables gained additional columns tying UEBA behaviors to their related alerts and entities, and queries that exceed the 64-MB result limit now return a partial result set with a clear truncation notice instead of failing outright. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Sentinel&#39;s solution for SAP BTP picked up new analytics rules spanning the Integration Suite, Cloud Identity Service, Build Work Zone, and BTP audit logging — covering unauthorized changes to integration artifacts, risky identity and SAML/OIDC configuration changes, mass role deletions, and audit-log ingestion gaps. Niche unless you run SAP BTP, but if you do it closes real control-plane and identity blind spots. (&lt;a href=&quot;https://learn.microsoft.com/en-us/azure/sentinel/whats-new&quot;&gt;Microsoft Learn&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;Worth knowing&lt;/h2&gt;
&lt;p&gt;Returning from the break, the thing worth catching up on is December&#39;s Security Copilot agent wave in Defender. The Threat Intelligence Briefing Agent reached general availability (tailored threat briefings generated in minutes from actor activity plus internal and external vulnerability data); the Threat Hunting Agent (preview) runs full natural-language hunting sessions — generating queries, interpreting results, and surfacing insights conversationally; and the Dynamic Threat Detection Agent (preview) is an always-on backend service that looks for missed threats across Defender and Sentinel. Sentinel&#39;s MCP server also became consumable from GitHub Copilot, Copilot Studio, Microsoft Foundry, and ChatGPT agent builders, and Defender for Endpoint data can now flow directly into the Sentinel data lake. Know which of these your org has turned on before you lean on an agent&#39;s verdict. (&lt;a href=&quot;https://learn.microsoft.com/en-us/defender-xdr/whats-new&quot;&gt;Microsoft Defender XDR&lt;/a&gt;, &lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-in-microsoft-sentinel-december-2025/4477063&quot;&gt;Microsoft Sentinel blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;The Defender-portal migration remains the background theme into 2026, and the practical snag after onboarding is almost always permissions. A useful read from just before this window walks through how Sentinel and Defender XDR permissions map together in the unified portal — the most common source of &amp;quot;why can&#39;t I see this incident&amp;quot; confusion once a workspace is onboarded. Pair it with the 31 March 2027 Azure-portal retirement date above when you plan the move. (&lt;a href=&quot;https://techcommunity.microsoft.com/blog/microsoftsentinelblog/managing-microsoft-sentinel-and-microsoft-defender-xdr-permissions-in-microsoft-/4480583&quot;&gt;Microsoft Sentinel blog&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;No Patch Tuesday falls in this window. The January 2026 security update release lands on the second Tuesday, 13 January, so expect the monthly Microsoft CVE batch — and any actively-exploited items — next week rather than this one. Use the quiet shift to confirm your update-ring and emergency-patch process is ready before the first release of the year. (&lt;a href=&quot;https://msrc.microsoft.com/update-guide/releaseNote/2026-Jan&quot;&gt;MSRC Security Update Guide&lt;/a&gt;)&lt;/p&gt;
</content>
  </entry>
</feed>