Microsoft is kicking off March 2026 (see February 2026) with a packed slate of security updates across Microsoft Defender, Sentinel, and Copilot, giving SOC teams new AI‑driven tools, better visibility, and more unified experiences for cloud and endpoint protection.
Unified Defender and Sentinel experiences
Microsoft is expanding Microsoft Defender for Cloud into the Defender portal in public preview, moving toward a unified security experience across cloud and code environments. Some Defender for Cloud capabilities are already exposed in the Defender portal today, with additional features set to roll out over time once admins enable the preview experience in XDR. This month’s changes are summarized in the “Monthly news – March 2026” post on the Microsoft Defender XDR Blog, which pulls together all the February 2026 updates in one place for security teams.
Microsoft Sentinel also gains several important updates. The sunset date for managing Sentinel in the Azure portal has been extended to March 31, 2027, giving customers extra time to fully transition to the modern experience. In addition, an upcoming Sentinel update will standardize Account Name handling in analytics, incidents, and automation: starting July 1, 2026, UPN‑based mappings will show only the prefix as “Account Name,” with new fields breaking out the full UPN and suffix for clearer identity context.
AI-powered automation and Copilot data
AI is playing a larger role in security operations this month. A new SOAR playbook generator in Microsoft Sentinel (public preview) lets teams generate Python‑based automation workflows through a conversational experience with Cline, an AI coding agent, turning natural language prompts into ready‑to‑use playbooks. Microsoft is also introducing a new Microsoft Copilot Data Connector for Sentinel in public preview, allowing audit logs and Copilot activity to flow into Sentinel and its data lake so that security teams can build detections, dashboards, and automations around AI usage patterns.

On the guided response side, Custom Guidebooks for Copilot in Microsoft Defender are now generally available, enabling organizations to upload their own standard operating procedures and have Copilot’s guided responses follow internal playbooks instead of generic defaults. A new Custom Guidebooks settings page in the Defender portal lets security teams upload SOP documents, review the parsed tasks, and approve them so guided response steps stay aligned with their own investigation and remediation processes.
Sentinel UEBA, connectors, and data lake enhancements
Behavior analytics in Microsoft Sentinel takes a major step forward this month. The UEBA behaviors layer is now generally available, converting high‑volume, raw security logs into clear, human‑readable behavioral insights that explain “who did what to whom” without requiring manual correlation. The layer sequences related events into normalized patterns, helping analysts quickly understand risky user or entity activity.
To make those insights usable from day one, Microsoft is shipping a new behaviors workbook as part of the UEBA Essentials solution for Sentinel. The workbook offers guided views and prebuilt analytics tailored to three core SOC workflows, turning UEBA data into practical dashboards and detections instead of just raw tables. At the same time, Sentinel’s codeless connector framework (CCF) Push feature is in public preview, enabling partners and customers to push security data into Sentinel without custom code so teams can see and respond to threats in near real‑time.
Advanced hunting and data lake capabilities are also evolving. Lake‑only ingestion for Microsoft Defender Advanced Hunting tables is now generally available, allowing customers to ingest advanced hunting data directly into the Sentinel data lake without also sending it into the Sentinel Analytics tier. This helps organizations control costs while still keeping rich telemetry available for hunting, analytics, and long‑term investigations.
Defender for Endpoint, Vulnerability Management, Identity, and Office 365
Endpoint and vulnerability management teams get several long‑requested improvements. Library Management for Live Response in Microsoft Defender is now in public preview, allowing teams to centrally manage scripts and files for live response sessions directly in the Defender portal instead of handling them ad‑hoc during investigations. The new Effective Settings report for device security settings has reached general availability, giving admins a clear view of the actual enforced configuration on each device, including the winning source for each setting and any configuration attempts that were not applied.
Defender Vulnerability Management also gains broader coverage and a refreshed experience. The former “Vulnerable components” page has been renamed “Software components” to reflect its expanded scope across all software components detected in an environment. Microsoft now collects software product vulnerability data for Windows 7 devices as well, extending coverage across all supported Windows versions. To simplify change tracking, the “what’s new” and OS‑specific release notes have been consolidated: a renamed “New features in Microsoft Defender for Endpoint” page lists new capabilities alongside links to the latest release notes, while a unified release notes page now groups Defender updates by platform and date.
On the identity and collaboration front, Microsoft is highlighting a recorded webinar, “Identity Control Plane Under Attack: Consent Abuse and Hybrid Sync Risks,” which walks through how attackers abuse legitimate authentication flows to gain access without stealing passwords, and how Defender for Identity helps protect Entra Connect Sync and Cloud Sync as Tier‑0 assets. Defender for Office 365 is expanding user reporting in Microsoft Teams for Plan 1 customers, allowing users to report external and internal Teams messages as malicious directly from chats, channels, and meeting conversations using user‑reported message settings.
Finally, Defender for Cloud Apps customers should prepare for Secure Score changes in March 2026: Microsoft is updating security recommendation categories to improve accuracy, which may shift both identity and app Secure Scores as the new categorization rolls out.