Blog Post

Microsoft Defender XDR Blog
3 MIN READ

Monthly news - January 2026

HeikeRitter's avatar
HeikeRitter
Icon for Microsoft rankMicrosoft
Jan 13, 2026

Microsoft Defender
Monthly news - January 2026 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 

🚀 New Virtual Ninja Show episode:

Microsoft Defender

  • (Public Preview) The following advanced hunting schema tables are now available for preview:
    • The CampaignInfo table contains contains information about email campaigns identified by Microsoft Defender for Office 365
    • The FileMaliciousContentInfo table contains information about files that were processed by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams
  • General Availability of the Phishing Triage Agent: this agent autonomously analyzes user‑reported phishing emails to determine whether they’re true threats or false positives, dramatically reducing manual triage workload. It continuously learns from analyst feedback and provides clear, natural‑language explanations for every verdict, giving SOC teams both speed and transparency. We're excited to share it is now generally available and, very soon, will expand to also triage cloud and identity alerts! Learn more on our docs.
  • Public Preview of Dynamic Threat Detection Agent: Announced at Ignite, this always‑on agent hunts for unseen threats by continuously correlating telemetry and creating new, context‑aware detections on the fly—closing gaps traditional rules can’t see. We're excited to share it is now in Public Preview! Learn more on our docs
  • Public Preview of Threat Hunting Agent: Announced at Ignite, this agent gives every analyst the power to investigate like an expert by turning natural‑language questions into guided, real‑time hunts that surface hidden patterns, reveal meaningful pivots, and eliminate the need to write complex queries. We're excited to share it is now in Public Preview! Learn more on our docs.
  • General Availability of the Threat Intelligence Briefing Agent: this agent delivers daily, tailored intelligence briefings directly in Microsoft Defender—automatically synthesizing Microsoft’s global threat insights with your organization’s context to surface prioritized risks, clear recommendations, and relevant assets so teams can shift from reactive research to proactive defense in minutes. We're excited to share it is now generally available! Learn more on our docs.
  • (General Availability) The hunting graph in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs.
  • (General Availability) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. Learn more

Microsoft Defender for Endpoint

  • (Public Preview) Triage collection: Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server.

Microsoft Defender for Identity

  • New ADWS LDAP search activity is now available in the 'IdentityQueryEvents' table in Advanced Hunting. This can provides visibility into directory queries performed through ADWS, helping customers track these operations and create custom detection based on this data.
  • (Public Preview) New properties for 'sensorCandidate' resource type in Graph-API. Learn more here.

Microsoft Defender for Cloud Apps

Updated Jan 13, 2026
Version 1.0
defender news
microsoft defender xdr
ninja training
xdr