Microsoft Defender XDR Blog
Monthly news - February 2025

HeikeRitter (Microsoft)
Feb 03, 2025
Microsoft Defender XDR
Monthly news
February 2025 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at everything from January 2025. Defender for Cloud has its own Monthly News post; have a look at their blog space.
 
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
 

(Public Preview) Creating a unified, security-focused case management system. We are excited to be introducing a new solution for case management, built specifically for SecOps teams, and integrated into the experience of Microsoft Sentinel and Defender XDR in the unified SecOps platform. With new case management functionality, available for any customer who has Microsoft Sentinel, customers can benefit from a purpose-built approach to managing and collaborating across security cases. 

 

 

(Public Preview) Device activity events from Microsoft Sentinel's device entity pages are now visible in the Timeline tab on the Device entity page in the Defender portal, in addition to remaining visible on the Sentinel events tab.

These device activity events now include blocked, dropped, or denied network traffic originating from a given device.

  (Public Preview) Users with provisioned access to Microsoft Purview Insider Risk Management can now view and manage insider risk management alerts and hunt for insider risk management events and behaviors in the Microsoft Defender portal. For more information, see Investigate insider risk threats in the Microsoft Defender portal with insights from Microsoft Purview Insider Risk Management.
 

(Generally Available) Advanced hunting context panes are now available in custom detection experiences. This allows you to access the advanced hunting feature without leaving your current workflow.

  • For incidents and alerts generated by custom detections, you can select Run query to explore the results of the related custom detection.
  • In the custom detection wizard's Set rule logic step, you can select View query results to verify the results of the query you are about to set.
 

(Generally Available) The Link to incident feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in Defender XDR advanced hunting, you can now specify whether an entity is an impacted asset or related evidence.

 

(Generally Available) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now generally available in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact on your resource usage, and should thus be considered for any qualified custom detection rule in your organization. Migrate compatible KQL queries by following the steps in Continuous (NRT) frequency.

 

 

Microsoft Sentinel

 

Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience. Learn more on our docs.

  Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables. Tables supporting the new STIX object schema are in private preview. To view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with this form. Through that opt-in process you can ingest your threat intelligence into the new tables, ThreatIntelIndicator and ThreatIntelObjects, alongside or instead of the current table, ThreatIntelligenceIndicator.

For more information, see the blog announcement New STIX objects in Microsoft Sentinel.

 

Threat intelligence upload API now supports more STIX objects. 

The upload API supports the following STIX objects:

  • indicator
  • attack-pattern
  • identity
  • threat-actor
  • relationship
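
As an added example that is not part of the original post, the following Python builds a small batch containing each of the five object types listed above, checks it against those constraints before sending, and shows how a batch would be posted to the upload API. The endpoint URL, API version, request body field names (sourcesystem, stixobjects) and the 100-object-per-request limit are my reading of the public API reference at the time of writing and should be confirmed there; the workspace ID, bearer token, feed name and all threat data are constructed placeholders, not real intelligence.

```python
import json
import urllib.request
import uuid
from datetime import datetime, timezone

# STIX object types the upload API accepts, as listed in the post.
SUPPORTED_TYPES = {"indicator", "attack-pattern", "identity", "threat-actor", "relationship"}

# Assumed from the public API reference (confirm before use): endpoint, API
# version, body field names and the per-request object limit.
UPLOAD_URL = ("https://sentinelus.azure-api.net/workspaces/{workspace_id}"
              "/threat-intelligence-stix-objects:upload?api-version=2024-02-01-preview")
MAX_OBJECTS_PER_REQUEST = 100


def _base(obj_type, obj_id=None):
    """Common STIX 2.1 fields; a random v4 UUID id unless the caller supplies one."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": obj_type, "spec_version": "2.1",
            "id": obj_id or f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts}


def indicator(name, pattern, obj_id=None):
    o = _base("indicator", obj_id)
    o.update({"name": name, "pattern": pattern, "pattern_type": "stix",
              "valid_from": o["created"]})
    return o


def attack_pattern(name, mitre_id, obj_id=None):
    o = _base("attack-pattern", obj_id)
    o.update({"name": name, "external_references": [
        {"source_name": "mitre-attack", "external_id": mitre_id}]})
    return o


def identity(name, identity_class="organization", obj_id=None):
    o = _base("identity", obj_id)
    o.update({"name": name, "identity_class": identity_class})
    return o


def threat_actor(name, obj_id=None):
    o = _base("threat-actor", obj_id)
    o.update({"name": name})
    return o


def relationship(source_ref, rel_type, target_ref, obj_id=None):
    o = _base("relationship", obj_id)
    o.update({"relationship_type": rel_type,
              "source_ref": source_ref, "target_ref": target_ref})
    return o


def validate(objects):
    """Reject types the API does not accept, ids that do not match their type, and
    relationships whose ends are not in the same batch (a dangling edge is useless)."""
    ids = {o["id"] for o in objects}
    for o in objects:
        if o["type"] not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported STIX type {o['type']!r}")
        if not o["id"].startswith(o["type"] + "--"):
            raise ValueError(f"id {o['id']!r} does not match type {o['type']!r}")
        if o["type"] == "relationship":
            for ref in (o["source_ref"], o["target_ref"]):
                if ref not in ids:
                    raise ValueError(f"{o['id']} references {ref}, which is not in the batch")
    return objects


def request_bodies(source_system, objects):
    """Split a validated batch into upload-API request bodies of at most 100 objects."""
    validate(objects)
    return [{"sourcesystem": source_system,
             "stixobjects": objects[i:i + MAX_OBJECTS_PER_REQUEST]}
            for i in range(0, len(objects), MAX_OBJECTS_PER_REQUEST)]


def upload(workspace_id, bearer_token, body):
    """POST one request body. The token is assumed to be an Entra ID bearer token
    obtained for the scope the API docs specify; obtaining it is out of scope here."""
    req = urllib.request.Request(
        UPLOAD_URL.format(workspace_id=workspace_id),
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def sample_batch():
    """Constructed sample data: one actor, one technique, one C2 indicator, the
    publishing org, and the two relationships tying them together."""
    actor = threat_actor("EXAMPLE-ACTOR", "threat-actor--00000000-0000-4000-8000-000000000001")
    tech = attack_pattern("Application Layer Protocol: Web Protocols", "T1071.001",
                          "attack-pattern--00000000-0000-4000-8000-000000000002")
    org = identity("Example CTI Team", obj_id="identity--00000000-0000-4000-8000-000000000003")
    c2 = indicator("Example C2 domain", "[domain-name:value = 'c2.example.invalid']",
                   "indicator--00000000-0000-4000-8000-000000000004")
    return [actor, tech, org, c2,
            relationship(c2["id"], "indicates", actor["id"]),
            relationship(actor["id"], "uses", tech["id"])]


if __name__ == "__main__":
    bodies = request_bodies("example-feed", sample_batch())
    print(json.dumps(bodies[0], indent=2))
    # upload("<workspace-id>", "<token>", bodies[0])  # real call; needs credentials
```

The point of validating before the POST is that the API only stores the object types above, and a relationship whose source or target you never uploaded gives you an edge with nothing to hunt on in ThreatIntelObjects; catching that client-side is cheaper than debugging a silently half-populated graph later.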

For more information, see the following articles:

 

Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles:

 

(Public Preview) Bicep template support for repositories.
Use Bicep templates alongside or as a replacement for ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep also makes reviewing and updating content easier for anyone who is part of the continuous integration and delivery of your Microsoft Sentinel content.

 

View granular solution content in the Microsoft Sentinel content hub.

You can now view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need. 

For more information, see Discover content.

 

 

Microsoft Defender for Cloud Apps

 

Get visibility into your DeepSeek use with Defender for Cloud Apps.

Defender for Cloud Apps helps you discover and protect more than 800 generative AI applications, now including DeepSeek. It provides the necessary overview of an app's usage in your organization, combined with the potential risk that the app poses for your organization. In fact, it profiles more than 90 separate risk attributes for each application in the Cloud App Catalog so you can make informed choices in a unified experience. Learn more in this blog post.

 

 

Microsoft Defender for Identity

  Introducing the new Defender for Identity sensor management API. This blog discusses the new Defender for Identity sensor management API.
 

 

Microsoft Security Exposure Management

 

Metrics enhancements
The metrics have been enhanced to show the improvement of the exposure levels with a progress bar, progressing from left to right and from 0% (indicating high exposure) to 100% (indicating no exposure).

In addition, the metrics weight is now displayed as high, medium, or low, based on the metric's importance to the initiative. The weight can also be defined as risk accepted.

For more information, see Working with metrics.

 

 

Microsoft Defender for Office 365

 

Use the built-in Report button in Outlook: The built-in Report button in Outlook for iOS and Android version 4.2446 or later now supports the user reported settings experience to report messages as Phishing, Junk, and Not Junk.

 

Build custom email security reports and dashboards with workbooks in Microsoft Sentinel. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs.

 

 

Microsoft Defender for Endpoint

 

(Public Preview) Aggregated reporting in Defender for Endpoint: Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties. This feature is available for Defender for Endpoint Plan 2. For more information, see Aggregated reporting in Defender for Endpoint.

 

(Public Preview) Defender for Endpoint extends support to ARM-based Linux servers.

As the demand for ARM64 servers continues to rise, we are thrilled to announce that Microsoft Defender for Endpoint now supports ARM64 based Linux servers in Public Preview. This update marks a new milestone in our commitment to providing comprehensive endpoint security across all devices and platforms. More details in this announcement blog.

 

 

Microsoft Defender for IoT

  Aggregating multiple alert violations with the same parameters.
To reduce alert fatigue, multiple occurrences of the same alert violation with the same parameters are grouped together and listed in the alerts table as one item. The alert details pane lists each of the identical alert violations in the Violations tab, and the appropriate remediation actions are listed in the Take action tab. For more information, see our docs.
 

 

Updated Feb 03, 2025
Version 2.0