Microsoft Defender
Monthly news - March 2026 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here.
🚀 New Virtual Ninja Show episode:
Microsoft Defender
- (Public Preview) Microsoft Defender for Cloud is expanding to the Defender portal to provide a unified security experience across cloud and code environments. As part of this expansion, some features are now available in the Microsoft Defender portal, and additional capabilities will be added over time. Follow the instructions provided here to enable the Defender for Cloud experience in XDR. Learn more on how to enable preview features in the Defender portal.
- (Public Preview) Generate playbooks using AI in Microsoft Sentinel: The SOAR playbook generator creates Python-based automation workflows, coauthored through a conversational experience with Cline, an AI coding agent. For more information, see the Playbook Generation blog post.
- (Public Preview) The Microsoft Copilot data connector for Microsoft Sentinel. This new connector allows audit logs and activities generated by Copilot to be ingested into Microsoft Sentinel and the Microsoft Sentinel data lake. The data can be used in analytic rules and custom detections, workbooks, automation, and more.
- Update: We are extending the sunset date for managing Microsoft Sentinel in the Azure portal to March 31, 2027.
- The upcoming Sentinel update standardizes Account Name in analytics, incidents, and automation. Starting July 1, 2026, for UPN-based mappings, Account Name will show only the UPN prefix, with new fields for the full UPN and the UPN suffix.
- Microsoft Defender Experts for Hunting customers can now set up Notification contacts. These contacts are the individuals or groups that Microsoft needs to notify if there are critical incidents or service updates. Learn more on our docs.
- The following advanced hunting schema tables are now generally available:
  - IdentityAccountInfo
  - EntraIdSignInEvents
  - EntraIdSpnSignInEvents
  - GraphApiAuditEvents
- Lake-only ingestion for Microsoft Defender advanced hunting tables is now generally available. You can now ingest advanced hunting data into the Microsoft Sentinel data lake without also ingesting it into the Microsoft Sentinel analytics tier.
- Custom Guidebooks (SOP) for Copilot Guided Response is now generally available! Custom Guidebooks enable organizations to bring their own Standard Operating Procedures (SOPs) directly into the Copilot Guided Response experience, helping ensure investigations and remediation steps align with internal processes and best practices. Please find more information in our documentation. On the new Custom Guidebooks settings page in the portal, users can upload guidebooks and review the parsed tasks generated from their SOP files.
- (Public Preview) The Microsoft Sentinel Codeless Connector Framework (CCF) Push feature. CCF addresses a critical need: enabling seamless, automated, and immediate delivery of security data to Microsoft Sentinel, so teams can respond to threats as they happen.
- The UEBA behaviors layer in Microsoft Sentinel is now generally available, summarizing clear, human-readable behavioral insights from high-volume, raw security logs. The behaviors layer aggregates and sequences related events into normalized behaviors, helping analysts more quickly understand who did what to whom without manually correlating raw logs. For more information, see Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel. Watch the UEBA behaviors webinar for a full overview and demo of the UEBA behaviors layer.
- To help SOC teams get value from behaviors from day one, Microsoft Sentinel now provides the behaviors workbook as part of the UEBA essentials solution. The workbook offers guided views and prebuilt, customizable analytics that turn rich behavioral data into actionable insights across three core SOC workflows. For more information about the workbook, see the Microsoft Sentinel Behaviors Workbook blog post.
Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management
- (Public Preview) Microsoft Defender now has Library Management for live response! This addresses a long-standing pain point: you can now centrally manage live response scripts and files directly in the Defender portal, not just during a live response session. Read more details in this blog post.
- (General Availability) Effective Settings: Effective Settings Reporting for device security settings is now generally available! This report presents the actual security settings enforced on a specific device, capturing the real configuration rather than just the admin's intent. This visibility lets admins easily track applied configurations and swiftly identify discrepancies. A new tab, named "Effective Settings", is now enabled on the device page, under the "Configuration Management" section. This tab displays:
  - The actual value of each security setting
  - The configuring source for each setting
  - Configuration attempts from other sources that were not effectively applied
- (General Availability) To reflect Defender Vulnerability Management's visibility into all software components identified in your organization, the Vulnerable components page is now named Software components.
- (General Availability) To provide comprehensive vulnerability management capabilities across all supported Windows versions, Microsoft Defender Vulnerability Management now gathers software product vulnerability data on Windows 7 devices.
- The what's new and OS-specific release notes pages are now updated to provide better visibility and access to new features, improvements, and fixes:
  - The what's new page is now named New features in Microsoft Defender for Endpoint and includes both features and links to the latest release notes.
  - The Release notes page now consolidates release details for all supported operating systems, including Windows Antivirus. The new page groups updates by platform and date, making it easier to find specific information.
  - All previous release notes pages redirect to the consolidated release notes page.
Microsoft Defender for Identity
- Webinar recording: Identity Control Plane Under Attack: Consent Abuse and Hybrid Sync Risks (YouTube)
A new wave of identity attacks abuses legitimate authentication flows, allowing attackers to gain access without stealing passwords or breaking MFA. In this webinar recording the team breaks down how attackers trick users into approving malicious apps, how this leads to silent account takeover, and why traditional phishing defenses often miss it. They also dive into the identity sync layer at the heart of hybrid environments. You’ll learn how Entra Connect Sync and Cloud Sync are protected as Tier-0 assets, how Microsoft Defender for Identity secures synchronization flows, and how the new application-based authentication model strengthens Entra Connect Sync against modern threats.
Microsoft Defender for Office 365
- Expanding user reporting in Teams to Defender for Office 365 Plan 1: Users can report external and intra-org Microsoft Teams messages from chats; standard, shared, and private channels; and meeting conversations as malicious (security risk). Depending on the user reported settings, reports go to Microsoft, to the specified reporting mailbox, or both.
Microsoft Defender for Cloud Apps
- As part of Microsoft's ongoing efforts to increase accuracy in Secure Score, security recommendation categories will be updated in March 2026. As a result, identity and app Secure Scores may be impacted.