Microsoft Defender for IoT - General Release Update
Today we are excited to announce that our first General Availability (GA) release, version 22.1, is now available with additional Public Preview features via Azure portal to scale large environments and control the security components from a single pane of glass. This version follows up our December announcement for the Unified Device Inventory via Azure portal. In this release, the Defender for IoT sensor console has been re-designed to create a unified Microsoft Azure experience and enhanced and simplified workflows. Microsoft Defender for IoT's OT Sensor is a key component for deep packet inspection and OT environment analysis. The latest release emphasizes accessibility and reduces time to value by minimizing installation times for faster and more efficient deployment. Lastly, we have leveraged our detection capabilities to get broader security coverage, with an emphasis on customizing the alert engine to detect even the most minor changes in your business-critical environments. With this release we are introducing revamped unified user experience on both the sensor console as well as the Azure portal when performing detailed incident investigation and response. What's New ? OT sensor features for Defender for IoT in the Azure portal (Public Preview) Easily connect sensors to Defender for IoT by using a new, fast connectivity model that presents a secure, plug-and-play experience Customizable reports for enhanced visibility of your environment security posture Automated updating of threat intelligence to keep your sensors up-to-date with the latest threats. Microsoft Defender for Endpoint can easily be integrated with Defender for IoT, allowing you to analyze how IoT devices relate to security exposures for better results. Detecting threats using MITRE ATT&CK for ICS. Use insight into the tactics and techniques associated with your alerts to analyze and interpret them. Using these additional alert enhancements will allow you to better understand attackers' characteristics, the actions they are likely to take within the OT network, and respond accordingly (supported also via Microsoft Sentinel). OT Sensor version 22.1 User experience has been completely revamped across the entire system based on feedback from our enterprise customers collected over the last five years. Among the new features is a detailed device page with advanced information that appears on the New Device Inventory page. We've also implemented global readiness and accessibility features to comply with Microsoft standards. These updates include localization for over 15 languages. The Overview page now includes data that better highlights system deployment details, critical network monitoring health, top alerts, and important trends and statistics. Utilize the new sensor installation wizard, which verifies if traffic is being collected appropriately during installation. Alerts are now available from the new Alerts page of Defender for IoT in the Azure portal. Improve the security and operational efficiency of your IoT/OT network using alerts. View contextual information regarding each alert, for example, similar events occurring around the same time, or a map of all connected devices. Use our tailored threat detection engine with flexible custom alerts and advanced Deep Packet Inspection, (DPI) to detect specific changes in your production lines and schedule custom rules to run and detect threats outside of regular working hours Improved support for high resolution screens and themes, including high contrast and dark modes. About Microsoft Defender for IoT Microsoft Defender for IoT provides agentless, network-layer security, provides security for diverse industrial equipment, and interoperates with Microsoft Sentinel and other SOC tools. Continuous asset discovery, vulnerability management, and threat detection for Internet of Things (IoT) devices, operational technology (OT) and Industrial Control Systems (ICS) can be deployed on-premises or in Azure-connected environments. To learn more, visit Microsoft Defender for IoT Release Notes | Microsoft Docs Download links available at Defender for IoT Management Portal - Microsoft Azure. 'Enabling IoT/OT Threat Monitoring in Your SOC with Microsoft Sentinel
Recent ransomware attacks that shut down a US gas pipeline and global food processor have raised board-level awareness about IoT and Operational Technology (OT) risk, including safety risks and lost revenue from production downtime. To help jump-start IoT/OT detection and response in your SOC, we've created a new Microsoft Sentinel solution that leverages telemetry from Microsoft Defender for IoT — our agentless IoT/OT security monitoring technology — that provides pre-built, IoT/OT-specific analytics rules, workbooks, SOAR playbooks, and mappings to the MITRE ATT&CK for ICS (industrial control systems) framework.Security Guidance Series: CAF 4.0 Understanding Threat From Awareness to Intelligence-Led Defence
The updated CAF 4.0 raises expectations around control A2.b - Understanding Threat. Rather than focusing solely on awareness of common cyber-attacks, the framework now calls for a sector-specific, intelligence-informed understanding of the threat landscape. According to the NCSC, CAF 4.0 emphasizes the need for detailed threat analysis that reflects the tactics, techniques, and resources of capable adversaries, and requires that this understanding directly shapes security and resilience decisions. For public sector authorities, this means going beyond static risk registers to build a living threat model that evolves alongside digital transformation and service delivery. Public sector authorities need to know which systems and datasets are most exposed, from citizen records and clinical information to education systems, operational platforms, and payment gateways, and anticipate how an attacker might exploit them to disrupt essential services. To support this higher level of maturity, Microsoft’s security ecosystem helps public sector authorities turn threat intelligence into actionable understanding, directly aligning with CAF 4.0’s Achieved criteria for control A2.b. Microsoft E3 - Building Foundational Awareness Microsoft E3 provides public sector authorities with the foundational capabilities to start aligning with CAF 4.0 A2.b by enabling awareness of common threats and applying that awareness to risk decisions. At this maturity level, organizations typically reach Partially Achieved, where threat understanding is informed by incidents rather than proactive analysis. How E3 contributes to Contributing Outcome A2.b: Visibility of basic threats: Defender for Endpoint Plan 1 surfaces malware and unsafe application activity, giving organizations insight into how adversaries exploit endpoints. This telemetry helps identify initial attacker entry points and informs reactive containment measures. Identity risk reduction: Entra ID P1 enforces MFA and blocks legacy authentication, mitigating common credential-based attacks. These controls reduce the likelihood of compromise at early stages of an attacker’s path. Incident-driven learning: Alerts and Security & Compliance Centre reports allow organizations to review how attacks unfolded, supporting documentation of observed techniques and feeding lessons into risk decisions. What’s missing for Achieved: To fully meet the contributing outcomes A2.b, public sector organizations must evolve from incident-driven awareness to structured, intelligence-led threat analysis. This involves anticipating probable attack methods, developing plausible scenarios, and maintaining a current threat picture through proactive hunting and threat intelligence. These capabilities extend beyond the E3 baseline and require advanced analytics and dedicated platforms. Microsoft E5 – Advancing to Intelligence-Led Defence Where E3 establishes the foundation for identifying and documenting known threats, Microsoft E5 helps public sector organizations to progress toward the Achieved level of CAF control A2.b by delivering continuous, intelligence-driven analysis across every attack surface. How E5 aligns with Contributing Outcome A2.b: Detailed, up-to-date view of attacker paths: At the core of E5 is Defender XDR, which correlates telemetry from Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, and Defender for Cloud Apps. This unified view reveals how attackers move laterally between devices, identities, and SaaS applications - directly supporting CAF’s requirement to understand probable attack methods and the steps needed to reach critical targets. Advanced hunting and scenario development: Defender for Endpoint P2 introduces advanced hunting via Kusto Query Language (KQL) and behavioural analytics. Analysts can query historical data to uncover persistence mechanisms or privilege escalation techniques, assisting organizations to anticipate attack chains and develop plausible scenarios, a key expectation under A2.b. Email and collaboration threat modelling: Defender for Office 365 P2 detects targeted phishing, business email compromise, and credential harvesting campaigns. Attack Simulation Training adds proactive testing of social engineering techniques, helping organizations maintain awareness of evolving attacker tradecraft and refine mitigations. Identity-focused threat analysis: Defender for Identity and Entra ID P2 expose lateral movement, credential abuse, and risky sign-ins. By mapping tactics and techniques against frameworks like MITRE ATT&CK, organizations can gain the attacker’s perspective on identity systems - fulfilling CAF’s call to view networks from a threat actor’s lens. Cloud application risk visibility: Defender for Cloud Apps highlights shadow IT and potential data exfiltration routes, helping organizations to document and justify controls at each step of the attack chain. Continuous threat intelligence: Microsoft Threat Intelligence enriches detections with global and sector-specific insights on active adversary groups, emerging malware, and infrastructure trends. This sustained feed helps organizations maintain a detailed understanding of current threats, informing risk decisions and prioritization. Why this meets Achieved: E5 capabilities help organizations move beyond reactive alerting to a structured, intelligence-led approach. Threat knowledge is continuously updated, scenarios are documented, and controls are justified at each stage of the attacker path, supporting CAF control A2.b’s expectation that threat understanding informs risk management and defensive prioritization. Sentinel While Microsoft E5 delivers deep visibility across endpoints, identities, and applications, Microsoft Sentinel acts as the unifying layer that helps transform these insights into a comprehensive, evidence-based threat model, a core expectation of Achieved maturity under CAF 4.0 A2.b. How Sentinel enables Achieved outcomes: Comprehensive attack-chain visibility: As a cloud-native SIEM and SOAR, Sentinel ingests telemetry from Microsoft and non-Microsoft sources, including firewalls, OT environments, legacy servers, and third-party SaaS platforms. By correlating these diverse signals into a single analytical view, Sentinel allows defenders to visualize the entire attack chain, from initial reconnaissance through lateral movement and data exfiltration. This directly supports CAF’s requirement to understand how capable, well-resourced actors could systematically target essential systems. Attacker-centric analysis and scenario building: Sentinel’s Analytics Rules and MITRE ATT&CK-aligned detections provide a structured lens on tactics and techniques. Security teams can use Kusto Query Language (KQL) and advanced hunting to identify anomalies, map adversary behaviours, and build plausible threat scenarios, addressing CAF’s expectation to anticipate probable attack methods and justify mitigations at each step. Threat intelligence integration: Sentinel enriches local telemetry with intelligence from trusted sources such as the NCSC and Microsoft’s global network. This helps organizations maintain a current, sector-specific understanding of threats, applying that knowledge to prioritize risk treatment and policy decisions, a defining characteristic of Achieved maturity. Automation and repeatable processes: Sentinel’s SOAR capabilities operationalize intelligence through automated playbooks that contain threats, isolate compromised assets, and trigger investigation workflows. These workflows create a documented, repeatable process for threat analysis and response, reinforcing CAF’s emphasis on continuous learning and refinement. This video brings CAF A2.b – Understanding Threat – to life, showing how public sector organizations can use Microsoft security tools to build a clear, intelligence-led view of attacker behaviour and meet the expectations of CAF 4.0. Why this meets Achieved: By consolidating telemetry, threat intelligence, and automated response into one platform, Sentinel elevates public sector organizations from isolated detection to an integrated, intelligence-led defence posture. Every alert, query, and playbook contributes to an evolving organization-wide threat model, supporting CAF A2.b’s requirement for detailed, proactive, and documented threat understanding. CAF 4.0 challenges every public-sector organization to think like a threat actor, to understand not just what could go wrong, but how and why. Does your organization have the visibility, intelligence, and confidence to turn that understanding into proactive defence? To illustrate how this contributing outcome can be achieved in practice, the one-slider and demo show how Microsoft’s security capabilities help organizations build the detailed, intelligence-informed threat picture expected by CAF 4.0. These examples turn A2.b’s requirements into actionable steps for organizations. In the next article, we’ll explore C2 - Threat Hunting: moving from detection to anticipation and embedding proactive resilience as a daily capability.Ignite 2025: What's new in Microsoft Defender?
This Ignite we are focused on giving security teams the edge they need to meet adversaries head on in the era of AI. The modern Security Operations Center (SOC) is undergoing a fundamental transformation, placing AI at the forefront of innovation - not just as an added feature, but as a driving force at every layer of the stack. While much attention is rightly focused on the development of security agents, we fundamentally believe that AI must also evolve the very foundation of our security solutions. This means building solutions that more effectively uncover novel threats, act dynamically to defend the organization during attacks, and reduce the workload for the security team. As organizations adopt AI at an unprecedented speed, we also want to make sure they can do so securely. To meet these security needs of the AI era, we are excited to announce a series of innovations that will help organizations shift to an autonomous defense and an agentic SOC. New agents to help scale and accelerate security operations Evolving Microsoft Defender’s autonomous defense capabilities for better protection Secure your low-code and pro-code AI agents with Microsoft Defender Today, we are taking the first step in shifting security operations from static controls to autonomous defense and from manual toil to agentic operations. But we have an ambitious vision to augment and evolve these AI capabilities and agents across the entire SOC lifecycle and are excited to share some of that vision, as shown in the below graphic, with you at Microsoft Ignite. The Agentic SOC: Scaling expertise and accelerating defense We are excited to introduce four new Security Copilot agents in Microsoft Defender that bring autonomous intelligence across different stages of the SOC lifecycle. These agents combine context, reasoning, and complex workflows to help defenders anticipate attacks sooner, detect smarter, and investigate faster than ever before. Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent reviews and classifies incoming alerts, resolves false positives and escalates only the malicious cases that require human expertise. Early data shows that analysts working with the agent caught up to 6.5x more malicious emails compared to professional graders. Today, we’re excited to announce that the agent’s triage capabilities will soon extend beyond phishing to cover identity and cloud alerts. Secondly, we are also improving our phish admin reporting process with a new agentic email grading system. It replaces a manual review process with advanced large language models and agentic workflows to deliver rapid, transparent verdicts and clear explanations to customers for every reported email. Learn more about the agentic email grading system. Threat Hunting Agent – this agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, the Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can vibe with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. This levels up the current NL2KQL experience by enabling analysts to explore patterns, pivot intuitively and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level. Dynamic Threat Detection Agent – One of the hardest challenges in detection engineering is finding and fixing false negatives. The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots that traditional alerting might miss. When a critical incident happens, Copilot will kick off an automated hunt to uncover undetected threats—like unusual residual activity around a sensitive identity. This agent turns ‘probably fine’ into proven secure—hunting the quiet persistence that slips past alerts and closing the gap before it becomes tomorrow’s breach. Threat Intelligence (TI) Briefing Agent – Now native in the Defender portal. Generate tailored, AI‑authored threat briefings in minutes—synthesizing global intel with your environment’s context—without leaving the incident pane. Figure 1. The Threat Hunting Agent showing insights on an incident that contained a high risk binary To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers. Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30-day advanced notification before activation. Learn more. Autonomous Defense at Platform Scale Threat actors are automating everything. Ransomware campaigns can encrypt an entire environment in under an hour. Adversaries evade detection and pivot across identities, endpoints, and cloud resources faster than human teams can triage alerts. Traditional SOC models—built on manual workflows and fragmented tools—simply can’t keep pace. Every second of delay gives attackers an advantage. Microsoft Defender now counters that speed by delivering autonomous defense at scale. Defender shifts security from reactive firefighting to proactive protection, embedding AI into the foundation of our protection solutions for instant detection, disruption, and containment—before threats escalate. In 2023, we introduced automatic attack disruption, which autonomously stops attacks in progress—like ransomware or business email compromise—with policy-bound actions that isolate endpoints, disable compromised accounts, and block malicious IPs at machine speed. Today, we’re taking the next step. New capabilities show how AI and agentic technology are transforming security to better protect customers: Unleash automatic attack disruption across your SIEM data: We are expanding the disruption capabilities of Microsoft Defender to some of the most critical data sources customer connect via Microsoft Sentinel including AWS, Proofpoint and Okta. This enables real-time detection and automatic containment of threats like phishing and identity compromise on top of your log data, fundamentally turning your SIEM into a threat protection solution. While these capabilities leverage the power of our platform, Defender is not a requirement for customers to realize this value in Microsoft Sentinel. Figure 2. Attack disruption initiated on an AWS attack Predictive shielding – This brand-new automatic attack disruption capability activates immediately after an attack is first contained. Our first of its kind capability combines graph insights, AI, and threat intelligence to predict potential attack paths for where the adversary might go next. It then applies just-in-time hardening techniques that proactively block the attacker from pivoting. Some of the hardening tactics that will automatically be applied by Microsoft Defender include disabling SafeBoot and enforcing Group Policy Objects, putting a hard stop to the attacker’s movements and ability to execute common techniques for compromise. Learn more about predictive shielding and other endpoint security news. Protect your low-code and pro-code AI agents Generative AI and agents are rapidly transforming how we work, but these powerful new tools also introduce new risks. And with the democratization of agent creation across pro-code, low-code, and no-code building platforms, building agents is now accessible to everyone, many without extensive developer or security knowledge. To help security teams better manage these risks we are excited to announce that we are extending the capabilities and experiences in Microsoft Defender to the protection of agents. From agent security posture management, to attack path analysis, and threat protection for Copilot Studio, Azure Foundry, and agents built and connected via the Microsoft Agent 365 SDK. Learn more about how Microsoft Defender can help protect your agents against threats like prompt injections and more. There is so much more innovation we are introducing in Microsoft Defender today, including expanded endpoint security coverage for legacy systems, improvements to how you can investigate identity-centric threats, and we are bringing cloud security posture management into the Defender portal. Check out the other Defender news blogs for more details. Join us in San Francisco, November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Featured sessions: Microsoft Defender: Building the agentic SOC with guest Allie Mellen Blueprint for building the SOC of the future Empowering the SOC: Security Copilot and the rise of agentic defense Identity Under Siege: Modern ITDR from Microsoft AI vs AI: Protect email and collaboration tools with Microsoft Defender AI-powered defense for cloud workloads Endpoint security in the AI era: What's new in Defender
How to stop incidents merging under new incident (MultiStage) in defender.
Dear All We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic. Key concerns include: Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value. Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention. Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement. We understand that Defender’s incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable. Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated. Thank you for your assistance. Best regardsMonthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 😎 Microsoft Ignite 2025 - now on-demand! 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better… a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.Build less, secure more: Simplify security data management with Microsoft Sentinel data lake
Most DIY security data lakes start with good intentions—promising flexibility, control, and cost savings. But in reality, they lead to endless data ingestion fixes, schema drift battles, and soaring costs. They fail because they lack the capabilities to manage security data that’s not just massive, but complex, dynamic, and compliance heavy. Ingestion chaos: Every team implements its own pipelines for diverse data sets like firewalls, endpoint, network, threat intelligence feeds, and more. Normalization gaps: Each team uses its own schema; Therefore queries, detections, and ML models can’t be reused. Operational drag: Constant tuning for compression, tiering, and schema evolution. Scaling costs: What began as $1K per month becomes $100K per month as data doubles every quarter. Fragmented analytics: Detection in one data store, hunting in another, and investigation in a third. Security data isn’t just telemetry. It must be unified, normalized, cross-correlated, and enriched with context— in near real time. A security data lake needs more than raw storage—it needs intelligence. You need a centralized platform that goes beyond storing data to deliver actionable insights. Microsoft Sentinel data lake does exactly that. It is more than a storage solution, it’s the foundation for modern, AI-powered security operations. Whether you're scaling your SOC, building deeper analytics, or preparing for future threats, the Sentinel data lake is ready to support your journey. Empowering security teams with a unified, security data lake With Sentinel data lake, there’s no need to build your own security data lake. This fully managed, cloud-native solution—purpose-built for security—redefines how teams manage, analyze, and act on all their security data, cost-effectively. Since its launch, organizations across industries have embraced Sentinel data lake for its transformative impact on security operations. Customers highlight its ability to unify data from diverse sources, enabling faster threat detection and deeper investigations. Cost efficiency is a standout benefit, thanks to tiered storage and flexible retention options that help reduce expenses. With petabytes of data already ingested, users are gaining real-time and historical insights at scale—empowering security teams like never before. Sentinel data lake advantages Sentinel data lake allows multiple analytics engines like Kusto, Spark, and ML to run on a single copy of data, simplifying management, reducing costs, and supporting deeper security analysis. Security-aware data model: Out-of-the-box normalization aligned to the Microsoft Security graph schema, Kusto Query Language (KQL) and Structured Query Language (SQL). Native integration: Directly connects to Sentinel graph, Security Copilot, and Model Context Protocol (MCP) Tools with no ETL or duplication. Query at any scale: Store petabytes, query in seconds using both KQL and SQL endpoints. Governance by design: Inherits Fabric’s unified data governance, lineage, and RBAC already secured for compliance. AI-ready: Enables natural-language hunting and threat reasoning through Security Copilot agents over the same data. In short, Sentinel data lake is a data fabric, built for security. Why does this matter? It matters because the advantages of a data lake for security are only realized when all the security data is: Unified: No more fragmented analytics across multiple silos. Normalized: Consistent schema for queries, detections, and ML models. Scalable: Elastic compute and storage without manual tuning. Integrated: Works seamlessly with SIEM, SOAR, and AI tools. Governed: Compliance and RBAC baked in from day one. AI-Enhanced: Enables graph-based reasoning and MCP tool integration for advanced threat detection. Sentinel delivers all of this and much more without the operational burden. Get started with Microsoft Sentinel data lake today Connect Your Data Sources Start by plugging into your existing security telemetry. Sentinel provides built-in connectors for Microsoft 365, Defender, Entra, and many third-party tools. Instead of writing custom ingestion scripts or managing brittle pipelines, data flows automatically into your Sentinel data lake workspace. This means your SOC can begin analyzing logs within minutes, not weeks. No schema headaches and no manual ETL. Just secure, governed ingestion at scale. Query Natively Using KQL or SQL Once your data is in the lake, you can query it natively using Kusto Query Language (KQL) or SQL. This dual-query capability is a game changer because analysts can pivot from detection to investigation to hunting without exporting or rehydrating data. Imagine running a KQL query to find suspicious sign-ins, then switching to SQL for a compliance report on the same dataset. No duplication and no latency. It is analytics without boundaries. Build Cross-System Analytics Your SOC does not operate in isolation. Many organizations run multiple SIEMs such as Splunk, QRadar, or Chronicle alongside Sentinel. With Sentinel data lake, you can centralize normalized data and expose it through open APIs and Delta Parquet. This allows you to build cross-system analytics without painful data wrangling. Want to correlate a Splunk alert with Defender telemetry? Or enrich Chronicle detections with Microsoft threat intelligence? Sentinel data lake makes it possible in a secure and scalable way. Enable AI and Graph Intelligence Security is not just about raw data, it is about context. Sentinel data lake integrates with Sentinel graph, enabling relational reasoning across entities like users, devices, IPs, and alerts. Add Security Copilot and MCP Tools, and you unlock AI-driven hunting and threat reasoning. Scale Confidently Finally, scale without fear. Traditional DIY lakes demand constant tuning for partitioning, compression, and schema evolution. Sentinel data lake, built on Microsoft Fabric, handles elasticity for you. Whether you are ingesting gigabytes or petabytes, compute and storage scale automatically. No more late-night calls to fix performance bottlenecks. No more surprise bills from uncontrolled growth. You get predictable performance and cost efficiency so your team can focus on threats, not plumbing. A new chapter for security teams For years, security engineers have poured countless hours into building and maintaining custom data lakes. They have stitched together pipelines, fought schema drift, and tuned performance just to keep the lights on. Every new data source or compliance requirement meant starting the cycle all over again. This is exhausting, and it distracts teams from what truly matters: stopping threats. Sentinel data lake changes that story. Instead of spending nights fixing ingestion scripts or weekends scaling storage, you can focus on AI-powered detection, investigation, and response. The heavy lifting is already done for you. Your data is unified, queryable, and ready for AI-driven insights the moment it lands. This is not just another tool. It is a foundation for modern security operations. A data lake that speaks the language of security, integrates with the multi-cloud, multiplatform ecosystems, and scales as fast as your data grows. No more plumbing. No more patchwork. Just a clear path to faster threat detection and smarter defense. The old way was about building. The new way is about protecting. Microsoft Sentinel data lake was built so you can do exactly that. Get started today Microsoft Sentinel—AI-Ready Platform | Microsoft Security Sentinel data lake onboarding Microsoft Sentinel data lake is now generally available | Microsoft Community Hub Microsoft Sentinel data lake FAQ | Microsoft Community Hub Plan costs and understand pricing and billing - Microsoft Sentinel | Microsoft Learn Microsoft Sentinel data lake ninja training Behind this post are the brilliant minds of vkokkengada chaitra_satish whose ideas inspired this content. Proud to share their expertise with a wider audience.
