What’s new in Microsoft Defender XDR at Secure 2025
Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we’re sharing new product features that spotlight our AI-first, end-to-end security innovations designed to help - including autonomous AI agents in the Security Operations Center (SOC), as well as automatic detection and response capabilities. We also share information on how you can expand your protection by bringing data security and collaboration tools closer to the SOC. Read on to learn more about how these capabilities can help your organization stay ahead of today’s advanced threat actors. Expanding AI-Driven Capabilities for Smarter SOC Operations Introducing Microsoft Security Copilot’s Phishing Triage Agent Today, we are excited to introduce Security Copilot agents, a major step in bringing AI-driven automation to Microsoft Security solutions. As part of this, we’re unveiling our newest innovation in Microsoft Defender: the Phishing Triage Agent. Acting as a force multiplier for SOC analysts, it streamlines the triage of user-submitted phishing incidents by autonomously identifying and resolving false positives with over 95% accuracy. This allows teams to focus on the remaining incidents – those that pose the most critical threats. Phishing submissions are among the highest-volume alerts that security teams handle daily, and our data shows that at least 9 in 10 reported emails turn out to be harmless bulk mail or spam. As a result, security teams must sift through hundreds of these incidents weekly, often spending up to 30 minutes per case determining whether it represents a real threat. This manual triage effort not only adds operational strain but also delays the response to actual phishing attacks, potentially impacting protection levels. The Phishing Triage Agent transforms this process by leveraging advanced LLM-driven analysis to conduct sophisticated assessments –such as examining the semantic content of emails– to autonomously determine whether an incident is a genuine phishing attempt or a false alarm. By intelligently cutting through the noise, the agent alleviates the burden on SOC teams, allowing them to focus on high-priority threats. Figure 1. A phishing incident triaged by the Security Copilot Phishing Triage Agent To help analysts gain trust in its decision-making, the agent provides natural language explanations for its classifications, along with a visual representation of its reasoning process. This transparency enables security teams to understand why an incident was classified in a certain way, making it easier to validate verdicts. Analysts can also provide feedback in plain language, allowing the agent to learn from these interactions, refine its accuracy, and adapt to the organization’s unique threat landscape. Over time, this continuous feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification. The Security Copilot Phishing Triage Agent is designed to transform SOC operations with autonomous, AI-driven capabilities. As phishing threats grow increasingly sophisticated and SOC analysts face mounting demands, this agent alleviates the burden of repetitive tasks, allowing teams to shift their focus to proactive security measures that strengthen the organization’s overall defense. Read more about Microsoft Security Copilot agent announcements here. New protection across Microsoft Defender XDR workloads To strengthen core protection across Microsoft Defender XDR workloads, we're introducing new capabilities while building upon existing integrations for enhanced protection. This ensures a more comprehensive and seamless defense against evolving threats. Introducing collaboration security for Microsoft Teams Email remains a prevalent entry point for attackers. But the fast adoption of collaboration tools like Microsoft Teams has opened new attack surfaces for cybercriminals. Our advancements within Defender for Office 365 allow organizations to continue to protect users in Microsoft Teams against phishing and other emerging cyberthreats with inline protection against malicious URLs, safe attachments, brand impersonation protection, and more. And to ensure seamless investigation and response at the incident level, everything is centralized across our SOC workflows in the unified security operations platform. Read the announcement here. Introducing Microsoft Purview Data Security Investigations for the SOC Understanding the extent of the data that has been impacted to better prioritize incidents has been a challenge for security teams. As data remains the main target for attackers it’s critical to dismantle silos between security and data security teams to enhance response times. At Microsoft, we’ve made significant investments in bringing SOC and data security teams closer together by integrating Microsoft Defender XDR and Microsoft Purview. We are continuing to build upon the rich set of capabilities and today, we are excited to announce that Microsoft Purview Data Security Investigations (DSI) can be initiated from the incident graph in Defender XDR. Ensuring robust data security within the SOC has always been important, as it helps protect sensitive information from breaches and unauthorized access. Data Security Investigations significantly accelerates the process of analyzing incident related data such as emails, files, and messages. With AI-powered deep content analysis, DSI reveals the key security and sensitive data risks. This integration allows analysts to further analyze the data involved in the incident, learn which data is at risk of compromise, and take action to respond and mitigate the incident faster, to keep the organization’s data protected. Read the announcement here. Figure 2. An incident that shows the ability to launch a data security investigation. OAuth app insights are now available in Exposure Management In recent years, we’ve witnessed a substantial surge in attackers exploiting OAuth applications to gain access to critical data in business applications like Microsoft Teams, SharePoint, and Outlook. To address this threat, Microsoft Defender for Cloud Apps is now integrating OAuth apps and their connections into Microsoft Security Exposure Management, enhancing both attack path and attack surface map experiences. Additionally, we are introducing a unified application inventory to consolidate all app interactions into a single location. This will address the following use cases: Visualize and remediate attack paths that attackers could potentially exploit using high-privilege OAuth apps to access M365 SaaS applications or sensitive Azure resources. Investigate OAuth applications and their connections to the broader ecosystem in Attack Surface Map and Advanced Hunting. Explore OAuth application characteristics and actionable insights to reduce risk from our new unified application inventory. Figure 3. An attack path infused with OAuth app insights Read the latest announcement here AI & TI are critical for effective detection & response To effectively combat emerging threats, AI has become critical in enabling faster detection and response. By combining this with the latest threat analytics, security teams can quickly pinpoint emerging risks and respond in real-time, providing organizations with proactive protection against sophisticated attacks. Disrupt more attacks with automatic attack disruption In this era of multi-stage, multi-domain attacks, the SOC need solutions that enable both speed and scale when responding to threats. That’s where automatic attack disruption comes in—a self-defense capability that dynamically pivots to anticipate and block an attacker’s next move using multi-domain signals, the latest TI, and AI models. We’ve made significant advancements in attack disruption, such as threat intelligence-based disruption announced at Ignite, expansion to OAuth apps, and more. Today, we are thrilled to share our next innovation in attack disruption—the ability to disrupt more attacks through a self-learning architecture that enables much earlier and much broader disruption. At its core, this technology monitors a vast array of signals, ranging from raw telemetry data to alerts and incidents across Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems. This extensive range of data sources provides an unparalleled view of your security environment, helping to ensure potential threats do not go unnoticed. What sets this innovation apart is its ability learn from historical events and previously seen attack types to identify and disrupt new attacks. By recognizing similar patterns across data and stitching them together into a contextual sequence, it processes information through machine learning models and enables disruption to stop the attack much earlier in the attack sequence, stopping significantly more attacks in volume and variety. Comprehensive Threat Analytics are now available across all Threat Intelligence reports Organizations can now leverage the full suite of Threat Analytics features (related incidents, impacted assets, endpoints exposure, recommended actions) on all Microsoft Threat Intelligence reports. Previously only available for a limited set of threats, these features are now available for all threats Microsoft has published in Microsoft Defender Threat Intelligence (MDTI), offering comprehensive insights and actionable intelligence to help you ensure your security measures are robust and responsive. Some of these key features include: IOCs with historical hunting: Access IOCs after expiration to investigate past threats and aid in remediation and proactive hunting. MITRE TTPs: Build detections based on threat techniques, going beyond IOCs to block and alert on specific tactics. Targeted Industries: Filter threats by industry, aligning security efforts with sector-specific challenges. We’re proud of our new AI-first innovations that strengthen security protections for our customers and help us further our pledge to customers and our community to prioritize cyber safety above all else. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. We hope you’ll also join us in San Francisco from April 27th-May 1 st 2025 at the RSA Conference 2025 to learn more. At the conference, we’ll share live, hands-on demos and theatre sessions all week at the Microsoft booth at Moscone Center. Secure your spot today.
Behavior Analytics, investigation Priority
Hello, Regarding the field investigation Priority in the Behavior Analytics table, what would be the value that Microsoft considers to be high/critical to look into the user's account? By analyzing the logs i would say, 7 or higher, if someone could tell me, and thank you in advance.
Update content package Metadata
Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-securityinsights-2024-09-01&tabs=HTTP Ive managed to successfully create everything from retrieving whats installed, uninstalling, reinstalling and lastly updating (updating needed to be "list, delete, install" however :'), there was no flag for "update available"). However, now to my issue. As this work like a charm through powershell, the metadata and hyperlinking is not being deployed - at all. So i have my 40 content packages successfully installed through the REST-api, but then i have to visit the content hub in sentinel in the GUI, filter for "installed" and mark them all, then press "install". When i do this the metadata and hyperlinking is created. (Its most noticeable that the analytic rules for the content hubs are not available under analytic rules -> Rule templates after installing through the rest api). But once you press install button in the GUI, they appear. So i looked in to the request that is made when pressing the button. It uses another API version, fine, i can add that to my script. But it also uses 2 variables that are not documented and encrypted-data. they are called c and t: Im also located in EU and it makes a request to SentinelUS. im OK with that, also as mentioned, another API version (2020-06-01) while the REST APi to install content packages above has 2024-09-01. NP. But i can not simulate this last request as the variables are encrypted and not available through the install rest api. They are also not possible to simulate. it ONLY works in the GUI when pressing install. Lastly i get another API version back when it successfully ran through install in GUI, so in total its 3 api versions. Here is my code snippet i tried (it is basically a mimic of the post request in the network tab of the browser then pressing "install" on the package in content hub, after i successfully installed it through the official rest api). function Refresh-WorkspaceMetadata { param ( [Parameter(Mandatory = $true)] [string]$SubscriptionId, [Parameter(Mandatory = $true)] [string]$ResourceGroup, [Parameter(Mandatory = $true)] [string]$WorkspaceName, [Parameter(Mandatory = $true)] [string]$AccessToken ) # Use the API version from the portal sample $apiVeri = "?api-version=" $RefreshapiVersion = "2020-06-01" # Build the batch endpoint URL with the query string on the batch URI $batchUri = "https://management.azure.com/\$batch$apiVeri$RefreshapiVersion" # Construct a relative URL for the workspace resource. # Append dummy t and c parameters to mimic the portal's request. $workspaceUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName$apiVeri$RefreshapiVersion&t=123456789&c=dummy" # Create a batch payload with several GET requests $requests = @() for ($i = 0; $i -lt 5; $i++) { $requests += @{ httpMethod = "GET" name = [guid]::NewGuid().ToString() requestHeaderDetails = @{ commandName = "Microsoft_Azure_SentinelUS.ContenthubWorkspaceClient/get" } url = $workspaceUrl } } $body = @{ requests = $requests } | ConvertTo-Json -Depth 5 try { $response = Invoke-RestMethod -Uri $batchUri -Method Post -Headers @{ "Authorization" = "Bearer $AccessToken" "Content-Type" = "application/json" } -Body $body Write-Host "[+] Workspace metadata refresh triggered successfully." -ForegroundColor Green } catch { Write-Host "[!] Failed to trigger workspace metadata refresh. Error: $_" -ForegroundColor Red } } Refresh-WorkspaceMetadata -SubscriptionId $subscriptionId -ResourceGroup $resourceGroup -WorkspaceName $workspaceName -AccessToken $accessToken (note: i have variables higher up in my script for subscriptionid, resourcegroup, workspacename and token etc). Ive tried with and without mimicing the T and C variable. none works. So for me, currently, installing content hub packages for sentinel is always: Install through script to get all 40 packages Visit webpage, filter for 'Installed', mark them and press 'Install' You now have all metadata and hyperlinking available to you in your Sentinel (such as hunting rules, analytic rules, workbooks, playbooks -templates). Anyone else manage to get around this or is it "GUI" gated ? Greatly appreciated.Level up your defense: protect against attacks using stale user accounts
Maintaining a robust security posture is essential for any organization. Strong security not only protects sensitive information and assets from cyber threats but also ensures business continuity and fosters trust among clients and stakeholders. By implementing comprehensive security strategies, organizations can proactively identify and mitigate potential vulnerabilities, ultimately safeguarding their operations and reputation. To combat against attacks that take advantage of poor posture and vulnerabilities, Microsoft has a suite of detection and response capabilities to address this. Specifically, Microsoft Defender XDR’s automatic attack disruption protects against threats in real-time, many of which could have been prevented by a good security posture. This includes protection against different types of threats, such as ransomware, business email compromise, identity-threat-related attacks and more. While we continue to expand our disruption coverage (e.g., via TITAN) and a significantly larger number of incidents are automatically contained, we have observed a common phenomenon: we found that organizations, particularly in the education sector, are more likely to face identity-related attacks, such as account compromises through methods like password spraying, compared to other industries. In these incidents, attack disruption protected against a high volume of incidents by disabling the compromised user account. In most cases, the SOC would re-enable the user account after completing a post-incident analysis. However, in one example, our research found that 44% of these accounts were never re-enabled, even two weeks later, suggesting that they were no longer needed. By disabling these accounts, we found that the security posture of the organization was improved by deactivating stale accounts, which prevented them from being compromised again. As a result, the number of attacks decreased over time. Example use case of a stale account being compromised and remains disabled after being contained by attack disruption While the protection Defender XDR delivers contributes to these organizations’ posture via attack disruption, having a good security posture would prevent many of these cases to begin with. As this is particularly apparent in the education sector, such as colleges and universities around the world, we call out educational organizations to review their environments and address posture gaps, specifically around identities. Learn more See the following for learning more about Microsoft security capabilities: Automatic attack disruption in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Security posture assessments - Microsoft Defender for Identity | Microsoft Learn Secure your Microsoft Entra identity infrastructure - Microsoft Entra ID | Microsoft Learn
Defending Against OAuth-Based Attacks with Automatic Attack Disruption
In today’s digital landscape, SaaS and OAuth applications have revolutionized the way we work, collaborate, and innovate. However, they also introduce significant risks related to security, privacy and compliance. As the SaaS landscape grows, IT leaders must balance enabling productivity with managing risk. A key to managing risk is automated tools that provide real-time context and remediation capabilities to help Security Operations Center (SOC) teams outpace sophisticated attackers and limit lateral movement and damage. The Rise of OAuth App Attacks Over the past two years, there has been a significant increase in OAuth app attacks. Employees often create app-to-app connections without considering security risks. With just one click granting permissions, new apps can read and write emails, set rules, and gain authorization to perform nearly any action. These overprivileged apps are more at risk for compromise, and Microsoft internal research shows that 1 in 3 OAuth apps are overprivileged. 1 A common attack involves using phishing to compromise a user account, then creating a malicious OAuth app with elevated privileges or hijacking an existing OAuth app and manipulating it for malicious use. Once threat actors gain persistence in the environment, they can also deploy virtual machines or run spam campaigns resulting in data breaches, financial and reputational losses. Automatic Attack Disruption Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. This built-in, self-defense capability uses the correlated signals in XDR, the latest threat intelligence, and AI and machine learning backed models to accurately predict the attack path used and block an attacker’s next move before it happens with above 99% confidence. This includes response actions such as containing devices, disabling user accounts, or disabling malicious OAuth apps. The benefits of attack disruption include: Speed of response: attack disruption can disrupt attacks like ransomware in an average time of 3 minutes Reduced Impact of Attacks: by minimizing the time attackers have to cause damage, attack disruption limits the lateral movement of threat actors within your network, reducing the overall impact of the threat. This means less downtime, fewer compromised systems, and lower recovery costs. Enhanced Security Operations: attack disruption allows security operations teams to focus on investigating and remediating other potential threats, improving their efficiency and overall effectiveness. Real-World Attacks Microsoft Threat Intelligence has noted a significant increase in OAuth app attacks over the past two years. In most cases a compromised user provides the attacker initial access, while the malicious activities and persistence are carried out using OAuth applications. Here’s a real-world example of an OAuth phishing campaign that we’ve seen across many customers’ environments. Previous methods to resolve this type of attack would have taken hours for SOC teams to manually hunt and resolve. Initial Access: A user received an email that looks legitimate but contains a phishing link that redirects to an adversary-in-the-middle (AiTM) phishing kit. Figure 1. An example of an AiTM controlled proxy that impersonates a login page to steal credentials. Credential Access: When the user clicks on that link, they are redirected to an AiTM controlled proxy that impersonates a login page to steal the user credentials and an access token which grants the attacker the ability to create or modify OAuth apps. Persistence and Defense Evasion: The attacker created multiple ma malicious OAuth apps across various tenants which grants read and write access to the user’s e-mail, files and other resources. Next the attacker created an inbox forwarding rule to exfiltrate emails. An additional rule was created to empty the sent box, thus deleting any evidence that the user was compromised. Most organizations are completely blind-sighted when this happens. Automatic Attack Disruption: Defender XDR gains insights from many different sources including endpoints, identities, email, collaboration tools, and SaaS apps and correlates the signals into a single, high-confidence incident. In this attack, XDR identifies assets controlled by the attacker and it automatically takes response actions across relevant Microsoft Defender products disable affected assets and stop the attack in real-time. SOC Remediation: After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption. Figure 2. Timeline to disrupt an OAuth attack comparing manual intervention vs. automatic attack disruption. Enhanced Security with Microsoft Defender for Cloud Apps Microsoft Defender for Cloud Apps enables the necessary integration and monitoring capabilities required to detect and disrupt malicious OAuth applications. To ensure SOC teams have full control, they can configure automatic attack disruption and easily revert any action from the security portal. Figure 3. An example of a contained malicious OAuth application, with attack disruption tag Conclusion Microsoft Defender XDR's automatic disruption capability leverages AI and machine learning for real-time threat mitigation and enhanced security operations. Want to learn more about how Defender for Cloud Apps can help you manage OAuth attacks and SaaS-based threats? Dive into our resources for a deeper conversation. Get started now. Get started Make sure your organization fulfils the Microsoft Defender pre-requisites (Mandatory). Connect “Microsoft 365 connector” in Microsoft Defender for Cloud Apps (Mandatory). Check out our documentation to learn more about Microsoft 365 Defender attack disruption prerequisites, available controls, and indications. Learn more about other scenarios supported by automatic attack disruption Not a customer, yet? Start a free trial today. 1Microsoft Internal Research, May 2024, N=502The Future of AI: Unleashing the Potential of AI Translation
The Co-op Translator automates the translation of markdown files and text within images using Azure AI Foundry. This open-source tool leverages advanced Large Language Model (LLM) technology through Azure OpenAI Services and Azure AI Vision to provide high-quality translations. Designed to break language barriers, the Co-op Translator features an easy-to-use command line interface and Python package, making technical content globally accessible with minimal manual effort.
Need insight to domain join failures for session host configuration
We are trying to use the session host configuration for a new AVD host pool. We have confirmed that it can join computer to the specified OU without difficulty when we do it manually, and that the key vault access is intact since the local admin is created without issue. But any new session hosts fail to join to the domain. They're created with all other specifications. If we try to add them manually it seems to create some kind of instability in the FSLogix where it will then permanently hang for users when trying to log off. It would be good if we had insight to the domain join failures so we don't have to manually join them. In the deployment I can see the network, the VM, and a DSC, but that DSC is only for joining to the AVD Host pool. I don't see anything in it to join using the key vault credentials.
Add Search Results to alert details in Microsoft Sentinel
Hi everyone, I’m working with Microsoft Sentinel and looking to enhance my alerts by appending search results to the alert details. Specifically, I want to include the events that triggered these alerts in the SecurityAlert table for better context during investigations and for archival purposes. I came across this guide: Customize alert details in Microsoft Sentinel, which explains how to customize alert details. However, it doesn’t clarify whether it’s possible to add search results directly to the alert details. Is there a way to achieve this? If so, what would be the best approach? I’d really appreciate any insights, best practices, or examples from those who have done something similar. Thanks in advance!
Whitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates or the incidents linked to these activities are automatically resolved. Thank you for your help. HKN
