Monthly news - April 2026
Microsoft Defender Monthly news - April 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here. đ New Virtual Ninja Show episode: New skills in Microsoft Defender Autonomous AI Agents in Microsoft Defender Beyond KQL: Unlocking SOC Insights with Sentinel data lake Jupyter Notebooks Extending Attack Disruption beyond Microsoft: thirdâparty signals in action A new home for Microsoft Defender for Cloud RSA blog posts: Security Copilot in Defender: empowering the SOC with assistive and autonomous AI RSA 2026: Whatâs new in Microsoft Defender? Microsoft Defender Weâre introducing a chat experience for Security Copilot directly within Microsoft Defender. Copilot is already embedded across Microsoft Defender experiences today, but now you can interact with it through an ongoing, two-way conversation. Ask questions, explore hypotheses, and follow your investigation threads across incidents, alerts, identities, devices, IPs, and other evidence. Read more about it in this blog post. We are expanding agentic triage to identity and cloud alerts - bringing triage for phish, identity and cloud together within a single agent. The Security Alert Triage Agent helps you autonomously determine whether these alerts represent real threats or false alarms, delivering natural language findings and transparent, step-by-step decision analysis. Read more about it in this blog post. Identity security enhancements: New identity security capabilities help you monitor and manage identity security for human and non-human identities: (Public Preview) Identity Security dashboard: The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. For more information, see The Identity Security dashboard. The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization. (Public Preview) Coverage and maturity page: The Coverage and maturity page shows your organization's identity security coverage with maturity levels, including Connected, Protected, Fortified, and Resilient, and prioritized setup tasks. For more information, see Coverage and maturity. The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon. Identity inventory: The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory. (Preview) Non-human identities: The Non-human identities tab shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. For more information, see Identity inventory and Investigate non-human identities. (Public Preview) Identity risk score: A new risk score for identities, ranging from 0 to 100, that indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity. (Public Preview) Domain investigation page: The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain. (Public Preview)Identity security recommendations: View recommendations from Active Directory, Microsoft Entra ID, SaaS applications, and supported non-Microsoft identity providers. For more information, see Identity security recommendations. Call to action: update older Microsoft Sentinel content as code (Sentinel repositories) API versions before June 15, 2026 (Public Preview) The following advanced hunting schema tables are now available for preview: The CloudDnsEvents table contains information about DNS activity events from cloud infrastructure environments. The CloudPolicyEnforcementEvents table contains policy enforcement evaluation decisions and metadata of security gating events for various cloud platforms protected by the organization's Microsoft Defender for Cloud. To improve accuracy and better protect organizational identities, we've made updates to the Secure Score category calculations. Some security recommendations categorized as Cloud apps recommendations are now considered identityârelated and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change. (Public Preview) Customers can now use filters on very large incidents with many alerts and entities or hide specific entities to simplify complex incident graphs. By simplifying the graphs, they can focus their investigations on what matters most. Learn more The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity. Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management Library management for live response is now generally available. This feature provides a centralized view for managing files and scripts used during live response sessions. Microsoft Secure Score now includes new recommendations: Block outbound network connections from Microsoft HTML Application Host (mshta.exe): Helps mitigate attacks that leverage mshta.exe (a trusted Windows binary) to execute malicious scripts and communicate with external command-and-control (C2) infrastructure. Blocking outbound connections from mshta.exe disrupts common attack chains, prevents payload download and data exfiltration, and reduces the risk of living-off-the-land attacks. This is relevant for emerging attack campaigns, for example, ClickFix campaigns, where attackers abuse legitimate tools like mshta.exe to execute malicious content delivered through user interaction. Block file transfer over RDP: Restricts file transfer capabilities in Remote Desktop Protocol (RDP) sessions. This helps prevent attackers from using RDP sessions to transfer malicious files into the environment or exfiltrate sensitive data. SMB server security hardening against authentication relay attacks: Helps protect servers from credential relay attacks by strengthening Server Message Block (SMB) authentication protections, including enforcing Extended Protection for Authentication (EPA), SMB signing, and SMB encryption to ensure authentication integrity and protect SMB traffic from tampering or interception. The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity. Microsoft Defender for Identity New identity security capabilities help you monitor and manage identity security for human and non-human identities: (Public Preview) Identity Security dashboard: The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. Widgets show deployment status, highly privileged identities, users at risk, and domains with unsecured configurations. For more information, see The Identity Security dashboard. The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization. (Public Preview) The Coverage and maturity page shows your organization's identity security coverage for identity providers, on-premises identities, SaaS identities, and PAM and IGA integrations. Each source displays a maturity level, including Connected, Protected, Fortified, and Resilient, with identity counts, coverage scores, and prioritized setup tasks. For more information, see Coverage and maturity. The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon. The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory. (Public Preview) The Non-human identities tab on the Identity inventory page shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. The tab includes statistics for risky, highly privileged, overprivileged, unused, and externally published identities. A separate investigation page lets you view details for each identity. For more information, see Identity inventory and Investigate non-human identities. (Public Preview) A new risk score for identities, ranging from 0 to 100, that indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity. (Public Preview) Identity security recommendations: View recommendations for Active Directory, Microsoft Entra ID, and SaaS applications such as Microsoft, Atlassian, GitHub, Google Workspace, Salesforce, and ServiceNow. Recommendations are also available for non-Microsoft identity providers such as Okta, PingOne, CyberArk, and SailPoint. For more information, see Identity security recommendations. (Public Preview) Domain investigation page: The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain. (Public Preview) Password protection page: The Password protection page shows identity password risk from Active Directory, Microsoft Entra ID, and Okta, with tabs for password hygiene, password policies, leaked credentials, and exposed passwords. For more information, see Password protection. To improve accuracy and better protect organizational identities, we've made updates to the Secure Score category calculations. Some security recommendations categorized as Cloud apps recommendations are now considered identityârelated and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change. The Suspected pass-the-ticket attack alert is now generally available. This alert was previously available in public preview as Pass-the-Ticket (PtT) attack. For more information, see Lateral movement alerts. These new alerts were added to the Defender for Identity security alerts: New alerts related to Entra ID: Attempt to disable Defender for Identity service principal observed Suspicious Entra account enablement after disruption Suspicious Intune device registration activity Suspicious OS switch sign-in Suspicious shared client infrastructure activity Suspicious sign-in from unusual user agent and IP address using PowerShell Suspicious sign-in from unusual user agent and IP address using device code flow New alerts related to Active Directory: Suspicious on-premises account enablement after disruption Suspicious resource-based constrained delegation (RBCD) attribute change Suspicious resource-based constrained delegation (RBCD) authentication Microsoft Defender for Office 365 Expanding User reporting in Teams to include Calls: Users can reported completed or missed one-to-one Microsoft Teams calls from the call history as malicious (scam) or non malicious (non-scam) to the specified reporting mailbox, or Microsoft and the reporting mailbox via user reported settings. Added support for contextual Teams messages in User reported Teams Messages: When Users report Microsoft Teams messages from chats, channels (standard, shared, and private), and meeting conversations to Microsoft as malicious (security risk), up to fifteen messages before and after the reported message are shared for analysis. Microsoft Defender for Cloud Apps To improve accuracy and better protect organizational identities, some security recommendations categorized as Cloud apps recommendations are now considered identityârelated and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.Monthly news - March 2026
Microsoft Defender Monthly news - March 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2026. We are now including news related to Defender for Cloud in the Defender portal. For all other Defender for Cloud news, have a look at the dedicated Defender for Cloud Monthly News here. đ New Virtual Ninja Show episode: New AI-powered SIEM migration experience Microsoft Defender (Public Preview) Microsoft Defender for Cloud is expanding to the Defender portal to provide a unified security experience across cloud and code environments. As part of this expansion, some features are now available in the Microsoft Defender Portal, and additional capabilities will be added to the Defender portal over time. Follow instructions provided here to enable Defender for Cloud experience in XDR. Learn more on how to enable preview features in the Defender portal. (Public Preview) Generate playbooks using AI in Microsoft Sentinel: The SOAR playbook generator creates python based automation workflows coauthored through a conversational experience with Cline, an AI coding agent. For more information, see the Playbook Generation blog post. (Public Preview) The Microsoft Copilot Data Connector for Microsoft Sentinel. This new connector allows for audit logs and activities generated by Copilot to be ingested into Microsoft Sentinel and Microsoft Sentinel data lake. The data can be used in analytic rules/custom detections, Workbooks, automation, and more. Update: We are extending the sunset date for managing Microsoft Sentinel in the Azure portal to March 31, 2027. The upcoming Sentinel update standardizes Account Name in analytics, incidents, and automation. Starting July 1, 2026 for UPN-based mappings, Account Name will show only the UPN prefix, with new fields for full UPN and UPN suffix. Microsoft Defender Experts for Hunting customers can now set up Notification contacts. These contacts are the individuals or groups that Microsoft needs to notify if there are critical incidents or service updates. Learn more on our docs. The following advanced hunting schema tables are now generally available: IdentityAccountInfo EntraIdSignInEvents EntraIdSpnSignInEvents GraphApiAuditEvents Lake only ingestion for Microsoft Defender Advanced Hunting tables is now General Available. You can now ingest Advanced Hunting data into Sentinel Data lake without the need to ingest into the Microsoft Sentinel Analytics tier. Custom Guidebooks (SOP) for Copilot Guided Response is now Generally Available! Custom Guidebooks enable organizations to bring their own Standard Operating Procedures (SOPs) directly into the Copilot Guided Response experience, helping ensure investigations and remediation steps align with internal processes and best practices. Please find more information in our documentation. Custom Guidebookssettings page in the portal, users can upload guidebooks and review the parsed tasks generated from their SOP files. (Public Preview) The Sentinel Codeless Connector Framework (CCF) Push feature. CCF addresses a critical need: enabling seamless, automated, and immediate delivery of security data to Microsoft Sentinel, so teams can respond to threats as they happen. The UEBA behaviors layer in Microsoft Sentinel is now generally available, summarizing clear, humanâreadable behavioral insights from high-volume, raw security logs. The behaviors layer aggregates and sequences related events into normalized behaviors, helping analysts more quickly understand who did what to whom without manually correlating raw logs. For more information, see Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel. Watch the UEBA behaviors webinar for a full overview and demo of the UEBA behaviors layer. To help SOC teams get value from behaviors from day one, Microsoft Sentinel now provides the behaviors workbook as part of the UEBA essentials solution. The workbook offers guided views and prebuilt, customizable analytics that turn rich behavioral data into actionable insights across three core SOC workflows. For more information about the workbook, see the Microsoft Sentinel Behaviors Workbook blog post. Microsoft Defender for Endpoint / Microsoft Defender Vulnerability Management (Public Preview) Microsoft Defender now has a Library Management for live response! This is addressing a long standing pain point. You can now centrally manage Live Response scripts and files directly in the Defender portal, not just during a live response session. Read more details in this blog post. (General Availability) Effective Settings: Effective Settings Reporting for device security settings is now available in GA! This report presents the actual security settings enforced on a specific device, capturing the real configuration rather than just the adminâs intent. This visibility empowers admins to easily track applied configurations and swiftly identify discrepancies. A new tab, named "Effective Settings", is now enabled on the device page, under the "Configuration Management" section. This tab displays: The actual value of each security setting The configuring source for each setting Configuration attempts from other sources that were not effectively applied (General Availability) To reflect Defender Vulnerability Management's visibility into all software components identified in your organization, the Vulnerable components page is now named Software components. (General Availability) To provide comprehensive vulnerability management capabilities across all supported Windows versions, Microsoft Defender Vulnerability Management now gathers software product vulnerability data on Windows 7 devices. The what's new and OS-specific release notes pages are now updated to provide better visibility and access to new features, improvements, and fixes: The what's new page is now named New features in Microsoft Defender for Endpoint and includes both features and links to latest release notes. The Release notes page now consolidates release details for all supported operating systems, including Windows Antivirus. The new page groups updates by platform and date, making it easier to find specific information. All previous release notes pages redirect to the consolidated release notes page. Microsoft Defender for Identity Webinar recording: Identity Control Plane Under Attack: Consent Abuse and Hybrid Sync Risks (YouTube) A new wave of identity attacks abuses legitimate authentication flows, allowing attackers to gain access without stealing passwords or breaking MFA. In this webinar recording the team breaks down how attackers trick users into approving malicious apps, how this leads to silent account takeover, and why traditional phishing defenses often miss it. They also dive into the identity sync layer at the heart of hybrid environments. Youâll learn how Entra Connect Sync and Cloud Sync are protected as Tier-0 assets, how Microsoft Defender for Identity secures synchronization flows, and how the new application-based authentication model strengthens Entra Connect Sync against modern threats. Microsoft Defender for Office 365 Expanding User reporting in Teams to Defender for Office 365 Plan 1: Users can report external and intra-org Microsoft Teams messages from chats, standard, shared, and private channels, meeting conversations to Microsoft as malicious (security risk) the specified reporting mailbox, or both via user reported settings. Microsoft Defender for Cloud Apps As part of Microsoft's ongoing efforts to increase accuracy in Secure Score, security recommendation categories will be updated in March 2026. As a result, identity and app Secure Scores may be impacted.Monthly news - February 2026
Microsoft Defender Monthly news - February 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2026. Defender for Cloud has its own Monthly News post, have a look here. đ New Virtual Ninja Show episode: Discovering Microsoft Sentinel MCP server Microsoft Sentinel for SAP: What's New, What's Gone, and What's Next Unlocking Security Context with Microsoft Sentinel Graph Inside OAuth App: Risks, Real Attacks, and How Microsoft Defender Shuts Them Down Technical AI Agent foundations and Microsoft Entra Agent ID Microsoft Defender (Public Preview) Microsoft Defender now supports Entra Agent IDs! Microsoft Entra Agent ID extends the comprehensive security capabilities of Microsoft Entra to agents, enabling organizations to build, discover, govern, and protect agent identities. Until now agents use User OBO (User on behalf of), but now you can specify an Entra agent ID, a dedicated identity for your agents. Learn more about Entra Agent IDs here. (Public Preview) The BehaviorInfo and BehaviorEntities tables in advanced hunting now include additional columns and information about behavior data types and alerts from User and Entity Behavior Analytics (UEBA), providing more insights on the relationships between identified behaviors and entities. Learn more about UEBA behaviors (Public Preview) Streamline Incident Management with Microsoft Defenderâs New Built-In Alert Tuning Rules. Builtâin alert tuning rules help SOC teams focus on highâquality, actionable incidents that reflect real threats - while automatically handling informational and lowâseverity alerts in the background. At Microsoft Ignite last November, we announced a new capability in Microsoft Defender designed to solve exactly this problem: AI-powered incident prioritization. Today, weâre excited to share that AI-powered incident prioritization is now available in public preview for all Microsoft Defender customers! This is about helping SOC teams cut through noise, focus on what matters most, and move faster with confidence. Read more details in this blog post. (Public Preview) In advanced hunting, if the query result exceeds the 64-MB size limit, the portal now returns the maximum number of records it can within this limit and displays a message indicating that the displayed results are partial due to size constraints. Learn more. (Public Preview) Alert tuning set as behavior - reclassifies certain alerts as behaviors so they donât appear in the open alerts queue or generate incidents - yet remain available for investigation and hunting when needed. Recording: Spotlight the latest innovations and enhancements, including improvements to the Microsoft Defender portal that deepen its integration with Microsoft Sentinel. Watch it on YouTube Updated date: Microsoft Sentinel in the Azure portal to be retired March 2027. Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services. After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal. Learn more in this blog post and get useful resources. 2 Part Webinar: walk through a day in the life of a SOC, showing how integration and simplicity make security operations smoother in the unified portal Part 1: Stop Waiting, Start Onboarding: Get Sentinel DefenderâReady Today Part 2: Donât Get Left Behind: Complete Your Sentinel Move to Defender (General Availability) The option to disable incident correlation for analytics rules is now general available. Learn more about it here. (Public Preview) Content distribution in Defender's multi-tenant management now supports the distribution of Analytics Rules, Automation Rules, and Workbooks. This allows multi-tenant customers to quickly onboard new tenants and maintain a consistent security baseline. Read the blog to learn more. Blog post: Accelerate your move to Microsoft Sentinel with the new AI Powered SIEM migration experience. (Public Preview) You can now enable UEBA for supported data sources directly from the data connector configuration page, reducing management time and preventing coverage gaps. (Public Preview) UEBA behaviors layer aggregates actionable insights from raw logs in near-real time. Microsoft Sentinel introduces a UEBA behaviors layer that transforms high-volume, low-level security logs into clear, human-readable behavioral insights in the Defender portal. This AI-powered capability aggregates and sequences raw events from supported data sources into normalized behaviors that explain "who did what to whom" with MITRE ATT&CK context. Learn more here. (Public Preview) The Triage MCP is a collection (server) on the Sentinel MCP platform and provides access to a set of APIs that enable incident and alert triage. You can use these tools to carry out autonomous triage and investigation, or build your own agentic workflows, on top of Microsoft Defender and Microsoft Sentinel alerts and incidents. New detections for Sentinel solution for SAP BTP. This update expands detection coverage for SAP BTP, strengthening visibility into highârisk control plane, integration, and identity activities. Microsoft Defender Vulnerability Management (General Availability) New Microsoft Secure Score recommendations: Disable Remote Registry service on Windows: Prevents remote access to the Windows registry, reducing attack surface and blocking unauthorized configuration changes, privilege escalation, and lateral movement. Disable NTLM authentication for Windows workstations: Helps prevent credential theft and lateral movement attacks by removing support for an outdated and insecure protocol. New Technology LAN Manager (NTLM) can be exploited with techniques like Pass-the-Hash and NTLM relay, allowing attackers to bypass password complexity and compromise domains. (Public Preview) To simplify and streamline the Device vulnerabilities report experience, the Vulnerable devices report now includes the following changes and enhancements (These changes are not yet visible to government cloud customers. The changes will be visible in late January 2026): The Vulnerable devices by Windows 10/11 version over time section has been removed. The reportâs filters have been simplified to only include the Device group filter. The reportâs history is now limited to the last 30 days. Microsoft Defender for Office 365 Blog post: Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response. Block communication from sender email address and domains in Teams: Admins can directly block malicious domains and email addresses from within the Microsoft Defender portal, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains and users list. This capability enables near real-time protection. When suspicious or abusive external organizations are identified, SOC teams can immediately block them, effectively halting new external chat messages, invites, and channel communications from those domains and senders while deleting existing ones. Expanding ZAP and Teams Admin quarantine to Plan 1: Zero-hour-auto-purge (ZAP) and admin management of quarantined Teams messages is available to Microsoft Defender for Plan 1 by default, bringing a post-delivery protection layer. Microsoft Defender for Cloud Apps The Workday connector now requires only âViewâ permissions to function. We have removed the âModifyâ permission requirement to better align with the principle of least privilege. While existing configurations will continue to work, admins are encouraged to update the Workday account settings to remove these unnecessary rights as a security best practice. For more information see: How Defender for Cloud Apps helps protect your Workday environment. Microsoft Defender for Identity (General Availability) The following Identity inventory enhancements are now generally available: Accounts tab in Identity Inventory: The new Accounts tab provides a consolidated view of all accounts associated with an identity, including accounts from Active Directory, Microsoft Entra ID, and supported non-Microsoft identity providers. For more information, see Manage related identities and accounts. Manually link and unlink accounts: Manually link or unlink accounts from an identity directly in the Accounts tab. This capability helps you correlate identity components from different directory sources and provides a complete identity context during investigations. For more information, see Manage related identities and accounts. Identity-level remediation actions: You can now perform remediation actions such as disabling accounts or resetting passwords on one or more accounts linked to an identity. For more information, see Remediation actions. New advanced hunting table: Advanced hunting in Microsoft Defender now includes the IdentityAccountInfo table. This table provides account information from various sources, including Microsoft Entra ID, and links to the identity that owns the account. As part of the ongoing transition to a unified alerting experience across Microsoft Defender products, some alerts were converted from the Microsoft Defender for Identity classic format to the Microsoft Defender XDR alert format. Keep in mind that all alerts are based on detections from Defender for Identity sensors. See Microsoft Defender for Identity XDR security alerts for the full list of XDR alerts. Alert names in the XDR structure are different than the alert names in the classic structure, but alert IDs stay consistent between the two alert structures. Enhanced RPC auditing is required for some Microsoft Defender for Identity advanced identity detections. A new health alert helps identify v3.x sensors where this configuration is either missing or incorrectly applied. The alert is being rolled out gradually to customers. For more information, see Configure RPC on sensors v3.x. (Public Preview) Weâre gradually rolling out automatic Windows event-auditing configuration for sensors v3.x, along with related health alerts. This update streamlines deployment by automatically applying the required auditing settings to new sensors and correcting misconfigurations on existing ones. For more information, see Configure automatic windows auditing.Monthly news - January 2026
Microsoft Defender Monthly news - January 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. đ New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender (Public Preview) The following advanced hunting schema tables are now available for preview: The CampaignInfo table contains contains information about email campaigns identified by Microsoft Defender for Office 365 The FileMaliciousContentInfo table contains information about files that were processed by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams General Availability of the Phishing Triage Agent: this agent autonomously analyzes userâreported phishing emails to determine whether theyâre true threats or false positives, dramatically reducing manual triage workload. It continuously learns from analyst feedback and provides clear, naturalâlanguage explanations for every verdict, giving SOC teams both speed and transparency. We're excited to share it is now generally available and, very soon, will expand to also triage cloud and identity alerts! Learn more on our docs. Public Preview of Dynamic Threat Detection Agent: Announced at Ignite, this alwaysâon agent hunts for unseen threats by continuously correlating telemetry and creating new, contextâaware detections on the flyâclosing gaps traditional rules canât see. We're excited to share it is now in Public Preview! Learn more on our docs. Public Preview of Threat Hunting Agent: Announced at Ignite, this agent gives every analyst the power to investigate like an expert by turning naturalâlanguage questions into guided, realâtime hunts that surface hidden patterns, reveal meaningful pivots, and eliminate the need to write complex queries. We're excited to share it is now in Public Preview! Learn more on our docs. General Availability of the Threat Intelligence Briefing Agent: this agent delivers daily, tailored intelligence briefings directly in Microsoft Defenderâautomatically synthesizing Microsoftâs global threat insights with your organizationâs context to surface prioritized risks, clear recommendations, and relevant assets so teams can shift from reactive research to proactive defense in minutes. We're excited to share it is now generally available! Learn more on our docs. (General Availability) The hunting graph in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs. (General Availability) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. Learn more Microsoft Defender for Endpoint (Public Preview) Triage collection: Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server. Microsoft Defender for Identity New ADWS LDAP search activity is now available in the 'IdentityQueryEvents' table in Advanced Hunting. This can provides visibility into directory queries performed through ADWS, helping customers track these operations and create custom detection based on this data. (Public Preview) New properties for 'sensorCandidate' resource type in Graph-API. Learn more here. Microsoft Defender for Cloud Apps Integration of Defender for Cloud Apps permissions with Microsoft Defender XDR Unified RBAC is now available worldwide. For more information, see Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions. To activate the Defender for Cloud Apps workload, see Activate Microsoft Defender XDR Unified RBAC. (Public Preview) The Defender for Cloud Apps app governance unused app insights feature helps administrators identify and manage unused Microsoft 365-connected OAuth apps, enforce policy-based governance, and use advanced hunting queries for better security. This feature is now available for most commercial cloud customers. For more information, see Secure apps with app hygiene features.Monthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. đ Microsoft Ignite 2025 - now on-demand! đ New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security teamâs visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better⌠a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.Ignite 2025: What's new in Microsoft Defender?
This Ignite we are focused on giving security teams the edge they need to meet adversaries head on in the era of AI. The modern Security Operations Center (SOC) is undergoing a fundamental transformation, placing AI at the forefront of innovation - not just as an added feature, but as a driving force at every layer of the stack. While much attention is rightly focused on the development of security agents, we fundamentally believe that AI must also evolve the very foundation of our security solutions. This means building solutions that more effectively uncover novel threats, act dynamically to defend the organization during attacks, and reduce the workload for the security team. As organizations adopt AI at an unprecedented speed, we also want to make sure they can do so securely. To meet these security needs of the AI era, we are excited to announce a series of innovations that will help organizations shift to an autonomous defense and an agentic SOC. New agents to help scale and accelerate security operations Evolving Microsoft Defenderâs autonomous defense capabilities for better protection Secure your low-code and pro-code AI agents with Microsoft Defender Today, we are taking the first step in shifting security operations from static controls to autonomous defense and from manual toil to agentic operations. But we have an ambitious vision to augment and evolve these AI capabilities and agents across the entire SOC lifecycle and are excited to share some of that vision, as shown in the below graphic, with you at Microsoft Ignite. The Agentic SOC: Scaling expertise and accelerating defense We are excited to introduce four new Security Copilot agents in Microsoft Defender that bring autonomous intelligence across different stages of the SOC lifecycle. These agents combine context, reasoning, and complex workflows to help defenders anticipate attacks sooner, detect smarter, and investigate faster than ever before. Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent reviews and classifies incoming alerts, resolves false positives and escalates only the malicious cases that require human expertise. Early data shows that analysts working with the agent caught up to 6.5x more malicious emails compared to professional graders. Today, weâre excited to announce that the agentâs triage capabilities will soon extend beyond phishing to cover identity and cloud alerts. Secondly, we are also improving our phish admin reporting process with a new agentic email grading system. It replaces a manual review process with advanced large language models and agentic workflows to deliver rapid, transparent verdicts and clear explanations to customers for every reported email. Learn more about the agentic email grading system. Threat Hunting Agent â this agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, the Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can vibe with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. This levels up the current NL2KQL experience by enabling analysts to explore patterns, pivot intuitively and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level. Dynamic Threat Detection Agent â One of the hardest challenges in detection engineering is finding and fixing false negatives. The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots that traditional alerting might miss. When a critical incident happens, Copilot will kick off an automated hunt to uncover undetected threatsâlike unusual residual activity around a sensitive identity. This agent turns âprobably fineâ into proven secureâhunting the quiet persistence that slips past alerts and closing the gap before it becomes tomorrowâs breach. Threat Intelligence (TI) Briefing Agent â Now native in the Defender portal. Generate tailored, AIâauthored threat briefings in minutesâsynthesizing global intel with your environmentâs contextâwithout leaving the incident pane. Figure 1. The Threat Hunting Agent showing insights on an incident that contained a high risk binary To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers. Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30-day advanced notification before activation. Learn more. Autonomous Defense at Platform Scale Threat actors are automating everything. Ransomware campaigns can encrypt an entire environment in under an hour. Adversaries evade detection and pivot across identities, endpoints, and cloud resources faster than human teams can triage alerts. Traditional SOC modelsâbuilt on manual workflows and fragmented toolsâsimply canât keep pace. Every second of delay gives attackers an advantage. Microsoft Defender now counters that speed by delivering autonomous defense at scale. Defender shifts security from reactive firefighting to proactive protection, embedding AI into the foundation of our protection solutions for instant detection, disruption, and containmentâbefore threats escalate. In 2023, we introduced automatic attack disruption, which autonomously stops attacks in progressâlike ransomware or business email compromiseâwith policy-bound actions that isolate endpoints, disable compromised accounts, and block malicious IPs at machine speed. Today, weâre taking the next step. New capabilities show how AI and agentic technology are transforming security to better protect customers: Unleash automatic attack disruption across your SIEM data: We are expanding the disruption capabilities of Microsoft Defender to some of the most critical data sources customer connect via Microsoft Sentinel including AWS, Proofpoint and Okta. This enables real-time detection and automatic containment of threats like phishing and identity compromise on top of your log data, fundamentally turning your SIEM into a threat protection solution. While these capabilities leverage the power of our platform, Defender is not a requirement for customers to realize this value in Microsoft Sentinel. Figure 2. Attack disruption initiated on an AWS attack Predictive shielding â This brand-new automatic attack disruption capability activates immediately after an attack is first contained. Our first of its kind capability combines graph insights, AI, and threat intelligence to predict potential attack paths for where the adversary might go next. It then applies just-in-time hardening techniques that proactively block the attacker from pivoting. Some of the hardening tactics that will automatically be applied by Microsoft Defender include disabling SafeBoot and enforcing Group Policy Objects, putting a hard stop to the attackerâs movements and ability to execute common techniques for compromise. Learn more about predictive shielding and other endpoint security news. Protect your low-code and pro-code AI agents Generative AI and agents are rapidly transforming how we work, but these powerful new tools also introduce new risks. And with the democratization of agent creation across pro-code, low-code, and no-code building platforms, building agents is now accessible to everyone, many without extensive developer or security knowledge. To help security teams better manage these risks we are excited to announce that we are extending the capabilities and experiences in Microsoft Defender to the protection of agents. From agent security posture management, to attack path analysis, and threat protection for Copilot Studio, Azure Foundry, and agents built and connected via the Microsoft Agent 365 SDK. Learn more about how Microsoft Defender can help protect your agents against threats like prompt injections and more. There is so much more innovation we are introducing in Microsoft Defender today, including expanded endpoint security coverage for legacy systems, improvements to how you can investigate identity-centric threats, and we are bringing cloud security posture management into the Defender portal. Check out the other Defender news blogs for more details. Join us in San Francisco, November 17â21, or online, November 18â20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Featured sessions: Microsoft Defender: Building the agentic SOC with guest Allie Mellen Blueprint for building the SOC of the future Empowering the SOC: Security Copilot and the rise of agentic defense Identity Under Siege: Modern ITDR from Microsoft AI vs AI: Protect email and collaboration tools with Microsoft Defender AI-powered defense for cloud workloads Endpoint security in the AI era: What's new in DefenderSecurity Copilot for SOC: bringing agentic AI to every defender
Cybersecurity has entered an era of relentless complexity. As threat actors increasingly leverage artificial intelligence to automate attacks, evade detection, and scale their tactics, defenders are challenged to keep up. In this new era, security operations centers (SOCs) must transform to not just react, but to anticipate, disrupt, and outpace the next wave of cyberthreats. Microsoftâs goal is to empower every organization to meet this challenge head-on by transforming how security operates. We believe the future of the SOC is more than just agentic: itâs predictive and proactive. This means moving beyond fragmented tools and manual processes, and instead embracing a unified, intelligent approach where AI-driven skills and agents work in concert with human expertise. To bring this vision to life, itâs essential to look at the SOC through the lens of its lifecycleâa dynamic continuum that spans from anticipation and prevention through to recovery and optimizationâand to recognize the unique challenges and opportunities within each stage. With Security Copilotâs GenAI and agentic capabilities woven across this lifecycle, Microsoft is delivering an integrated defense platform that enables defenders to move faster, act smarter, and stay ahead of adversaries. Introducing agentic innovation across the SOC lifecycle At Ignite, our agentic innovations are concentrated in three of the five SOC lifecycle pillars, and each one represents a leap forward in how analysts anticipate, detect, triage and investigate threats. Predict and prevent Threat Intelligence Briefing Agent: Introduced in March, this agent has already helped security teams move from reactive to anticipatory defense. At Ignite, weâre announcing that the Threat Intelligence Briefing Agent is now fully embedded in the Microsoft Defender portal, delivering daily, tailored briefings that synthesize Microsoftâs unparalleled global intelligence with organization-specific context in just minutes. Teams no longer need to spend hours gathering TI from disparate sourcesâthe agent automates this process, offering the most current and relevant insights. Analysts can reference the summary to prioritize action, using the agentâs risk assessments, clear recommendations, and links to vulnerable assets to proactively address exposures. Detect and disrupt Dynamic Threat Detection Agent: Detections have long been bottlenecked by the limitations of traditional alerting systems, which rely on predefined logic that canât scale fast enough to match the speed and variability of modern attacksâ resulting in blind spots and missed threats. The Dynamic Threat Detection Agent addresses this challenge head-on. Instead of depending on static rules or isolated input, it continuously analyzes incidents and telemetry, searching for gaps in coverage and correlating signals across the entire security stack. For example, this is how it surfaced a recent AWS attack: a threat actor used an EntraID account to federate into an AWS admin account to exfiltrate sensitive data. The Dynamic Threat Detection Agent generated an alert before the intruder even authenticated into the single sign-on flow, driven by a correlated signal from Sentinel. That alert didnât exist beforehand; the agent created it on the fly to stop the attack. The result is an adaptive system that extends Microsoftâs industry-leading, research-based detections with context-aware alerts tailored to each organization, closing gaps and revealing threats that legacy systems miss. Triage and investigate Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts and resolves false positives, escalating only the malicious cases that require human expertise. At Microsoft Ignite, weâre announcing its general availability, backed by strong early results: the agent identifies 6.5 times more malicious alerts, improves verdict accuracy by 77%, and frees analysts to spend 53% more time investigating real threats. St. Lukeâs even said itâs saving their team nearly 200 hours each month. Coming soon, weâll be extending these autonomous triage capabilities beyond phishing to identity and cloud alerts, bringing the same precision and scale to more SOC workflows. Threat Hunting Agent: this agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can vibe with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. It levels up the existing Security Copilot NL2KQL capability by enabling teams to explore patterns, pivot intuitively and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level. Agents built into your workflows To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers. Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30-day advanced notice before activation. Learn more: https://aka.ms/SCP-Ignite25 Discover more: the Security Store The Security Store, now generally available, is the central hub for discovering, deploying, and managing first-party and third-party security agents. Today, it provides instant access to 20+ agents deployable directly in the Microsoft Defender portal, all within a broader ecosystem of 100+ trusted security solutions. Whether you're investigating incidents, hunting threats, or automating response, the Security Store extends Defender with vetted, scenario-aligned tools that can be set up in minutes. Learn more in this blog. Introducing new GenAI embedded capabilities Security Copilot isnât just growing through agentsâitâs also gaining new embedded capabilities: GenAI skills that help SOC teams work faster, operate at greater scale, and get upleveled directly inside Microsoft Defender. Today, weâre excited to introduce new innovations: Analyst Notes represent a meaningful shift in how investigation work is captured and shared. For organizations that choose to opt into this capability, Copilot automatically reconstructs an analystâs investigation sessionâfrom the moment they open an incident to the moment they close itâand turns that activity into clear, structured notes. The system can even track multiple sessions in parallel and attribute actions to the right incident, and analysts can fully review and edit the generated notes before saving them. This not only saves teams valuable time and effort, it preserves the actual investigation path with far greater accuracy and consistency than manual documentation ever could. The result is a living, cumulative record of how the SOC investigates threats: easier handoffs, stronger auditability, faster onboarding, and a deeper shared understanding of how incidents unfold across multiple SecOps members and phases. Standard Operating Procedures (SOPs) for guided response allows organizations to upload their own internal procedures so Security Copilot can align its recommendations with established guidebooks and compliance requirements. Guided response is one of the ways Copilot helps analysts navigate an incident: it offers one-click actions across triage, containment, investigation and remediation that teams can take immediately. With SOPs uploaded, these recommendations draw directly from organizational workflows and policy standards, ensuring they are contextually relevant and trusted. For defenders, this translates into greater confidence and faster, more consistent decision-making. Weâre also eager to share that weâre introducing auto-generated content configuration for Security Copilotâs incident summaries. This new feature allows security admins to decide how and when summaries are produced, choosing between always auto-generating, manual trigger only, or auto-generating based on incident severity. The configuration is managed directly in the Microsoft Defender portal, giving organizations flexibility to fine-tune Copilotâs outputs to their operational needs. Join us at Ignite We invite you to learn more and see these innovations in action at Microsoft Ignite. Donât miss our featured sessions: Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19 th with Allie Mellen, Corina Feuerstein, and Rob Lefferts. Learn more. Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21 st with Corina Feuerstein and Cristina da Gama. Learn more. Join us to discover how Microsoft is shaping the future of cybersecurityâmaking intelligent, agentic defense accessible to every organization.Monthly news - November 2025
Microsoft Defender Monthly news - November 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. â° Microsoft Ignite 2025 November 18-20, register now! đ New Virtual Ninja Show episode: Whatâs new for Microsoft Teams protection in Defender for Office 365 Microsoft Defender Custom detections are now the unified experience for creating detections in Microsoft Defender! Read this blog for all the details. How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot. Weâre excited to share that Microsoft Defender now provides visibility into prompt injection attempts within Microsoft 365 Copilot and helps security teams detect and respond to prompt injection attacks more efficiently and at a broader context, with insights that go beyond individual interaction. Microsoft Defender Experts for Hunting reports now include an Emerging threats section that details the proactive, hypothesis-based hunts we conducted in your environment. Each report also now includes investigation summaries for nearly every hunt that Defender Experts conduct in your environment, regardless of whether they identified a confirmed threat. Microsoft Defender Experts for XDR reports now include a Trends tab provides you with the monthly volume of investigated and resolved incidents for the last six months, visualized according to the incidents' severity, MITRE tactic, and threat type. This section gives you insight into how Defender Experts are tangibly improving your security operations by showing important operational metrics on a month-over-month basis. Threat Intelligence Export is now available in Microsoft Sentinel. Traditionally, Microsoft Sentinel has supported importing threat intel from external sources (partners, governments, ISACs, or internal tenants) via Structured Threat Information eXpression (STIX) via Trusted Automated eXchange of Intelligence Information (TAXII). With this new export feature, you can now share curated threat intel back to trusted destinations. This empowers security teams to contribute threat intel to other organizations in support of collective defense, or to their own central platform to add or enrich threat intelligence. Microsoft Defender for Identity Weâre excited to announce that the Defender for Identity Unified Sensor (v3.x) is now generally available (GA). The unified sensor provides enhanced coverage, improved performance across your environment and offering easier deployment and management for domain controllers. Learn more on how to active it in our docs.. Microsoft Defender for Office 365 đ Email Authentication SecOps Guide (New learn doc) - visit & bookmark our short link: https://aka.ms/authguide The following docs article has been updated with with Compauth Codes: Message Headers Reference New blog series: Best practices from the Microsoft Community Defender for Office 365: Migration & Onboarding Onboarding to Microsoft Defender for Office 365 is often treated as a quick setup task, but it should be seen as a critical opportunity to establish strong security foundations. In my roles supporting incident response and security operations in Microsoft 365, I have observed that onboarding is often underestimated. - Purav Desai, Dual Microsoft Security MVP (Most Valuable Professional) This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security MVP, and the Defender for Office 365 Product Engineering Team, this guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. Microsoft Defender for Endpoint End of Windows 10 Support: What Defender Customers Need to Know As of October 14, 2025, Microsoft officially ended support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from Microsoft. While these devices will continue to operate, the lack of regular security updates increases vulnerability to cyber threats, including malware and viruses. Applications running on Windows 10 may also lose support as the platform stops receiving updates. Endpoint Security Policies can now be distributed via MTO's (Multi Tenant Organization) Content Distribution capability. This capability moved from Public Preview to General Availability (GA). With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content - such as custom detection rules and now, endpoint security policies - from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. You can read the announcement blog for public preview, as the content shares valuable insights. (Public Preview) Streamlined connectivity support for US government environments (GCC, GCC High, DoD). Learn more in our docs. (General Availability) Isolation exclusions. The Isolation exclusions feature is now generally available. Isolation exclusions allow designated processes or endpoints to bypass the restrictions of network isolation, ensuring essential functions continue while limiting broader network exposure. Learn more in our docs. Microsoft Defender Vulnerability Management (Public Preview) Microsoft Secure Score now includes three new Attack Surface Reduction (ASR) based proactive recommendations that help organizations prevent common endpoint attack techniques including web-shell persistence, misuse of system tools, and Safe Mode based evasion. (Public Preview) You can now use CVE exceptions to exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. CVE exceptions allow you to control what type of data is relevant to your organization and to selectively exclude certain data from your remediation efforts. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. Microsoft Security Blogs The new Microsoft Security Store unites partners and innovation On September 30, 2025, Microsoft announced a bold new vision for security: a unified, AI-powered platform designed to help organizations defend against todayâs most sophisticated cyberthreats. But an equally important storyâone thatâs just beginning to unfoldâis how the Microsoft Security Store is bringing this vision to life through a vibrant ecosystem of partners, developers, and innovatorsâall contributing together to deliver more value and security to our customers. Security Store is the gateway for customers to easily discover, buy, and deploy trusted security solutions and AI agents from leading partnersâall verified by Microsoft Security product teams to work seamlessly with Microsoft Security products. Inside the attack chain: Threat activity targeting Azure Blob Storage Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. Investigating targeted âpayroll pirateâ attacks affecting US universities Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed âpayroll pirateâ. Disrupting threats targeting Microsoft Teams Threat actors seek to abuse Microsoft Teams features and capabilities across the attack chain, underscoring the importance for defenders to proactively monitor, detect, and respond effectively. Harden your identity defense with improved protection, deeper correlation, and richer context Expanded ITDR featuresâincluding the new Microsoft Defender for Identity sensor, now generally availableâbring improved protection, correlation, and context to help customers modernize their identity defense.Monthly news - October 2025
Microsoft Defender Monthly news - October 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from September 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. â° Microsoft Ignite 2025 November 18-20, register now! đ New Virtual Ninja Show episodes: Defender for Endpoint: Customize settings for optimum performance The new Defender for Identity sensor explained Expanding Microsoft Sentinel UEBA Transitioning the Sentinel SIEM experience from Azure to the Defender portal Microsoft Defender Move your Microsoft Sentinel experience into Microsoft Defender to streamline security operations into a single, AI-powered interface. This move enhances analyst efficiency, integrates threat insights, and improves response times through automation and advanced posture management. Customers are encouraged to begin planning their migration now to ensure a smooth transition and maximize the benefits of the new experience. Learn more about panning your move to the Defender portal here. Microsoft Defender delivered 242% return on investment over three yearsââ. âThe latest 2025 commissioned Forrester Consulting Total Economic Impact⢠(TEI) study reveals a 242% ROI over three years for organizations that chose Microsoft Defender. Read more in our blog. Custom detection rules get a boost. If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. (Public Preview) In advanced hunting, you can now hunt using the hunting graph, which renders rendering predefined threat scenarios as interactive graphs. (Public Preview) You can investigate incidents using Blast radius analysis, which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the userâs permissions. Microsoft Defender for Cloud Apps (Public Preview) Protect Copilot Studio AI Agents in Real Time with Microsoft Defender. Microsoft Defender offers real-time protection during runtime for AI agents built with Microsoft Copilot Studio. This capability automatically blocks the agentâs response during runtime if a suspicious behavior like a prompt injection attack is detected, and notifies security teams with a detailed alert in the Microsoft Defender portal. Learn more about it in this blog. Protect against OAuth Attacks in Salesforce with Microsoft Defender. In this blog, we will delve only into one of the Salesforce OAuth attack campaign and provide guidance on how organizations can use Microsoft Defender to protect against this and similar SaaS attack campaigns. Microsoft Defender for Identity Defender for Identity data centers are now also deployed in the United Arab Emirates, North and Central regions. For the most current list of regional deployments, see Defender for Identity data locations. (Public Preview) We are excited to announce the availability of a new Graph-based API for managing unified agent server actions in Defender for Identity. This capability is currently in preview and available in API Beta version. This API allows customers to: Monitor the status of unified agent servers Enable or disable the automatic activation of eligible servers Activate or deactivate the agent on eligible serversâ For more information, see Managing unified agent actions through Graph API. Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you might see a decrease in the number of alerts raised. Learn more on our docs page. We've added a new tab on the Identity profile page that contains all active identity-related identity security posture assessments (ISPMs). This feature consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions. Learn more on our docs page. (Public Preview) Defender for Identity supports the Unified connectors experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency. For more information, see: Connect Okta to Microsoft Defender for Identity Microsoft Defender for Office 365 Near real-time URL protection in Teams messages: - Known, malicious URLs in Teams messages are delivered with a warning. Messages found to contain malicious URLs up to 48 hours after delivery also receive a warning. The warning is added to messages in internal and external chats and channels for all URL verdicts (not just malware or high confidence phishing). Users can report external and intra-org Microsoft Teams messages as non-malicious (not a security risk) from the following locations: Chats Standard, shared, and private channels Meeting conversations User reported settings determine whether reported messages are sent to the specified reporting mailbox, to Microsoft, or both. Also added support for Teams message reporting on Teams mobile client. Microsoft Security Exposure Management Cloud Attack Paths now reflect real, externally driven and exploitable risks that adversaries could use to compromise your organization, helping you cut through the noise and act faster. The paths now focus on external entry points and how attackers could progress through your environment reaching business-critical targets. Read more about it in this blog: Refining Attack Paths: Prioritizing Real-World, Exploitable Threats The legacy Azure AD Connect asset rule has been removed from Critical Assets. Its associated device role, AzureADConnectServer, will be deprecated in December 2025. Ensure all relevant custom rules are transitioned to use the new device role, EntraConnectServer, to maintain compliance and visibility. For more information, see Predefined classification. New predefined classifications: predefined Device classification rules for SharePoint Server and Microsoft Entra ID Cloud Sync were added to the critical assets list. For more information, see Predefined classification. We have added new data connectors for Wiz and Palo Alto Prisma. These connectors enable seamless integration of vulnerability and asset data from leading cloud security platforms into Microsoft Security Exposure Management, providing enhanced visibility and context for your environments. For more information, see: Wiz data connector, Palo Alto Prisma data connector. Microsoft Security Blogs https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/ Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses, demonstrating a broader trend of attackers leveraging AI to increase the effectiveness of their operations and underscoring the need for defenders to understand and anticipate AI-driven threats. XCSSET evolves again: Analyzing the latest updates to XCSSETâs inventory Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.Monthly news - September 2025
Microsoft Defender Monthly news - September 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. New Virtual Ninja Show episodes: Announcing Microsoft Sentinel data lake. Inside the new Phishing Triage Agent in Security Copilot. Microsoft Defender Public Preview items in advanced hunting: The new CloudStorageAggregatedEvents table is now available and brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. You can now investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting. The IdentityEvents table contains information about identity events obtained from other cloud identity service providers. You can now enrich your custom detection rules in advanced hunting by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel. The number of query results displayed in the Microsoft Defender portal has been increased to 100,000. General Availability item in advanced hunting: you can now view all your user-defined rules - both custom detection rules and analytics rules - in the Detection rules page. This feature also brings the following improvements: You can now filter for every column (in addition to Frequency and Organizational scope). For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit. (General Availability) Defender Experts for XDR and Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more (General Availability) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments. (General Availability) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts. (Public Preview) Suggested prompts for incident summaries. Suggested prompts enhance the incident summary experience by automatically surfacing relevant follow-up questions based on the most crucial information in a given incident. With a single click, you can request deeper insight (e.g. device details, identity information, threat intelligence) and obtain plain language summaries from Security Copilot. This intuitive, interactive experience simplifies investigations and speeds up access to critical insights, empowering you to focus on key priorities and accelerate threat response. Microsoft Defender for Endpoint (Public Preview) Multi-tenant endpoint security policies distribution is now in Public Preview. Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. (Public Preview) Custom installation path support for Defender for Endpoint on Linux is available in public preview. (Public Preview) Offline security intelligence update support for Defender for Endpoint on macOS is in public preview. Microsoft Defender for Identity (Public Preview) Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in advanced hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context. (Public Preview) Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts. For more information, see: Security Assessment: Remove Inactive Service Accounts (Public Preview) A new Graph-based API is now in preview for initiating and managing remediation actions in Defender for Identity. For more information, see Managing response actions through Graph API. (General Availability) Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview) The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise. For more information, see: Security Assessment: Remove discoverable passwords in Active Directory account attributes. Detection update: Suspected Brute Force attack (Kerberos, NTLM). Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase. Microsoft Defender for Office 365 SecOps can now dispute Microsoft's verdict on previously submitted email or URLs when they believe the result is incorrect. Disputing an item links back to the original submission and triggers a reevaluation with full context and audit history. Learn more. Microsoft Security Blogs Dissecting PipeMagic: Inside the architecture of a modular backdoor framework A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application. Think before you Click(Fix): Analyzing the ClickFix social engineering technique The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. Storm-0501âs evolving techniques lead to cloud-based ransomware Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).
