Announcing General Availability: Unified identity and endpoint sensor
This milestone streamlines the deployment of on-premises identity security by unifying our endpoint and identity protection into a single sensor, pre-installed and ready for activation on Domain Controllers running Windows Server 2019 or newer. What Is a sensor? What’s new about this version? Viewed through a cybersecurity lens, a “sensor” is a software component that monitors and protects critical infrastructure. Serving as one of the first lines of defense against threat actors, they continuously scan corporate resources for malicious activity or misconfigurations to ensure your organization remains secure. Like many security solutions, Microsoft Defender relies on sensors to gain visibility into the endpoints and on-premises identity infrastructure within your environment. The telemetry they provide — plus unmatched Microsoft Threat Intelligence — enables us to help security professionals better detect and respond to potential threats targeting their domains. Individually, the insights into the endpoints and users are extremely valuable. But when used in tandem, they provide a holistic view and protection for identity infrastructure. V3.x takes this co-existence a step further and merges the components, eliminating the need for installing and maintaining two distinct sensors. For qualifying Domain Controllers, it’s fast and simple to activate with a click of a button, optimized for performance, and is embedded within the Windows operating system. What does this mean for customers? New customers can now easily activate identity protections on critical on-premises identity infrastructure by deploying v3.x to eligible Domain Controllers in a matter of clicks. This streamlined approach reduces deployment complexity, minimizes configuration errors, and accelerates time-to-protection. It also allows security teams to focus on threat detection and response instead of managing infrastructure prerequisites. Additional benefits include: Built into the OS – The sensor is now part of Windows Server 2019 and later (with the latest cumulative update), eliminating many of the prerequisites required by earlier sensor versions. “One-click” activation – Once your domain controller is onboarded to Defender for Endpoint for Servers, enabling identity protections can be done in just a matter of clicks within the Defender portal. You no longer need to download and distribute the sensor deployment packages, installing .NET dependencies, configuring NPCAP for interoperability, or opening ports for Network Name Resolution (NNR). Increased automation – You can even enable automatic activation for all domain controllers that meet the requirements, ensuring continuous protection with zero extra effort. How to get started: Review the prerequisites listed within our documentation to determine if you are eligible to deploy v3.x If you meet all the pre-requisites, use the detailed activation guide here to activate v3.x. Once activated we recommend you opt-in to apply unified sensor Remote Procedure Call (RPC) audit tags. By applying these tag, you enable advanced identity detections that rely on RPC monitoring via the Windows Filtering Platform (WFP). This unlocks additional alerts and visibility for identity-based threats. What's next? Join us at Microsoft Ignite in San Francisco on November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Security is a core focus at Ignite this year, with the Security Forum on November 17th, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners Featured sessions BRK237: Identity Under Siege: Modern ITDR from Microsoft Join experts in Identity and Security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric. BRK240 – Endpoint security in the AI era: What's new in Defender Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster. BRK236 – Your SOC’s ally against cyber threats, Microsoft Defender Experts See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos. LAB541 – Defend against threats with Microsoft Defender Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation. Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity. Why attend? Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense. Security Forum—Make day 0 count (November 17) Kick off with an immersive, in person preday focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >Introducing the new PowerShell Module for Microsoft Defender for Identity
Today, I am excited to introduce a new PowerShell module designed to help further simplify the deployment and configuration of Microsoft Defender for Identity. This tool will make it easier than ever to protect your organization from identity-based cyber-threats.
Host Microsoft Defender data locally in the United Arab Emirates
We are pleased to announce that local data residency support in the UAE is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement reinforces our ongoing commitment to delivering secure, compliant services aligned with local data sovereignty requirements. Customers can now confidently onboard to Defender for Endpoint and Defender for Identity in the UAE, knowing that this Defender data will remain at rest within the UAE data boundary. This allows customers to meet their regulatory obligations and maintain control over their data. For more details on the Defender data storage and privacy policies, refer to Microsoft Defender for Endpoint data storage and privacy and Microsoft Defender for Identity data security and privacy. Note: Defender for Endpoint and Defender for Identity may potentially use other Microsoft services (i.e. Microsoft Intune for security settings management). Each Microsoft service is governed by its own data storage and privacy policies and may have varying regional availability. For more information, refer to our Online Product Terms. In addition to the UAE, Defender data residency capabilities are available in the United States, the European Union, the United Kingdom, Australia, Switzerland and India (see our recent announcement for local data hosting in India). Customers with Existing deployments for Defender for Endpoint and/or Defender for Identity Existing customers can check their deployment geo within the portal by going to Settings -> Microsoft Defender XDR-> Account; and see where the service is storing your data at rest. For example, in the image below, the service location for the Defender XDR tenant is UAE. ation information If you would like to update your service location, please reach out to Customer Service and Support for a tenant reset. Support can be accessed by clicking on the “?” icon in the top right corner of the portal when signed in as an Admin (see image below). If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager for assistance with the migration process. More information: Ready to go local? Read our documentation for more information on how to get started. Microsoft Defender XDR data center location Not yet a customer? Take Defender XDR for a spin via a 90-day trial for Office 365 E5 or Defender for Endpoint via a 90-day trial for Defender for Endpoint Check out the Defender for Endpoint website to learn more about our industry leading Endpoint protection platform Check out the Defender for Identity website to learn how to keep your organization safe against rising identity threatsMonthly news - October 2025
Microsoft Defender Monthly news - October 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from September 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ Microsoft Ignite 2025 November 18-20, register now! 🚀 New Virtual Ninja Show episodes: Defender for Endpoint: Customize settings for optimum performance The new Defender for Identity sensor explained Expanding Microsoft Sentinel UEBA Transitioning the Sentinel SIEM experience from Azure to the Defender portal Microsoft Defender Move your Microsoft Sentinel experience into Microsoft Defender to streamline security operations into a single, AI-powered interface. This move enhances analyst efficiency, integrates threat insights, and improves response times through automation and advanced posture management. Customers are encouraged to begin planning their migration now to ensure a smooth transition and maximize the benefits of the new experience. Learn more about panning your move to the Defender portal here. Microsoft Defender delivered 242% return on investment over three years. The latest 2025 commissioned Forrester Consulting Total Economic Impact™ (TEI) study reveals a 242% ROI over three years for organizations that chose Microsoft Defender. Read more in our blog. Custom detection rules get a boost. If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. (Public Preview) In advanced hunting, you can now hunt using the hunting graph, which renders rendering predefined threat scenarios as interactive graphs. (Public Preview) You can investigate incidents using Blast radius analysis, which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions. Microsoft Defender for Cloud Apps (Public Preview) Protect Copilot Studio AI Agents in Real Time with Microsoft Defender. Microsoft Defender offers real-time protection during runtime for AI agents built with Microsoft Copilot Studio. This capability automatically blocks the agent’s response during runtime if a suspicious behavior like a prompt injection attack is detected, and notifies security teams with a detailed alert in the Microsoft Defender portal. Learn more about it in this blog. Protect against OAuth Attacks in Salesforce with Microsoft Defender. In this blog, we will delve only into one of the Salesforce OAuth attack campaign and provide guidance on how organizations can use Microsoft Defender to protect against this and similar SaaS attack campaigns. Microsoft Defender for Identity Defender for Identity data centers are now also deployed in the United Arab Emirates, North and Central regions. For the most current list of regional deployments, see Defender for Identity data locations. (Public Preview) We are excited to announce the availability of a new Graph-based API for managing unified agent server actions in Defender for Identity. This capability is currently in preview and available in API Beta version. This API allows customers to: Monitor the status of unified agent servers Enable or disable the automatic activation of eligible servers Activate or deactivate the agent on eligible servers For more information, see Managing unified agent actions through Graph API. Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you might see a decrease in the number of alerts raised. Learn more on our docs page. We've added a new tab on the Identity profile page that contains all active identity-related identity security posture assessments (ISPMs). This feature consolidates all identity-specific security posture assessments into a single contextual view, helping security teams quickly spot weaknesses and take targeted actions. Learn more on our docs page. (Public Preview) Defender for Identity supports the Unified connectors experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency. For more information, see: Connect Okta to Microsoft Defender for Identity Microsoft Defender for Office 365 Near real-time URL protection in Teams messages: - Known, malicious URLs in Teams messages are delivered with a warning. Messages found to contain malicious URLs up to 48 hours after delivery also receive a warning. The warning is added to messages in internal and external chats and channels for all URL verdicts (not just malware or high confidence phishing). Users can report external and intra-org Microsoft Teams messages as non-malicious (not a security risk) from the following locations: Chats Standard, shared, and private channels Meeting conversations User reported settings determine whether reported messages are sent to the specified reporting mailbox, to Microsoft, or both. Also added support for Teams message reporting on Teams mobile client. Microsoft Security Exposure Management Cloud Attack Paths now reflect real, externally driven and exploitable risks that adversaries could use to compromise your organization, helping you cut through the noise and act faster. The paths now focus on external entry points and how attackers could progress through your environment reaching business-critical targets. Read more about it in this blog: Refining Attack Paths: Prioritizing Real-World, Exploitable Threats The legacy Azure AD Connect asset rule has been removed from Critical Assets. Its associated device role, AzureADConnectServer, will be deprecated in December 2025. Ensure all relevant custom rules are transitioned to use the new device role, EntraConnectServer, to maintain compliance and visibility. For more information, see Predefined classification. New predefined classifications: predefined Device classification rules for SharePoint Server and Microsoft Entra ID Cloud Sync were added to the critical assets list. For more information, see Predefined classification. We have added new data connectors for Wiz and Palo Alto Prisma. These connectors enable seamless integration of vulnerability and asset data from leading cloud security platforms into Microsoft Security Exposure Management, providing enhanced visibility and context for your environments. For more information, see: Wiz data connector, Palo Alto Prisma data connector. Microsoft Security Blogs https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/ Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses, demonstrating a broader trend of attackers leveraging AI to increase the effectiveness of their operations and underscoring the need for defenders to understand and anticipate AI-driven threats. XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.Monthly news - September 2025
Microsoft Defender Monthly news - September 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. New Virtual Ninja Show episodes: Announcing Microsoft Sentinel data lake. Inside the new Phishing Triage Agent in Security Copilot. Microsoft Defender Public Preview items in advanced hunting: The new CloudStorageAggregatedEvents table is now available and brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. You can now investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting. The IdentityEvents table contains information about identity events obtained from other cloud identity service providers. You can now enrich your custom detection rules in advanced hunting by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel. The number of query results displayed in the Microsoft Defender portal has been increased to 100,000. General Availability item in advanced hunting: you can now view all your user-defined rules - both custom detection rules and analytics rules - in the Detection rules page. This feature also brings the following improvements: You can now filter for every column (in addition to Frequency and Organizational scope). For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit. (General Availability) Defender Experts for XDR and Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more (General Availability) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments. (General Availability) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts. (Public Preview) Suggested prompts for incident summaries. Suggested prompts enhance the incident summary experience by automatically surfacing relevant follow-up questions based on the most crucial information in a given incident. With a single click, you can request deeper insight (e.g. device details, identity information, threat intelligence) and obtain plain language summaries from Security Copilot. This intuitive, interactive experience simplifies investigations and speeds up access to critical insights, empowering you to focus on key priorities and accelerate threat response. Microsoft Defender for Endpoint (Public Preview) Multi-tenant endpoint security policies distribution is now in Public Preview. Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. (Public Preview) Custom installation path support for Defender for Endpoint on Linux is available in public preview. (Public Preview) Offline security intelligence update support for Defender for Endpoint on macOS is in public preview. Microsoft Defender for Identity (Public Preview) Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in advanced hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context. (Public Preview) Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts. For more information, see: Security Assessment: Remove Inactive Service Accounts (Public Preview) A new Graph-based API is now in preview for initiating and managing remediation actions in Defender for Identity. For more information, see Managing response actions through Graph API. (General Availability) Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview) The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise. For more information, see: Security Assessment: Remove discoverable passwords in Active Directory account attributes. Detection update: Suspected Brute Force attack (Kerberos, NTLM). Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase. Microsoft Defender for Office 365 SecOps can now dispute Microsoft's verdict on previously submitted email or URLs when they believe the result is incorrect. Disputing an item links back to the original submission and triggers a reevaluation with full context and audit history. Learn more. Microsoft Security Blogs Dissecting PipeMagic: Inside the architecture of a modular backdoor framework A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application. Think before you Click(Fix): Analyzing the ClickFix social engineering technique The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. Storm-0501’s evolving techniques lead to cloud-based ransomware Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).Scope Identity Protection with Defender for Identity is Now Generally Available
I am excited to announce the general availability (GA) of domain-based scoping for Active Directory within Microsoft Defender for Identity. This is a foundational step in extending role-based access control (RBAC) as part of the broader XDR URBAC initiative. This new capability enables SOC analysts to define and refine the scope of Microsoft Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. What is “scoping” and why does it matter? As organizations grow, so does their identity fabric and as security professionals look to manage these increasingly complex identity environments, the ability to control who can access what -and where- is critical. Whether for legal or efficiency reasons many organizations need a way to delegate access based on responsibility or ownership. The new scoping capability is part of Microsoft Defender's unified role-based access control (URBAC) model which allows customers to refine investigation and administration experiences by Active Directory domains, providing: Optimize performance - improve efficiency by focusing analysts on critical assets without the noise of other non-essential alerts and data outside their purview. Enhance visibility control - visibility on specific Active Directory domains. Support operational boundaries - align access and responsibility across SOC analysts, identity admins, and regional teams. This enhancement is part of Microsoft Defender XDR’s unified role-based access control (URBAC) model and sets the foundation for even more granular controls in the future. What can be scoped? Users assigned to scoped roles will only see data, such as alerts, identities, and activities, related to the Active Directory domains included in the assignment in the XDR role. This ensures that security teams can focus on the assets they are responsible for, without being exposed to information from outside their organizational boundaries. Today this includes: Alerts and incidents: Analysts will only see alerts and incidents related to identities within the scoped Active Directory domains within their queue. Entity pages: Users can only access the account details of identities within the Active Directory domains they are scoped for. Advanced hunting and investigations: Data is automatically filtered to include only scoped data. For the full list of supported experiences, see our documentation. How to configure scoping rules: This release is part of our ongoing XDR URBAC effort, bringing consistent and unified role-based access control across Microsoft Defender products. Domain-based scoping is now available for public preview in Microsoft Defender for Identity and aligns with the same RBAC principles used across the XDR platform. To enable the feature, follow these steps: Navigate to XDR permissions page --> Microsoft Defender XDR --> Roles. You can edit existing roles or create a new custom role Add an assignment and create a scoping role with the same set of permissions Define Entra ID user or groups to be assigned to the role Choose Microsoft Defender for Identity as a data source and select User groups (AD domains) that will be scoped to the assignment. Once configured, customers can restrict SOC analysts to viewing only specific entities, ensuring they have access only to the data relevant to their responsibilities and improving security control. Before enabling scoping, ensure that: You have Microsoft Defender for Identity sensor installed. The Identity workload for URBAC is activated. To manage roles without Global Administrator or Security Administrator privileges, customers must configure Authorization permissions through URBAC. Learn more here. What’s next Some experiences are still in progress and will be expanded over time. For setup guidance and more details, visit the Defender for Identity documentation. To stay informed about upcoming enhancements and expanded support for scoping experiences, follow our What’s New documentation page.
Leaving the key under the doormat: How Microsoft Defender uses AI to spot exposed credentials
Imagine locking your front door, only to leave the key under the doormat. It’s a habit many know is risky, but it’s still surprisingly common. In cybersecurity terms this is the equivalent of storing credentials in plain text fields within Active Directory. Microsoft Defender can now help eliminate this vulnerability with a new, AI-powered posture alert that uses layers of intelligence to spot exposed credentials. Understanding free text fields in identity systems: Within identity systems like Active Directory (AD) and Microsoft Entra ID, free text fields are customizable attributes that allow administrators to store unstructured or semi-structured data. Because they are flexible and not tightly governed by schema constraints, free text fields can also be used to support integrations with HR systems, email signature tools, or Privileged Access Management (PAM) solutions. In hybrid identity environments clear text fields play a pivotal role in bridging operational gaps. Administrators rely on them to carry over business-critical context such as cost centers, project tags, or legacy system references during synchronization. Their unstructured nature however, also introduces risk. If sensitive data like credentials or personal identifiers are stored in these fields without proper controls, they can become a vector for exposure. Non-human identities (NHI) are often disproportionately impacted by this issue. And it makes sense, in addition to substantially outnumbering their human counterparts, NHI’s cannot interact with systems through traditional authentication methods like MFA. Administrators, under pressure to maintain uptime and ensure seamless automation, may store the credentials for these accounts in clear text fields. For example, a service account used by an application might have its password stored in the description or info field of an AD object to simplify troubleshooting or integration. These practices, while expedient, create a high-value target for attackers. NHI also often operate with elevated privileges and are frequently overlooked in traditional security models making them an even more tantalizing target for would be attackers. But it’s not just NHI that are at risk. In our initial research and testing we identified more than 40,000 exposed credentials across 2,500 tenants. More importantly we increasingly see bad actors and red teams targeting these fields to gain access and move laterally and thanks to the speed, scale and precision of AI-powered enumeration tools the time to exploit them has shifted from hours to seconds. Turning the tables with layered intelligence Microsoft is leveling the playing field with a powerful new posture alert in Defender that can help detect exposed credentials with unprecedented precision. This alert is part of a broader initiative to help organizations proactively identify and remediate identity misconfigurations before they’re exploited, but what sets it apart is its layered AI-driven detection model. First, a detailed scan of identity directories flags potential credential exposures. This includes everything from base64-encoded secrets to strings that match known password structures. Once complete, a more advanced AI model steps in to analyze the context, language, and structure. Looking at everything from the type of identity its associated with, if the value is static or recently changed and whether it’s referenced in automation scripts or log. This additional layer dramatically reduces false positives and ensures that alerts are both high-confidence and actionable. By embedding AI directly into posture management, Microsoft is giving security teams the same speed and scale that attackers have been using only now it’s to help stop compromise before an attack ever occurs. Getting started: This new posture recommendation is now in public preview and available to all Defender for Identity customers. To learn more about the recommendation check out our documentation here or to see if any credentials were left under your digital doormat, navigate to the “Exposure Management” section within the Defender portal and search for the recommendation.Monthly news - August 2025
Microsoft Defender XDR Monthly news - August 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender Microsoft Sentinel is moving to the Microsoft Defender portal to deliver a unified, AI-powered security operations experience. Many customers have already made the move. Learn how to plan your transition and take advantage of new capabilities in the this blog post. Introducing Microsoft Sentinel data lake. We announced a significant expansion of Microsoft Sentinel’s capabilities through the introduction of Sentinel data lake, now rolling out in public preview. Read this blog post for a look at some of Sentinel data lake’s core features. (Public Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. (Public Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken. Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel. Microsoft Sentinel’s new Summary Rules Templates offer a structured and efficient approach to aggregating verbose data - enabling security teams to extract meaningful insights while optimizing resource usage. Automating Microsoft Sentinel: Playbook Fundamentals. This is the third entry of the blog series on automating Microsoft Sentinel. In this post, we’re going to start talking about Playbooks which can be used for automating just about anything. Customer success story: Kuwait Credit Bank boosts threat detection and response with Microsoft Defender. To modernize its security posture, the bank unified its security operations under Microsoft Defender XDR, integrating Microsoft Sentinel and Microsoft Purview. Microsoft Defender for Cloud Apps App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, Arab Emirates and Asia Pacific. For more details, see our documentation.. Updated network requirements for GCC and Gov customers. To support ongoing security enhancements and maintain service availability, Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration as described here. Discover and govern ChatGPT and other AI apps accessing Microsoft 365 with Defender for Cloud Apps. In this blog post, we’ll explore how Defender for Cloud Apps helps security teams gain enhanced visibility into the permissions granted to AI applications like ChatGPT as they access Microsoft 365 data. We’ll also share best practices for app governance to help security teams make informed decisions and take proactive steps to enable secure usage of AI apps accessing Microsoft 365 data. Microsoft Defender for Endpoint (General Availability) Microsoft Defender Core service is now generally available on Windows Server 2019 or later which helps with the stability and performance of Microsoft Defender Antivirus. Microsoft Defender for Identity Expanded coverage in ITDR deployment health widget. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure. Time limit added to Recommended test mode. Recommended test mode configuration on the Adjust alert thresholds page, now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied. Identity scoping is now available in Governance environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. New security posture assessments for unmonitored identity servers. Defender for Identity has three new security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Learn more in our documentation. Microsoft Defender for Office 365 Protection against multi-modal attacks with Microsoft Defender. This blog post showcases how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal. Users can report external and intra-org Microsoft Teams messages from chats, standard and private channels, meeting conversations to Microsoft, the specified reporting mailbox, or both via user reported settings. Microsoft Security Blogs Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats. Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability. Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence. Disrupting active exploitation of on-premises SharePoint vulnerabilities. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.Microsoft Defender for Identity extends ITDR capabilities to Okta identities
Identities are the organization’s new security perimeter and are a prime target for cyber-criminals. However, with today’s ever-evolving digital landscape, security leaders often wrestle with a tapestry of different identity solutions spanning multiple environments and vendors, making identity protection more challenging than ever. Because of this, security professionals understand that identity threat detection and response (ITDR) is a fundamental piece of their security practice that helps them to comprehensively secure their unique identity fabric across identity solutions, environments, and vendors. What is changing? Today, I am excited to announce that Microsoft Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. As a leader in both Identity (IAM) and security, Microsoft provides comprehensive visibility, posture recommendations, and detection and response capabilities for our customer’s unique identity fabric - now including Okta. With these new protections from Defender, our customers will benefit from enhanced visibility and control for their Okta environments, including: Holistic identity visibility – A unified identity inventory with correlated view of accounts across Active Directory, Entra ID, and Okta. For instance, a user with an Entra ID and an Okta account would appear as one entity - meaning SOC professionals can easily zoom into a specific identity to see all their related accounts, their privileges, and any related security alerts. This holistic perspective is crucial for maintaining robust security postures and allows IT and security teams to identify potential vulnerabilities across different platforms seamlessly. Identity Threat Detection and Response (ITDR) – Alert on identity threats in Okta and trigger corresponding response actions, including detection of lateral movement between on-premises and cloud environments. This capability is crucial for mitigating sophisticated attacks that seek to exploit the transition between different identity platforms. The integration will also surface Okta logs and data within the Advanced Hunting like we already do for Active Directory and Entra ID, allowing security teams to delve into threats across the different platforms in a single place. Identity-specific posture recommendations (ISPM) - Expand the already robust set of identity security posture recommendations to include recommendations for Okta identities (e.g. dormant Okta accounts), and map how those posture gaps can be leveraged into attack paths. Adhering to these posture recommendations enables organizations to proactively prevent threats, rather than responding reactively. How can I take advantage of these new capabilities? Defender for Identity customers looking to take advantage of these new capabilities can read more here. Be advised that to get the full potential of enhanced integration, make sure your organization has Okta for Workforce with Identity Enterprise license.
