Introducing AI-powered incident prioritization in Microsoft Defender
Co-Authored by: Scott Freitas & Maayan Magenheim Every SOC analyst knows the moment when the incident queue fills up fast. Multiple alerts arrive with the same severity but different sources. When everything looks equally urgent, the real question becomes what do you investigate first? And how do you address it consistently across shifts, analysts, and tool stacks? At Microsoft Ignite last November, we announced a new capability in Microsoft Defender designed to solve exactly this problem: AI-powered incident prioritization. Today, we’re excited to share that AI-powered incident prioritization is now available in public preview for all Microsoft Defender customers. This is about helping SOC teams cut through noise, focus on what matters most, and move faster with confidence. A new and improved incident queue experience Microsoft Defender aggregates related alerts and automated investigations into an incident. That correlation matters because some activity is only clearly malicious when you connect the dots across multiple products and telemetry sources. Instead of chasing isolated alerts, analysts get the broader narrative: what happened, what it touched, and how it progressed. Prior to the new incident queue experience, incidents were prioritized using factors like alert severity, tags, and MITRE techniques. We’ve since expanded this approach to incorporate additional high‑signal inputs which include automatic attack disruption signals, high‑profile threats (such as ransomware or nation‑state activity), asset criticality, threat analytics, and more. This enhanced prioritization model is designed to work across signals from Defender, Sentinel, and custom alerts, ensuring a more accurate and comprehensive assessment of incident priority. To help teams act on that story quickly, the incident queue now includes AI-powered incident prioritization (see Figure 1). It applies a machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0–100 and explains the key factors behind the ranking. That explainability is what turns a score into something analysts can trust and use to drive consistent triage decisions. To make the queue scannable at a glance, score ranges are color-coded: Red: Top priority (> 85%) Orange: Medium priority (15–85%) Gray: Low priority (< 15%) This makes it easy to focus immediately on the highest-impact work, while still keeping medium/low priority incidents visible for coverage and hygiene. Built for analyst flow, not just ranking. Selecting an incident row opens a summary pane that keeps analysts in the moment of triage (see Figure 2). It shows the factors that went into prioritization such as: The priority assessment The factors influencing the priority score Key incident details Recommended actions Related threats By default, the queue shows incidents from the last week, but the time selector above the queue lets you switch time frames—for shift handoffs, retrospectives, validation after detection changes, or responding to a specific time-bound campaign. What prioritization done well delivers for a SOC When prioritization is done well, it’s not automation for automation’s sake, it’s a force multiplier, delivering: Faster triage: less time sorting, more time investigating Higher confidence: analysts understand why an incident rose to the top Better outcomes: high-impact incidents involving critical assets, rare signals, or active threat campaigns get attention first Effective prioritization enhances SOC protection. It ensures analysts see high impact incidents, can disrupt attacks earlier in the kill chain, reduce dwell time, and avoid getting blindsided by fast‑moving or stealthy threats. The AI-powered incident queue experience is designed to make the unified Defender portal not only a place where incidents are aggregated—but a place where analysts can reliably decide what to do next, even under heavy volume. Learn more and get started Check out our resources to learn more about our new incident queue experience: Check out Microsoft Ignite announcement and demo Read the documentationRSA 2026: What’s new in Microsoft Defender?
Modern attacks increasingly exploit the sprawl of today’s digital environments. In the identity space alone, over half of today’s organizations say each person now has more than 21 distinct accounts. Each one of these accounts is a potential entry point that an attacker can exploit. As organizations adopt cloud, SaaS, AI, and autonomous agents, the rapid growth of non‑human identities accelerates sprawl, expanding the attack surface and increasing gaps in protection. At the same time, agents help accelerate the SOC by automating high‑volume tasks, reducing noise, and enabling analysts to act faster and more consistently. This shift demands a new approach: comprehensive identity security paired with agentic AI to help the SOC better reason across signals, predict risk, and act earlier, while augmenting human analysts to keep pace with increasingly fast and complex attacks. At RSA, we’re excited to announce innovations in Microsoft Defender and Security Copilot to help customers defend against the latest threats. These include: Identity Security: expanded capabilities and enhanced experiences to help the SOC better prepare for, detect and autonomously respond to identity-related threats. Collaboration Security: protect against voice‑based attacks in Teams with real‑time user warnings, SOC‑ready investigation, and new threat & posture insights reporting. Accelerate the SOC with Security Copilot: expansion of the Security Triage Agent to identity and cloud alerts, a new Security Analyst agent to uncover risk and a new chat experience directly in Microsoft Defender. Cloud Security: expansion of multi-cloud visibility to new AWS and GCP services, near real-time container runtime protection to eliminate binary drift, and introducing AI model scanning. Learn more here. Reshaping Identity Security Today’s identity landscape is no longer defined by a single directory and a single set of users. It’s a fast-changing fabric of human, non-human, and emerging agentic identities spread across cloud services, SaaS apps, and on-premises infrastructure—that attackers actively target. To meet this new reality, we’re reshaping identity security in Microsoft Defender to move beyond point defenses and reactive investigation to an autonomous, end-to-end approach that continuously strengthens identity posture, stops active threats while they’re happening, and helps the SOC act faster with less manual effort. To start, we’re broadening our coverage across modern identity fabrics, making posture and activity easier to understand quickly, and tightening the operational loop between identity and the SOC. To do this were delivering new detections, a unified risk score that assesses risk across all accounts and identity types, and updated experiences like the new identity security dashboard that brings your most important posture gaps, active exposures, and identity risk into one place - so security teams can move from fragmented signals to shared context and coordinated action. On top of this improved foundation we are also unveiling autonomous ITDR in two complementary ways. First, we’re extending Security Copilot’s agentic triage capabilities to identity. With the new Security Alert Triage Agent, Defender can autonomously evaluate high‑volume identity alerts, distinguish true threats from noise, and surface clear, explainable verdicts so analysts can focus immediately on what requires action. Second, we’re bringing the AI-powered just-in-time hardening of predictive shielding to identity allowing Defender to not only disrupt threats but also anticipate an attacker’s next move and automatically enforces targeted controls to block credential- and token-driven pivots before they succeed. Together, these innovations empower security teams to understand their identity footprint, prioritize what matters most, and stop identity-driven attacks earlier: Expanded coverage across modern identity fabrics with new identity-specific detections Identity-level insights that turn sprawl into clarity via an updated dashboard that provides a unified inventory and improved correlation across SaaS apps and identity types—elevating the SOC view from accounts to the identity. Streamlined protections and aligned workflows across Defender and Entra, including a new identity-level risk score to help identity and SOC teams prioritize and act from shared signals. Predictive shielding applies precise, just-in-time hardening actions used during identity attacks including RemoteOps hardening and Remote Registry hardening —helping prevent lateral movement. Autonomous triage for identity alerts with Security Copilot, expanding the Security Triage Agent so identity alerts can be investigated consistently and at scale, with clear verdicts and explainable reasoning to speed up response. Learn more about these innovations here. Protect collaboration threats and prove security outcomes As collaboration platforms become a new front door for attackers, Microsoft Defender extends protection beyond email to detect and respond to voice‑based social engineering in Microsoft Teams. New Teams calling protection surfaces suspicious and malicious calls, enables SOC teams to investigate and correlate call activity using Advanced Hunting, and delivers real‑time in‑call warnings when a call appears to impersonate a trusted contact, closing the gap between what users experience and what analysts can investigate. To help organizations clearly measure and communicate the impact of these protections, Microsoft Defender is introducing the Protection & Posture Insights report. It gives customers a tenant‑specific view of the threats targeting their environment, highlighting spam, phishing, and malware campaigns observed against users. The report delivers personalized insights and policy recommendations to reduce exposure, while enabling teams to validate results, and share credible, executive‑ready security outcomes—without manual data assembly. Read more here. Accelerate your security operations at scale with Security Copilot Adversaries are using AI to accelerate attacks and increase sophistication. At RSA Conference 2026, we’re expanding our innovation around autonomous and assistive AI in Microsoft Defender with Security Copilot—helping defenders operate with the speed, scale, and intelligence required to stay ahead of modern threats across the entire SOC lifecycle. In addition to expanding agentic triage to identity alerts, we’re extending that same capability to cloud—bringing phish, identity and cloud triage together within a single agent. The Security Alert Triage Agent helps analysts autonomously determine whether these alerts represent real threats or false alarms, delivering natural language verdicts and transparent, step-by-step decision reasoning. We’re also announcing the Security Analyst Agent, designed to help security teams uncover hidden risk. This agent performs deep, multi-step investigations across Microsoft Defender and Sentinel telemetry to surface high-impact threats, cut through the noise, and deliver prioritized insights in minutes. Every finding is accompanied by transparent reasoning and supporting evidence. Lastly, we’re bringing a chat experience for Security Copilot directly within Microsoft Defender. Analysts can ask questions, explore hypotheses, and follow investigative threads across incidents, alerts, identities, devices, IPs, and other evidence without switching tools or manually piecing together context. You can learn more about Microsoft Security Copilot news at RSA Conference 2026 here. Looking ahead The Microsoft Defender announcements at RSA 2026 reflect a clear shift toward agentic and autonomous security, while augmenting the SOC with Security Copilot–driven workflows. Together, these capabilities give defenders clearer context, tighter control, and the ability to stop attacks earlier, before adversaries can escalate privileges or move laterally. Microsoft’s continued investment signals a longer-term evolution toward agentic security operations that anticipate attacker behavior, adapt in real time, and steadily reduce risk as environments and threats continue to evolve. Learn more at RSA Conference 2026! To learn more about Microsoft Defender and Security Copilot, visit us at booth # at RSA Conference 2026. Our team will be demonstrating how autonomous agents and assistive AI experiences are helping SOC teams move faster through alert triage, investigation, and response. You can join our booth sessions: Empowering the SOC with assistive and autonomous AI with Yuval Derman | March 23rd at 5.15PM Predictive Shielding: Protecting identities before attackers pivot | March 24th at 4.30PM Identity Security with Microsoft | March 25 at 3:30PM For a full list of all the ways to connect with us at RSA, check out our dedicated RSAC 2026 page.Announcing public preview: Uncovering hidden threats with the Dynamic Threat Detection Agent
Co-author: Amir Gharib At Ignite, we announced the Security Copilot Dynamic Threat Detection Agent in Microsoft Defender: an always on, adaptive backend agent that uncovers hidden threats across Defender and Microsoft Sentinel environments. Today we are excited to share that the customers who meet the prerequisites will now enter public preview of this agent. Running in the Defender backend, the agent delivers Copilot-sourced alerts directly into familiar workflows—complete with natural language explanations, mapped MITRE techniques, and tailored remediation steps. Why adaptive AI-driven detection changes the game Traditional rule-based and machine learning (ML) systems struggle to keep pace with ever-evolving threats. Attackers now leverage AI to evade detection, leaving organizations exposed. The Dynamic Threat Detection Agent addresses this through: Adaptive AI that finds what rules miss – GenAI-driven detection continuously investigates across Defender and Sentinel telemetry to uncover false negatives and blind spots, providing always-on protection with clear risk context and concrete next steps (see Figure 1 below). Reduce noise, increase confidence – The agent minimizes SOC noise and boosts analyst confidence, with customer-validated precision above 85% in recent months across thousands of alerts and 28 threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement). Hyperscale TI + UEBA driven entity risk scoring – The agent fuses Threat Intelligence Tracking via Adaptive Networks (TITAN)’s hyperscale, ML-driven threat intelligence with UEBA risk signals to continuously score accounts, devices, and IPs. This combination of global TI, customer-specific context, and behavioral anomalies surfaces genuinely risky behaviors earlier while filtering noise and providing key context during the agent’s investigations. Always on, zero-touch—with customer control – Because the agent runs in the Defender backend, it automatically generates alerts into your existing XDR workflows with no tuning or onboarding required. During public preview it’s enabled by default for eligible customers, and starting in July it will be available for E5 customers through the Security Copilot inclusion. Once billing begins, customers can disable it at any time and manage usage through detailed consumption reporting. Deep integration across the Microsoft security ecosystem – The agent works with Security Copilot, Sentinel, and Defender, correlating native and third-party telemetry to surface missed behaviors and deliver richer context across your SOC workflows. Inside the Dynamic Threat Detection engine Under the hood, the Dynamic Threat Detection Agent runs a five-step investigation loop at machine scale—starting from signals you already care about, building a rich activity timeline, testing hypotheses, and closing detection gaps with explainable, actionable alerts. This loop executes across thousands of parallel investigations, delivering detections in near–real time for your SOC. Start with an incident – Running continuously in the Defender backend, the agent monitors for security activity you care about: incidents with a high priority score, critical assets, disruption signals, threat actor notifications, and more. Build a focused timeline – From that incident, it builds a unified activity timeline that stitches together alerts, events, UEBA anomalies, and threat intelligence. Iterative Q/A loop – Given the incident and its unified timeline, the agent automatically generates attack-specific hypotheses (e.g., “Was this account compromised via phishing from this IP?”) and runs its own chain of targeted questions over relevant entities and events. Without any manual prompts or intervention, the agent investigates its hypotheses, rules out alternate explanations, and autonomously converges on a single, well-supported triage decision with an explicit, transparent reasoning trace. Close detection gaps with explainable, actionable alerts – When evidence converges on a true positive, the agent automatically emits a dynamic alert—complete with title, description, severity, mapped MITRE techniques, and remediation steps—directly into your Defender workflows with Security Copilot as the detection source. Alongside the structured fields, the agent generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into its reasoning. Learn and improve continuously – Your grading feedback (TP/FP/BP) is leveraged to recalibrate seed points, refine table selection, tune hypothesis questions, and adjust thresholds so detection quality improves over time. This feedback continuously sharpens the agent’s ability to detect meaningful threats and reduce alert noise. Answering the questions security experts ask first Before adopting a new detection capability, security teams want more than features—they want clear answers on noise, effort, cost, explainability, and how it fits with their existing tools and compliance posture. The Dynamic Threat Detection Agent is built with those questions in mind, so from day one you know how it behaves in your SOC, how it’s governed, and what value it delivers. What’s the value? The agent uncovers hidden threats (i.e., false negative alerts), enriching investigations with context so analysts can resolve incidents faster and with greater confidence. Will this add noise? The agent is tuned for high precision—measured at 85+% over the past few months across thousands of alerts and numerous threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement). How much effort is required? Zero setup—it runs in the Defender backend and delivers alerts into your current workflows. What about cost and control? Public Preview is free for Security Copilot customers. At General Availability (July 2026), the agent transitions to the Security Copilot SCU-based model; you’ll have consumption reporting and the ability to disable the agent if desired. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers. Learn more. Is it explainable? Every alert includes a custom description, mapped MITRE techniques, and tailored remediation actions. Alongside the structured fields, it generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into the agent’s reasoning Does it respect data residency? The service runs region local, ensuring that customer data and required telemetry stay inside the designated geographic boundary. How does it fit with Sentinel and Security Copilot? The agent uses Sentinel to correlate third-party and native telemetry, and runs as part of the Security Copilot platform—surfacing its alerts as Copilot-sourced detections in Defender. How fast and at what scale? The agent is built for massive scale with Azure Synapse, capable of running thousands of parallel investigations and delivering detections in near–real time for your SOC. The future of dynamic threat detection in your SOC The Dynamic Threat Detection Agent is a milestone in adaptive security—bringing GenAI to detection at scale, integrated across Defender and Sentinel, and delivered through Security Copilot. We’re just getting started: expect continued enhancements in coverage, contextual explainability, and integration with your SOC workflows. Public Preview starts now. The Dynamic Threat Detection Agent is available as a free Public Preview for Security Copilot customers. General Availability (GA) planned for late 2026, the agent will transition to the Security Copilot SCU-based consumption model. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers, and this agent will be included as part of that entitlement. Learn more and get started Check out our resources to learn more about the new Security Copilot Dynamic Threat Detection Agent: Check out Microsoft Ignite announcement and demo Read the documentation on the new agent experience hereUnlocking Real-World Security: Defending against Crypto mining attacks
In this anonymized case study, we explore a crypto mining attack that starts with a password spray, escalates through privilege abuse, and culminates in cloud resource exploitation. This scenario demonstrates how Defender for Cloud, in collaboration with other Microsoft Security solutions, not only detects and responds to threats but also disrupts attacks in real time to prevent further damage and lateral movement.Hyperscale ML threat intelligence for early detection & disruption
Co-author: Amir Gharib In today's rapidly evolving cybersecurity landscape, the ability to swiftly identify and mitigate threats is more critical than ever. Attackers are increasingly well-resourced, enabling them to keep adding new components to their toolkits that keep their infrastructure fresh and hard to detect. Traditional labeling methods used to identify and block malicious infrastructure are struggling to keep up. At Microsoft, we recognize the pressing need for innovative solutions that not only keep pace with these threats but stay ahead of them. This past Ignite, we announced Threat Intelligence Tracking via Dynamic Networks (TITAN)—a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. By leveraging real-time ML-driven analytics, TITAN uncovers previously hidden threat actor infrastructure, enabling the disruption capabilities built into our unified security operations platform to detect and stop attacks significantly earlier in the attack chain (Figure 1). The power of machine-scale threat intelligence TITAN represents a new wave of innovation built on Microsoft threat intelligence capabilities, introducing a real-time, adaptive threat intelligence (TI) graph that integrates first and third-party telemetry from the unified security operations platform, Microsoft Defender for Threat Intelligence, Microsoft Defender for Experts, and customer feedback. This graph employs guilt-by-association techniques to propagate known TI labels to unknown neighboring entities (e.g., IP, file, email) at machine scale. By analyzing relationships between entities, TITAN can identify attacker infrastructure before they are leveraged in attacks, providing an invaluable window of opportunity to prevent harm. Figure 1. Architectural overview of TITAN, comprising four key steps: (1) constructing a graph using telemetry from 1 st and 3 rd party detectors in the Unified Security Operations Platform, (2) integrating known threat intelligence from across Microsoft, (3) applying reputation propagation algorithms to classify previously unknown entities as either benign or malicious, and (4) updating the reputation score for each entity in the graph. By leveraging guilt-by-association methods, TITAN can swiftly identify hidden threat actor infrastructure through cross-organizational associations with known malicious entities within the TI graph. Specifically, we employ a semi-supervised label propagation technique that iteratively assigns reputation scores to nodes based on their neighbors’ scores, refining the graph’s score distribution until convergence. These high-confidence entity reputation scores empower the unified security operations platform to implement proactive containment and remediation actions via attack disruption. A key advantage of our constantly evolving threat intelligence is that we can provide clear and explainable reputation scores for each entity by examining the neighboring entities that contribute to the overall score. Preventing attacks before they happen Consider a scenario where TITAN detects unusual activity from a seemingly benign IP address that has connections to known malicious domains. Traditional systems might not flag this IP until after malicious activity is confirmed. However, TITAN's guilt-by-association techniques elevate the reputation score of the IP address, immediately triggering detection and disruption rules that block the threat before any damage occurs. With an impressive average macro-F1 score of 0.89 and a precision-recall AUC of 0.94, TITAN identifies millions of high-risk entities each week, enabling a 6x increase in non-file threat intelligence. Since its deployment, TITAN has reduced the time to disrupt by a factor of 1.9x while maintaining 99% precision, as confirmed by customer feedback and thorough manual evaluation by security experts—ultimately saving customers from costly security breaches. Dynamic threat intelligence graph construction At the heart of TITAN is a dynamic, time-evolving threat intelligence graph that captures complex relationships between millions of interlinked entities, alerts, and incidents. By combining telemetry across both 1 st and 3 rd party sources in the unified security operations platform, TITAN is uniquely positioned for comprehensive view of the threat landscape, essential for early detection and disruption. Key features include: Real-time updates – In cybersecurity, speed is critical. TITAN operates in real-time, with graph creation and reputation propagation algorithms running every hour. This frequency ensures that security teams receive fresh and active threat intelligence, enabling swift and effective responses to emerging threats. The ability to act quickly can mean the difference between thwarting an attack and being breached. Infusing security domain knowledge via edge weights – Edges in the TI graph carry weights that signify the strength or relevance of the relationships between entities. We introduce edge weight decay functions that automatically reduce edge weights based on the time elapsed since the edge was formed. This ensures that newer and more relevant relationships have a greater impact on reputation assessments, aligning the dynamic graph with the real-time nature of security incidents. Pruning outdated nodes and edges – To maintain the relevance and efficiency of the TI graph, we implement pruning mechanisms that remove nodes and edges when their weights fall below certain thresholds. This approach keeps the graph focused on the most current and meaningful connections, ensuring optimal performance. Evolving cybersecurity defense with TI TITAN represents a monumental step forward in the mission to protect organizations from cyber threats. By infusing the power of AI with advanced threat intelligence, we are equipping security teams with the tools they need to stay ahead of the attackers. This is only possible with a unified platform that consolidates threat intelligence across 1 st and 3 rd party workloads and products, organizations benefit not only from streamlining their security operations but also gain deeper insights into potential threats and vulnerabilities. TITAN is just one of the many examples of how powerful bringing together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. Integrating all of this data, advanced analysis, threat intel and automation enables an entirely new era of defense for security teams and we’re so energized by the potential. TITAN is just the start – look forward to new capabilities announced in the coming months. Learn More Check out our resources to learn more about our new approach to AI-driven threat intelligence, and our recent security announcements: See TITAN in action in the session delivered at Ignite Read the full paper on the TITAN architecture Read the Copilot for Security Guided Response paper & blog Read the unified security operations platform GA announcementMonthly news - January 2026
Microsoft Defender Monthly news - January 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender (Public Preview) The following advanced hunting schema tables are now available for preview: The CampaignInfo table contains contains information about email campaigns identified by Microsoft Defender for Office 365 The FileMaliciousContentInfo table contains information about files that were processed by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams General Availability of the Phishing Triage Agent: this agent autonomously analyzes user‑reported phishing emails to determine whether they’re true threats or false positives, dramatically reducing manual triage workload. It continuously learns from analyst feedback and provides clear, natural‑language explanations for every verdict, giving SOC teams both speed and transparency. We're excited to share it is now generally available and, very soon, will expand to also triage cloud and identity alerts! Learn more on our docs. Public Preview of Dynamic Threat Detection Agent: Announced at Ignite, this always‑on agent hunts for unseen threats by continuously correlating telemetry and creating new, context‑aware detections on the fly—closing gaps traditional rules can’t see. We're excited to share it is now in Public Preview! Learn more on our docs. Public Preview of Threat Hunting Agent: Announced at Ignite, this agent gives every analyst the power to investigate like an expert by turning natural‑language questions into guided, real‑time hunts that surface hidden patterns, reveal meaningful pivots, and eliminate the need to write complex queries. We're excited to share it is now in Public Preview! Learn more on our docs. General Availability of the Threat Intelligence Briefing Agent: this agent delivers daily, tailored intelligence briefings directly in Microsoft Defender—automatically synthesizing Microsoft’s global threat insights with your organization’s context to surface prioritized risks, clear recommendations, and relevant assets so teams can shift from reactive research to proactive defense in minutes. We're excited to share it is now generally available! Learn more on our docs. (General Availability) The hunting graph in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs. (General Availability) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. Learn more Microsoft Defender for Endpoint (Public Preview) Triage collection: Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server. Microsoft Defender for Identity New ADWS LDAP search activity is now available in the 'IdentityQueryEvents' table in Advanced Hunting. This can provides visibility into directory queries performed through ADWS, helping customers track these operations and create custom detection based on this data. (Public Preview) New properties for 'sensorCandidate' resource type in Graph-API. Learn more here. Microsoft Defender for Cloud Apps Integration of Defender for Cloud Apps permissions with Microsoft Defender XDR Unified RBAC is now available worldwide. For more information, see Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions. To activate the Defender for Cloud Apps workload, see Activate Microsoft Defender XDR Unified RBAC. (Public Preview) The Defender for Cloud Apps app governance unused app insights feature helps administrators identify and manage unused Microsoft 365-connected OAuth apps, enforce policy-based governance, and use advanced hunting queries for better security. This feature is now available for most commercial cloud customers. For more information, see Secure apps with app hygiene features.Monthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 😎 Microsoft Ignite 2025 - now on-demand! 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better… a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.
Custom detection rules get a boost—explore what’s new in Microsoft Defender
Co-author - Jeremy Tan In today's rapidly evolving cybersecurity landscape, staying ahead of threats is crucial. Microsoft Defender's custom detection rules offer a powerful way to proactively monitor and respond to security threats. These user-defined rules can be configured to run at regular intervals to detect security threats—generating alerts and triggering response actions when threats are detected. If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. We are excited to release these brand-new enhancements that are now available in public preview. What’s new in custom detections? The improvements in custom detections aim to enhance their functionality and usability, making it easier to manage and respond to security threats effectively. Unified user defined detection list: Manage all your user-defined detections from Microsoft Defender XDR and Microsoft Sentinel in one place. Filtering capabilities for every column. Search freely using rule title or rule ID. View the new workspace ID column (filterable) for multi-workspace organizations that onboarded multiple workspaces to the unified SOC platform. Manage all detections from MTO portal across all your tenants. Show details pane for every rule (whether custom detection or analytics rule). Perform the following actions on rules: Turn on/off Delete Edit Run (only for custom detections) Open rule’s page (only for custom detections) Migrate eligible scheduled custom detections to near real-time custom detections with one click using the new migration tool. Dynamic alert titles and descriptions: Dynamically craft your alert’s title and description using the results of your query to make them accurate and indicative. Advanced entity mapping: Link a wide range of entity types to your alerts. Enrich alerts with custom details: Surface details to display in the alert side panel. Support Sentinel-only data: Custom detections support Microsoft Sentinel data only without dependency on Microsoft Defender XDR data. Flexible and high frequency support for Sentinel data: Custom detections support high and flexible frequency for Microsoft Sentinel data. The benefits of custom detections Let’s examine some of the key benefits of custom detections: Query data from Defender XDR and Sentinel seamlessly: You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables seamlessly, without the need of sending Defender XDR data to Sentinel. Cost efficiency: Save on ingestion costs if you don’t need to retain Microsoft Defender XDR data in analytics tier for more than 30 days but have detection use cases involving both Defender XDR and Sentinel data. Detect threats immediately and remove dependency on quick ingestion: near real time (NRT) custom detections monitor events as they stream, while standard custom detections evaluate both the event ingestion time and the time the event was generated. Unlimited NRT detections: NRT custom detections are unlimited, you can create as many as you need. Since they are based on a streaming technology, they are not generating any load on the system. Native remediation actions: You can configure custom detection rule to automatically take actions on devices, files, users, or emails that are returned by the query when your detection query is correlating Defender XDR and Microsoft Sentinel data, or Defender XDR data only. Entity mapping: Entities are automatically mapped to the alert for all XDR tables. Out of the box alert de-duplication: To reduce alert fatigue when alert generated with the same impacted entities, custom details, title and description - they will merge to the same alert (keeping all raw events linked to the single alert). With this capability you don’t need to worry about duplicated alerts – we take care of it for you. Built-in functions: You can leverage built-in enrichment functions when you build your custom detection queries, such as FileProfile(), SeenBy(), DeviceFromIP() and AssignedIPAddresses(). Extended lookback period: Custom detections have a long lookback period of up to 30 days for rules that run once a day, ideal for historical trending detections. Common scenarios To truly understand the power and versatility of custom detection rules in Microsoft Defender, it's essential to see them in action. In this section, we'll explore several common use cases that demonstrate how these new capabilities can be leveraged to enhance your organization's security posture. These scenarios highlight the benefits of the capabilities, providing you with actionable insights to implement in your own environment. Use Case – detecting potential malicious activity In this use case, we aim to detect potential malicious activity by monitoring logon attempts from different IP addresses. We will implement a custom detection rule that: Monitors successful logon by a user from one IP address and a failed logon attempt from a different IP address (may indicate a malicious attempt at password guessing with a known account). Enriches alerts with user's information from Microsoft Defender for Identity’s IdentityInfo table, including Job title, Department, Manager’s name, and assigned roles. If the user has been found in the 'Terminated Employees’ watchlist, indicating that the user has been notified for termination or marked as terminated, reflect this in the alert name and description. Runs once a day with a lookback period of 30 days, avoiding duplicate alerts on subsequent intervals. Let’s walk through the creation of the custom detection rule and examine the outcome. 1. Here is the sample KQL query we will run in advanced hunting page to create the custom detection. let logonDiff = 10m; let Terminated_Watchlist = _GetWatchlist("TerminatedEmployees") | project tolower(SearchKey);// Get the TerminiatedEmploees Watchlist let aadFunc = (tableName:string) { table(tableName) | where ResultType == "0" | where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online") // To remove false-positives, add more Apps to this array | extend SuccessIPv6Block = strcat(split(IPAddress, ":")[0], ":", split(IPAddress, ":")[1], ":", split(IPAddress, ":")[2], ":", split(IPAddress, ":")[3]) | extend SuccessIPv4Block = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1]) | project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains ":", strcat(split(IPAddress, ":")[0], ":", split(IPAddress, ":")[1]), strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])), Type | join kind= inner ( table(tableName) | where ResultType !in ("0", "50140") | where ResultDescription !~ "Other" | where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online") | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type ) on UserPrincipalName, AppDisplayName | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock // Compare the success and failed logon time | summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type | extend Timestamp = SuccessLogonTime | extend UserInTerminatedWatchlist = iif(UserPrincipalName in (Terminated_Watchlist), 'True', 'False') // Check if the impacted user is found in the Watchlist | extend AlertName = iif(UserInTerminatedWatchlist == 'True', "Successful logon by a 'Terminated Employees Watchlist' user from one IP and a failed logon attempt from a different IP","Successful logon from IP and failure from a different IP") // This is the define the dynamic alert value | extend AlertDescription = iif(UserInTerminatedWatchlist == 'True', "A Successful logon by a 'Terminated Employees Watchlist' user onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). ","A user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account).") // This is to define the dynamic alert description | extend UserPrincipalName = tolower(UserPrincipalName)}; let aadSignin = aadFunc("SigninLogs"); let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); union isfuzzy=true aadSignin, aadNonInt | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]) | join kind=leftouter ( IdentityInfo // Correlate with IdentityInfo table | summarize arg_max (TimeGenerated,AccountObjectId, Department, JobTitle, Manager, AssignedRoles, ReportId, IsAccountEnabled) by AccountUpn | extend UserPrincipalName=tolower(AccountUpn) ) on UserPrincipalName 2. On the top right corner of the advance hunting page, select ‘create custom detection’ under Manage rules. 3. Populate the relevant rule’s information. 4. Specify alert title and description by referencing the AlertName and AlertDescription fields defined in the query, as we will dynamically craft the alert title and description, depending on whether the impacted user is found in the 'Terminated Employees’ watchlist. 5. In the entity mapping section, you will find some entity mappings that we have pre-populated for you, which would save you some time and effort. You can update or add the mappings as you wish. 6. Let’s add some additional mappings. In this example, I will add IP entities under Related Evidence. 7. In the Custom details section, I will add the following key-value pairs to surface additional information of the impact user in the alert. 8. On the Automated actions page, because we are correlating Sentinel data with Defender XDR table (IdentityInfo), you have the option to select first-party remediation actions, which is ‘Mark user as compromised’ in our case. 9. Review the configuration of the rule and click Submit. 10. Now, let’s examine how the incident/alert would look. Below is a sample incident triggered. 11. Select the alert and you will find the custom details on the right pane, surfacing additional information such as Job title, Department, Manager’s name and Assigned roles that we configured. 12. The impacted user from the above incident was not found in the 'Terminated Employees’ watchlist. Now, let’s examine how the incident/alert would look when the impacted user is found in the watchlist. 13. In my environment, I have configured the watchlist and will be using ‘MeganB’ for simulation. 14. Notice how the alert title and description is different from the one generated earlier, to reflect user found in the watchlist. 15. The rule will run once a day with a look back period of 30 days. However, custom detection will not create duplicate alerts if the same impacted entities are found in the subsequent runs. Instead, you will find the Last activity time being updated and more events showing up in the result table of the alert page. Conclusion Custom detection rules in Microsoft Defender offer a powerful and flexible way to enhance your organization's security posture. By leveraging these user-defined rules, you can proactively monitor and respond to security threats, generating detailed and actionable alerts. The recent enhancements—such as unified detection lists, dynamic alert titles, and advanced entity mapping—further improve the functionality and usability of custom detections. Ready to enhance your threat detection capabilities? Start exploring and implementing custom detection rules in Microsoft Defender today to safeguard your digital assets and maintain a strong security posture. Useful links Overview of custom detections in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Create and manage custom detection rules in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
Host Microsoft Defender data locally in the United Arab Emirates
We are pleased to announce that local data residency support in the UAE is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement reinforces our ongoing commitment to delivering secure, compliant services aligned with local data sovereignty requirements. Customers can now confidently onboard to Defender for Endpoint and Defender for Identity in the UAE, knowing that this Defender data will remain at rest within the UAE data boundary. This allows customers to meet their regulatory obligations and maintain control over their data. For more details on the Defender data storage and privacy policies, refer to Microsoft Defender for Endpoint data storage and privacy and Microsoft Defender for Identity data security and privacy. Note: Defender for Endpoint and Defender for Identity may potentially use other Microsoft services (i.e. Microsoft Intune for security settings management). Each Microsoft service is governed by its own data storage and privacy policies and may have varying regional availability. For more information, refer to our Online Product Terms. In addition to the UAE, Defender data residency capabilities are available in the United States, the European Union, the United Kingdom, Australia, Switzerland and India (see our recent announcement for local data hosting in India). Customers with Existing deployments for Defender for Endpoint and/or Defender for Identity Existing customers can check their deployment geo within the portal by going to Settings -> Microsoft Defender XDR-> Account; and see where the service is storing your data at rest. For example, in the image below, the service location for the Defender XDR tenant is UAE. ation information If you would like to update your service location, please reach out to Customer Service and Support for a tenant reset. Support can be accessed by clicking on the “?” icon in the top right corner of the portal when signed in as an Admin (see image below). If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager for assistance with the migration process. More information: Ready to go local? Read our documentation for more information on how to get started. Microsoft Defender XDR data center location Not yet a customer? Take Defender XDR for a spin via a 90-day trial for Office 365 E5 or Defender for Endpoint via a 90-day trial for Defender for Endpoint Check out the Defender for Endpoint website to learn more about our industry leading Endpoint protection platform Check out the Defender for Identity website to learn how to keep your organization safe against rising identity threats
