Automating Microsoft Sentinel: Part 2: Automate the mundane away
Welcome to the second entry of our blog series on automating Microsoft Sentinel. In this series, we’re showing you how to automate various aspects of Microsoft Sentinel, from simple automation of Sentinel Alerts and Incidents to more complicated response scenarios with multiple moving parts. So far, we’ve covered Part 1: Introduction to Automating Microsoft Sentinel where we talked about why you would want to automate as well as an overview of the different types of automation you can do in Sentinel. Here is a preview of what you can expect in the upcoming posts [we’ll be updating this post with links to new posts as they happen]: Part 1: Introduction to Automating Microsoft Sentinel Part 2: Automation Rules [You are here] – Automate the mundane away Part 3: Playbooks 1 – Playbooks Part I – Fundamentals Part 4: Playbooks 2 – Playbooks Part II – Diving Deeper Part 5: Azure Functions / Custom Code Part 6: Capstone Project (Art of the Possible) – Putting it all together Part 2: Automation Rules – Automate the mundane away Automation rules can be used to automate Sentinel itself. For example, let’s say there is a group of machines that have been classified as business critical and if there is an alert related to those machines, then the incident needs to be assigned to a Tier 3 response team and the severity of the alert needs to be raised to at least “high”. Using an automation rule, you can take one analytic rule, apply it to the entire enterprise, but then have an automation rule that only applies to those business-critical systems to make those changes. That way only the items that need that immediate escalation receive it, quickly and efficiently. Automation Rules In Depth So, now that we know what Automation Rules are, let’s dive in to them a bit deeper to better understand how to configure them and how they work. Creating Automation Rules There are three main places where we can create an Automation Rule: 1) Navigating to Automation under the left menu 2) In an existing Incident via the “Actions” button 3) When writing an Analytic Rule, under the “Automated response” tab The process for each is generally the same, except for the Incident route and we’ll break that down more in a bit. When we create an Automation Rule, we need to give the rule a name. It should be descriptive and indicative of what the rule is going to do and what conditions it applies to. For example, a rule that automatically resolves an incident based on a known false positive condition on a server named SRV02021 could be titled “Automatically Close Incident When Affected Machine is SRV02021” but really it’s up to you to decide what you want to name your rules. Trigger The next thing we need to define for our Automation Rule is the Trigger. Triggers are what cause the automation rule to begin running. They can fire when an incident is created or updated, or when an alert is created. Of the two options (incident based or alert based), it’s preferred to use incident triggers as they’re potentially the aggregation of multiple alerts and the odds are that you’re going to want to take the same automation steps for all of the alerts since they’re all related. It’s better to reserve alert-based triggers for scenarios where an analytic rule is firing an alert, but is set to not create an incident. Conditions Conditions are, well, the conditions to which this rule applies. There are two conditions that are always present: The Incident provider and the Analytic rule name. You can choose multiple criterion and steps. For example, you could have it apply to all incident providers and all rules (as shown in the picture above) or only a specific provider and all rules, or not apply to a particular provider, etc. etc. You can also add additional Conditions that will either include or exclude the rule from running. When you create a new condition, you can build it out by multiple properties ranging from information about the Incident all the way to information about the Entities that are tagged in the incident Remember our earlier Automation Rule title where we said this was a false positive about a server name SRV02021? This is where we make the rule match that title by setting the Condition to only fire this automation if the Entity has a host name of “SRV2021” By combining AND and OR group clauses with the built in conditional filters, you can make the rule as specific as you need it to be. You might be thinking to yourself that it seems like while there is a lot of power in creating these conditions, it might be a bit onerous to create them for each condition. Recall earlier where I said the process for the three ways of creating Automation Rules was generally the same except using the Incident Action route? Well, that route will pre-fill variables for that selected instance. For example, for the image below, the rule automatically took the rule name, the rules it applies to as well as the entities that were mapped in the incident. You can add, remove, or modify any of the variables that the process auto-maps. NOTE: In the new Unified Security Operations Platform (Defender XDR + Sentinel) that has some new best practice guidance: If you've created an automation using "Title" use "Analytic rule name" instead. The Title value could change with Defender's Correlation engine. The option for "incident provider" has been removed and replaced by "Alert product names" to filter based on the alert provider. Actions Now that we’ve tuned our Automation Rule to only fire for the situations we want, we can now set up what actions we want the rule to execute. Clicking the “Actions” drop down list will show you the options you can choose When you select an option, the user interface will change to map to your selected option. For example, if I choose to change the status of the Incident, the UX will update to show me a drop down menu with options about which status I would like to set. If I choose other options (Run playbook, change severity, assign owner, add tags, add task) the UX will change to reflect my option. You can assign multiple actions within one Automation Rule by clicking the “Add action” button and selecting the next action you want the system to take. For example, you might want to assign an Incident to a particular user or group, change its severity to “High” and then set the status to Active. Notably, when you create an Automation rule from an Incident, Sentinel automatically sets a default action to Change Status. It sets the automation up to set the Status to “Closed” and a “Benign Positive – Suspicious by expected”. This default action can be deleted and you can then set up your own action. In a future episode of this blog we’re going to be talking about Playbooks in detail, but for now just know that this is the place where you can assign a Playbook to your Automation Rules. There is one other option in the Actions menu that I wanted to specifically talk about in this blog post though: Incident Tasks Incident Tasks Like most cybersecurity teams, you probably have a run book of the different tasks or steps that your analysts and responders should take for different situations. By using Incident Tasks, you can now embed those runbook steps directly in the Incident. Incident tasks can be as lightweight or as detailed as you need them to be and can include rich formatting, links to external content, images, etc. When an incident with Tasks is generated, the SOC team will see these tasks attached as part of the Incident and can then take the defined actions and check off that they’ve been completed. Rule Lifetime and Order There is one last section of Automation rules that we need to define before we can start automating the mundane away: when should the rule expire and in what order should the rule run compared to other rules. When you create a rule in the standalone automation UX, the default is for the rule to expire at an indefinite date and time in the future, e.g. forever. You can change the expiration date and time to any date and time in the future. If you are creating the automation rule from an Incident, Sentinel will automatically assume that this rule should have an expiration date and time and sets it automatically to 24 hours in the future. Just as with the default action when created from an incident, you can change the date and time of expiration to any datetime in the future, or set it to “Indefinite” by deleting the date. Conclusion In this blog post, we talked about Automation Rules in Sentinel and how you can use them to automate mundane tasks in Sentinel as well as leverage them to help your SOC analysts be more effective and consistent in their day-to-day with capabilities like Incident Tasks. Stay tuned for more updates and tips on automating Microsoft Sentinel!Microsoft Purview Data Security Investigations is now generally available
Every data security investigation starts with the same question: What data security risks are buried in this data? Exposed credentials in thousands of files across a data estate. Evidence of fraud hidden in vendor communications. Sensitive documents accidentally shared to a large group. Finding these risks manually — reviewing content file by file, message by message — is no longer viable when organizations are managing 220 zettabytes of data[1] and facing over 12,000 confirmed breaches annually[2]. That's why we built Microsoft Purview Data Security Investigations, now generally available. Microsoft Purview Data Security Investigations enables data security teams to identify investigation-relevant data, investigate that data with AI-powered deep content analysis, and mitigate risk — all within one unified solution. Teams can quickly analyze data at scale to surface sensitive data and security risks, then collaborate securely to address them. By streamlining complex, time‑consuming investigative workflows, admins can resolve investigations in hours instead of weeks or months. Proactive and reactive investigation scenarios Organizations are using Data Security Investigations to tackle diverse data security challenges — from reactive incident response to proactive risk assessment. Some of our top use cases from preview include: Data breach and leak: Understand severity, sensitivity, and significance of data that has been leaked or breached, including risks buried in impacted data, to take action and mitigate its impact to the organization. Credentials exposure: Proactively scan thousands of SharePoint sites to identify files containing credentials like passwords, which can give a threat actor prolonged access to an organization's environment. Internal fraud and bribery: Uncover suspicious communications tied to vendor payments or client interactions, uncovering hard-to-find patterns in large volumes of emails and messages. Sensitive data exposure in Teams: Determine who accessed classified documents after accidental sharing — and whether that data was further distributed. Inappropriate content investigations: Quickly find what was posted, where, and by whom, even when teams only know a timeframe or channel name. Investigations that once took weeks — or weren’t possible at all — can now be completed in hours. By eliminating manual effort and surfacing hidden risks across sprawling data estates, Data Security Investigations empowers teams to investigate more efficiently and confidently, making deep, scalable investigations a reality. What Microsoft Purview Data Security Investigations does – and what’s new Since launching public preview, we've listened closely to customer feedback and made significant enhancements to help teams investigate faster, mitigate more effectively, and manage costs with confidence. Data Security Investigations addresses three critical stages of an investigation: Identify impacted data Data Security admins can efficiently identify relevant data by searching their Microsoft 365 data estate to locate emails, Teams messages, Copilot prompts and responses, and documents. Investigators can also launch pre-scoped investigations from a Microsoft Defender XDR incident or a Microsoft Purview Insider Risk Management case. We’ve recently added a new integration that allows admins to launch a Data Security Investigation from Microsoft Purview Data Security Posture Management as well. This capability can help a data security admin investigate an objective, such as preventing data exfiltration. Investigate using deep content analysis Once the investigation is scoped, the solution's generative AI capabilities allow admins to gain deeper insights into the data, analyzing across 95+ languages to uncover critical sensitive data and security risks. Teams can quickly answer three questions: What data security risks exist within the data? Why do they matter? And what actions can be taken to mitigate them? To help answer these questions, two new investigative capabilities, AI search and AI context input, as well as enhancements to existing features were added in November. Data Security Investigations help admins scale their impact and accelerate investigations with the following features: AI search: Using a new AI-powered natural language search experience, admins can find key risks using keywords, metadata, and semantic embeddings — making it easier to locate investigation-relevant content across large data estates. Categorization: By automatically classifying investigation data into meaningful categories, admins can quickly understand incident severity, what types of content is at risk, and trends within an investigation. Vector search: Using semantic search, admins can find contextually related content — even when exact keywords don't match. Risk examination: Using deep content analysis, admins can examine content for sensitive data and security risks, providing a risk score, recommended mitigation steps, and AI-generated rationale for each analyzed asset. AI context input: Admins can now add investigation-specific context before analysis, resulting in more efficient, higher-quality insights tailored to the specific incident. AI search in action, finding credentials present in the dataset being investigated. Mitigate identified risks Investigators can use Data Security Investigations to securely collaborate with partner teams to mitigate identified risks, simplifying tasks that have traditionally been time consuming and complex. In September, we launched an integration with the Microsoft Sentinel graph, the data risk graph, allowing admins to visualize correlations between investigation data, users, and their activities. This automatically combines unified audit logs, Entra audit logs, and threat intelligence, which would otherwise need to be manually correlated, saving time, providing critical context, and allowing investigators to understand all nodes in their investigation. At the start of January 2026, we launched a new mitigation action, purge, that helps admins quickly and efficiently delete sensitive or overshared content directly within the investigation workflow in the product interface. This reduces exposure immediately and keeps incidents from escalating or recurring. Built-in cost management tools To help customers predict and manage costs associated with using Data Security Investigations, we recently released a lightweight cost estimator and usage dashboard. The in-product cost estimator is now available to help analysts model and forecast both storage and compute unit costs based on specific use cases, enabling more accurate budget planning. Additionally, the usage dashboard provides granular breakdowns of billed storage and compute unit usage, empowering data security admins to identify cost-saving opportunities and optimize resource allocation. For detailed guidance on managing costs, see https://aka.ms/DSIcostmanagementtips. Refined business model for general availability These cost management tools are designed to support our updated business model, which offers greater flexibility and transparency. Customers need the freedom to scale investigations without overcommitting resources. To better align with how customers investigate data risk at scale, we refined the Data Security Investigations business model as part of general availability. The product now uses two consumptive meters: Data Security Investigations Storage Meter – For storing investigation-related data, charged by GB Data Security Investigations Compute Meter – For the computational capacity required to complete AI-powered data analysis and actions, charged by Compute Units (CUs) Monthly charges are determined by the amount of data stored and the number of CUs consumed per hour. This pay-as-you-go model ensures customers only pay for what they need when they need it, providing the flexibility, scalability, and cost efficiency needed for both urgent incident response and proactive data security hygiene assessments. Find more information on pricing at aka.ms/purviewpricing. Get started today As data security threats evolve, so must the way we investigate them. Microsoft Purview Data Security Investigations is now generally available, giving organizations a modern, AI-powered approach to uncovering and mitigating risk — without the complexity of disconnected tools or manual workflows. Whether investigating an active breach or proactively hunting for hidden risks, Data Security Investigations gives data security teams the speed and precision needed to act decisively in today's threat landscape. Join for a live Ask Me Anything with the people behind the product on Thursday February 5th at 10am PST, more details here: aka.ms/PurviewDSIAMA2 Learn more about Data Security Investigations at aka.ms/DSIdocs View pricing details at aka.ms/purviewpricing Try Data Security Investigations today! Visit the product https://purview.microsoft.com/dsi and find setup instructions at aka.ms/DSIsetup [1] Worldwide IDC Global DataSphere Forecast, 2025–2029 [2] 2025-dbir-data-breach-investigations-report.pdfMonthly news - January 2026
Microsoft Defender Monthly news - January 2026 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender (Public Preview) The following advanced hunting schema tables are now available for preview: The CampaignInfo table contains contains information about email campaigns identified by Microsoft Defender for Office 365 The FileMaliciousContentInfo table contains information about files that were processed by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams General Availability of the Phishing Triage Agent: this agent autonomously analyzes user‑reported phishing emails to determine whether they’re true threats or false positives, dramatically reducing manual triage workload. It continuously learns from analyst feedback and provides clear, natural‑language explanations for every verdict, giving SOC teams both speed and transparency. We're excited to share it is now generally available and, very soon, will expand to also triage cloud and identity alerts! Learn more on our docs. Public Preview of Dynamic Threat Detection Agent: Announced at Ignite, this always‑on agent hunts for unseen threats by continuously correlating telemetry and creating new, context‑aware detections on the fly—closing gaps traditional rules can’t see. We're excited to share it is now in Public Preview! Learn more on our docs. Public Preview of Threat Hunting Agent: Announced at Ignite, this agent gives every analyst the power to investigate like an expert by turning natural‑language questions into guided, real‑time hunts that surface hidden patterns, reveal meaningful pivots, and eliminate the need to write complex queries. We're excited to share it is now in Public Preview! Learn more on our docs. General Availability of the Threat Intelligence Briefing Agent: this agent delivers daily, tailored intelligence briefings directly in Microsoft Defender—automatically synthesizing Microsoft’s global threat insights with your organization’s context to surface prioritized risks, clear recommendations, and relevant assets so teams can shift from reactive research to proactive defense in minutes. We're excited to share it is now generally available! Learn more on our docs. (General Availability) The hunting graph in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs. (General Availability) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. Learn more Microsoft Defender for Endpoint (Public Preview) Triage collection: Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server. Microsoft Defender for Identity New ADWS LDAP search activity is now available in the 'IdentityQueryEvents' table in Advanced Hunting. This can provides visibility into directory queries performed through ADWS, helping customers track these operations and create custom detection based on this data. (Public Preview) New properties for 'sensorCandidate' resource type in Graph-API. Learn more here. Microsoft Defender for Cloud Apps Integration of Defender for Cloud Apps permissions with Microsoft Defender XDR Unified RBAC is now available worldwide. For more information, see Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions. To activate the Defender for Cloud Apps workload, see Activate Microsoft Defender XDR Unified RBAC. (Public Preview) The Defender for Cloud Apps app governance unused app insights feature helps administrators identify and manage unused Microsoft 365-connected OAuth apps, enforce policy-based governance, and use advanced hunting queries for better security. This feature is now available for most commercial cloud customers. For more information, see Secure apps with app hygiene features.Introducing AI-powered incident prioritization in Microsoft Defender
Every SOC analyst knows the moment when the incident queue fills up fast. Multiple alerts arrive with the same severity but different sources. When everything looks equally urgent, the real question becomes what do you investigate first? And how do you address it consistently across shifts, analysts, and tool stacks? At Microsoft Ignite last November, we announced a new capability in Microsoft Defender designed to solve exactly this problem: AI-powered incident prioritization. Today, we’re excited to share that AI-powered incident prioritization is now available in public preview for all Microsoft Defender customers. This is about helping SOC teams cut through noise, focus on what matters most, and move faster with confidence. A new and improved incident queue experience Microsoft Defender aggregates related alerts and automated investigations into an incident. That correlation matters because some activity is only clearly malicious when you connect the dots across multiple products and telemetry sources. Instead of chasing isolated alerts, analysts get the broader narrative: what happened, what it touched, and how it progressed. Prior to the new incident queue experience, incidents were prioritized using factors like alert severity, tags, and MITRE techniques. We’ve since expanded this approach to incorporate additional high‑signal inputs which include automatic attack disruption signals, high‑profile threats (such as ransomware or nation‑state activity), asset criticality, threat analytics, and more. This enhanced prioritization model is designed to work across signals from Defender, Sentinel, and custom alerts, ensuring a more accurate and comprehensive assessment of incident priority. To help teams act on that story quickly, the incident queue now includes AI-powered incident prioritization (see Figure 1). It applies a machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0–100 and explains the key factors behind the ranking. That explainability is what turns a score into something analysts can trust and use to drive consistent triage decisions. To make the queue scannable at a glance, score ranges are color-coded: Red: Top priority (> 85%) Orange: Medium priority (15–85%) Gray: Low priority (< 15%) This makes it easy to focus immediately on the highest-impact work, while still keeping medium/low priority incidents visible for coverage and hygiene. Built for analyst flow, not just ranking. Selecting an incident row opens a summary pane that keeps analysts in the moment of triage (see Figure 2). It shows the factors that went into prioritization such as: The priority assessment The factors influencing the priority score Key incident details Recommended actions Related threats By default, the queue shows incidents from the last week, but the time selector above the queue lets you switch time frames—for shift handoffs, retrospectives, validation after detection changes, or responding to a specific time-bound campaign. What prioritization done well delivers for a SOC When prioritization is done well, it’s not automation for automation’s sake, it’s a force multiplier, delivering: Faster triage: less time sorting, more time investigating Higher confidence: analysts understand why an incident rose to the top Better outcomes: high-impact incidents involving critical assets, rare signals, or active threat campaigns get attention first Effective prioritization enhances SOC protection. It ensures analysts see high impact incidents, can disrupt attacks earlier in the kill chain, reduce dwell time, and avoid getting blindsided by fast‑moving or stealthy threats. The AI-powered incident queue experience is designed to make the unified Defender portal not only a place where incidents are aggregated—but a place where analysts can reliably decide what to do next, even under heavy volume. Learn more and get started Check out our resources to learn more about our new incident queue experience: Check out Microsoft Ignite announcement and demo Read the documentationMonthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 😎 Microsoft Ignite 2025 - now on-demand! 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better… a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.Announcing public preview: Uncovering hidden threats with the Dynamic Threat Detection Agent
At Ignite, we announced the Security Copilot Dynamic Threat Detection Agent in Microsoft Defender: an always on, adaptive backend agent that uncovers hidden threats across Defender and Microsoft Sentinel environments. Today we are excited to share that the customers who meet the prerequisites will now enter public preview of this agent. Running in the Defender backend, the agent delivers Copilot-sourced alerts directly into familiar workflows—complete with natural language explanations, mapped MITRE techniques, and tailored remediation steps. Why adaptive AI-driven detection changes the game Traditional rule-based and machine learning (ML) systems struggle to keep pace with ever-evolving threats. Attackers now leverage AI to evade detection, leaving organizations exposed. The Dynamic Threat Detection Agent addresses this through: Adaptive AI that finds what rules miss – GenAI-driven detection continuously investigates across Defender and Sentinel telemetry to uncover false negatives and blind spots, providing always-on protection with clear risk context and concrete next steps (see Figure 1 below). Reduce noise, increase confidence – The agent minimizes SOC noise and boosts analyst confidence, with customer-validated precision above 85% in recent months across thousands of alerts and 28 threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement). Hyperscale TI + UEBA driven entity risk scoring – The agent fuses Threat Intelligence Tracking via Adaptive Networks (TITAN)’s hyperscale, ML-driven threat intelligence with UEBA risk signals to continuously score accounts, devices, and IPs. This combination of global TI, customer-specific context, and behavioral anomalies surfaces genuinely risky behaviors earlier while filtering noise and providing key context during the agent’s investigations. Always on, zero-touch—with customer control – Because the agent runs in the Defender backend, it automatically generates alerts into your existing XDR workflows with no tuning or onboarding required. During public preview it’s enabled by default for eligible customers, and starting in July it will be available for E5 customers through the Security Copilot inclusion. Once billing begins, customers can disable it at any time and manage usage through detailed consumption reporting. Deep integration across the Microsoft security ecosystem – The agent works with Security Copilot, Sentinel, and Defender, correlating native and third-party telemetry to surface missed behaviors and deliver richer context across your SOC workflows. Inside the Dynamic Threat Detection engine Under the hood, the Dynamic Threat Detection Agent runs a five-step investigation loop at machine scale—starting from signals you already care about, building a rich activity timeline, testing hypotheses, and closing detection gaps with explainable, actionable alerts. This loop executes across thousands of parallel investigations, delivering detections in near–real time for your SOC. Start with an incident – Running continuously in the Defender backend, the agent monitors for security activity you care about: incidents with a high priority score, critical assets, disruption signals, threat actor notifications, and more. Build a focused timeline – From that incident, it builds a unified activity timeline that stitches together alerts, events, UEBA anomalies, and threat intelligence. Iterative Q/A loop – Given the incident and its unified timeline, the agent automatically generates attack-specific hypotheses (e.g., “Was this account compromised via phishing from this IP?”) and runs its own chain of targeted questions over relevant entities and events. Without any manual prompts or intervention, the agent investigates its hypotheses, rules out alternate explanations, and autonomously converges on a single, well-supported triage decision with an explicit, transparent reasoning trace. Close detection gaps with explainable, actionable alerts – When evidence converges on a true positive, the agent automatically emits a dynamic alert—complete with title, description, severity, mapped MITRE techniques, and remediation steps—directly into your Defender workflows with Security Copilot as the detection source. Alongside the structured fields, the agent generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into its reasoning. Learn and improve continuously – Your grading feedback (TP/FP/BP) is leveraged to recalibrate seed points, refine table selection, tune hypothesis questions, and adjust thresholds so detection quality improves over time. This feedback continuously sharpens the agent’s ability to detect meaningful threats and reduce alert noise. Answering the questions security experts ask first Before adopting a new detection capability, security teams want more than features—they want clear answers on noise, effort, cost, explainability, and how it fits with their existing tools and compliance posture. The Dynamic Threat Detection Agent is built with those questions in mind, so from day one you know how it behaves in your SOC, how it’s governed, and what value it delivers. What’s the value? The agent uncovers hidden threats (i.e., false negative alerts), enriching investigations with context so analysts can resolve incidents faster and with greater confidence. Will this add noise? The agent is tuned for high precision—measured at 85+% over the past few months across thousands of alerts and numerous threat types (e.g., Initial Access, Privilege Escalation, Lateral Movement). How much effort is required? Zero setup—it runs in the Defender backend and delivers alerts into your current workflows. What about cost and control? Public Preview is free for Security Copilot customers. At General Availability (July 2026), the agent transitions to the Security Copilot SCU-based model; you’ll have consumption reporting and the ability to disable the agent if desired. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers. Learn more. Is it explainable? Every alert includes a custom description, mapped MITRE techniques, and tailored remediation actions. Alongside the structured fields, it generates a natural language narrative that explains why the activity is risky, which entities and signals drove the decision, and how the attack unfolded, giving analysts a transparent window into the agent’s reasoning Does it respect data residency? The service runs region local, ensuring that customer data and required telemetry stay inside the designated geographic boundary. How does it fit with Sentinel and Security Copilot? The agent uses Sentinel to correlate third-party and native telemetry, and runs as part of the Security Copilot platform—surfacing its alerts as Copilot-sourced detections in Defender. How fast and at what scale? The agent is built for massive scale with Azure Synapse, capable of running thousands of parallel investigations and delivering detections in near–real time for your SOC. The future of dynamic threat detection in your SOC The Dynamic Threat Detection Agent is a milestone in adaptive security—bringing GenAI to detection at scale, integrated across Defender and Sentinel, and delivered through Security Copilot. We’re just getting started: expect continued enhancements in coverage, contextual explainability, and integration with your SOC workflows. Public Preview starts now. The Dynamic Threat Detection Agent is available as a free Public Preview for Security Copilot customers. General Availability (GA) planned for late 2026, the agent will transition to the Security Copilot SCU-based consumption model. Microsoft Security Copilot is now included for all eligible Microsoft 365 E5 customers, and this agent will be included as part of that entitlement. Learn more and get started Check out our resources to learn more about the new Security Copilot Dynamic Threat Detection Agent: Check out Microsoft Ignite announcement and demo Read the documentation on the new agent experience here
Custom detection rules get a boost—explore what’s new in Microsoft Defender
Co-author - Jeremy Tan In today's rapidly evolving cybersecurity landscape, staying ahead of threats is crucial. Microsoft Defender's custom detection rules offer a powerful way to proactively monitor and respond to security threats. These user-defined rules can be configured to run at regular intervals to detect security threats—generating alerts and triggering response actions when threats are detected. If you are a Microsoft Sentinel user and have connected your Sentinel workspace to Microsoft Defender, you are probably more familiar with analytics rules in Microsoft Sentinel and are looking to explore the capabilities and benefits of custom detections. Understanding and leveraging custom detection rules can significantly enhance your organization's security posture. This blog will delve into the benefits of custom detections and showcase scenarios that highlight their capabilities, helping you make the most of this robust feature. We are excited to release these brand-new enhancements that are now available in public preview. What’s new in custom detections? The improvements in custom detections aim to enhance their functionality and usability, making it easier to manage and respond to security threats effectively. Unified user defined detection list: Manage all your user-defined detections from Microsoft Defender XDR and Microsoft Sentinel in one place. Filtering capabilities for every column. Search freely using rule title or rule ID. View the new workspace ID column (filterable) for multi-workspace organizations that onboarded multiple workspaces to the unified SOC platform. Manage all detections from MTO portal across all your tenants. Show details pane for every rule (whether custom detection or analytics rule). Perform the following actions on rules: Turn on/off Delete Edit Run (only for custom detections) Open rule’s page (only for custom detections) Migrate eligible scheduled custom detections to near real-time custom detections with one click using the new migration tool. Dynamic alert titles and descriptions: Dynamically craft your alert’s title and description using the results of your query to make them accurate and indicative. Advanced entity mapping: Link a wide range of entity types to your alerts. Enrich alerts with custom details: Surface details to display in the alert side panel. Support Sentinel-only data: Custom detections support Microsoft Sentinel data only without dependency on Microsoft Defender XDR data. Flexible and high frequency support for Sentinel data: Custom detections support high and flexible frequency for Microsoft Sentinel data. The benefits of custom detections Let’s examine some of the key benefits of custom detections: Query data from Defender XDR and Sentinel seamlessly: You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables seamlessly, without the need of sending Defender XDR data to Sentinel. Cost efficiency: Save on ingestion costs if you don’t need to retain Microsoft Defender XDR data in analytics tier for more than 30 days but have detection use cases involving both Defender XDR and Sentinel data. Detect threats immediately and remove dependency on quick ingestion: near real time (NRT) custom detections monitor events as they stream, while standard custom detections evaluate both the event ingestion time and the time the event was generated. Unlimited NRT detections: NRT custom detections are unlimited, you can create as many as you need. Since they are based on a streaming technology, they are not generating any load on the system. Native remediation actions: You can configure custom detection rule to automatically take actions on devices, files, users, or emails that are returned by the query when your detection query is correlating Defender XDR and Microsoft Sentinel data, or Defender XDR data only. Entity mapping: Entities are automatically mapped to the alert for all XDR tables. Out of the box alert de-duplication: To reduce alert fatigue when alert generated with the same impacted entities, custom details, title and description - they will merge to the same alert (keeping all raw events linked to the single alert). With this capability you don’t need to worry about duplicated alerts – we take care of it for you. Built-in functions: You can leverage built-in enrichment functions when you build your custom detection queries, such as FileProfile(), SeenBy(), DeviceFromIP() and AssignedIPAddresses(). Extended lookback period: Custom detections have a long lookback period of up to 30 days for rules that run once a day, ideal for historical trending detections. Common scenarios To truly understand the power and versatility of custom detection rules in Microsoft Defender, it's essential to see them in action. In this section, we'll explore several common use cases that demonstrate how these new capabilities can be leveraged to enhance your organization's security posture. These scenarios highlight the benefits of the capabilities, providing you with actionable insights to implement in your own environment. Use Case – detecting potential malicious activity In this use case, we aim to detect potential malicious activity by monitoring logon attempts from different IP addresses. We will implement a custom detection rule that: Monitors successful logon by a user from one IP address and a failed logon attempt from a different IP address (may indicate a malicious attempt at password guessing with a known account). Enriches alerts with user's information from Microsoft Defender for Identity’s IdentityInfo table, including Job title, Department, Manager’s name, and assigned roles. If the user has been found in the 'Terminated Employees’ watchlist, indicating that the user has been notified for termination or marked as terminated, reflect this in the alert name and description. Runs once a day with a lookback period of 30 days, avoiding duplicate alerts on subsequent intervals. Let’s walk through the creation of the custom detection rule and examine the outcome. 1. Here is the sample KQL query we will run in advanced hunting page to create the custom detection. let logonDiff = 10m; let Terminated_Watchlist = _GetWatchlist("TerminatedEmployees") | project tolower(SearchKey);// Get the TerminiatedEmploees Watchlist let aadFunc = (tableName:string) { table(tableName) | where ResultType == "0" | where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online") // To remove false-positives, add more Apps to this array | extend SuccessIPv6Block = strcat(split(IPAddress, ":")[0], ":", split(IPAddress, ":")[1], ":", split(IPAddress, ":")[2], ":", split(IPAddress, ":")[3]) | extend SuccessIPv4Block = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1]) | project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains ":", strcat(split(IPAddress, ":")[0], ":", split(IPAddress, ":")[1]), strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])), Type | join kind= inner ( table(tableName) | where ResultType !in ("0", "50140") | where ResultDescription !~ "Other" | where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online") | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type ) on UserPrincipalName, AppDisplayName | where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock // Compare the success and failed logon time | summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type | extend Timestamp = SuccessLogonTime | extend UserInTerminatedWatchlist = iif(UserPrincipalName in (Terminated_Watchlist), 'True', 'False') // Check if the impacted user is found in the Watchlist | extend AlertName = iif(UserInTerminatedWatchlist == 'True', "Successful logon by a 'Terminated Employees Watchlist' user from one IP and a failed logon attempt from a different IP","Successful logon from IP and failure from a different IP") // This is the define the dynamic alert value | extend AlertDescription = iif(UserInTerminatedWatchlist == 'True', "A Successful logon by a 'Terminated Employees Watchlist' user onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). ","A user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account).") // This is to define the dynamic alert description | extend UserPrincipalName = tolower(UserPrincipalName)}; let aadSignin = aadFunc("SigninLogs"); let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); union isfuzzy=true aadSignin, aadNonInt | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]) | join kind=leftouter ( IdentityInfo // Correlate with IdentityInfo table | summarize arg_max (TimeGenerated,AccountObjectId, Department, JobTitle, Manager, AssignedRoles, ReportId, IsAccountEnabled) by AccountUpn | extend UserPrincipalName=tolower(AccountUpn) ) on UserPrincipalName 2. On the top right corner of the advance hunting page, select ‘create custom detection’ under Manage rules. 3. Populate the relevant rule’s information. 4. Specify alert title and description by referencing the AlertName and AlertDescription fields defined in the query, as we will dynamically craft the alert title and description, depending on whether the impacted user is found in the 'Terminated Employees’ watchlist. 5. In the entity mapping section, you will find some entity mappings that we have pre-populated for you, which would save you some time and effort. You can update or add the mappings as you wish. 6. Let’s add some additional mappings. In this example, I will add IP entities under Related Evidence. 7. In the Custom details section, I will add the following key-value pairs to surface additional information of the impact user in the alert. 8. On the Automated actions page, because we are correlating Sentinel data with Defender XDR table (IdentityInfo), you have the option to select first-party remediation actions, which is ‘Mark user as compromised’ in our case. 9. Review the configuration of the rule and click Submit. 10. Now, let’s examine how the incident/alert would look. Below is a sample incident triggered. 11. Select the alert and you will find the custom details on the right pane, surfacing additional information such as Job title, Department, Manager’s name and Assigned roles that we configured. 12. The impacted user from the above incident was not found in the 'Terminated Employees’ watchlist. Now, let’s examine how the incident/alert would look when the impacted user is found in the watchlist. 13. In my environment, I have configured the watchlist and will be using ‘MeganB’ for simulation. 14. Notice how the alert title and description is different from the one generated earlier, to reflect user found in the watchlist. 15. The rule will run once a day with a look back period of 30 days. However, custom detection will not create duplicate alerts if the same impacted entities are found in the subsequent runs. Instead, you will find the Last activity time being updated and more events showing up in the result table of the alert page. Conclusion Custom detection rules in Microsoft Defender offer a powerful and flexible way to enhance your organization's security posture. By leveraging these user-defined rules, you can proactively monitor and respond to security threats, generating detailed and actionable alerts. The recent enhancements—such as unified detection lists, dynamic alert titles, and advanced entity mapping—further improve the functionality and usability of custom detections. Ready to enhance your threat detection capabilities? Start exploring and implementing custom detection rules in Microsoft Defender today to safeguard your digital assets and maintain a strong security posture. Useful links Overview of custom detections in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Create and manage custom detection rules in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
Host Microsoft Defender data locally in the United Arab Emirates
We are pleased to announce that local data residency support in the UAE is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement reinforces our ongoing commitment to delivering secure, compliant services aligned with local data sovereignty requirements. Customers can now confidently onboard to Defender for Endpoint and Defender for Identity in the UAE, knowing that this Defender data will remain at rest within the UAE data boundary. This allows customers to meet their regulatory obligations and maintain control over their data. For more details on the Defender data storage and privacy policies, refer to Microsoft Defender for Endpoint data storage and privacy and Microsoft Defender for Identity data security and privacy. Note: Defender for Endpoint and Defender for Identity may potentially use other Microsoft services (i.e. Microsoft Intune for security settings management). Each Microsoft service is governed by its own data storage and privacy policies and may have varying regional availability. For more information, refer to our Online Product Terms. In addition to the UAE, Defender data residency capabilities are available in the United States, the European Union, the United Kingdom, Australia, Switzerland and India (see our recent announcement for local data hosting in India). Customers with Existing deployments for Defender for Endpoint and/or Defender for Identity Existing customers can check their deployment geo within the portal by going to Settings -> Microsoft Defender XDR-> Account; and see where the service is storing your data at rest. For example, in the image below, the service location for the Defender XDR tenant is UAE. ation information If you would like to update your service location, please reach out to Customer Service and Support for a tenant reset. Support can be accessed by clicking on the “?” icon in the top right corner of the portal when signed in as an Admin (see image below). If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager for assistance with the migration process. More information: Ready to go local? Read our documentation for more information on how to get started. Microsoft Defender XDR data center location Not yet a customer? Take Defender XDR for a spin via a 90-day trial for Office 365 E5 or Defender for Endpoint via a 90-day trial for Defender for Endpoint Check out the Defender for Endpoint website to learn more about our industry leading Endpoint protection platform Check out the Defender for Identity website to learn how to keep your organization safe against rising identity threatsSecurity Guidance Series: CAF 4.0 Threat Hunting From Detection to Anticipation
The CAF 4.0 update reframes C2 (Threat Hunting) as a cornerstone of proactive cyber resilience. According to the NCSC CAF 4.0, this principle is no longer about occasional investigations or manual log reviews; it now demands structured, frequent, and intelligence-led threat hunting that evolves in line with organizational risk. The expectation is that UK public sector organizations will not just respond to alerts but will actively search for hidden or emerging threats that evade standard detection technologies, documenting their findings and using them to strengthen controls and response. In practice, this represents a shift from detection to anticipation. Threat hunting under CAF 4.0 should be hypothesis-driven, focusing on attacker tactics, techniques, and procedures (TTPs) rather than isolated indicators of compromise (IoCs). Organizations must build confidence that their hunting processes are repeatable, measurable, and continuously improving, leveraging automation and threat intelligence to expand coverage and consistency. Microsoft E3 Microsoft E3 equips organizations with the baseline capabilities to begin threat investigation, forming the starting point for Partially Achieved maturity under CAF 4.0 C2. At this level, hunting is ad hoc and event-driven, but it establishes the foundation for structured processes. How E3 contributes to the following objectives in C2: Reactive detection for initial hunts: Defender for Endpoint Plan 1 surfaces alerts on phishing, malware, and suspicious endpoint activity. Analysts can use these alerts to triage incidents and document steps taken, creating the first iteration of a hunting methodology. Identity correlation and manual investigation: Entra ID P1 provides Conditional Access and MFA enforcement, while audit telemetry in the Security & Compliance Centre supports manual reviews of identity anomalies. These capabilities allow organizations to link endpoint and identity signals during investigations. Learning from incidents: By recording findings from reactive hunts and feeding lessons into risk decisions, organizations begin to build repeatable processes, even if hunts are not yet hypothesis-driven or frequent enough to match risk. What’s missing for Achieved: Under E3, hunts remain reactive, lack documented hypotheses, and do not routinely convert findings into automated detections. Achieving full maturity typically requires regular, TTP-focused hunts, automation, and integration with advanced analytics, capabilities found in higher-tier solutions. Microsoft E5 Microsoft E5 elevates threat hunting from reactive investigation to a structured, intelligence-driven discipline, a defining feature of Achieved maturity under CAF 4.0, C2. Distinctive E5 capabilities for C2: Hypothesis-driven hunts at scale: Defender Advanced Hunting (KQL) enables analysts to test hypotheses across correlated telemetry from endpoints, identities, email, and SaaS applications. This supports hunts focused on adversary TTPs, not just atomic IoCs, as CAF requires. Turning hunts into detections: Custom hunting queries can be converted into alert rules, operationalizing findings into automated detection and reducing reliance on manual triage. Threat intelligence integration: Microsoft Threat Intelligence feeds real-time actor tradecraft and sector-specific campaigns into the hunting workflow, ensuring hunts anticipate emerging threats rather than react to incidents. Identity and lateral movement focus: Defender for Identity surfaces Kerberos abuse, credential replay, and lateral movement patterns, enabling hunts that span beyond endpoints and email. Documented and repeatable process: E5 supports recording hunt queries and outcomes via APIs and portals, creating evidence for audits and driving continuous improvement, a CAF expectation. By embedding hypothesis-driven hunts, automation, and intelligence into business-as-usual operations, E5 helps public sector organizations meet CAF C2’s requirement for regular, documented hunts that proactively reduce risk, and evolve with the threat landscape. Sentinel Microsoft Sentinel takes threat hunting beyond the Microsoft ecosystem, unifying telemetry from endpoints, firewalls, OT systems, and third-party SaaS into a single cloud-native SIEM and SOAR platform. This consolidation helps enable hunts that span the entire attack surface, a critical step toward achieving maturity under CAF 4.0 C2. Key capabilities for control C2: Attacker-centric analysis: MITRE ATT&CK-aligned analytics and KQL-based hunting allow teams to identify stealthy behaviours, simulate breach paths, and validate detection coverage. Threat intelligence integration: Sentinel enriches hunts with national and sector-specific intelligence (e.g. NCSC advisories), ensuring hunts target the most relevant TTPs. Automation and repeatability: SOAR playbooks convert post-hunt findings into automated workflows for containment, investigation, and documentation, meeting CAF’s requirement for structured, continuously improving hunts. Evidence-driven improvement: Recorded hunts and automated reporting create a feedback loop that strengthens posture and demonstrates compliance. By combining telemetry, intelligence, and automation, Sentinel helps organizations embed threat hunting as a routine, scalable process, turning insights into detections and ensuring hunts evolve with the threat landscape. The video below shows how E3, E5 and Sentinel power real C2 threat hunts. Bringing it all Together By progressing from E3’s reactive investigation to E5’s intelligence-led correlation and Sentinel’s automated hunting and orchestration, organizations can develop an end-to-end capability that not only detects but anticipates and helps prevent disruption to essential public services across the UK. This is the operational reality of Achieved under CAF 4.0 C2 (Threat Hunting) - a structured, data-driven, and intelligence-informed approach that transforms threat hunting from an isolated task into an ongoing discipline of proactive defence. To demonstrate what effective, CAF-aligned threat hunting looks like, the following one-slider and demo walk through how Microsoft’s security tools support structured, repeatable hunts that match organizational risk. These examples help translate C2’s expectations into practical, operational activity. CAF 4.0 challenges public-sector defenders to move beyond detection and embrace anticipation. How mature is your organization’s ability to uncover the threats that have not yet been seen? In this final post of the series, the message is clear - true cyber resilience moves beyond reactivity towards a predictive approach.Security Guidance Series: CAF 4.0 Understanding Threat From Awareness to Intelligence-Led Defence
The updated CAF 4.0 raises expectations around control A2.b - Understanding Threat. Rather than focusing solely on awareness of common cyber-attacks, the framework now calls for a sector-specific, intelligence-informed understanding of the threat landscape. According to the NCSC, CAF 4.0 emphasizes the need for detailed threat analysis that reflects the tactics, techniques, and resources of capable adversaries, and requires that this understanding directly shapes security and resilience decisions. For public sector authorities, this means going beyond static risk registers to build a living threat model that evolves alongside digital transformation and service delivery. Public sector authorities need to know which systems and datasets are most exposed, from citizen records and clinical information to education systems, operational platforms, and payment gateways, and anticipate how an attacker might exploit them to disrupt essential services. To support this higher level of maturity, Microsoft’s security ecosystem helps public sector authorities turn threat intelligence into actionable understanding, directly aligning with CAF 4.0’s Achieved criteria for control A2.b. Microsoft E3 - Building Foundational Awareness Microsoft E3 provides public sector authorities with the foundational capabilities to start aligning with CAF 4.0 A2.b by enabling awareness of common threats and applying that awareness to risk decisions. At this maturity level, organizations typically reach Partially Achieved, where threat understanding is informed by incidents rather than proactive analysis. How E3 contributes to Contributing Outcome A2.b: Visibility of basic threats: Defender for Endpoint Plan 1 surfaces malware and unsafe application activity, giving organizations insight into how adversaries exploit endpoints. This telemetry helps identify initial attacker entry points and informs reactive containment measures. Identity risk reduction: Entra ID P1 enforces MFA and blocks legacy authentication, mitigating common credential-based attacks. These controls reduce the likelihood of compromise at early stages of an attacker’s path. Incident-driven learning: Alerts and Security & Compliance Centre reports allow organizations to review how attacks unfolded, supporting documentation of observed techniques and feeding lessons into risk decisions. What’s missing for Achieved: To fully meet the contributing outcomes A2.b, public sector organizations must evolve from incident-driven awareness to structured, intelligence-led threat analysis. This involves anticipating probable attack methods, developing plausible scenarios, and maintaining a current threat picture through proactive hunting and threat intelligence. These capabilities extend beyond the E3 baseline and require advanced analytics and dedicated platforms. Microsoft E5 – Advancing to Intelligence-Led Defence Where E3 establishes the foundation for identifying and documenting known threats, Microsoft E5 helps public sector organizations to progress toward the Achieved level of CAF control A2.b by delivering continuous, intelligence-driven analysis across every attack surface. How E5 aligns with Contributing Outcome A2.b: Detailed, up-to-date view of attacker paths: At the core of E5 is Defender XDR, which correlates telemetry from Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, and Defender for Cloud Apps. This unified view reveals how attackers move laterally between devices, identities, and SaaS applications - directly supporting CAF’s requirement to understand probable attack methods and the steps needed to reach critical targets. Advanced hunting and scenario development: Defender for Endpoint P2 introduces advanced hunting via Kusto Query Language (KQL) and behavioural analytics. Analysts can query historical data to uncover persistence mechanisms or privilege escalation techniques, assisting organizations to anticipate attack chains and develop plausible scenarios, a key expectation under A2.b. Email and collaboration threat modelling: Defender for Office 365 P2 detects targeted phishing, business email compromise, and credential harvesting campaigns. Attack Simulation Training adds proactive testing of social engineering techniques, helping organizations maintain awareness of evolving attacker tradecraft and refine mitigations. Identity-focused threat analysis: Defender for Identity and Entra ID P2 expose lateral movement, credential abuse, and risky sign-ins. By mapping tactics and techniques against frameworks like MITRE ATT&CK, organizations can gain the attacker’s perspective on identity systems - fulfilling CAF’s call to view networks from a threat actor’s lens. Cloud application risk visibility: Defender for Cloud Apps highlights shadow IT and potential data exfiltration routes, helping organizations to document and justify controls at each step of the attack chain. Continuous threat intelligence: Microsoft Threat Intelligence enriches detections with global and sector-specific insights on active adversary groups, emerging malware, and infrastructure trends. This sustained feed helps organizations maintain a detailed understanding of current threats, informing risk decisions and prioritization. Why this meets Achieved: E5 capabilities help organizations move beyond reactive alerting to a structured, intelligence-led approach. Threat knowledge is continuously updated, scenarios are documented, and controls are justified at each stage of the attacker path, supporting CAF control A2.b’s expectation that threat understanding informs risk management and defensive prioritization. Sentinel While Microsoft E5 delivers deep visibility across endpoints, identities, and applications, Microsoft Sentinel acts as the unifying layer that helps transform these insights into a comprehensive, evidence-based threat model, a core expectation of Achieved maturity under CAF 4.0 A2.b. How Sentinel enables Achieved outcomes: Comprehensive attack-chain visibility: As a cloud-native SIEM and SOAR, Sentinel ingests telemetry from Microsoft and non-Microsoft sources, including firewalls, OT environments, legacy servers, and third-party SaaS platforms. By correlating these diverse signals into a single analytical view, Sentinel allows defenders to visualize the entire attack chain, from initial reconnaissance through lateral movement and data exfiltration. This directly supports CAF’s requirement to understand how capable, well-resourced actors could systematically target essential systems. Attacker-centric analysis and scenario building: Sentinel’s Analytics Rules and MITRE ATT&CK-aligned detections provide a structured lens on tactics and techniques. Security teams can use Kusto Query Language (KQL) and advanced hunting to identify anomalies, map adversary behaviours, and build plausible threat scenarios, addressing CAF’s expectation to anticipate probable attack methods and justify mitigations at each step. Threat intelligence integration: Sentinel enriches local telemetry with intelligence from trusted sources such as the NCSC and Microsoft’s global network. This helps organizations maintain a current, sector-specific understanding of threats, applying that knowledge to prioritize risk treatment and policy decisions, a defining characteristic of Achieved maturity. Automation and repeatable processes: Sentinel’s SOAR capabilities operationalize intelligence through automated playbooks that contain threats, isolate compromised assets, and trigger investigation workflows. These workflows create a documented, repeatable process for threat analysis and response, reinforcing CAF’s emphasis on continuous learning and refinement. This video brings CAF A2.b – Understanding Threat – to life, showing how public sector organizations can use Microsoft security tools to build a clear, intelligence-led view of attacker behaviour and meet the expectations of CAF 4.0. Why this meets Achieved: By consolidating telemetry, threat intelligence, and automated response into one platform, Sentinel elevates public sector organizations from isolated detection to an integrated, intelligence-led defence posture. Every alert, query, and playbook contributes to an evolving organization-wide threat model, supporting CAF A2.b’s requirement for detailed, proactive, and documented threat understanding. CAF 4.0 challenges every public-sector organization to think like a threat actor, to understand not just what could go wrong, but how and why. Does your organization have the visibility, intelligence, and confidence to turn that understanding into proactive defence? To illustrate how this contributing outcome can be achieved in practice, the one-slider and demo show how Microsoft’s security capabilities help organizations build the detailed, intelligence-informed threat picture expected by CAF 4.0. These examples turn A2.b’s requirements into actionable steps for organizations. In the next article, we’ll explore C2 - Threat Hunting: moving from detection to anticipation and embedding proactive resilience as a daily capability.
