Monthly news - September 2025
Microsoft Defender Monthly news - September 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. New Virtual Ninja Show episodes: Announcing Microsoft Sentinel data lake. Inside the new Phishing Triage Agent in Security Copilot. Microsoft Defender Public Preview items in advanced hunting: The new CloudStorageAggregatedEvents table is now available and brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. You can now investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting. The IdentityEvents table contains information about identity events obtained from other cloud identity service providers. You can now enrich your custom detection rules in advanced hunting by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel. The number of query results displayed in the Microsoft Defender portal has been increased to 100,000. General Availability item in advanced hunting: you can now view all your user-defined rules - both custom detection rules and analytics rules - in the Detection rules page. This feature also brings the following improvements: You can now filter for every column (in addition to Frequency and Organizational scope). For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit. (General Availability) Defender Experts for XDR and Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more (General Availability) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments. (General Availability) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts. (Public Preview) Suggested prompts for incident summaries. Suggested prompts enhance the incident summary experience by automatically surfacing relevant follow-up questions based on the most crucial information in a given incident. With a single click, you can request deeper insight (e.g. device details, identity information, threat intelligence) and obtain plain language summaries from Security Copilot. This intuitive, interactive experience simplifies investigations and speeds up access to critical insights, empowering you to focus on key priorities and accelerate threat response. Microsoft Defender for Endpoint (Public Preview) Multi-tenant endpoint security policies distribution is now in Public Preview. Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. (Public Preview) Custom installation path support for Defender for Endpoint on Linux is available in public preview. (Public Preview) Offline security intelligence update support for Defender for Endpoint on macOS is in public preview. Microsoft Defender for Identity (Public Preview) Entra ID risk level is now available on the Identity Inventory assets page, the identity details page, and in the IdentityInfo table in advanced hunting, and includes the Entra ID risk score. SOC analysts can use this data to correlate risky users with sensitive or highly privileged users, create custom detections based on current or historical user risk, and improve investigation context. (Public Preview) Defender for Identity now includes a new security assessment that helps you identify and remove inactive service accounts in your organization. This assessment lists Active Directory service accounts that have been inactive (stale) for the past 180 days, to help you mitigate security risks associated with unused accounts. For more information, see: Security Assessment: Remove Inactive Service Accounts (Public Preview) A new Graph-based API is now in preview for initiating and managing remediation actions in Defender for Identity. For more information, see Managing response actions through Graph API. (General Availability) Identity scoping is now generally available across all environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview) The new security posture assessment highlights unsecured Active Directory attributes that contain passwords or credential clues and recommends steps to remove them, helping reduce the risk of identity compromise. For more information, see: Security Assessment: Remove discoverable passwords in Active Directory account attributes. Detection update: Suspected Brute Force attack (Kerberos, NTLM). Improved detection logic to include scenarios where accounts were locked during attacks. As a result, the number of triggered alerts might increase. Microsoft Defender for Office 365 SecOps can now dispute Microsoft's verdict on previously submitted email or URLs when they believe the result is incorrect. Disputing an item links back to the original submission and triggers a reevaluation with full context and audit history. Learn more. Microsoft Security Blogs Dissecting PipeMagic: Inside the architecture of a modular backdoor framework A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application. Think before you Click(Fix): Analyzing the ClickFix social engineering technique The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. Storm-0501’s evolving techniques lead to cloud-based ransomware Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).The Best of Microsoft Sentinel — Now in Microsoft Defender
Just over a year ago, we introduced the unified security operations (SecOps) experience within Microsoft Defender, bringing together the full stack of threat protection capabilities across” Security Incident Event Management (SIEM), Extended Detection and Response (XDR), Extended Security Posture Management (XSPM), Cloud Security, Threat Intelligence (TI), and Security Copilot. Thousands of organizations have already embraced this unified SecOps experience to streamline analyst workflows, enhance operational efficiency, and accelerate incident response across their security environments. Today, we are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. This experience encompasses all SIEM features and is accessible to every customer, including large-scale enterprises and partners with complex security environments. With the general availability of multi-tenant and multi-workspace capabilities, security teams can now seamlessly collaborate, investigate threats, and manage incidents across multiple Microsoft Sentinel tenants—all from a single, unified queue. This advancement empowers analysts to operate more efficiently and effectively in today’s dynamic threat landscape. Why Customers Are Making the Move Thousands of organizations have already made the move—and they’re seeing real results. Work smarter: Manage incidents, alerts, and investigations across tenants and workspaces in one unified view. Detect faster: AI-driven insights reduce false positives by 85%* and boost alert correlation speed by 50%*. Respond instantly: Security Copilot delivers guided investigations and automated summaries. Hunt deeper: Investigate threats across Microsoft Sentinel and Defender XDR—no switching, no silos. “The Defender portal is a game-changer. Our team is faster, more focused, and finally working in one place.” — Security Operations Lead, Global Financial Services What’s New—and Why it Matters Advanced Hunting Enhancements Unified queries across Microsoft Sentinel and Defender data, with Security Copilot-assisted KQL generation allows for threat hunting across all data sources from a single portal without context switching and delays. For more information, see Advanced hunting in the Microsoft Defender portal and Security Copilot in advanced hunting. Case Management Use native case workflows in Defender to manage complex investigations efficiently. Features include custom statuses, task assignments, due dates, and multi-incident linking, all while maintaining security context. For more information, see Manage cases natively in Microsoft Defender experience. SOC Optimization Tools Get actionable, tailored recommendations to reduce costs, close data gaps, improve coverage, strengthen your security posture, and maximize ROI. To learn more about the different types of recommendations, see SOC optimization reference. Expanded Threat Intelligence Import indicators in bulk, visualize data better, and map to MITRE ATT&CK. Enrich investigations with deeper context and better visibility into attacker behavior. For more information, see Threat detection features across the Microsoft unified security platform. Embedded Security Copilot The GenAI power of Security Copilot built to the experience. Utilize AI-powered tools to summarize incidents, analyze scripts/files, and generate incident reports directly within the portal. Accelerate response times and reduce analyst fatigue with intelligent automation. For more information, see Security Copilot in Defender. Seamless, Zero-Disruption Onboarding Connecting your Microsoft Sentinel workspace to Defender is fast, simple, and non-disruptive. Your data stays intact, and you can continue using the classic Azure experience while unlocking the full power of Defender. And going forward, all new features and innovations will be delivered exclusively through the Microsoft Defender portal—ensuring you always have access to the most advanced tools in the Microsoft Security ecosystem. Take Action Now Transform your SecOps with Microsoft Defender and take advantage of the latest innovations. Get started today: https://security.microsoft.com Begin the process of onboarding your Microsoft Sentinel workspaces to the Defender portal Transition Guide Pre-recorded webinar Register for upcoming webinars here. *Source: Microsoft internal researchMonthly news - July 2025
Microsoft Defender XDR Monthly news - July 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender (General Availability) In advanced hunting, Microsoft Defender portal users can now use the adx() operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender. Learn more on our docs. Introducing TITAN powered recommendations in Security Copilot guided response. This blog post explains the power of Guided Response with Security Copilot and and the integration of Threat Intelligence Tracking via Adaptive Networks (TITAN). (General Availability) Case management now supports multiple tenants in Microsoft Defender experience. We’re excited to share that multi-tenant support is now generally available in our case management experience. This new capability empowers security teams to view and manage incidents across all their tenants from a single, unified interface—directly within the Microsoft Defender Multi-Tenant (MTO) portal. You can read this blog for more information. Microsoft Defender for Cloud Apps (General Availability) The Behaviors data type significantly enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. This data type is now generally available. Learn more on how to use Behaviors and new detections in this blog post. New Dynamic Threat Detection model. Defender for Cloud Apps new dynamic threat detection model continuously adapts to the ever-changing SaaS apps threat landscape. This approach ensures your organization remains protected with up-to-date detection logic without the need for manual policy updates or reconfiguration. Microsoft Defender for Endpoint (General Availability) Global exclusions on Linux are now generally available. We just published a new blog post, that discussed how you can manage global exclusion policies for Linux across both AV and EDR. (General Availability) Support for Alma Linux and Rocky Linux is now generally available for Linux. (General Availability) Behavior monitoring on macOS is now generally available. Read this blog post to learn more about it and how it improves the early detection and prevention of suspicious and malicious activities targeting macOS users. (Public Preview) Selective Isolation allows you to exclude specific devices, processes, IP addresses, or services from isolation actions. More details in this blog post "Maintain connectivity for essential services with selective network isolation" Microsoft Defender for Identity (Public Preview) Domain-based scoping for Active Directory is now available in public preview. This new capability enables SOC analysts to define and refine the scope of Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. Read this announcement blog for more details. (Public Preview) Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. For more details, have a look at this announcement blog post. Microsoft Defender for Office 365 Introducing the Defender for Office 365 ICES Vendor Ecosystem - a unified framework that enables seamless integration with trusted third-party vendors. Learn more about this exciting announcement in this blog post. (General Availability) Auto-Remediation of malicious messages in Automated Investigation and Response is now generally available. Have a look at this detailed blog post on how it works. Mail bombing is now an available Detection technology value in Threat Explorer, the Email entity page, and the Email summary panel. Mail bombing is also an available DetectionMethods value in Advanced Hunting. For more information, see MC1096885. AI-powered Submissions Response introduces generative AI explanations for admin email submissions to Microsoft. For more information, see Submission result definitions. Microsoft Security Exposure Management (Public Preview) Enhanced External Attack Surface Management integration with Exposure Management. This new integration allows you to incorporate detailed external attack surface data from Defender External Attack Surface Management into Exposure Management. Learn more on our docs. Microsoft Security Blogs Unveiling RIFT: Enhancing Rust malware analysis through pattern matching As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. Threat Analytics (Access to the Defender Portal needed) Tool Profile: Qilin ransomware. Qilin (also called Agenda) is a ransomware as a service (RaaS) offering that was first observed in 2022. It has been used by multiple cybercriminal groups, including Pistachio Tempest, Octo Tempest, and most recently Moonstone Sleet. While the ransom attacks appear to be opportunistic rather than targeted, they have had notable impacts against healthcare and media companies. Activity Profile: Emerald Sleet using QR codes for credential harvesting. In May 2025, Microsoft Threat Intelligence observed the North Korean threat actor that Microsoft tracks as Emerald Sleet using QR (quick response) codes designed to lure recipients to credential-harvesting sites in phishing emails. Vulnerability profile: CVE-2025-34028 – Commvault Command Center Innovation Release. According to the National Institute of Standards and Technology (NIST), “the Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.” Activity Profile: Forest Blizzard trojanizes Ukraine software to deliver new variant of Blipslide downloader. Since March, Microsoft Threat intelligence observed the Russian military intelligence threat actor Forest Blizzard infect devices in Ukraine with a new variant of BlipSlide malware, a downloader that the threat actor uses for command and control (C2). Actor Profile: Storm-2416. The threat actor that Microsoft tracks as Storm-2416 is a nation-state activity group based out of China. Storm-2416 is known to primarily target information technology (IT), government, and other business entities in Europe, Asia, Oceania, and South and North America. Activity Profile: Suspicious OAuth applications used to retrieve and send emails. In late February 2025, Microsoft discovered a set of malicious Open Authorization (OAuth) applications, including one that impersonated Outlook, that can retrieve and send emails. Actor Profile: Storm-0126. The threat actor that Microsoft tracks as Storm-0126 is a nation-state activity group based out of China. Storm-0126 is known to primarily target defense industry enterprises, public institutions, research institutes, and military-industrial organizations worldwide. Actor Profile: Storm-2001. Microsoft assesses with high confidence that the threat actor Microsoft tracks as Storm-2001 is a Russian state-sponsored actor. It is known to primarily target defense organizations in the North Atlantic Treaty Organization (NATO) alliance—specifically, member states that form NATO’s Enhanced Forward Presence (EFP) program, recent NATO members, and other related organizations that engage in NATO-related communications and planning. Activity profile: Storm-2561 distributes trojanized SonicWall NetExtender SilentRoute. In late May 2025, Storm-2561 began distributing malware that Microsoft detects as SilentRoute. The malware is a trojanized version of SonicWall’s SSL VPN NetExtender application that transmits the user’s VPN configuration data to a hardcoded IP address.Blog Series: Limitless Advanced Hunting with Azure Data Explorer (ADX)
Leverage the power of Azure Data Explorer (ADX) to extend your Microsoft 365 Defender (XDR) / Microsoft Defender For Endpoint advanced hunting data for as long as you want (10 years!). If you enjoy rewriting queries just to look through old data and spending time and money rehydrating it, this post isn't for you!Monthly news - August 2025
Microsoft Defender XDR Monthly news - August 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender Microsoft Sentinel is moving to the Microsoft Defender portal to deliver a unified, AI-powered security operations experience. Many customers have already made the move. Learn how to plan your transition and take advantage of new capabilities in the this blog post. Introducing Microsoft Sentinel data lake. We announced a significant expansion of Microsoft Sentinel’s capabilities through the introduction of Sentinel data lake, now rolling out in public preview. Read this blog post for a look at some of Sentinel data lake’s core features. (Public Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. (Public Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken. Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel. Microsoft Sentinel’s new Summary Rules Templates offer a structured and efficient approach to aggregating verbose data - enabling security teams to extract meaningful insights while optimizing resource usage. Automating Microsoft Sentinel: Playbook Fundamentals. This is the third entry of the blog series on automating Microsoft Sentinel. In this post, we’re going to start talking about Playbooks which can be used for automating just about anything. Customer success story: Kuwait Credit Bank boosts threat detection and response with Microsoft Defender. To modernize its security posture, the bank unified its security operations under Microsoft Defender XDR, integrating Microsoft Sentinel and Microsoft Purview. Microsoft Defender for Cloud Apps App Governance is now also available in Brazil, Sweden, Norway, Switzerland, South Africa, South Korea, Arab Emirates and Asia Pacific. For more details, see our documentation.. Updated network requirements for GCC and Gov customers. To support ongoing security enhancements and maintain service availability, Defender for Cloud Apps now requires updated firewall configurations for customers in GCC and Gov environments. To avoid service disruption, take action by August 25, 2025, and update your firewall configuration as described here. Discover and govern ChatGPT and other AI apps accessing Microsoft 365 with Defender for Cloud Apps. In this blog post, we’ll explore how Defender for Cloud Apps helps security teams gain enhanced visibility into the permissions granted to AI applications like ChatGPT as they access Microsoft 365 data. We’ll also share best practices for app governance to help security teams make informed decisions and take proactive steps to enable secure usage of AI apps accessing Microsoft 365 data. Microsoft Defender for Endpoint (General Availability) Microsoft Defender Core service is now generally available on Windows Server 2019 or later which helps with the stability and performance of Microsoft Defender Antivirus. Microsoft Defender for Identity Expanded coverage in ITDR deployment health widget. With this update, the widget also includes deployment status for ADFS, ADCS, and Entra Connect servers - making it easier to track and ensure full sensor coverage across all supported identity infrastructure. Time limit added to Recommended test mode. Recommended test mode configuration on the Adjust alert thresholds page, now requires you to set an expiration time (up to 60 days) when enabling it. The end time is shown next to the toggle while test mode is active. For customers who already had Recommended test mode enabled, a 60-day expiration was automatically applied. Identity scoping is now available in Governance environments. Organizations can now define and refine the scope of Defender for Identity monitoring and gain granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. New security posture assessments for unmonitored identity servers. Defender for Identity has three new security posture assessments that detect when Microsoft Entra Connect, Active Directory Federation Services (ADFS), or Active Directory Certificate Services (ADCS) servers are present in your environment but aren't monitored. Learn more in our documentation. Microsoft Defender for Office 365 Protection against multi-modal attacks with Microsoft Defender. This blog post showcases how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal. Users can report external and intra-org Microsoft Teams messages from chats, standard and private channels, meeting conversations to Microsoft, the specified reporting mailbox, or both via user reported settings. Microsoft Security Blogs Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats. Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability. Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak sensitive information cached by Apple Intelligence. Disrupting active exploitation of on-premises SharePoint vulnerabilities. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.Monthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see, Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices – Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance - A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles – Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.Security Copilot: A game changer for modern SOC
In today's rapidly evolving threat landscape, Security Operations Centers (SOCs) face relentless pressure to swiftly and accurately detect, investigate, and respond to security incidents. As frontline defenders of an organization’s cybersecurity, security analysts need real-time intelligent insights to boost investigation and response. Microsoft Security Copilot empowers security teams with gen AI-powered capabilities that streamline workflows, automate tasks and upskill teams, enhancing overall SOC efficiency. A recent study showed customers could achieve 30% reduction in MTTR for security incidents. We are committed to continuously improving our products based on valuable customer feedback. By listening to our users and understanding their needs, we have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. AI-powered insights to accelerate investigation and response When SOC analysts investigate and respond to incidents, Security Copilot offers a comprehensive description of the attack, affected systems, and event timelines, paired with clear, actionable steps for swift remediation and mitigation. Some of our recent innovations include: Enhancement! The Microsoft Sentinel Incident Summary, available in the Copilot standalone experience has been enhanced and now aligns with the Defender incident summaries, offering detailed, step-by-step descriptions of the attack. The summary includes key information such as the attack's start time, timelines, involved assets, indicators of compromise (IOCs), kill chain steps, and a direct link to the incident page. These improvements enable you to request a summary of a Microsoft Sentinel incident from either the standalone or the unified security operations platform embedded experience. Microsoft Sentinel incident summary in standalone experience Enhancement! Users can request Copilot to list incidents in Defender and/or Microsoft Sentinel through a prompt in the standalone portal, filtering by assignment, classification, creation time, determination, last update time, severity, and status. List of incidents In addition, users can also retrieve a list of entities for a specified incident. Figure 3: List of entities for an incident These enhancements allow analysts to efficiently retrieve incidents and entities on demand and apply additional filters for more targeted actions. Enhancement! A recent enhancement to Guided Response enables security analysts to easily communicate with end users, a common activity in the SOC that is particularly helpful for incident triage. Copilot now dynamically generates text for analysts to use, describing the observed user activity under investigation. Analysts can contact the user directly via Teams using the readily available Guided Response recommendation button or copy the generated text to their preferred communication tool. Dynamicallygenerated text for analysts to use This allows for quick and efficient communication with end users, accelerating the incident investigation process and saving the analyst from the tedious task of crafting the message with all the necessary information about the incident. New! During incident investigations, analysts commonly review details about participating assets and entities. In addition to the already available insightful Device Summary, the new Identity Summary provides a comprehensive overview of user identities, highlighting behavioral anomalies and potential misconfigurations. This feature is crucial for SOC analysts as it offers clear, contextual insights into identity-related activities, enabling quicker identification and resolution of security issues. By summarizing key information such as login locations, role changes, and authentication methods, the Identity Summary helps analysts understand the full scope of identity behaviors and risks Figure 5: Identity Summary Enhancement! The script and file analysis features in Security Copilot simplify complex investigations by translating what a script does into natural language and streamlining the analysis of multiple executable files. With the new addition of relevant MITRE ATT&CK techniques to the analysis, SOC analysts can quickly understand the attack tactics and techniques used by adversaries and provide faster and better response. Figure 6: MITRE techniques used Enhancement! The Security Copilot incident report compiles all response activities into a detailed report of the security incident. It includes what happened, the actions taken, by whom and when, and the reason for classification. Initially, the incident report gathered its data from Defender and Microsoft Sentinel, including incident management actions like status changes and assignments, comments from the activity log, actions and playbooks performed on entities within the incident, and more. To further streamline report sharing and provide a more holistic view, the incident report now also integrates with the third-party case management system ServiceNow to include in the report incident investigation and remediation steps logged in ServiceNow tickets. This integration requires the bidirectional connector between Microsoft Sentinel and ServiceNow to be installed. Strengthen your security with improved Threat Intelligence content Copilot integrated with Threat Intelligence empowers security teams with comprehensive information about threat actors, threat tools, indicators of compromise (IOCs) related to vulnerabilities and incidents, providing contextual threat intelligence directly from Microsoft Defender Threat Intelligence (Defender TI) to detect, analyze, and respond to threats more effectively. At Ignite, customers will see exciting enhancements to this experience, including: New! The ten new MDTI indicator skills can leverage the full corpus of raw and finished threat intelligence in MDTI to link any IoC (indicator of compromise) to all related data and content, providing critical context to attacks and enabling advanced research and preemptive hunting capabilities, including threat infrastructure chaining and analysis, offering defenders a head start on adversaries. Gain critical context with MDTI Enhancement! Copilot can now leverage vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Management (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence impact the organization. This capability helps customers prioritize vulnerabilities and have an in-depth understanding of the impact of this vulnerability on the organization. Overview of vulnerability Improved Copilot sidecar with better user control The recent updates to the Copilot side panel in the embedded experience provide more flexibility, allowing you to open or close Copilot based on your preference. This helps optimize screen space while investigating incidents or entities, using Advanced Hunting, or navigating the Threat Intelligence pages. Once you close the Copilot side panel in any of these scenarios, it will remember your preference and stay closed. gure 9: Close Copilot based on preference You can reopen the Copilot panel anytime for AI-powered insights to aid your SOC workflows. Microsoft recommends keeping the Copilot panel open to ensure you are receiving real time insights to stay ahead of threats. Reopen Copilot panel Looking forward Security Copilot is revolutionizing the way security teams operate by providing advanced AI-driven capabilities that not only enhance their efficiency and effectiveness but also empowers them to stay ahead of threats and protect their organizations at the speed and scale of AI. Microsoft is committed to delivering industry-leading innovation with precise insights for faster and more effective threat detection and response. We are working closely with our customers to collect feedback and will continue to add more functionality. As always, we would love to hear your thoughts. Resources Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn Microsoft Copilot for Security | Microsoft Security Microsoft Copilot for Security - Pricing | Microsoft Azure What’s new in Defender: How Copilot for Security can transform your SOC | Microsoft Community Hub Operationalizing Microsoft Security Copilot to Reinvent SOC Productivity What’s New at Ignite: Unified Threat Intelligence Experience in CopilotMonthly news - June 2025
Microsoft Defender XDR Monthly news - June 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph. In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats. (Public Preview) Unified detections rules list that includes both analytics rules and custom detections is in public preview. Learn more in our docs. The Best of Microsoft Sentinel — Now in Microsoft Defender. We are proud to share that the most advanced and integrated SIEM experience from Microsoft Sentinel is now fully available within the Microsoft Defender portal as one unified experience. (General Available) Multi workspace for single and multi tenant is now in General Available. (Public Preview) Case management now available for the Defender multitenant portal. For more information, see View and manage cases across multiple tenants in the Microsoft Defender multitenant portal. (Public Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. For more information, see Visualize security impact with the unified security summary. (Public Preview) New Microsoft Teams table: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery (Public Preview) New Microsoft Teams table: The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization (Public Preview) New Microsoft Teams table: The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization Unified IdentityInfo table in advanced hunting now includes the largest possible set of fields common to both Defender and Azure portals. Microsoft Defender for Endpoint (Webinar - YouTube Link) Secure Your Servers with Microsoft's Server Protection Solution- This webinar offers an in-depth exploration of Microsoft Defender for Endpoint on Linux. Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test. Discover how automatic attack disruption protects critical assets while ensuring business continuity. Microsoft Defender for Office 365 Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel New deployment guide: Quickly configure Microsoft Teams protection in Defender for Office 365 Plan 2 New SecOps guide: Security Operations Guide for Teams protection in Defender for Office 365 Video - Ninja Show: Advanced Threat Detection with Defender XDR Community Queries Video- Mastering Microsoft Defender for Office 365: Configuration Best Practices Video - Ninja Show: Protecting Microsoft Teams with Defender for Office 365 This blog discussed the new Defender for Office 365 Language AI for Phish Model. SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps. Microsoft Defender for Cloud Apps New Applications inventory page now available in Defender XDR. The new Applications page in Microsoft Defender XDR provides a unified inventory of all SaaS and connected OAuth applications across your environment. For more information, see Application inventory overview. The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications. Note: As part of our ongoing convergence process across Defender workloads, Defender for Cloud Apps SIEM agents will be deprecated starting November 2025. Learn more. Microsoft Defender for Identity (Public Preview) Expanded New Sensor Deployment Support for Domain Controllers. Learn more. Active Directory Service Accounts Discovery Dashboard. Learn more. Improved Visibility into Defender for Identity New Sensor Eligibility in the Activation page. The Activation Page now displays all servers from your device inventory, including those not currently eligible for the new Defender for Identity sensor. Note: Local administrators collection (using SAM-R queries) feature will be disabled. Microsoft Security Blogs Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape Marbled Dust leverages zero-day in Output Messenger for regional espionage Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer New Russia-affiliated actor Void Blizzard targets critical sectors for espionage Defending against evolving identity attack techniques Threat Analytics (Access to the Defender Portal needed) Activity profile - AITM campaign with brand impersonated OAUTH applications Threat overview: SharePoint Server and Exchange Server threats Vulnerability profile: CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability Actor profile: Storm-0593 [TA update] Actor profile: Storm-0287 Activity Profile: Marbled Dust leverages zero-day to conduct regional espionage [TA update] Technique profile: ClickFix technique leverages clipboard to run malicious commands Technique profile: LNK file UI feature abuse Technique profile: Azure Blob Storage threats Activity profile: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer Vulnerability profile - CVE-2025-30397 Activity profile: Recent OSINT trends in information stealersAnnouncing Rich Text for Case Management
In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. Key Benefits of Rich Text for Case Management Improve Communication Across All Case Elements: Rich text enhances the clarity and impact of case descriptions, comments, tasks, and closing notes. Formatting options help highlight critical information, ensuring important details are not missed, leading to more efficient case handling and better outcomes. Share Queries and Results Using Code Blocks and Tables: Efficient data sharing and analysis are crucial in SecOps. Rich text allows embedding code blocks and tables within case documentation, presenting queries and results clearly and organized, facilitating better analysis and decision-making. Link to Related Content: Rich text supports hyperlinks, enabling direct links to relevant resources, documents, and websites. This ensures all necessary information is easily accessible, enhancing the efficiency of case management. Leveraging Rich Text for Case Management ensures your written content is clear, organized, and effective, ultimately leading to better case outcomes and improved communication within your organization.Monthly news - March 2025
Microsoft Defender XDR Monthly news March 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Public Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see Exclude assets from automated responses in automatic attack disruption. (Public Preview) The PrivilegedEntraPimRoles column is available for preview in the advanced hunting IdentityInfo table. (General Available) You can now view how Security Copilot came up with the query suggestion in its responses in Microsoft Defender advanced hunting. Select See the logic behind the query below the query text to validate that the query aligns with your intent and needs, even if you don't have an expert-level understanding of KQL. We are excited to announce that we increase the Multi Tenant Organization (MTO) tenant limit - and now you can manage up to 100 tenants to your MTO view. With that, you can view incident, hunt, and see and manage all your data from one single pane of glass. This is only the first step to improve management at scale. Learn more in our docs. (General Available) Sentinel only is now in General Available for Unified Security Operations platform. Customers with no E5 license can now onboard their workspace and work in the unified platform for all features (single workspace only, for single tenant and for multi tenant) (General Available) Gov Clouds/ GCCH and DoD is now in General Available for Unified Security Operations platform. Customers with single workspace (for both multi tenant and single tenant) are now able to work in the unified platform on all features. Query assistant - KQL response explanation. The Security Copilot Query Assistant in Advanced Hunting generates KQL queries from requests in natural language, allowing hunting for threats, without having a deep knowledge in KQL and schema. With this new feature, it is possible to review the logic behind the KQL queries generated by Copilot, including a breakdown of the query. This enhancement helps validate the query aligns with the intent and needs, even without deep understanding of KQL. (Public Preview) IP addresses can now be excluded from automated containment responses triggered by automatic attack disruption. Microsoft Sentinel Threat Intelligence Ingestion rules: This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Sentinel. You can now set custom conditions and actions on Indicators of Compromise (IoCs), Threat Actors, Attack Patterns, Identities, and their Relationships. Learn more in this blog post. Missed the live session? Watch our recorded webinar on "SIEM as Code", a transformative approach shaping the future of SIEM. Learn how to implement it in Microsoft Sentinel using the repositories feature and explore best practices for automation and scalability. Microsoft Defender Experts for XDR Published Scoped coverage in Microsoft Defender Experts for XDR. Microsoft Defender Experts for XDR offers scoped coverage for customers who wish to have Defender Experts cover only a section of their organization (for example, specific geography, subsidiary, or function) that requires security operations center (SOC) support or where their security support is limited. Learn more on our docs. Microsoft Defender for Identity (General Available) New Identity Guide Tour We've added an interactive guide tour in the Defender XDR portal to help you navigate identity security features, investigate alerts, and enhance your security posture with ease. (General Available) New attack paths tab on the Identity profile page. This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management. (General Available) New and updated events in the Advanced hunting IdentityDirectoryEvents table. We have added and updated various events in the IdentityDirectoryEvents table in Advanced Hunting. Learn more on our docs. (General Available) Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and so on. Defender for Identity integration with Entra Privileged Identity Management (PIM) - SOC can now view identities in the Defender XDR portal that are eligible to elevate to privileged roles via Entra PIM. New tag and list of user's Entra privileged roles (eligible and assigned) were added to user page and side panel in the Defender XDR portal and Identity Info table. Privileged Access Management (PAM) vendors integration with MDI – CyberArk, Delinea and BeyondTrus. The integration provide the SOC with visibility for on-prem / Entra ID privileged identities managed in the PAM solution, adding new tag on privileged identities in Defender XDR user page, side panel and Identity Info table, allowing for incident prioritization, custom detections, advanced hunting and more. SOC can also initate a remediation action to 'enforce password rotation' on compromised privileged identity directly in the XDR Defender portal. Intagration need to be enabled by the customer in the Partners portal. Go to XDR Technical Partners catalog to see the new partners integrations, and access the PAM vendors marketplace. 2 New Entra Detections and on-prem detection improvement. Entra new detections: "suspicious multiple TAP creation for the same user account" and "suspicious alternative phone number addition". Detection improvement in on-prem: "Blood hound python" - version udpate to cover FN. New recommendations for Identity Security Posture. In this blog we will focus on some key things to consider for your Active Directory (AD) footprints. Active Directory is a critical element of user authentication, and its complexity leaves many opportunities for potential misconfigurations, making it a prime target for attackers. To address these vulnerabilities, we’ve added 10 new recommendations aimed at strengthening your identity security posture and protecting against evolving threats. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Azure Key Vault with high number of operations: This rule identifies and classifies Azure Key Vaults that experience a high volume of operations, indicating their criticality within the cloud environment. Security Operations Admin Device: This rule applies to critical devices used to configure, manage, and monitor the security within an organization are vital for security operations administration and are at high risk of cyber threats. They require top-level security measures to prevent unauthorized access. For more information, see, Predefined classifications Microsoft Defender for Endpoint (General Available) Aggregated reporting in Microsoft Defender for Endpoint is now generally available. For more information, see Aggregated reporting in Microsoft Defender for Endpoint. Guidance for penetration testing and breach-and-attack-simulation scenarios with Defender for Endpoint. This new article describes common challenges and potential misconfigurations that might arise during penetration testing (pen testing) or using breach and attack simulation (BAS) tools. This article also describes how to submit potential false negatives for investigation. This article describes how to use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus. Microsoft Blogs Code injection attacks using publicly disclosed ASP.NET machine keys. The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation Storm-2372 conducts device code phishing campaign. Threat Analytics Reports (access to the Defender XDR portal required) Activity Profile: Emerald Sleet using PowerShell to exploit targets Actor Profile: Storm-1660 Technique Profile: Code injection attacks using disclosed ASP.NET machine keys Tool Profile: GoldBackdoor Activity Profile: Forest Blizzard targeting Western civilian transportation Activity Profile: BadPilot campaign - Seashell Blizzard subgroup conducts multiyear global access operation Activity Profile: Sapphire Sleet uses fraudulent Zoom domains in recent spear-phishing activities Activity Profile: Malvertising campaign leads to info stealers hosted on GitHub Activity Profile: New Zigzag Hail phishing campaigns adapt long-running malware operation to continue targeting Japan Actor Profile: Storm-1830 Activity Profile: Phishing campaign impersonates Booking.com, delivers multiple commodity malware Activity Profile: Storm-2372 conducts device code phishing campaign Activity Profile: Threat landscape for the information technology sector in 2024 Vulnerability Profile: CVE-2025-21333 Multiple vulnerabilities found in Windows Hyper-V NT Kernel Integration VSP Vulnerability Profile: CVE-2025-21391 Activity Profile: IronSentry PhaaS launches after NakedPages shuts down Vulnerability Profile: CVE-2024-43583 - Winlogon Tool Profile: FusionDrive Vulnerability Profile: CVE-2025-21420 Vulnerability Profile: CVE-2025-21419 Activity Profile: Salt Typhoon targets telecommunications and internet service providers
