Roadmap, security and documentation changes captured for Microsoft Defender XDR.
PreviewMicrosoft Defender XDR
Entity enrichments with threat intelligence: Entity pages for IP addresses, domains, URLs, and files now include a Threat Intelligence Insights tab that surfaces enrichment data from Microsoft Threat Intelligence directly in the investigation workflow. Enrichments include reputation scores, attributed threat reports, infrastructure relationships, and sandbox analysis, eliminating the need to switch between separate tools during investigations. For more information, see View threat intelligence in entity pages.
PreviewMicrosoft Defender XDR
The Identity Security dashboard now includes a new Human identities card that shows your human identities by source (Entra ID, SaaS, and on-premises), giving you a single view of where your human identities live. For more information, see Identity Security dashboard.
PreviewMicrosoft Defender XDR
On the Coverage and maturity page, the Review and improve coverage side panel for SaaS Identities now includes an Observed column and a Show Only Observed Applications toggle. By default, the panel shows only SaaS applications detected in your environment. Turn off the toggle to see other supported SaaS applications you can onboard to expand your identity coverage. For more information, see Coverage and maturity.
PreviewMicrosoft Defender XDRAdvanced Hunting
Local AI agent discovery on Windows endpoints: as part of the Defender AI agents experience, Microsoft Defender now automatically discovers supported local AI agents running on onboarded Windows devices - including coding agents and IDE extensions, desktop AI assistants, local AI runtimes, and agent platforms. Discovered agents appear as assets in the AI agent inventory, exposure map, and advanced hunting, giving security teams visibility into local AI agent usage across the organization. For more information, see Discover local AI agents.
PreviewMicrosoft Defender XDRDefender for Endpoint
Local AI agent runtime protection on Windows endpoints: as part of the Defender AI agents experience, runtime protection for supported local AI agents on Windows endpoints is now available in public preview. Microsoft Defender inspects the agent loop (user prompts, tool calls, and tool responses) and can block risky activity before it executes, helping stop prompt injection and unsafe agent actions at the device level. Blocked and audited events appear as alerts in Microsoft Defender to support incident correlation and investigation workflows. For more information, see Set up AI agent runtime protection with Microsoft Defender for Endpoint.
GAMicrosoft Defender XDRDefender for CloudAdvanced Hunting
The following advanced hunting schema tables are now generally available: The `CloudAuditEvents` table contains information about cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud. The `CloudDnsEvents` table contains information about DNS activity events from cloud infrastructure environments. The `CloudProcessEvents` table contains information about process events in multicloud hosted environments.
PreviewMicrosoft Defender XDRAdvanced Hunting
The `AgentsInfo` table in advanced hunting is now available in preview. The `AIAgentsInfo` table is transitioning to this new table, which provides a unified schema that supports agent inventory and governance for all agent types, including Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint-discovered agents. Microsoft Agent 365 customers should use the `AgentsInfo` table today. The `AIAgentsInfo` table remains accessible until July 1, 2026. Update your queries to use `AgentsInfo` before this date. For more information, see Advanced hunting schema - Naming changes.
defenderMicrosoft Defender XDRDefender for Cloud
Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers are now offered as standalone offerings for customers who wish to avail managed extended detection and response and threat hunting services for their on-premises and multicloud servers protected by Microsoft Defender for Cloud. These services were previously offered as add-ons to Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting, respectively. Learn more.
PreviewMicrosoft Defender XDR
Automatic attack disruption can now isolate compromised devices from the network when high-confidence incident analysis indicates the device is being used as an active foothold. Isolation blocks attacker communication and lateral movement while keeping the device connected to security services. The action is time-limited, scoped to devices involved in the incident, and can be released by security operators at any time. Learn more
defenderMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, the Take action wizard now lets customers allow or block top-level domains and files attachment hashes in emails based on query results. Learn more.
defenderMicrosoft Defender XDRAdvanced Hunting
The hunting graph in advanced hunting now includes new identity-focused predefined scenarios. These scenarios help you discover attack paths, privilege escalation routes, and credential access risks across on-premises and cloud environments, including Kerberoast and AS-REP roast paths, domain compromise routes, OAuth application risks, and guest user access to cloud resources.
defenderMicrosoft Defender XDR
Defender Chat experience (Preview) is an open prompt chat assistant built into Microsoft Defender. It helps SOC analysts investigate threats, explore incidents, and answer security questions in plain language, without needing to navigate multiple screens or write complex queries.
PreviewMicrosoft Defender XDR
You can now view the current status of automatic attack disruption and predictive shielding actions related to a specific incident. You view this data in the Activities tab of the incident page. Learn more
PreviewMicrosoft Defender XDRAdvanced Hunting
The `AIAgentsInfo` table in advanced hunting now includes additional columns that provide deeper visibility into AI agents operating in your Microsoft 365 environment. These fields expand coverage beyond Copilot Studio to all agent types, including Microsoft Foundry, third-party marketplace, and custom line-of-business agents.
GAMicrosoft Defender XDRDefender for EndpointDefender for Office 365
Built-in alert tuning rules are now generally available. Built-in alert tuning rules suppress alerts from common benign activity in Defender for Endpoint and Defender for Office 365 without affecting Automated Investigation and Response (AIR) investigations and email notifications.
defenderMicrosoft Defender XDR
Microsoft Defender Experts for XDR customers can now see Defender Experts as a distinct entry in the Microsoft Defender portal navigation menu. This feature adds to the existing home page status card as in-portal experiences that provide consistent and predictable access to the service. Learn more
defenderMicrosoft Defender XDR
Identity security enhancements: New identity security capabilities help you monitor and manage identity security for human and non-human identities: (Preview) Identity Security dashboard: The Identity Security dashboard provides summary cards for identity providers, on-premises identities, SaaS identities, PAM and IGA integrations, and non-human identities. For more information, see The Identity Security dashboard. The Identity Security dashboard is being rolled out gradually to customers, and might not yet be available in your organization. (Preview) Coverage and maturity page: The Coverage and maturity page shows your organization's identity security coverage with maturity levels, including Connected, Protected, Fortified, and Resilient, and prioritized setup tasks. For more information, see Coverage and maturity. The Coverage and maturity page is being rolled out gradually to customers, and might not yet be available in your organization. If you don't see this feature in your environment yet, check back soon. Identity inventory: The Identity inventory page now shows human and non-human identities in separate tabs. Insight cards help you classify critical assets, view highly privileged identities, identify critical Active Directory service accounts, and view cloud application accounts. For more information, see View the Identity inventory. (Preview) Non-human identities: The Non-human identities tab shows non-human identities, including Microsoft Entra ID apps, Active Directory service accounts, Google Workspace apps, and Salesforce apps. For more information, see Identity inventory and Investigate non-human identities. (Preview) Identity risk score: A new risk score for identities, ranging from 0 to 100, that indicates the likelihood of compromise and the potential impact based on criticality and privileged roles. The risk score is available in Microsoft Entra ID, where it can be used to inform conditional access policies and identity protection workflows. A new Risk score tab on the Identity page provides a detailed breakdown of the risk factors, including percentile comparison and risk trends. For more information, see Investigate an identity. (Preview) Domain investigation page: The Domain investigation page shows Active Directory domain security, including domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships. For more information, see Investigate a domain. (Preview) Identity security recommendations: View recommendations from Active Directory, Microsoft Entra ID, SaaS applications, and supported non-Microsoft identity providers. For more information, see Identity security recommendations.
PreviewMicrosoft Defender XDRDefender for CloudAdvanced Hunting
The following advanced hunting schema tables are now available for preview: The `CloudDnsEvents` table contains information about DNS activity events from cloud infrastructure environments. The `CloudPolicyEnforcementEvents` table contains policy enforcement evaluation decisions and metadata of security gating events for various cloud platforms protected by the organization's Microsoft Defender for Cloud.
defenderMicrosoft Defender XDR
To improve accuracy and better protect organizational identities, we've made updates to the Secure Score category calculations. Some security recommendations categorized as Cloud apps recommendations are now considered identity‑related and grouped under the Identity category. While the total Secure Score remains unchanged, individual identity and app scores may change.
PreviewMicrosoft Defender XDR
Customers can now use filters on very large incidents with many alerts and entities or hide specific entities to simplify complex incident graphs. By simplifying the graphs, security teams can focus their investigations on what matters most. Learn more
defenderMicrosoft Defender XDR
The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity.
defenderMicrosoft Defender XDR
Microsoft Defender Experts for Hunting customers can now set up Notification contacts. These contacts are the individuals or groups that Microsoft needs to notify if there are critical incidents or service updates.
GAMicrosoft Defender XDRAdvanced Hunting
The following advanced hunting schema tables are now generally available: The `IdentityAccountInfo` table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. The `EntraIdSignInEvents` table contains information about Microsoft Entra interactive and non-interactive sign-ins. The `EntraIdSpnSignInEvents` table contains information about Microsoft Entra service principal and managed identity sign-ins. The `GraphApiAuditEvents` table provides information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
PreviewMicrosoft Defender XDR
Custom detection rules in Microsoft Defender now support Near Real-Time (NRT) configuration on Microsoft Sentinel data.
PreviewMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, if the query result exceeds the 64-MB size limit, the portal now returns the maximum number of records it can within this limit and displays a message indicating that the displayed results are partial due to size constraints. Learn more
PreviewMicrosoft Defender XDRAdvanced Hunting
The `BehaviorInfo` and `BehaviorEntities` tables in advanced hunting now include additional columns and information about behavior data types and alerts from User and Entity Behavior Analytics (UEBA), providing more insights on the relationships between identified behaviors and entities. Learn more about UEBA behaviors
PreviewMicrosoft Defender XDRSecurity Copilot
Microsoft Security Copilot in Microsoft Defender now includes the Dynamic Threat Detection Agent, an always-on, adaptive backend service that uncovers hidden threats across Defender and Microsoft Sentinel environments. Learn more
GAMicrosoft Defender XDRSecurity Copilot
The Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender is now generally available. It generates threat intelligence briefings based on the latest threat actor activity and both internal and external vulnerability information in a matter of minutes, helping security teams save time by creating customized, relevant reports.
PreviewMicrosoft Defender XDRSecurity Copilot
Microsoft Security Copilot in Microsoft Defender now lets you hunt for threats by using natural language with the Threat Hunting Agent. This agent delivers a complete, conversational threat hunting experience by not only generating queries but also interpreting results, surfacing insights, and guiding you through full hunting sessions.
PreviewMicrosoft Defender XDRDefender for Office 365Advanced Hunting
The following advanced hunting schema tables are now available for preview: The `CampaignInfo` table contains information about email campaigns identified by Microsoft Defender for Office 365. The `FileMaliciousContentInfo` table contains information about files that Microsoft Defender for Office 365 processed in SharePoint Online, OneDrive, and Microsoft Teams.
GAMicrosoft Defender XDRAdvanced Hunting
The hunting graph in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs.
GAMicrosoft Defender XDRAdvanced Hunting
Advanced hunting now supports custom functions that use tabular parameters. By using tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. Learn more
defenderMicrosoft Defender XDR
Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. To view these alert types, you must have the Security Administrator or higher role. The Service Source, Detection Source, and Product Name values for these alerts are listed as *Microsoft Threat Intelligence*. For more information, see Incidents and alerts in the Microsoft Defender portal.
PreviewMicrosoft Defender XDR
Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more
PreviewMicrosoft Defender XDR
A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation.
PreviewMicrosoft Defender XDRAdvanced Hunting
The `IdentityAccountInfo` table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account.
PreviewMicrosoft Defender XDR
Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more
PreviewMicrosoft Defender XDR
The overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization.
defenderMicrosoft Defender XDR
Microsoft Defender Experts for XDR reports now include a Trends tab that provides you with the monthly volume of investigated and resolved incidents for the last six months. The tab visualizes the data according to the incidents' severity, MITRE tactic, and threat type. This section gives you insight into how Defender Experts are tangibly improving your security operations by showing important operational metrics on a month-over-month basis.
defenderMicrosoft Defender XDR
Microsoft Defender Experts for Hunting reports now include an Emerging threats section that details the proactive, hypothesis-based hunts Defender Experts conducted in your environment. Each report also now includes investigation summaries for nearly every hunt that Defender Experts conduct in your environment, regardless of whether they identified a confirmed threat.
PreviewMicrosoft Defender XDRSecurity Copilot
Use tasks in the Microsoft Defender portal to break down incident investigations into actionable steps and assign them across your operations teams. Tasks are displayed alongside Security Copilot insights, guided responses, and reports - giving your team a unified view of progress and next steps. When you onboard Microsoft Sentinel to the Defender portal, tasks you create in Microsoft Sentinel through the Azure portal are automatically synchronized to the Defender portal. For more information, see Streamline incident response using tasks in the Microsoft Defender portal (Preview)
PreviewMicrosoft Defender XDR
Investigate incidents by using Blast radius analysis, which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions.
PreviewMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, you can now hunt by using the hunting graph, which renders predefined threat scenarios as interactive graphs.
PreviewMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, you can now enrich your custom detection rules by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel.
PreviewMicrosoft Defender XDRAdvanced Hunting
The following advanced hunting schema tables are now available for preview: The `CloudStorageAggregatedEvents` table contains information about storage activity and related events The `IdentityEvents` table contains information about identity events obtained from other cloud identity service providers
PreviewMicrosoft Defender XDRDefender for CloudAdvanced Hunting
Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting.
PreviewMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, the number of query results displayed in the Microsoft Defender portal has been increased to 100,000.
GAMicrosoft Defender XDRDefender for Cloud
Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more
GAMicrosoft Defender XDR
Defender Experts for XDR customers can now incorporate third-party network signals for enrichment. This feature allows our security analysts to gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response. It also provides customers with a more holistic view of the threat in their environments.
GAMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, you can now view all your user-defined rules—both custom detection rules and analytics rules—in the Detection rules page. This feature also brings the following improvements: You can now filter for *every* column (in addition to Frequency and Organizational scope). For multiworkspace organizations that onboard multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit. (GA) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts.
PreviewMicrosoft Defender XDRAdvanced Hunting
The `GraphApiAuditEvents` table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
PreviewMicrosoft Defender XDRAdvanced Hunting
The `DisruptionAndResponseEvents` table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.
PreviewMicrosoft Defender XDRSecurity Copilot
Microsoft Copilot now provides suggested prompts as part of incident summaries in the Microsoft Defender portal. Suggested prompts help you get more insights into the specific assets involved in an incident. For more information, see Summarize incidents with Microsoft Copilot in Microsoft Defender.
GAMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender.
PreviewMicrosoft Defender XDRAdvanced Hunting
In advanced hunting, you can now view all your user-defined rules—both custom detection rules and analytics rules—in the Detection rules page. This feature also brings the following improvements: You can now filter for *every* column (in addition to Frequency and Organizational scope). For multiworkspace organizations that onboard multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace. You can now view the details pane even for analytics rules. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
PreviewMicrosoft Defender XDR
You can now highlight your security operations achievements and the impact of Microsoft Defender by using the unified security summary. The unified security summary is available in the Microsoft Defender portal and streamlines the process for SOC teams to generate security reports, saving time usually spent on collecting data from various sources and creating reports. For more information, see Visualize security impact with the unified security summary.
defenderMicrosoft Defender XDRAdvanced Hunting
Defender portal users who onboard Microsoft Sentinel and enable the User and Entity Behavior Analytics (UEBA) can now take advantage of the new unified `IdentityInfo` table in advanced hunting. This latest version now includes the largest possible set of fields common to both Defender and Azure portals.
PreviewMicrosoft Defender XDRAdvanced Hunting
The following advanced hunting schema tables are now available for preview to help you look through Microsoft Teams events and related information: The MessageEvents table contains details about messages sent and received within your organization at the time of delivery The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization