What's new in Microsoft 365 Defender

Lists the new features and functionality in Microsoft 365 Defender.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:


For more information on what's new with other Microsoft Defender security products, see:

You can also get product updates and important notifications through the message center.

May 2023

  • (GA) Alert tuning is now generally available. Alert tuning lets you fine-tune alerts to reduce investigation time and focus on resolving high priority alerts. Alert tuning replaces the Alert suppression feature.
  • (Preview) Custom functions are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.

April 2023

March 2023

  • (Preview) Microsoft Defender Threat Intelligence (Defender TI) is now available in the Microsoft 365 Defender portal. This change introduces a new navigation menu within the Microsoft 365 Defender portal named Threat Intelligence. Learn more
  • (Preview) Complete device reports for the DeviceInfo table in advanced hunting are now sent every hour (instead of the previous daily cadence). In addition, complete device reports are also sent whenever there is a change to any previous report. New columns were also added to the DeviceInfo table, along with several improvements to existing data in DeviceInfo and DeviceNetworkInfo tables.
  • (Preview) Near real-time custom detection is now available for public preview in advanced hunting custom detections. There is a new Continuous (NRT) frequency, which checks data from events as they are collected and processed in near real-time.
  • (Preview) Behaviors in Microsoft Defender for Cloud Apps is now available for public preview. Preview customers can now also hunt for behaviors in advanced hunting using the BehaviorEntities and BehaviorInfo tables.

February 2023

January 2023

  • The new version of Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see Understand the Defender Experts for Hunting report in Microsoft 365 Defender.

  • (GA) Live Response is now generally available for macOS and Linux.

  • (GA) Identity timeline is now generally available as part of the new Identity page in Microsoft 365 Defender. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a user’s identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.

December 2022

  • (Preview) The new Microsoft 365 Defender role-based access control (RBAC) model is now available for preview. The new RBAC model enables security admins to centrally manage privileges across multiple security solutions within a single system with a greater efficiency, currently supporting Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. The new model is fully compatible with the existing individual RBAC models currently supported in Microsoft 365 Defender. For more information, see Microsoft 365 Defender role-based access control (RBAC).

November 2022

  • (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
  • (Preview) The query resource report is now available in advanced hunting. The report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. See View query resources report to find inefficient queries.

August 2022

  • (GA) Microsoft Defender Experts for Hunting is now generally available. If you're a Microsoft 365 Defender customer with a robust security operations center but want Microsoft to help you proactively hunt for threats across endpoints, Office 365, cloud applications, and identity using Microsoft Defender data, then learn more about applying, setting up, and using the service. Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products.
  • (Preview) Guided mode is now available for public preview in advanced hunting. Analysts can now start querying their database for endpoint, identities, email & collaboration, and cloud apps data without knowing Kusto Query Language (KQL). Guided mode features a friendly, easy-to-use, building-block style of constructing queries through dropdown menus containing available filters and conditions. See Get started with query builder.

July 2022

  • (Preview) Microsoft Defender Experts for Hunting public preview participants can now look forward to receiving monthly reports to help them understand the threats the hunting service surfaced in their environment, along with the alerts generated by their Microsoft 365 Defender products. For details, refer to Understand the Defender Experts for Hunting report in Microsoft 365 Defender.

June 2022

  • (Preview) The DeviceTvmInfoGathering and DeviceTvmInfoGatheringKB tables are now available in the advanced hunting schema. Use these tables to hunt through assessment events in Defender Vulnerability Management including the status of various configurations and attack surface area states of devices.

  • The newly introduced Automated investigation & response card in the Microsoft 365 Defender portal provides an overview on pending remediation actions. The security operations team can view all actions pending approval, and the stipulated time to approve those actions in the card itself. The security team can quickly navigate to the Action center and take appropriate remediation actions. The Automated investigation & response card also has a link to the Full Automation page. This enables the security operations team to effectively manage alerts and complete remediation actions in a timely manner.

May 2022

  • (Preview) In line with the recently announced expansion into a new service category called Microsoft Security Experts, we're introducing the availability of Microsoft Defender Experts for Hunting (Defender Experts for Hunting) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

April 2022

  • (Preview) Actions can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
  • (Preview) The new UrlClickEvents table in advanced hunting can be used to hunt for threats like phishing campaigns and suspicious links based on information coming from Safe Links clicks in email messages, Microsoft Teams, and Office 365 apps.

March 2022

  • (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include capabilities such as ability to search for incidents by ID or name, specify a custom time range, and others.

December 2021

  • (GA) The DeviceTvmSoftwareEvidenceBeta table was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.

November 2021

  • (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
  • (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
  • (Preview) You can now use the link to incident feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.

October 2021

  • (GA) In advanced hunting, more columns were added in the CloudAppEvents table. You can now include AccountType, IsExternalUser, IsImpersonated, IPTags, IPCategory, and UserAgentTags to your queries.

September 2021

  • (GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the Supported Microsoft 365 Defender event types in streaming API.

  • (GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.

  • (GA) Assign incidents and alerts to user accounts

    You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.

August 2021

  • (Preview) Microsoft Defender for Office 365 data available in advanced hunting

    New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the AuthenticationDetails column in EmailEvents, FileSize in EmailAttachmentInfo, and ThreatTypes and DetectionMethods in EmailPostDeliveryEvents tables.

  • (Preview) Incident graph

    A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.

July 2021

  • Professional services catalog

    Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.

June 2021

  • (Preview) View reports per threat tags

    Threat tags help you focus on specific threat categories and review the most relevant reports.

  • (Preview) Streaming API

    Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.

  • (Preview) Take action in advanced hunting

    Quickly contain threats or address compromised assets that you find in advanced hunting.

  • (Preview) In-portal schema reference

    Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (ActionType values) and sample queries.

  • (Preview) DeviceFromIP() function

    Get information about which devices have been assigned a specific IP address or addresses at a given time range.

May 2021

April 2021

  • Microsoft 365 Defender

    The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.

  • Microsoft 365 Defender threat analytics report

    Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.

March 2021

  • CloudAppEvents table

    Find information about events in various cloud apps and services covered by Microsoft Defender for Cloud Apps. This table also includes information previously available in the AppFileEvents table.