What's new in Microsoft 365 Defender
Lists the new features and functionality in Microsoft 365 Defender.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
You can also get product updates and important notifications through the message center.
- (Preview) Custom detections using data from Microsoft Defender for Identity and Microsoft Defender for Cloud Apps, specifically the
IdentityQueryEventstables can now be run in near real-time Continuous (NRT) frequency.
- Guides to responding to your first incident for new users are now live. Understand incidents and learn to triage and prioritize, analyze your first incident using tutorials and videos, and remediate attacks by understanding actions available in the portal.
- (Preview) Asset rule management - Dynamic rules for devices is now in public preview. Dynamic rules can help manage device context by assigning tags and device values automatically based on certain criteria.
- (Preview) The DeviceInfo table in advanced hunting now also includes the columns
DeviceDynamicTagsin public preview to surface both manually and dynamically assigned tags related to the device you are investigating.
- The Guided response feature in Microsoft Defender Experts for XDR has been renamed to Managed response. We have also added a new FAQ section on incident updates.
- (GA) The Attack story in incidents is now generally available. The attack story provides the full story of the attack and allows incident response teams to view the details and apply remediation.
- A new URL and domain page is now available in Microsoft 365 Defender. The updated URL and domain page provides a single place to view all the information about a URL or a domain, including its reputation, the users who clicked it, the devices that accessed it, and emails where the URL or domain was seen. For details, see Investigate URLs in Microsoft 365 Defender.
- (GA) Microsoft Defender Experts for XDR is now generally available. Defender Experts for XDR augments your security operations center by combining automation and Microsoft's security analyst expertise, helping you detect and respond to threats with confidence and improve your security posture. Microsoft Defender Experts for XDR is sold separately from other Microsoft 365 Defender products. If you're a Microsoft 365 Defender customer and are interested in purchasing Defender Experts for XDR, see Overview of Microsoft Defender Experts for XDR.
- (GA) Alert tuning is now generally available. Alert tuning lets you fine-tune alerts to reduce investigation time and focus on resolving high priority alerts. Alert tuning replaces the Alert suppression feature.
- (GA) Automatic attack disruption is now generally available. This capability automatically disrupts human-operated ransomware (HumOR), business email compromise (BEC), and adversary-in-the-middle (AiTM) attacks.
- (Preview) Custom functions are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.
- (GA) The unified Assets tab in the Incidents page is now generally available.
- Microsoft is using a new weather-based naming taxonomy for threat actors. This new naming schema will provide more clarity and will be easier to reference. Learn more about the new naming taxonomy.
- (Preview) Microsoft Defender Threat Intelligence (Defender TI) is now available in the Microsoft 365 Defender portal.
This change introduces a new navigation menu within the Microsoft 365 Defender portal named Threat Intelligence. Learn more
- (Preview) Complete device reports for the
DeviceInfotable in advanced hunting are now sent every hour (instead of the previous daily cadence). In addition, complete device reports are also sent whenever there is a change to any previous report. New columns were also added to the
DeviceInfotable, along with several improvements to existing data in
DeviceInfoand DeviceNetworkInfo tables.
- (Preview) Near real-time custom detection is now available for public preview in advanced hunting custom detections. There is a new Continuous (NRT) frequency, which checks data from events as they are collected and processed in near real-time.
- (Preview) Behaviors in Microsoft Defender for Cloud Apps is now available for public preview. Preview customers can now also hunt for behaviors in advanced hunting using the BehaviorEntities and BehaviorInfo tables.
- (GA) The query resources report in advanced hunting is now generally available.
- (Preview) The automatic attack disruption capability now disrupts business email compromise (BEC).
The new version of Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see Understand the Defender Experts for Hunting report in Microsoft 365 Defender.
(GA) Live Response is now generally available for macOS and Linux.
(GA) Identity timeline is now generally available as part of the new Identity page in Microsoft 365 Defender. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a user’s identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.
- (Preview) The new Microsoft 365 Defender role-based access control (RBAC) model is now available for preview. The new RBAC model enables security admins to centrally manage privileges across multiple security solutions within a single system with a greater efficiency, currently supporting Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. The new model is fully compatible with the existing individual RBAC models currently supported in Microsoft 365 Defender. For more information, see Microsoft 365 Defender role-based access control (RBAC).
- (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
- (Preview) The query resource report is now available in advanced hunting. The report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. See View query resources report to find inefficient queries.
- (Preview) The new automatic attack disruption capability is now in preview. This capability combines security research insights and advances AI models to automatically contain attacks in progress. Automatic attack disruption also provides more time to security operations centers (SOCs) to fully remediate an attack and limits an attack's impact to organizations. This preview automatically disrupts ransomware attacks.
- (GA) Microsoft Defender Experts for Hunting is now generally available. If you're a Microsoft 365 Defender customer with a robust security operations center but want Microsoft to help you proactively hunt for threats across endpoints, Office 365, cloud applications, and identity using Microsoft Defender data, then learn more about applying, setting up, and using the service. Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products.
- (Preview) Guided mode is now available for public preview in advanced hunting. Analysts can now start querying their database for endpoint, identities, email & collaboration, and cloud apps data without knowing Kusto Query Language (KQL). Guided mode features a friendly, easy-to-use, building-block style of constructing queries through dropdown menus containing available filters and conditions. See Get started with query builder.
- (Preview) Microsoft Defender Experts for Hunting public preview participants can now look forward to receiving monthly reports to help them understand the threats the hunting service surfaced in their environment, along with the alerts generated by their Microsoft 365 Defender products. For details, refer to Understand the Defender Experts for Hunting report in Microsoft 365 Defender.
(Preview) The DeviceTvmInfoGathering and DeviceTvmInfoGatheringKB tables are now available in the advanced hunting schema. Use these tables to hunt through assessment events in Defender Vulnerability Management including the status of various configurations and attack surface area states of devices.
The newly introduced Automated investigation & response card in the Microsoft 365 Defender portal provides an overview on pending remediation actions.
The security operations team can view all actions pending approval, and the stipulated time to approve those actions in the card itself. The security team can quickly navigate to the Action center and take appropriate remediation actions. The Automated investigation & response card also has a link to the Full Automation page. This enables the security operations team to effectively manage alerts and complete remediation actions in a timely manner.
- (Preview) In line with the recently announced expansion into a new service category called Microsoft Security Experts, we're introducing the availability of Microsoft Defender Experts for Hunting (Defender Experts for Hunting) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.
- (Preview) Actions can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
- (Preview) The new
UrlClickEventstable in advanced hunting can be used to hunt for threats like phishing campaigns and suspicious links based on information coming from Safe Links clicks in email messages, Microsoft Teams, and Office 365 apps.
- (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include capabilities such as ability to search for incidents by ID or name, specify a custom time range, and others.
- (GA) The
DeviceTvmSoftwareEvidenceBetatable was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
- (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
- (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
- (Preview) You can now use the link to incident feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.
- (GA) In advanced hunting, more columns were added in the CloudAppEvents table. You can now include
UserAgentTagsto your queries.
(GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the Supported Microsoft 365 Defender event types in streaming API.
(GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.
(GA) Assign incidents and alerts to user accounts
You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.
(Preview) Microsoft Defender for Office 365 data available in advanced hunting
New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the
AuthenticationDetailscolumn in EmailEvents,
FileSizein EmailAttachmentInfo, and
DetectionMethodsin EmailPostDeliveryEvents tables.
(Preview) Incident graph
A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
(Preview) View reports per threat tags
Threat tags help you focus on specific threat categories and review the most relevant reports.
(Preview) Streaming API
Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.
(Preview) Take action in advanced hunting
Quickly contain threats or address compromised assets that you find in advanced hunting.
(Preview) In-portal schema reference
Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (
ActionTypevalues) and sample queries.
(Preview) DeviceFromIP() function
Get information about which devices have been assigned a specific IP address or addresses at a given time range.
Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See Investigate alerts for more information.
Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See Prioritize incidents for more information.
Microsoft 365 Defender
The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.
Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
Find information about events in various cloud apps and services covered by Microsoft Defender for Cloud Apps. This table also includes information previously available in the
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft 365 Defender Tech Community.