What's new in Microsoft 365 Defender
Lists the new features and functionality in Microsoft 365 Defender.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
You can also get product updates and important notifications through the message center.
The new Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see Understand the Defender Experts for Hunting report in Microsoft 365 Defender.
(GA) Live Response is now generally available for macOS and Linux.
(GA) Identity timeline is now generally available as part of the new Identity page in Microsoft 365 Defender. The updated User page has a new look, an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days. It unifies a user’s identity entries across all available workloads: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. Using the timeline helps you easily focus on a user's activities (or activities performed on them) in specific timeframes.
- (Preview) The new Microsoft 365 Defender role-based access control (RBAC) model is now available for preview. The new RBAC model enables security admins to centrally manage privileges across multiple security solutions within a single system with a greater efficiency, currently supporting Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. The new model is fully compatible with the existing individual RBAC models currently supported in Microsoft 365 Defender. For more information, see Microsoft 365 Defender role-based access control (RBAC).
- (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
- (Preview) The query resource report is now available in advanced hunting. The report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. See View query resources report to find inefficient queries.
- (GA) Microsoft Defender Experts for Hunting is now generally available. If you're a Microsoft 365 Defender customer with a robust security operations center but want Microsoft to help you proactively hunt for threats across endpoints, Office 365, cloud applications, and identity using Microsoft Defender data, then learn more about applying, setting up, and using the service. Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products.
- (Preview) Guided mode is now available for public preview in advanced hunting. Analysts can now start querying their database for endpoint, identities, email & collaboration, and cloud apps data without knowing Kusto Query Language (KQL). Guided mode features a friendly, easy-to-use, building-block style of constructing queries through dropdown menus containing available filters and conditions. See Get started with query builder.
- (Preview) Microsoft Defender Experts for Hunting public preview participants can now look forward to receiving monthly reports to help them understand the threats the hunting service surfaced in their environment, along with the alerts generated by their Microsoft 365 Defender products. For details, refer to Understand the Defender Experts for Hunting report in Microsoft 365 Defender.
(Preview) The DeviceTvmInfoGathering and DeviceTvmInfoGatheringKB tables are now available in the advanced hunting schema. Use these tables to hunt through assessment events in Defender Vulnerability Management including the status of various configurations and attack surface area states of devices.
The newly introduced Automated investigation & response card in the Microsoft 365 Defender portal provides an overview on pending remediation actions. The security operations team can view all actions pending approval, and the stipulated time to approve those actions in the card itself. The security team can quickly navigate to the Action center and take appropriate remediation actions. The Automated investigation & response card also has a link to the Full Automation page. This enables the security operations team to effectively manage alerts and complete remediation actions in a timely manner.
- (Preview) In line with the recently announced expansion into a new service category called Microsoft Security Experts, we're introducing the availability of Microsoft Defender Experts for Hunting (Defender Experts for Hunting) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.
- (Preview) Actions can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
- (Preview) The new
UrlClickEventstable in advanced hunting can be used to hunt for threats like phishing campaigns and suspicious links based on information coming from Safe Links clicks in email messages, Microsoft Teams, and Office 365 apps.
- (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include capabilities such as ability to search for incidents by ID or name, specify a custom time range, and others.
- (GA) The
DeviceTvmSoftwareEvidenceBetatable was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
- (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
- (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
- (Preview) You can now use the link to incident feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.
- (GA) In advanced hunting, more columns were added in the CloudAppEvents table. You can now include
UserAgentTagsto your queries.
(GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the Supported Microsoft 365 Defender event types in streaming API.
(GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.
(GA) Assign incidents and alerts to user accounts
You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.
(Preview) Microsoft Defender for Office 365 data available in advanced hunting
New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the
AuthenticationDetailscolumn in EmailEvents,
FileSizein EmailAttachmentInfo, and
DetectionMethodsin EmailPostDeliveryEvents tables.
(Preview) Incident graph
A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
(Preview) View reports per threat tags
Threat tags help you focus on specific threat categories and review the most relevant reports.
(Preview) Streaming API
Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.
(Preview) Take action in advanced hunting
Quickly contain threats or address compromised assets that you find in advanced hunting.
(Preview) In-portal schema reference
Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (
ActionTypevalues) and sample queries.
(Preview) DeviceFromIP() function
Get information about which devices have been assigned a specific IP address or addresses at a given time range.
Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See Investigate alerts for more information.
Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See Prioritize incidents for more information.
Microsoft 365 Defender
The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.
Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
Find information about events in various cloud apps and services covered by Microsoft Defender for Cloud Apps. This table also includes information previously available in the