What's new in Microsoft 365 Defender

Lists the new features and functionality in Microsoft 365 Defender.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://learn.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us

For more information on what's new with other Microsoft Defender security products, see:

You can also get product updates and important notifications through the message center.

August 2022

  • (GA) Microsoft Defender Experts for Hunting is now generally available. If you're a Microsoft 365 Defender customer with a robust security operations center but want Microsoft to help you proactively hunt for threats across endpoints, Office 365, cloud applications, and identity using Microsoft Defender data, then learn more about applying, setting up, and using the service. Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products.
  • (Preview) Guided mode is now available for public preview in advanced hunting. Analysts can now start querying their database for endpoint, identities, email & collaboration, and cloud apps data without knowing Kusto Query Language (KQL). Guided mode features a friendly, easy-to-use, building-block style of constructing queries through dropdown menus containing available filters and conditions. See Get started with query builder.

July 2022

  • (Preview) Microsoft Defender Experts for Hunting public preview participants can now look forward to receiving monthly reports to help them understand the threats the hunting service surfaced in their environment, along with the alerts generated by their Microsoft 365 Defender products. For details, refer to Understand the Defender Experts for Hunting report in Microsoft 365 Defender.

June 2022

  • (Preview) The DeviceTvmInfoGathering and DeviceTvmInfoGatheringKB tables are now available in the advanced hunting schema. Use these tables to hunt through assessment events in Defender Vulnerability Management, including the status of various configurations and the attack surface area states of devices.

  • The newly introduced Automated investigation & response card in the Microsoft 365 Defender portal provides an overview on pending remediation actions. The security operations team can view all actions pending approval, and the stipulated time to approve those actions in the card itself. The security team can quickly navigate to the Action center and take appropriate remediation actions. The Automated investigation & response card also has a link to the Full Automation page. This enables the security operations team to effectively manage alerts and complete remediation actions in a timely manner.

May 2022

  • (Preview) In line with the recently announced expansion into a new service category called Microsoft Security Experts, we're introducing the availability of Microsoft Defender Experts for Hunting (Defender Experts for Hunting) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

April 2022

  • (Preview) Actions can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
  • (Preview) The new UrlClickEvents table in advanced hunting can be used to hunt for threats like phishing campaigns and suspicious links based on information coming from Safe Links clicks in email messages, Microsoft Teams, and Office 365 apps.
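An added example (not from this page) of how the UrlClickEvents table can be used to hunt for risky Safe Links clicks: it finds clicks on URLs flagged as phishing that were either allowed or clicked through past the warning page, and groups them by recipient. The 7-day window and the "Phish" threat type filter are assumptions chosen for illustration.

```kql
// Added example, not from the original page.
// Safe Links clicks on URLs flagged as phishing that still reached the user,
// summarized per account so the most exposed users surface first.
// The 7-day window and the "Phish" filter are assumptions for illustration.
UrlClickEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish"
// ClickAllowed: the page was allowed; IsClickedThrough: the user bypassed the block page
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| summarize Clicks = count(),
            Urls = make_set(Url, 10),
            Workloads = make_set(Workload, 3),
            Detections = make_set(DetectionMethods, 5),
            FirstClick = min(Timestamp),
            LastClick = max(Timestamp)
          by AccountUpn
| order by Clicks desc
```

The Workload column shows whether the click originated from email, Microsoft Teams, or an Office 365 app, and NetworkMessageId (not projected here) can be used to join back to EmailEvents when the click came from a message.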

March 2022

  • (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include the ability to search for incidents by ID or name, specify a custom time range, and others.

December 2021

  • (GA) The DeviceTvmSoftwareEvidenceBeta table was added on a short-term basis in advanced hunting to allow you to view evidence of where specific software was detected on a device.

November 2021

  • (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
  • (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
  • (Preview) You can now use the link to incident feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.

October 2021

  • (GA) In advanced hunting, more columns were added to the CloudAppEvents table. You can now include AccountType, IsExternalUser, IsImpersonated, IPTags, IPCategory, and UserAgentTags in your queries.
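An added example (not from this page) that uses the new CloudAppEvents columns to look for bulk file downloads by external or impersonated accounts. The 30-day window, the download threshold of 50, and the ActionType names used in the filter are assumptions chosen for illustration; check the in-portal schema reference for the ActionType values present in your tenant.

```kql
// Added example, not from the original page.
// Bulk downloads from cloud apps by external or impersonated accounts,
// enriched with the IP and user-agent classification columns.
// The 30-day window, the threshold of 50 and the ActionType names are assumptions.
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileDownloaded", "FileSyncDownloadedFull")
| where IsExternalUser == true or IsImpersonated == true
| summarize Downloads = count(),
            SourceIPs = make_set(IPAddress, 20),
            IPCategories = make_set(IPCategory, 5),
            IPTagSets = make_set(IPTags, 5),
            ClientTags = make_set(UserAgentTags, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by AccountObjectId, AccountDisplayName, AccountType, Application, IsExternalUser, IsImpersonated
| where Downloads > 50
| order by Downloads desc
```

IsImpersonated flags activity performed on behalf of the account (for example by an admin or an application acting as the user), so it is worth reviewing separately from IsExternalUser rather than treating both as a single population.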

September 2021

  • (GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the Supported Microsoft 365 Defender event types in streaming API.

  • (GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.

  • (GA) Assign incidents and alerts to user accounts

    You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.

August 2021

  • (Preview) Microsoft Defender for Office 365 data available in advanced hunting

    New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the AuthenticationDetails column in EmailEvents, FileSize in EmailAttachmentInfo, and ThreatTypes and DetectionMethods in EmailPostDeliveryEvents tables.
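An added example (not from this page) that combines the new columns: it takes messages that zero-hour auto purge (ZAP) removed after delivery from EmailPostDeliveryEvents, joins them to the original delivery record in EmailEvents, and parses the AuthenticationDetails JSON so the SPF, DKIM, DMARC and composite authentication results appear next to the post-delivery verdict. The 7-day window is an assumption chosen for illustration.

```kql
// Added example, not from the original page.
// Messages that ZAP removed after delivery, joined to the original delivery
// event so the sender authentication results sit beside the post-delivery verdict.
// The 7-day window is an assumption for illustration.
EmailPostDeliveryEvents
| where Timestamp > ago(7d)
| where ActionType has "ZAP"          // e.g. "Phish ZAP", "Malware ZAP", "Spam ZAP"
| project ZapTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ActionType, ActionResult, ThreatTypes, DetectionMethods
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(7d)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              SenderFromDomain, Subject, DeliveryAction, AuthenticationDetails
  ) on NetworkMessageId, RecipientEmailAddress
// AuthenticationDetails is a JSON string with SPF, DKIM, DMARC and CompAuth results
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF),
         DKIM = tostring(Auth.DKIM),
         DMARC = tostring(Auth.DMARC),
         CompAuth = tostring(Auth.CompAuth)
| project ZapTime, RecipientEmailAddress, SenderFromAddress, SenderFromDomain, Subject,
          DeliveryAction, ActionType, ActionResult, ThreatTypes, DetectionMethods,
          SPF, DKIM, DMARC, CompAuth
| order by ZapTime desc
```

Rows where the original message passed all authentication checks but was later purged as phishing are the interesting ones: they point at compromised or look-alike senders that SPF, DKIM and DMARC alone do not catch. The FileSize column in EmailAttachmentInfo can be joined in the same way on NetworkMessageId when attachment size is relevant to the investigation.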

  • (Preview) Incident graph

    A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.

July 2021

  • Professional services catalog

    Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.

June 2021

  • (Preview) View reports per threat tags

    Threat tags help you focus on specific threat categories and review the most relevant reports.

  • (Preview) Streaming API

    Microsoft 365 Defender supports streaming all the events available through advanced hunting to an Azure Event Hubs instance and/or an Azure storage account.

  • (Preview) Take action in advanced hunting

    Quickly contain threats or address compromised assets that you find in advanced hunting.

  • (Preview) In-portal schema reference

    Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (ActionType values) and sample queries.

  • (Preview) DeviceFromIP() function

    Get information about which devices were assigned a specific IP address or set of addresses during a given time range.

May 2021

April 2021

  • Microsoft 365 Defender

    The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.

  • Microsoft 365 Defender threat analytics report

    Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.

March 2021

  • CloudAppEvents table

    Find information about events in various cloud apps and services covered by Microsoft Defender for Cloud Apps. This table also includes information previously available in the AppFileEvents table.