What's new in Microsoft Defender XDR

Lists the new features and functionality in Microsoft Defender XDR.

For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see:

You can also get product updates and important notifications through the message center.

September 2025

  • (Preview) You can now use tasks in the Microsoft Defender portal to break down incident investigations into actionable steps and assign them across your operations teams. Tasks are displayed alongside Security Copilot insights, guided responses, and reports - giving your team a unified view of progress and next steps. When you onboard Microsoft Sentinel to the Defender portal, tasks you create in Microsoft Sentinel through the Azure portal are automatically synchronized to the Defender portal. For more information, see Streamline incident response using tasks in the Microsoft Defender portal (Preview)
  • (Preview) You can investigate incidents using Blast radius analysis, which is an advanced graph visualization built on the Microsoft Sentinel data lake and graph infrastructure. This feature generates an interactive graph showing possible propagation paths from the selected node to predefined critical targets scoped to the user’s permissions.
  • (Preview) In advanced hunting, you can now hunt using the hunting graph, which renders predefined threat scenarios as interactive graphs.

August 2025

  • (Preview) In advanced hunting, you can now enrich your custom detection rules by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel.
  • (Preview) The following advanced hunting schema tables are now available for preview:
    • The CloudStorageAggregatedEvents table contains information about storage activity and related events
    • The IdentityEvents table contains information about identity events obtained from other cloud identity service providers
  • (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting.
  • (Preview) In advanced hunting, the number of query results displayed in the Microsoft Defender portal has been increased to 100,000.
  • (GA) Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more
  • (GA) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment. This gives our security analysts a more comprehensive view of an attack's path, allowing faster and more thorough detection and response, and gives customers a more holistic view of the threat in their environments.
  • (GA) In advanced hunting, you can now view all your user-defined rules—both custom detection rules and analytics rules—in the Detection rules page. This feature also brings the following improvements:
    • You can now filter for every column (in addition to Frequency and Organizational scope).
    • For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace.
    • You can now view the details pane even for analytics rules.
    • You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
  • (GA) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts.

July 2025

  • (Preview) The GraphApiAuditEvents table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.

  • (Preview) The DisruptionAndResponseEvents table, now available in advanced hunting, contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.

June 2025

  • (Preview) Microsoft Copilot now provides suggested prompts as part of incident summaries in the Microsoft Defender portal. Suggested prompts help you get more insights into the specific assets involved in an incident. For more information, see Summarize incidents with Microsoft Copilot in Microsoft Defender.
  • (GA) In advanced hunting, Microsoft Defender portal users can now use the adx() operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender.
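The following query is an added example, not from this page or from Microsoft documentation, of how the adx() operator can be combined with Defender tables from inside the Defender portal. It reads a critical-asset list held in Azure Data Explorer and reports inventory entries that have no device record in DeviceInfo, or whose device is not onboarded. The cluster URL, database name, CriticalAssets table and its Hostname and Owner columns are assumptions; DeviceInfo, DeviceName, OnboardingStatus and SensorHealthState are existing Defender schema columns, and the literal value 'Onboarded' is assumed.

```kql
// Added example: join an Azure Data Explorer asset inventory to Defender device data.
// adx('<cluster URL>/<database>').<table> is the operator syntax; everything after it is an assumption.
adx('https://contoso-adx.westeurope.kusto.windows.net/AssetDb').CriticalAssets   // assumed cluster, database and table
| project Hostname = tolower(Hostname), Owner                                      // assumed inventory columns
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId                                   // keep the latest record per device
    | extend Hostname = tolower(tostring(split(DeviceName, '.')[0]))                // short hostname so it matches the inventory
    | project Hostname, DeviceName, OnboardingStatus, SensorHealthState, LastSeen = Timestamp
  ) on Hostname
// Inventory rows with no matching device, or a device that is not onboarded ('Onboarded' is an assumed value)
| where isempty(DeviceName) or OnboardingStatus != 'Onboarded'
| project Hostname, Owner, DeviceName, OnboardingStatus, SensorHealthState, LastSeen
```

Matching on the short hostname (the part before the first dot) is a design choice for inventories that store unqualified names; if the inventory holds fully qualified names, join directly on the lower-cased DeviceName instead.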

May 2025

  • (Preview) In advanced hunting, you can now view all your user-defined rules—both custom detection rules and analytics rules—in the Detection rules page. This feature also brings the following improvements:

    • You can now filter for every column (in addition to Frequency and Organizational scope).
    • For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace.
    • You can now view the details pane even for analytics rules.
    • You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
  • (Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. The unified security summary is available in the Microsoft Defender portal and streamlines the process for SOC teams to generate security reports, saving time usually spent on collecting data from various sources and creating reports. For more information, see Visualize security impact with the unified security summary.

  • Defender portal users who have onboarded Microsoft Sentinel and have enabled User and Entity Behavior Analytics (UEBA) can now take advantage of the new unified IdentityInfo table in advanced hunting. This latest version now includes the largest possible set of fields common to both the Defender and Azure portals.

  • (Preview) The following advanced hunting schema tables are now available for preview to help you look through Microsoft Teams events and related information:

    • The MessageEvents table contains details about messages sent and received within your organization at the time of delivery
    • The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization
    • The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization

April 2025

  • (Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. For more information, see Create data security investigations in the Microsoft Defender portal.

  • (Preview) Contain IP addresses of undiscovered devices: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See Contain IP addresses of undiscovered devices for more information.

  • (Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability.

  • The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting.
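As an added example, not from this page, the query below uses the two new DeviceNetworkInfo columns to measure sensor coverage per DNS suffix: for each suffix it counts adapters, counts those whose device is not onboarded, and lists a few affected device names. DeviceNetworkInfo, DeviceId, DeviceName, NetworkAdapterName and Timestamp are existing schema columns; the page does not enumerate OnboardingStatus values, so the literal 'Onboarded' is an assumption and the filter keeps every other value.

```kql
// Added example: onboarding coverage per DNS suffix from DeviceNetworkInfo.
DeviceNetworkInfo
| where Timestamp > ago(7d)                                          // recent network state only
| where isnotempty(NetworkAdapterDnsSuffix)                          // skip adapters with no suffix reported
| summarize arg_max(Timestamp, *) by DeviceId, NetworkAdapterName   // latest record per adapter
| summarize
    Adapters     = count(),
    NotOnboarded = countif(OnboardingStatus != 'Onboarded'),         // 'Onboarded' is an assumed value
    SampleDevices = make_set_if(DeviceName, OnboardingStatus != 'Onboarded', 5)
  by NetworkAdapterDnsSuffix
| extend NotOnboardedPct = round(100.0 * NotOnboarded / Adapters, 1)
| order by NotOnboardedPct desc, Adapters desc
```

Suffixes at the top of the result are the domains or sites where discovered devices most often lack a Defender for Endpoint sensor, which is where onboarding effort (or the IP containment described above for undiscovered devices) has the most effect.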

March 2025

  • (Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details.

  • The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365.

  • You can now link Threat analytics reports when setting up custom detections. Learn more

February 2025

  • (Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see Exclude assets from automated responses in automatic attack disruption.

  • (Preview) The PrivilegedEntraPimRoles column is available for preview in the advanced hunting IdentityInfo table.

  • (GA) You can now view how Security Copilot came up with the query suggestion in its responses in Microsoft Defender advanced hunting. Select See the logic behind the query below the query text to validate that the query aligns with your intent and needs, even if you don't have an expert-level understanding of KQL.