What’s new in Defender XDR? 01/26

It’s early January, the holiday season just wrapped up, and many of us enjoyed a quieter time to recharge. But while things slowed down for most, Microsoft kept pushing updates. Defender XDR didn’t take a break: new features and improvements are here, and they’re worth a look.


My personal highlights

  • Microsoft Defender for Office 365: Block External Users in Microsoft Teams via Defender Portal

    • Centralized control of external user access through the Tenant Allow/Block List in the Defender portal.

  • IP Address Changes for Defender for Identity v2.x Sensor Communication

    • MDI sensors now use IPs from the AzureAdvancedThreatProtection service tag range.

    • Organizations with restrictive firewall policies must review and update rules to avoid connectivity issues.


Defender for Endpoint

  • Status: Preview

    Summary:
    Triage Collection in the Microsoft Sentinel Model Context Protocol (MCP) server enables integration of your AI models with APIs for incident triage and threat hunting. This feature helps prioritize incidents and hunt across your own data, reducing mean time to resolution, risk exposure, and dwell time.

    Key Details

    • Core Scenarios:

      • Incident Triage:

        • Fetch incidents, alerts, and related evidence.

        • Reduce mean time to resolution by leveraging AI prioritization.

      • Hunting:

        • Run hunting queries over your own data.

        • Minimize risk exposure and dwell time during investigations.

    Learn more:

    Triage tool collection in Microsoft Sentinel MCP server - Microsoft Security | Microsoft Learn

  • Status: Public Preview

    Summary:

    Microsoft introduced new Secure Score recommendations for Defender for Endpoint (MDE) to help organizations strengthen their security posture. These recommendations aim to proactively block common attack techniques and improve endpoint protection.

    Key Details

    • Licensing Requirements: Defender for Endpoint Plan 2 (P2).

    • What’s New:

      • New recommendations appear in Microsoft Secure Score.

      • Examples of the new recommendations:

        • Disable NTLM authentication for Windows workstations.

        • Disable Remote Registry Service on Windows.

    • Secure Score updates dynamically based on implementation of these actions.

    Learn more:

    https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1192254

    https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1191616


Defender for Identity

  • Status: General Availability

    Summary:
    Microsoft Defender for Identity (MDI) v2.x sensors will start using new IP addresses from the published range associated with the service tag AzureAdvancedThreatProtection.

    Key Details

    • Rollout Timeline: Gradual rollout began mid-December 2025.

    • Who Is Affected: Organizations using MDI v2.x sensors and restricting outbound traffic by IP address.

    • What’s Changing:

      • Sensors will communicate only through IPs in the AzureAdvancedThreatProtection service tag range.

      • No addresses outside the published range will be used.

      • If IP restrictions are not updated, sensors may lose connectivity to the MDI cloud.

    Impact:

    Organizations already allowing the full published range: no action needed.
    Organizations with restrictive firewall/network policies: update required!

    Learn more:

    https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1194061

    Azure service tags overview | Microsoft Learn
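To check an outbound allow-list against the published AzureAdvancedThreatProtection range before the sensors switch, here is an added example (not from the original post or from Microsoft). The prefixes and the allow-list are constructed sample data; the document layout assumed below is that of the public ServiceTags JSON download, and the same prefixes can also be read with Get-AzNetworkServiceTag.

```python
"""Added example: verify that a firewall allow-list still covers every prefix
published for the AzureAdvancedThreatProtection service tag, and flag rules
that now allow nothing the sensors will use."""
import ipaddress

# CONSTRUCTED sample in the (assumed) shape of the public ServiceTags JSON
# download; the real prefixes come from that download, not from here.
SERVICE_TAGS_DOC = {
    "values": [
        {"name": "AzureAdvancedThreatProtection",
         "properties": {"addressPrefixes": [
             "20.50.0.0/23", "40.120.8.0/22", "2603:1030:1::/64"]}},
    ]
}
# CONSTRUCTED sample of what an organisation's outbound firewall allows today.
FIREWALL_ALLOWED = ["20.50.0.0/24", "20.50.1.0/24", "40.120.8.0/24", "52.100.0.0/16"]


def prefixes_for_tag(doc, tag_name):
    """Pull the addressPrefixes of one service tag out of the download document."""
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return list(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag_name!r} not found")


def _collapsed_by_version(prefixes):
    """Parse prefixes and merge adjacent/overlapping ones, separately per IP version,
    so a /23 that is allowed as two /24 rules still counts as covered."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return {v: list(ipaddress.collapse_addresses(n for n in nets if n.version == v))
            for v in (4, 6)}


def uncovered_prefixes(published, allowed):
    """Published prefixes not fully inside the merged allow-list: a sensor that
    is assigned an address in one of these would lose connectivity."""
    merged = _collapsed_by_version(allowed)
    missing = []
    for p in published:
        net = ipaddress.ip_network(p, strict=False)
        if not any(net.subnet_of(a) for a in merged[net.version]):
            missing.append(p)
    return missing


def stale_allowed_prefixes(published, allowed):
    """Allow rules overlapping nothing published: since sensors will use only the
    published range, these are candidates for removal after the change."""
    pub = [ipaddress.ip_network(p, strict=False) for p in published]
    return [a for a in allowed
            if not any(n.version == p.version and n.overlaps(p)
                       for n in [ipaddress.ip_network(a, strict=False)] for p in pub)]
```

Run `uncovered_prefixes(prefixes_for_tag(SERVICE_TAGS_DOC, "AzureAdvancedThreatProtection"), FIREWALL_ALLOWED)` to list the gaps; with the sample data the IPv4 /22 is only partly allowed and the IPv6 prefix is not allowed at all.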

  • Status: Preview (API Beta Version)

    Summary:
    Microsoft Graph API introduces new properties for the sensorCandidate resource type, providing additional context for Defender for Identity sensors. This enhancement improves visibility and management of sensor candidates during deployment and troubleshooting.

    Key Details

    • New Properties:

      • domainName (String)

        • Represents the domain name of the sensor.

      • senseClientVersion (String)

        • Indicates the version of the Defender for Identity sensor client.

    Learn more:

    sensorCandidate resource type - Microsoft Graph beta | Microsoft Learn

  • Status: Available

    Summary:
    A new activity type for ADWS LDAP search is now in the IdentityQueryEvents table within Advanced Hunting. This provides visibility into directory queries performed through Active Directory Web Services (ADWS), enabling security teams to track these operations and build custom detections.

    Key Details

    • Where to Find It:

      • IdentityQueryEvents table in Advanced Hunting.

    • Purpose:

      • Gain insight into LDAP search operations executed via ADWS.

      • Enhance detection capabilities for suspicious directory queries.


Defender for Cloud Apps

  • Status: Rollout Paused (Updated December 23, 2025)

    Summary:
    Microsoft planned to retire SIEM (Security Information and Event Management) agents from Defender for Cloud Apps as part of the convergence process for all Defender workloads. The rollout, originally scheduled for late December 2025 through early January 2026, has been paused. Microsoft will announce the new timeline via Message Center.

    Key Details

    • Original Plan:

      • Retirement of SIEM agents in late December 2025 (previously mid-November) through early January 2026.

    • Current Status:

      • Rollout paused as of December 23, 2025.

      • Updates will be communicated via Message Center.

    Impact:

    Organizations using SIEM agents for Defender for Cloud Apps should prepare for the transition.

    Learn more:

    https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1077861

  • Status: General Availability (Worldwide)

    Summary:
    Microsoft Defender for Cloud Apps permissions are now integrated with Microsoft Defender XDR Unified Role-Based Access Control (RBAC). This integration simplifies permission management across Defender workloads, providing a unified experience for administrators.

    Key Details

    • What’s New:

      • Cloud Apps permissions can now be managed through the Defender XDR Unified RBAC model.

      • Activation of Unified role management is available in the Microsoft Defender portal.

    • How to Activate:

      • Sign in to the Microsoft Defender portal.

      • Navigate to Permissions → Roles under Microsoft Defender XDR.

      • Use Activate workloads to enable RBAC for the Cloud Apps workload.

    • Mapping:

    • Why It Matters:

      • Centralized permission management reduces complexity.

      • Aligns with Defender XDR’s unified security approach.

  • Status: Preview

    Summary:
    The Microsoft Defender for Cloud Apps App Governance Unused App Insights feature helps administrators identify and manage unused Microsoft 365-connected OAuth apps. It supports policy-based governance and advanced hunting queries for improved security posture. This capability is now available for most commercial cloud customers.

    Key Details

    • Purpose:

      • Detect unused OAuth apps connected to Microsoft 365.

      • Enforce governance policies to reduce risk.

      • Leverage advanced hunting for deeper insights.

    Learn more:

    Secure apps with app governance hygiene features - Microsoft Defender for Cloud Apps | Microsoft Learn


Defender for Office 365

  • Status: General Availability

    Summary:
    An integration between Microsoft Teams and Microsoft Defender for Office 365 now allows security admins to manage blocked external users and domains for Teams through the Tenant Allow/Block List (TABL) in the Microsoft Defender portal. This centralized approach enhances security and compliance by controlling external user access across Microsoft 365 services.

    Key Details

    • Rollout Timeline:

      • Begins early January 2026, completes mid-January 2026.

    • Who Is Affected:

      • Organizations using Microsoft Teams and Defender for Office 365 Plan 1 or Plan 2.

    • What’s New:

      • Security admins can add, delete, and view blocked external users and domains for Teams directly in the Defender portal.

      • Incoming communications (chats, channels, meetings, calls) from blocked users will be prevented.

      • Existing communications from blocked users will be automatically deleted.

      • Audit logs track all block actions for compliance.

      • Entry limits:

        • Up to 4,000 blocked domains

        • Up to 200 email addresses

      • Applies to all Teams clients and the Defender XDR web portal.

      • Existing federation and domain blocks in Teams admin center remain unaffected.

    • What You Can Do:

      • Enable these settings in Teams Admin Center:

        • Block specific users from communicating with people in my organization (default: Off).

        • Allow my security team to manage blocked domains and blocked users (default: Off).

      • Grant security team access to manage blocked domains and users.

    Learn more:

    https://admin.cloud.microsoft/?ref=MessageCenter/:/messages/MC1200058

  • Status: Preview

    Summary:
    Microsoft Defender for Office 365 introduces two new schema tables in Advanced Hunting, providing deeper visibility into email campaigns and malicious file content across Microsoft 365 services.

    Key Details

    • New Tables:

      • CampaignInfo: Contains information about email campaigns identified by Microsoft Defender for Office 365.

      • FileMaliciousContentInfo: Contains details about files processed by Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams.


AI/Security Copilot

  • Status: Mixed (Preview & GA)

    Summary:
    Microsoft Security Copilot in Microsoft Defender introduces several new capabilities to enhance threat detection, intelligence, and hunting workflows. These updates leverage AI-driven agents to streamline security operations and improve efficiency.

    Key Details

    • Dynamic Threat Detection Agent (Preview):

      • Always-on, adaptive backend service that uncovers hidden threats across Defender and Microsoft Sentinel environments.

    • Threat Intelligence Briefing Agent (GA):

      • Generates tailored threat intelligence briefings in minutes.

      • Incorporates latest threat actor activity and vulnerability data from internal and external sources.

    • Threat Hunting Agent (Preview):

      • Enables natural language-based threat hunting.

      • Provides a conversational experience: generates queries, interprets results, surfaces insights, and guides full hunting sessions.
