What’s new in DefenderXDR? 12/25

Status: Preview
Summary: A proactive security feature in Defender XDR that predicts attacker movement and applies protections before critical assets are compromised.
Key Details:

• Proactive Defense: Anticipates and disrupts attack progression during an ongoing attack.

• How It Works:

  • Uses predictive analytics, threat intelligence, and real-time insights.

  • Dynamically hardens assets based on posture and activity context.

• Core Components:

  • Prediction: Identifies risk on non-compromised assets using exposure graphs.

  • Enforcement: Applies preventative controls in real time.

• Controls: SafeBoot Hardening, GPO Hardening, Proactive User Containment.

Learn more: Predictive shielding in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn

Status: Preview
Summary: Enables organizations to extend telemetry beyond default settings for advanced threat hunting, compliance monitoring, and forensic investigations.
Key Details:

• Custom Rules: Define filters for event properties (folder paths, process names, network connections).

• How It Works:

  • Rule-based filtering captures specific endpoint events.

  • Data routes to Microsoft Sentinel for analysis and hunting.

• Supported Event Tables:

  • DeviceCustomProcessEvents

  • DeviceCustomImageLoadEvents

  • DeviceCustomFileEvents

  • DeviceCustomNetworkEvents

  • DeviceCustomScriptEvents

• Integration: Requires Defender for Endpoint P2 and connected Sentinel workspace.

• Limits: Up to 25,000 events per device per 24 hours.

• Use Cases: Specialized threat hunting, compliance monitoring, forensic investigations.

Learn more: Custom data collection in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

Status: Preview
Summary: A lightweight, self-updating application that simplifies onboarding to Defender for Endpoint across Windows and Linux environments.
Key Details:

• Streamlined Deployment: Works across all supported versions without complex scripts or manual steps.

• Prerequisite Handling: Automatically installs requirements.

• Migration Support: Automates transition from older security solutions.

• Additional Capabilities:

  • Offline onboarding/offboarding

  • VDI identity consistency

  • Passive mode for servers and Windows 7 when coexisting with other AV solutions

  • Wide range of command-line options for automation

  • Reusable configs for bulk deployments

Learn more: Deploy Microsoft Defender endpoint security to Windows devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn

Status: Preview
Summary: Defender for Endpoint now supports down-level Windows versions without requiring MMA, bringing modern protection to legacy systems.
Key Details:

• Supported OS: Windows 7 SP1 and Windows Server 2008 R2 SP1.

• Onboarding Options:

  • Recommended: Defender Deployment Tool

  • Alternative: MMA/SCEP for other scenarios

• Limitations:

  • Network Protection, Attack Surface Reduction Rules, Controlled Folder Access, and IP/URL indicators not supported.

  • Response actions like isolate device, block/get files, collect investigation packages, and AV scan are not supported.

• Integration: Regular updates and attack disruption supported for legacy endpoints.

Learn more: Onboard previous versions of Windows on Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

Status: GA
Summary: Identifies users whose valid credentials have been exposed on the dark web or public sites, helping prevent credential-based attacks.
Key Details:

• Microsoft monitors public sources, dark web, and collaborates with researchers, law enforcement, and trusted partners.

• Detects leaked username/password pairs and flags affected accounts.

• Benefit: Enables admins to enforce password resets and mitigate risk before attackers exploit compromised credentials.

Learn more:Accounts security posture assessment - Microsoft Defender for Identity | Microsoft Learn

Status: Rollout starting January 2026
Summary: Introduces a new health alert for RPC configuration on v3.x sensors, improving detection accuracy and security posture.
Key Details:

• What It Does:

  • Monitors RPC configuration status across v3.x sensors.

  • Applying the Unified Sensor RPC Audit tag enforces correct configuration and unlocks advanced identity detections.

• Visibility: Tag appears in Device Inventory and Advanced Hunting for transparency and auditing.

• Benefits: Enhances detection accuracy and overall security coverage.
  Admin Actions:

• Navigate to Microsoft Defender portal → System → Settings → Microsoft Defender XDR → Asset Rule Management.

• Create a new rule, set conditions (Device name, Domain, Device tag), and apply the tag Unified Sensor RPC Audit.

Status: Preview
Summary: Adds support for scoping by Organizational Units (OUs) in XDR Role-Based Access Control (Unified RBAC), enabling more granular access control.
Key Details:

• Builds on previous GA release of scoping by Active Directory domains.

• Provides fine-grained control over which entities and resources are included in security analysis.

Ideal for large or complex environments with distributed responsibilities.

Learn more: Configure scoped access for Microsoft Defender for Identity - Microsoft Defender for Identity | Microsoft Learn

Status: Rollout mid-December 2025 → early January 2026
Summary: Classic Microsoft Defender for Identity alerts will move to the XDR detection platform, improving detection accuracy and performance.
Key Details:

• What Changes:

  • Classic MDI alerts transition to XDR-based detection.

  • Detector IDs will change for specific alerts.

  • Alert exclusions must be reconfigured using XDR Alert Tuning rules.

• Affected Alerts & New Detector IDs:

  • Suspected brute-force attack (Kerberos, NTLM) → xdr_OnPremBruteforce

  • Suspected password spray attack (Kerberos, NTLM) → xdr_OnPremPasswordSpray

  • Anomalous SAMR activity → xdr_SamrReconnaissanceSecurityAlert

• Action Required:

  • Update workflows and automation to use new Detector IDs.

  • Reconfigure alert exclusions in XDR.

Learn more: MC1187386

Status: Rollout starting mid-December 2025
Summary: Introduces an opt-in feature that automatically applies required Windows event-auditing settings on unified sensors, simplifying deployment and ensuring consistent policy enforcement.
Key Details:

• What It Does:

  • Automatically configures auditing during new sensor activation.

  • For existing sensors: applies settings only if misconfigured and dismisses related health issues.

• Scope: Applies to all unified sensors in the tenant once enabled.

• Not Enabled by Default: Requires admin action via UI or Graph API.

• Auditing Issues Covered:

  • NTLM auditing not enabled

  • Directory Services Advanced/Object Auditing missing

  • Auditing on Configuration and ADFS containers not enabled
    Admin Actions:

• Enable opt-in via Defender for Identity Settings → Advanced Features or Graph API.

• Review deployment strategy and communicate changes to IT/security teams.

Learn more: MC1187403

Status: Preview
Summary: Introduces proactive exposure management and advanced threat detection for AI agents in Copilot Studio and Azure AI Foundry.
Key Details:

• Discovery & Monitoring:

  • Automatically detects AI agents created in Copilot Studio and Azure AI Foundry.

  • Collects audit logs and continuously monitors for suspicious activity.

• Integration with XDR:

  • Alerts integrated into XDR incidents with a dedicated Agent entity.

  • Advanced Hunting support for custom queries.

• Copilot Studio Agents:

  • Real-time runtime protection and harmful action blocking.

• Azure AI Foundry Agents:

  • Detects misconfigurations and vulnerabilities.

  • Provides actionable security recommendations via Exposure Management.

Learn more: Protect your Microsoft Copilot Studio AI agents (Preview) - Microsoft Defender for Cloud Apps | Microsoft Learn

Status: GA starting January 6, 2026
Summary: ZAP will automatically remove malicious messages from internal Microsoft Teams chats and channels, moving them to admin quarantine in the Microsoft 365 Security portal.
Key Details:

• Scope: Applies to all tenants using Defender for Office 365 Plan 1 with Microsoft Teams.

• Behavior:

  • ZAP protection for Teams will be ON by default starting January 6, 2026.

  • Malicious messages (phishing/malware URLs) are quarantined; end users won’t see them in Teams.

  • Admins can review and manage quarantined content in the Security portal.

• Action Required:

  • Review ZAP settings before January 6, 2026.

  • Opt out (if needed) via Security portal between Dec 6, 2025 – Jan 5, 2026.

Communicate changes to helpdesk and update internal documentation.

Learn more: MC1187837

Status: Rollout in progress (starting December 2025)
Summary: Security Copilot is now part of Microsoft 365 E5 at no additional cost, providing agentic defense capabilities across Microsoft Defender, Entra, Intune, and Purview.
Key Details:

• What’s Included:

  • Built-in agents integrated into Defender, Entra, Intune, Purview workflows.

  • Developer tools and APIs for custom agents and integrations.

• Entitlement:

  • 400 Security Compute Units (SCUs)/month per 1,000 paid users (up to 10,000 SCUs/month).

  • Scales with user count; additional SCUs available later at $6 per SCU.

• Rollout:

  • Existing E5 customers with Security Copilot: available now.

  • All other E5 customers: phased rollout with 30-day prior notification.

Benefits: Adaptive protection, automation, and advanced hunting powered by AI agents.

Learn more: Learn about Security Copilot inclusion in Microsoft 365 E5 subscription | Microsoft Learn