What's new in Microsoft 365 Defender

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

The following features are in preview or generally available (GA) in the latest release of Microsoft 365 Defender.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us

November 2021

  • (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
  • (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
  • (Preview) You can now use the link to incident feature to add events or records from advanced hunting query results directly to a new or existing incident that you are investigating.

October 2021

  • (GA) In advanced hunting, more columns were added to the CloudAppEvents table. You can now include AccountType, IsExternalUser, IsImpersonated, IPTags, IPCategory, and UserAgentTags in your queries.

September 2021

  • (GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the article Supported Microsoft 365 Defender event types in streaming API.
  • (GA) Microsoft Defender for Office 365 data in advanced hunting is now generally available.
  • (Preview) Assign incidents and alerts to user accounts
    You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.

August 2021

  • (Preview) Microsoft Defender for Office 365 data available in advanced hunting
    New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the AuthenticationDetails column in EmailEvents, FileSize in EmailAttachmentInfo, and ThreatTypes and DetectionMethods in EmailPostDeliveryEvents tables.

  • (Preview) Incident graph
    A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.

July 2021

  • Professional services catalog
    Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.

June 2021

  • (Preview) View reports per threat tags
    Threat tags help you focus on specific threat categories and review the most relevant reports.
  • (Preview) Streaming API
    Microsoft 365 Defender supports streaming all the events available through advanced hunting to Event Hubs and/or an Azure storage account.
  • (Preview) Take action in advanced hunting
    Quickly contain threats or address compromised assets that you find in advanced hunting.
  • (Preview) In-portal schema reference
    Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (ActionType values) and sample queries.
  • (Preview) DeviceFromIP() function
    Get information about which devices were assigned a specific IP address or addresses in a given time range.

May 2021

April 2021

  • Microsoft 365 Defender
    The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.

  • Microsoft 365 Defender threat analytics report
    Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.

March 2021

  • CloudAppEvents table
    Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in the AppFileEvents table.

February 2021