What's new in Microsoft 365 Defender
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.
The following features are in preview or generally available (GA) in the latest release of Microsoft 365 Defender.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Cloud App Security
- (Preview) The application governance add-on feature to Defender for Cloud Apps is now available in Microsoft 365 Defender. App governance provides a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. Learn more about application governance.
- (Preview) The advanced hunting page now has multitab support, smart scrolling, streamlined schema tabs, quick edit options for queries, a query resource usage indicator, and other improvements to make querying smoother and easier to fine-tune.
- (Preview) You can now use the link to incident feature to include events or records from the advanced hunting query results right into a new or existing incident that you are investigating.
- (GA) In advanced hunting, more columns were added in the CloudAppEvents table. You can now include
UserAgentTagsto your queries.
- (GA) Microsoft Defender for Office 365 event data is available in the Microsoft 365 Defender event streaming API. You can see the availability and status of event types in the Supported Microsoft 365 Defender event types in streaming API.
- (GA) Microsoft Defender for Office 365 data available in advanced hunting is now generally available.
- (Preview) Assign incidents and alerts to user accounts
You can assign an incident, and all the alerts associated with it, to a user account from Assign to: on the Manage incident pane of an incident or the Manage alert pane of an alert.
(Preview) Microsoft Defender for Office 365 data available in advanced hunting
New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the
AuthenticationDetailscolumn in EmailEvents,
FileSizein EmailAttachmentInfo, and
DetectionMethodsin EmailPostDeliveryEvents tables.
(Preview) Incident graph
A new Graph tab on the Summary tab of an incident shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
- Professional services catalog
Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
- (Preview) View reports per threat tags
Threat tags help you focus on specific threat categories and review the most relevant reports.
- (Preview) Streaming API
Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.
- (Preview) Take action in advanced hunting
Quickly contain threats or address compromised assets that you find in advanced hunting.
- (Preview) In-portal schema reference
Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (
ActionTypevalues) and sample queries.
- (Preview) DeviceFromIP() function
Get information about which devices have been assigned a specific IP address or addresses at a given time range.
- New alert page in the Microsoft 365 Defender portal
Provides enhanced information for the context into an attack. You can see which other triggered alert caused the current alert and all the affected entities and activities involved in the attack, including files, users and mailboxes. See Investigate alerts for more information.
- Trend graph for incidents and alerts in the Microsoft 365 Defender portal
Determine if there are several alerts for a single incident or that your organization is under attack with several different incidents. See Prioritize incidents for more information.
Microsoft 365 Defender
The improved Microsoft 365 Defender portal is now available. This new experience brings together Defender for Endpoint, Defender for Office 365, Defender for Identity, and more into a single portal. This is the new home to manage your security controls. Learn what's new.
Microsoft 365 Defender threat analytics report
Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
- CloudAppEvents table
Find information about events in various cloud apps and services covered by Microsoft Cloud App Security. This table also includes information previously available in the
- (Preview) The enhanced Microsoft 365 Defender portal (https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. Learn more about what's changed.
- (Preview) Microsoft 365 Defender APIs - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.