Microsoft 365 Defender preview features


The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

Applies to:

  • Microsoft 365 Defender

The Microsoft 365 Defender service is constantly being updated to include new feature enhancements and capabilities.

Learn about new features in the Microsoft 365 Defender preview release and be among the first to try upcoming features by turning on the preview experience.

For more information on new capabilities that are generally available, see What's new in Microsoft 365 Defender.

Turn on preview features

You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available.

Turn on the preview experience setting to be among the first to try upcoming features.

  1. In the navigation pane, select Settings.

  2. Select Microsoft 365 Defender.

  3. Select Preview features > Turn on preview features.

  4. Select Save.

You'll know you have preview features turned on when you see that the Turn on preview features check box is selected.

Preview features

The following features and enhancements are currently available on preview:

  • Microsoft 365 Defender APIs - The lop-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.
  • Take action in advanced hunting—Quickly contain threats or address compromised assets that you find in advanced hunting.
  • In-portal schema reference—Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (ActionType values) and sample queries.
  • DeviceFromIP() function—Get information about which devices have been assigned a specific IP address or addresses at a given time range.