What’s new in DefenderXDR? 03/26
This time, Defender XDR brings several interesting changes that have an impact on how detections, investigations, and response workflows behave. Overall, the focus is less on big new elements and more on foundational capabilities that affect day‑to‑day SecOps work. Nonetheless, there are some highlights once again!
My personal Highlights
Live response library management
Centralized management of live response scripts and files sounds small, but it removes a lot of operational friction. Being able to upload, review, and clean up live response artifacts outside of an active session makes incident response more predictable and reusable, especially in mature SOC environments.
Proactive user containment (contain user)
Proactive user containment as part of predictive shielding is a step toward identity‑centric attack disruption. Blocking high‑risk users early, before credentials are reused at scale, can reduce blast radius, particularly in ransomware and hands‑on‑keyboard scenarios. This, and predictive shielding in general, is one of those features where understanding the behavior really matters, in my opinion.
Defender for Endpoint
-
Status: Preview
Summary
You can now view and manage files and scripts used during live response sessions directly in the Microsoft Defender portal. This provides a centralized library for handling live response artifacts outside of an active session.
Key Details
Impact
Files and scripts used for live response are no longer limited to in-session management
Centralized visibility into all uploaded files and their properties
Files can be uploaded, viewed, and deleted independently of an active live response session
Who’s affected
Security teams using Live Response in Microsoft Defender for Endpoint
Organizations maintaining reusable scripts or binaries for incident response
Required Actions
Review existing live response workflows
Evaluate whether centralized library management should replace ad-hoc, session-based file handling
-
Status: GA
Summary
The Effective settings tab under the Device inventory → Configuration management section is now generally available. It shows the actual applied value of each security setting on a device, along with the configuration source.
Key Details
Impact
Visibility into the effective value of each security setting on a device
Identification of configuration attempts that did not take effect
Clear attribution of which configuration source applied a setting
Helps eliminate gaps where intended protections are not enforced
Who’s affected
Security and endpoint teams managing device configurations in Microsoft Defender
Organizations troubleshooting conflicting or ineffective security settings
Required Actions
Use the Effective settings tab to validate applied security configurations
Learn more: Investigate devices in the Defender for Endpoint Devices list - Microsoft Defender for Endpoint | Microsoft Learn
-
Status: GA
Summary
The proactive user containment (contain user) action, part of predictive shielding, is now generally available. It identifies exposed credentials by correlating activity and exposure data and helps prevent their reuse for malicious activity.
Key Details
Impact
Identifies high‑risk user identities based on activity and exposure signals
Containment blocks common attack paths and limits lateral movement
Especially effective in ransomware and credential‑abuse scenarios
Contain user behavior
When a user is contained:
Network logons and attack-related protocols (RPC, SMB, RDP) are blocked
Ongoing remote sessions are terminated
Existing RDP sessions are logged off
Legitimate traffic remains allowed
Platform support
Windows 10/11 (Sense 8740+)
Windows Server 2019+
Windows Server 2012 R2 / 2016 with modern agent
Important note
Enforcing containment on a domain controller triggers a change to the Default Domain Controller Policy
This causes a normal AD GPO synchronization
Reverting containment restores the previous GPO state
Defender for Identity
-
Status: GA
Summary
Microsoft has added new Defender for Identity security alerts to improve detection of suspicious activity related to Entra ID and on‑premises Active Directory.
Key Details
Impact
Expanded visibility into suspicious identity-related activity
Improved detection of abuse scenarios involving Entra ID sync, OAuth, and Kerberos
Earlier detection of credential abuse and identity-based attacks
New alerts Entra ID
Suspicious user configuration change activity from Entra ID sync application
Anomalous OAuth device code authentication activity
Suspicious Graph API request made from Entra ID sync application
Suspicious sign-in observed from Entra ID sync application
Suspicious sign-in with CSRF speedbump trigger
New alerts Active Directory
Possible golden ticket attack (suspicious ticket)
Possible Kerberos key list attack
Learn more: Microsoft Defender for Identity XDR security alerts - Microsoft Defender for Identity | Microsoft Learn
-
Status: Announced
Summary
Microsoft is retiring the “Suspected identity theft (pass‑the‑ticket)” classic alert (External ID: 2018) as part of the move toward unified Microsoft Defender XDR detections. The “Pass‑the‑Ticket (PtT) attack” XDR alert (Detector ID: xdr_PassTheTicketAttack) will replace it going forward.
Key Details
Timeline
Retirement window: March 18–22, 2026
Impact
The classic alert will stop generating new alerts after retirement
Existing historical alerts will remain accessible
The XDR PtT detector continues and receives ongoing improvements
No changes outside security operations workflows
Who’s affected
Organizations using Microsoft Defender for Identity within Defender XDR
SOC teams relying on classic alerting and detector IDs
Required Actions
Update alert triage, workflows, and automation to reference XDR detector IDs
Reconfigure alert exclusions or tuning using XDR Alert Tuning
Inform SOC teams about the alert retirement
Update internal documentation to reference the new alert and detector ID
Learn more: MC1234542
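An added Advanced Hunting query (my own example, not from the announcement or Microsoft's documentation) for checking the migration: it shows whether the classic alert title is still firing after the retirement window and whether the replacement XDR detector is producing alerts, so triage rules and automation can be keyed on DetectorId instead of the alert title. It assumes AlertInfo exposes a DetectorId column and uses the 22 March 2026 end of the retirement window from the announcement.

```kusto
// Added example, not from the original post. Compares legacy pass-the-ticket
// alerts (matched by title) with the replacement XDR detector (matched by
// DetectorId) over the last 30 days.
// Assumption: AlertInfo exposes a DetectorId column.
let RetirementEnd = datetime(2026-03-22);
let XdrDetector = "xdr_PassTheTicketAttack";
AlertInfo
| where Timestamp > ago(30d)
| where Title contains "pass-the-ticket" or DetectorId == XdrDetector
| extend AlertSource = iff(DetectorId == XdrDetector, "XDR detector", "Classic MDI alert")
| summarize Alerts = count(), LastSeen = max(Timestamp)
    by AlertSource, Title, DetectorId, ServiceSource
// Classic alerts observed after the window indicate automation or tuning
// that still needs to be re-pointed at the XDR detector ID.
| extend ClassicSeenAfterRetirement = AlertSource == "Classic MDI alert" and LastSeen > RetirementEnd
| order by AlertSource asc, LastSeen desc
```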
Defender for Cloud Apps
Defender for Office 365
-
Status: GA
Summary
User‑reported message capabilities in Microsoft Teams are being expanded to Defender for Office 365 Plan 1. Users can report Teams messages as malicious directly to Microsoft, a designated reporting mailbox, or both.
Key Details
Impact
Users can report Microsoft Teams messages as malicious (security risk)
Reporting is supported across:
Chats
Standard channels
Shared channels
Private channels
Meeting conversations
Reports can be sent to:
Microsoft
A configured reporting mailbox
Or both, based on user‑reported settings
Who’s affected
Organizations using Defender for Office 365 Plan 1
Security teams relying on user‑reported signals
Required Actions
Review and configure user‑reported settings for Teams
Learn more: User reported message settings in Teams - Microsoft Defender for Office 365 | Microsoft Learn
-
Status: Announced
Summary
Microsoft is introducing a new granular permission to control access to quarantined email content in Microsoft Defender for Office 365. The change applies to Defender XDR Unified RBAC (URBAC) and limits who can preview or download quarantined messages.
Key Details
Timeline
Rollout start: Late March 2026
Expected completion: Mid‑April 2026
Impact
New permission introduced: Email and collaboration content: Quarantine emails (read)
Admins must have this permission to:
Preview quarantined email content
Download quarantined messages
Admins without this permission:
Can view metadata only
No changes to:
Threat detection
Verdicts
Mail flow
User quarantine experience
Who’s affected
Microsoft 365 administrators and security operators using Defender XDR Unified RBAC
Admins currently assigned:
Security operations
Security data
Email and collaboration quarantine (manage)
Security data basics (read)
This change does not apply to legacy RBAC
Automatic assignment
Admins with existing quarantine access will be auto‑assigned the new permission to maintain parity
Required Actions
Review which admins require access to quarantined email content
Update role assignments in the Microsoft Defender portal if needed
Learn more: MC1234569
-
Status: GA
Summary
Microsoft Defender for Office 365 (MDO) URL click alerting is being extended to Microsoft Teams. Security teams will now receive alerts when users click malicious or suspicious URLs in Teams messages, directly in the Microsoft Defender portal.
Key Details
Timeline
Public Preview (Worldwide): Late Feb 2026 – Early Mar 2026
GA (Worldwide): Early Mar 2026 – Mid‑Mar 2026
GA (GCC, GCCH, DoD): Early May 2026 – Late May 2026
Impact
Existing MDO alerts now also trigger for Teams URL clicks:
A user clicked through to a potentially malicious URL
A potentially malicious URL click was detected
Alerts appear alongside existing Defender alerts
Teams messages are included as evidence in alerts and incidents
Teams signals participate in incident correlation across email and Teams
Automated investigation and response (AIR) is not supported for Teams URL clicks
Feature is enabled by default for eligible tenants
No change to end‑user workflows
Who’s affected
Organizations licensed for:
Microsoft Defender for Office 365 Plan 2
Microsoft 365 E5
SOC teams monitoring alerts in the Microsoft Defender portal
Users sending or receiving Teams messages with URLs
Required Actions
No action required; feature is enabled automatically
Learn more: MC1239187
DefenderXDR
-
Status: GA
Summary
Microsoft is introducing two new remediation actions in Advanced Hunting for email investigations. Security teams can now block malicious attachments and top‑level URL domains directly from hunting results, enabling faster response from detection to mitigation.
Key Details
Timeline
GA (Worldwide, GCC, GCC High, DoD): Early March 2026 – End of March 2026
Impact
New remediation actions available from Advanced Hunting:
Block malicious email attachments
Block top‑level URL domains linked to phishing or malware campaigns
Actions are triggered via the Take action wizard
Feature is enabled by default
No impact to user workflows unless a blocking action is executed
Technical notes
Attachment blocking requires:
Query results including the Attachment column
Join with EmailAttachmentInfo on NetworkMessageId
Some actions may be unavailable if required columns are missing
Use Show empty columns before selecting Take action if needed
Who’s affected
SecOps teams using Advanced Hunting in Defender for Office 365
Organizations licensed for:
Microsoft Defender for Office 365 Plan 2
Required Actions
No action required to enable the feature
Learn more: MC1237728
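An added example query (mine, not from the announcement or Microsoft's documentation) shaped the way the technical notes describe: EmailEvents rows are joined to EmailAttachmentInfo on NetworkMessageId so that every result row carries the attachment columns (FileName, SHA256) the Take action wizard needs before the attachment-blocking action becomes available. The 7‑day window and the ThreatTypes filter are illustrative assumptions.

```kusto
// Added example, not from the original post. Surfaces delivered or blocked
// messages carrying malware/phish verdicts together with their attachments.
// Keep NetworkMessageId, RecipientEmailAddress, FileName and SHA256 in the
// output: removing them can make the remediation actions unavailable.
// Assumptions: lookback and ThreatTypes filter are illustrative.
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has_any ("Malware", "Phish")
| where AttachmentCount > 0
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, FileName, FileType, SHA256
  ) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, ThreatTypes, FileName, FileType, SHA256
| order by Timestamp desc
```

If a required column is still missing in the results grid, enable Show empty columns before opening Take action, as the notes above recommend.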
-
Status: GA
Summary
Several Advanced Hunting schema tables are now generally available, expanding visibility into identity, sign‑in, and Microsoft Graph API activity across Microsoft Entra ID.
Key Details
Impact
Improved identity‑centric investigations in Advanced Hunting
Correlation of account, sign‑in, and API activity within a single hunting workflow
Better visibility into Entra ID–based authentication and Graph API usage
New tables
IdentityAccountInfo
EntraIdSignInEvents
EntraIdSpnSignInEvents
GraphApiAuditEvents
Learn more: Overview - Advanced hunting - Microsoft Defender XDR | Microsoft Learn