Microsoft Defender Monthly News – February 2026 Edition: Updates & New Features
- Microsoft is rolling out a series of updates across its Defender security portfolio, focusing on streamlining security operations, enhancing threat detection, and improving identity management.
- A key development is the general availability of AI-powered incident prioritization within Microsoft Defender.
- Microsoft Defender XDR is gaining new capabilities in advanced hunting, with the public preview of the BehaviorInfo and BehaviorEntities tables.
Microsoft Bolsters Defender Suite with AI-Powered Prioritization and Enhanced Identity Management
Microsoft is rolling out a series of updates across its Defender security portfolio, focusing on streamlining security operations, enhancing threat detection, and improving identity management. The changes, detailed in recent blog posts and roadmap updates, span Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Sentinel, with several features now generally available or entering public preview as of .
AI-Powered Incident Prioritization Now Generally Available
A key development is the general availability of AI-powered incident prioritization within Microsoft Defender. Announced at Microsoft Ignite in November 2025, this feature aims to reduce noise for security operations center (SOC) teams by focusing attention on high-quality, actionable incidents. The system leverages artificial intelligence to analyze and rank incidents, automatically handling lower-severity alerts in the background. Microsoft highlighted this capability as a solution to help SOC teams “cut through noise, focus on what matters most, and move faster with confidence.” Further details are available in a dedicated blog post.
Enhanced Threat Detection with New Advanced Hunting Schemas
Microsoft Defender XDR is gaining new capabilities in advanced hunting, with the public preview of the BehaviorInfo and BehaviorEntities tables. These tables provide additional columns and information related to User and Entity Behavior Analytics (UEBA) data, offering deeper insights into the relationships between identified behaviors and entities. The UEBA behaviors layer aggregates actionable insights from raw logs in near-real time, presenting a human-readable view of security events with MITRE ATT&CK context. Microsoft is also making UEBA available for direct configuration from data connector pages, reducing management overhead and preventing coverage gaps.
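As an added illustration (not a query from the post or from Microsoft's documentation), the following advanced hunting query shows how the two preview tables are meant to be used together: BehaviorInfo supplies the behavior and its ATT&CK context, BehaviorEntities supplies the accounts and devices tied to it, and BehaviorId is the join key. The column names other than BehaviorId and Timestamp are assumptions about the public-preview schema and should be checked against the schema reference in the portal.

```kusto
// Added example, not from the original post.
// Correlate UEBA behaviors with the entities involved, keeping only
// behaviors that carry MITRE ATT&CK technique context.
// Assumed columns (verify in the advanced hunting schema reference):
//   BehaviorInfo:     BehaviorId, ActionType, Description, AttackTechniques
//   BehaviorEntities: BehaviorId, EntityType, EntityRole, AccountUpn, DeviceName
let lookback = 7d;
BehaviorInfo
| where Timestamp > ago(lookback)
| where isnotempty(AttackTechniques)
| join kind=inner (
    BehaviorEntities
    | where Timestamp > ago(lookback)
    // project away the right-side Timestamp to avoid a Timestamp1 column
    | project BehaviorId, EntityType, EntityRole, AccountUpn, DeviceName
  ) on BehaviorId
// One row per behavior, with the set of entities it touched
| summarize
    Entities   = make_set(strcat(EntityType, "/", EntityRole, ":",
                                 coalesce(AccountUpn, DeviceName)), 20),
    Techniques = make_set(AttackTechniques),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
  by BehaviorId, ActionType, Description
| order by LastSeen desc
```

Narrow the first filter (for example `| where AccountUpn =~ "user@contoso.example"` inside the joined subquery) to review one identity's behaviors during an investigation.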
Streamlined Incident Management and Alert Tuning
Microsoft is introducing several features designed to streamline incident management. A new built-in alert tuning rules capability, currently in public preview, automatically handles informational and low-severity alerts, freeing up SOC teams to focus on genuine threats. A public preview of the “set as behavior” alert tuning option allows reclassification of certain alerts as behaviors, removing them from the active alert queue while still making them available for investigation and hunting. The Triage MCP, also in public preview, provides APIs for autonomous triage and investigation, enabling the development of agentic workflows.
Microsoft Defender for Identity Updates Focus on Identity Governance
Significant updates are coming to Microsoft Defender for Identity, with a focus on enhancing identity inventory and remediation capabilities. Generally available enhancements include a new “Accounts” tab in Identity Inventory, providing a consolidated view of accounts across Active Directory, Microsoft Entra ID, and supported third-party identity providers. Users can now manually link and unlink accounts, and perform remediation actions like disabling accounts or resetting passwords directly from the interface. A new advanced hunting table, IdentityAccountInfo, has also been added.
Microsoft is transitioning alerts from the classic Microsoft Defender for Identity format to the Microsoft Defender XDR alert format, while maintaining consistent alert IDs. The company is also rolling out enhanced RPC auditing requirements for advanced identity detections, accompanied by health alerts to identify misconfigured sensors. Automatic Windows event-auditing configuration for sensors v3.x is also being rolled out in public preview, streamlining deployment and correcting misconfigurations.
Microsoft Defender Vulnerability Management Enhancements
Microsoft Defender Vulnerability Management is receiving new Secure Score recommendations, including disabling the Remote Registry service on Windows to reduce attack surface and disabling NTLM authentication for Windows workstations to prevent credential theft. The Vulnerable devices report has been simplified, removing the “Vulnerable devices by Windows 10/11 version over time” section and limiting filters to Device Group, with a history limited to the last 30 days. These changes are currently not visible to government cloud customers, with visibility expected in late January 2026.
Microsoft Defender for Office 365 and Cloud Apps Updates
Microsoft Defender for Office 365 continues to receive updates, though specific details were not provided beyond the inclusion in the broader Defender monthly news. In Microsoft Defender for Cloud Apps, the Workday connector now requires only “View” permissions, aligning with the principle of least privilege. Administrators are encouraged to update Workday account settings to remove unnecessary “Modify” permissions.
Microsoft Sentinel Transition to Defender Portal
Microsoft is continuing the transition of Microsoft Sentinel to the Microsoft Defender portal. Microsoft Sentinel in the Azure portal will be retired on , after which it will be available exclusively in the Microsoft Defender portal. This transition is already generally available, even for customers without Microsoft Defender XDR or an E5 license. Microsoft is providing resources to assist with the migration.
These updates represent a continued investment by Microsoft in its Defender security suite, aiming to provide a more comprehensive, streamlined, and AI-powered security experience for organizations of all sizes.
