Microsoft Defender Updates

The January 2026 edition of Microsoft Defender Monthly News (covering December 2025 releases) brings major progress across AI-powered threat hunting, automated triage, and advanced detection capabilities. These updates continue Microsoft’s push toward proactive, analyst-assisted security operations.

AI-Driven Threat Detection and Hunting Advancements

Microsoft introduced multiple new Security Copilot–powered agents across Defender, significantly reducing manual effort for SOC teams:

  • Phishing Triage Agent (General Availability): Now GA, this agent autonomously analyzes user-reported phishing emails, distinguishes real threats from false positives, and explains verdicts in natural language. It dramatically reduces triage workload and will soon expand to cloud and identity alerts.
  • Dynamic Threat Detection Agent (Public Preview): An always-on agent that continuously correlates telemetry to uncover previously unseen threats, closing detection gaps traditional rules can’t catch.
  • Threat Hunting Agent (Public Preview): Enables analysts to conduct expert-level threat hunts using natural-language questions, eliminating the need to write complex queries while revealing hidden attack patterns.
  • Threat Intelligence Briefing Agent (General Availability): Delivers daily, tailored intelligence briefings directly inside Microsoft Defender, prioritizing risks and recommendations based on your organization’s context.

Advanced Hunting Enhancements

Advanced hunting continues to mature with new schemas and capabilities:

  • New schema tables (Public Preview) for deeper email and file-based investigations in Defender for Office 365
  • Hunting graph (General Availability) with interactive visualizations and new predefined threat scenarios
  • Custom functions with tabular parameters (GA) enabling more modular, reusable, and scalable hunting queries

These updates give security teams greater flexibility, clarity, and speed in investigations.
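To show what a custom function with a tabular parameter looks like in practice, here is an added example written for this summary; it is not code from Microsoft or from the release notes. It uses standard Kusto syntax for a `let` function whose first parameter is a table, and it assumes the saved custom-function feature accepts the same definition. `DeviceProcessEvents` and the columns `Timestamp`, `DeviceName` and `FileName` are real advanced hunting schema names; the function name and threshold are illustrative.

```kql
// Added example (not from the Defender release notes): a reusable hunting
// function whose first parameter is tabular. The same function can be applied
// to DeviceProcessEvents, a pre-filtered subset of it, or any other table that
// exposes DeviceName and FileName columns, which is what makes tabular
// parameters useful for modular queries.
let RareProcessesByDevice = (T:(DeviceName:string, FileName:string), MaxDevices:long) {
    T
    // Count distinct devices per executable and keep a small sample of device names
    | summarize DeviceCount = dcount(DeviceName),
                SampleDevices = make_set(DeviceName, 10)
              by FileName
    // Binaries seen on fewer than MaxDevices hosts are candidates for a closer look
    | where DeviceCount < MaxDevices
    | order by DeviceCount asc
};
// Apply the function to the last day of process starts via `invoke`, which
// passes the piped table as the tabular argument and the literal 3 as MaxDevices.
DeviceProcessEvents
| where Timestamp > ago(1d)
| invoke RareProcessesByDevice(3)
```

Narrowing the input (for example, adding a `where` on `InitiatingProcessFileName` before `invoke`) changes what the function analyzes without touching its definition, so one saved function can back several hunts.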

Product-Specific Updates Across Defender Portfolio

  • Microsoft Defender for Endpoint: Introduced Triage Collection (Public Preview) to help prioritize incidents and hunt threats using the Sentinel Model Context Protocol (MCP).
  • Microsoft Defender for Identity: Added new ADWS LDAP search activity visibility in Advanced Hunting and expanded Graph API properties for deeper identity monitoring.
  • Microsoft Defender for Cloud Apps: Permissions are now fully integrated with Microsoft Defender XDR Unified RBAC, improving centralized access control. A new unused app insights feature (Public Preview) helps identify and govern unused OAuth apps across Microsoft 365 environments.

What This Means for Security Teams

January’s updates reinforce Microsoft’s strategy of AI-assisted security at scale—where agents handle repetitive analysis, hunting, and intelligence synthesis, allowing human analysts to focus on decision-making and response. These capabilities help organizations move from reactive security operations to proactive defense with greater speed, transparency, and confidence.