Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

AI Agents Hunting Queries Migrated to Unified AgentsInfo Table -- Connector-Split Queries Retired

Seven consolidated AI agent hunting queries now target the unified Defender XDR AgentsInfo table, replacing 26 connector-specific queries split across the A365 and Copilot Studio connectors; existing deployments still running the old AIAgentsInfo-based queries have had no effective hunting coverage since the table split was introduced. Read More →

New Workbook: Hybrid Attack Kill-Chain Hunting Across Cloud and On-Prem Identity

A new behavior-led hunting workbook registers in Microsoft Sentinel covering end-to-end hybrid identity attack scenarios across 7 MITRE ATT&CK phases, correlating signals from Entra ID, Azure, on-prem AD, and Defender XDR. Read More →

Microsoft Defender XDR: Email Hunting Queries Fixed to Reference Correct Connector, Three New Teams/Phish Queries Added

Three email-focused Hunting Queries had a broken connector reference (OfficeATP instead of MicrosoftThreatProtection), suppressing results for orgs using the Defender XDR connector; three new queries covering RMM-via-Teams, alert correlation with Teams messages, and phish-reporter identity are also added. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis

New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios. Read More →

Microsoft Sentinel to Defender Portal Migration Readiness Tool

New PowerShell assessment tool identifies migration blockers for Sentinel-to-Defender portal transitions. Read More →

Teams Social Engineering Detection: New Hunting Queries for RMM-Based Attacks

Two new hunting queries detect Teams phishing campaigns that lure victims into launching remote access tools, addressing the Storm-1811 / Black Basta cross-tenant attack pattern. Read More →

SAP: New Agentless User Blocking Playbook for Defender XDR Integration

New SAP playbook enables automated user blocking via Teams adaptive cards with enhanced support for complex multi-alert incidents from Microsoft Defender XDR. Read More →

ASIM AlertEvent Parser: Microsoft Defender XDR Missing AlertOriginalStatus Field Restored

Critical data fidelity fix restores missing AlertOriginalStatus field in Microsoft Defender XDR ASIM AlertEvent parser, resolving alert status visibility gap. Read More →

Microsoft Defender XDR Solution: Punycode Hunting Query Added for Lookalike Domain Detection

Microsoft Defender XDR solution v3.0.14 adds hunting query targeting Punycode character abuse in lookalike domain attacks. Read More →

ASIM AlertEvent: Microsoft Defender XDR Parser Enhanced with Improved Field Mappings

Microsoft Defender XDR AlertEvent parsers updated with optimized KQL logic, corrected field mappings, and enhanced IP address collection. Read More →

Microsoft Defender XDR: New Hunting Query for Punycode Lookalike Domain Phishing

Advanced hunting query detects punycode domains using Cyrillic, Greek, and fullwidth ASCII characters to visually impersonate legitimate domains in email and Teams. Read More →

Microsoft Defender XDR: SUNSPOT Detection Rule Documentation Update

Updated SUNSPOT malware detection rule with corrected reference link formatting and MITRE technique mapping fixes across multiple solutions. Read More →

Microsoft Defender XDR: Teams Hunting Queries Version Number Fix

Corrected malformed version numbers in Microsoft Teams threat hunting queries from invalid “l.0.0” to proper “1.0.0” format. Read More →

Multi-Solution Link Updates: MITRE Technique Corrections and Reference Refreshes

Updated outdated links and corrected MITRE ATT&CK technique mapping in detection rules across Microsoft Business Applications, Microsoft Defender XDR, and Windows Security Events solutions. Read More →

ZeroFox CCF Connector: KQL Query Restoration and Multi-Solution Maintenance

ZeroFox CCF connector receives missing KQL query fixes alongside packaging updates across 8+ solutions. Read More →

Microsoft Defender XDR Workbook Version 3: Enhanced Visualizations and Insights

Updated Microsoft Defender for Office 365 workbook to version 3 with new visuals and improved insights based on user feedback. Read More →

Microsoft Teams Security: 9 Additional Hunting Queries for Advanced Threat Detection

Extended Teams protection hunting coverage with queries for partner impersonation, admin submissions, and external sender analysis. Read More →

Open Systems Connector: aiohttp Security Update 3.10.11→3.12.14 Plus Multi-Solution Changes

Open Systems connector updated aiohttp dependency addressing potential security vulnerabilities, bundled with extensive solution packaging updates. Read More →