MC1222979 – New Built-in Alert Tuning Rules optimize your incident and alert queues (archived)

check before: 2026-01-25

Product:

Defender, Defender for Office 365, Defender XDR

Platform:

Online, World tenant

Status:

Change type:

User impact, Admin impact

Links:

Summary:
Starting January 25, 2026, Microsoft Defender XDR introduces built-in alert tuning rules focusing on low-severity Office 365 alerts, with automated triage and reopening if needed. Active from February 5, these rules help SOCs prioritize alerts, with an opt-out window until February 5 and multi-tenant management support.

Details:
Introduction
We're improving how alerts show up in Microsoft Defender XDR incidents to help your SOC prioritize actionable work and keep investigations moving efficiently. Starting January 25, 2026, administrators will see the new built-in alert tuning experience in the portal UI. During this initial period, the experience is visible, but the built-in tuning won't be active yet.
The review and opt-out window runs from January 25 through February 5. During this time, you can review the new settings and decide whether to keep the default experience enabled or disable it for your organization.
What's going live on February 5, 2026
On February 5, 2026, the functionality becomes active:
Initial rule set: The initial set of rules focuses on Microsoft Defender for Office 365 (MDO), with 12 built-in rules designed for informational and low-severity Defender for Office 365 alerts. More built-in rules will be added over time, expanding coverage to additional workloads. You'll receive advance notification so you can review upcoming additions and opt out before they take effect in your environment.
Automated triage with AIR: For selected alerts with Automated Investigation and Response (AIR) playbooks, Defender will automatically run an immediate investigation to help determine whether SOC attention is required.
Reopen when needed: If the investigation indicates that additional review is needed, the alert will reopen as "New" and return to your queue for analyst action.
Included in this release (MDO alert types)
The 12 built-in rules in this release apply to the following alert types:
   - User requested to release a quarantined message
   - Email reported by user as junk
   - Email reported by user as not junk
   - Email reported by user as malware or phish
   - Tenant Allow/Block List entry is about to expire
   - Removed an entry in Tenant Allow/Block List
   - Email messages removed after delivery
   - Email messages from a campaign removed after delivery
   - Email messages containing malicious file removed after delivery
   - Email messages containing malicious URL removed after delivery
   - Admin Submission Result Completed
   - Admin triggered manual investigation of email
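As an added example (not Microsoft's logic and not part of this notice), the following Python models the announced flow so a SOC can run it over an alert export during the review window and see how much of its queue the rules would handle. The match criteria (MDO source, informational/low severity, one of the 12 titles), the CSV column names and the AIR verdict value are assumptions, not a Defender export schema.

```python
import csv
import io
from collections import Counter

# The 12 Defender for Office 365 alert types named in the announcement.
BUILT_IN_TUNED_TITLES = {
    "User requested to release a quarantined message",
    "Email reported by user as junk",
    "Email reported by user as not junk",
    "Email reported by user as malware or phish",
    "Tenant Allow/Block List entry is about to expire",
    "Removed an entry in Tenant Allow/Block List",
    "Email messages removed after delivery",
    "Email messages from a campaign removed after delivery",
    "Email messages containing malicious file removed after delivery",
    "Email messages containing malicious URL removed after delivery",
    "Admin Submission Result Completed",
    "Admin triggered manual investigation of email",
}

def would_be_tuned(alert):
    # Assumed match criteria: an MDO alert of informational or low severity with one
    # of the 12 titles. The column names are ours, not a Defender export schema.
    return (alert["source"] == "MDO"
            and alert["severity"].strip().lower() in {"informational", "low"}
            and alert["title"] in BUILT_IN_TUNED_TITLES)

def triage(alert):
    # Announced behaviour: a matching alert is handled by the rule; if the AIR
    # investigation says more review is needed, it reopens as "New" for an analyst.
    if not would_be_tuned(alert):
        return "untouched"
    if alert.get("air_verdict", "").strip().lower() == "needs_review":
        return "reopened_as_new"
    return "auto_resolved"

def impact_report(csv_text):
    # Count outcomes over an export: how much of the queue the rules would handle.
    return Counter(triage(row) for row in csv.DictReader(io.StringIO(csv_text)))

# Constructed sample export, not real tenant data.
SAMPLE_EXPORT = """title,severity,source,air_verdict
Email reported by user as junk,Informational,MDO,
Email reported by user as malware or phish,Low,MDO,needs_review
Email messages removed after delivery,Low,MDO,no_threats_found
Email messages removed after delivery,High,MDO,
Suspicious PowerShell command line,Medium,MDE,
"""
print(dict(impact_report(SAMPLE_EXPORT)))  # {'auto_resolved': 2, 'reopened_as_new': 1, 'untouched': 2}
```

Only the informational/low MDO rows with a listed title are touched; the high-severity row and the non-MDO row stay in the analyst queue.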

Release Phase:

Created:
2026-01-28

updated:
2026-01-28

summary for non-techies**

Starting January 25, 2026, Microsoft Defender XDR will implement new alert tuning rules to help SOCs manage alert queues by prioritizing critical issues, with a review window until February 5, after which the rules become active and can be managed across multiple tenants.

Direct effects for Operations**

Automated Triage Impact
If the built-in alert tuning rules are activated without proper preparation, SOC analysts may miss critical alerts that require immediate attention due to automated triage prioritizing low-severity alerts.
   - roles: SOC Analyst, IT Security Manager
   - references: https://aka.ms/builtintuningblog, https://aka.ms/built-in-tuning-rules

User Experience with Alerts
Users may experience delays in response to legitimate security threats as automated investigations could lead to alerts being deprioritized or overlooked, impacting overall security posture.
   - roles: End User, IT Support Specialist
   - references: https://aka.ms/builtintuningblog, https://aka.ms/built-in-tuning-rules

** AI generated content. This information must be reviewed before use.
