Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting

May 2026

• Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers are now offered as standalone offerings for customers who wish to avail managed extended detection and response and threat hunting services for their on-premises and multicloud servers protected by Microsoft Defender for Cloud. These services were previously offered as add-ons to Microsoft Defender Experts for XDR and Mircosoft Defender Experts for Hunting, respectively. Learn more.
• (Preview) Automatic attack disruption can now isolate compromised devices from the network when high-confidence incident analysis indicates the device is being used as an active foothold. Isolation blocks attacker communication and lateral movement while keeping the device connected to security services. The action is time-limited, scoped to devices involved in the incident, and can be released by security operators at any time. Learn more
• In advanced hunting, the Take action wizard now lets customers allow or block top-level domains and files attachment hashes in emails based on query results. Learn more.
• The hunting graph in advanced hunting now includes new identity-focused predefined scenarios. These scenarios help you discover attack paths, privilege escalation routes, and credential access risks across on-premises and cloud environments, including Kerberoast and AS-REP roast paths, domain compromise routes, OAuth application risks, and external user access to cloud resources.