the number of query results displayed in the Microsoft Defender portal has been increased to 100,000.

August 2025

• (Preview) In advanced hunting, you can now enrich your custom detection rules by creating dynamic alert titles and descriptions, select more impacted entities, and add custom details to display in the alert side panel. Microsoft Sentinel customers that are onboarded to Microsoft Defender also now have the option to customize the alert frequency when the rule is based only on data that is ingested to Sentinel.
• (Preview) The following advanced hunting schema tables are now available for preview:

1. The CloudStorageAggregatedEvents table contains information about storage activity and related events
2. The IdentityEvents table contains information about identity events obtained from other cloud identity service providers

• (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see Investigate behaviors with advanced hunting.
• (Preview) In advanced hunting, the number of query results displayed in the Microsoft Defender portal has been increased to 100,000.
• (GA) Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, Microsoft Defender Experts for Servers and Microsoft Defender Experts for Hunting - Servers. Learn more
• (GA) Defender Experts for XDR customers can now incorporate third-party network signals for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments.
• (GA) In advanced hunting, you can now view all your user-defined rules—both custom detection rules and analytics rules—in the Detection rules page. This feature also brings the following improvements:

1. You can now filter for every column (in addition to Frequency and Organizational scope).
2. For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the Workspace ID column and filter by workspace.
3. You can now view the details pane even for analytics rules.
4. You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.

• (GA) The Sensitivity label filter is now available in the Incidents and Alerts queues in the Microsoft Defender portal. This filter lets you filter incidents and alerts based on the sensitivity label assigned to the affected resources. For more information, see Filters in the incident queue and Investigate alerts.