Important
Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.
This article summarizes what's new in Microsoft Defender for Cloud. It includes information about new features in preview or in general availability (GA), feature updates, upcoming feature plans, and deprecated functionality.
This page is updated frequently with the latest updates in Defender for Cloud.
Find the latest information about security recommendations and alerts in What's new in recommendations and alerts.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss
March 2026
| Date | Category | Update |
|---|---|---|
| March 04, 2026 | Deprecation | Deprecation of preview of container and container images vulnerability recommendations |
Deprecation of preview of container and container images vulnerability recommendations
March 04, 2026
As part of the transition to individual recommendations, Microsoft Defender for Cloud is deprecating existing grouped container vulnerability recommendations. This change enables more granular visibility, prioritization, and governance of container security findings.
Grouped recommendations previously aggregated multiple findings under a single recommendation. These findings are now surfaced as individual recommendations, created per software update, vulnerability, secret, or issue type.
During the transition period, grouped and individual recommendations may appear side by side. Grouped recommendations are on a deprecation path and will be removed in phases.
The following grouped container vulnerability recommendations will be deprecated on April 13, 2026:
Container recommendations
- [Preview] Containers running in Azure should have vulnerability findings resolved
Container image recommendations
- [Preview] Container images in Azure registry should have vulnerability findings resolved
Customers should update any queries, automation, governance rules, or workflows that rely on grouped recommendation keys to use individual recommendations and security categories instead.
When querying individual recommendations, the same logic can be applied across cloud providers by adjusting the Source value.
Example: Container vulnerability recommendations
The following query allows customers to identify the new individual container vulnerability recommendations for containers running in Azure.
```kusto
securityresources
| where type == "microsoft.security/assessments"
| where properties.metadata.recommendationCategory == "SoftwareUpdate"
| where properties.resourceDetails.ResourceType == "K8s-container"
| where properties.resourceDetails.Source == "Azure"
```
Example: Container image vulnerability recommendations
The following query allows customers to identify the new individual container image vulnerability recommendations in Azure container registries. To target AWS or GCP registries, update the Source value accordingly.
```kusto
securityresources
| where type == "microsoft.security/assessments"
| where properties.metadata.recommendationCategory == "SoftwareUpdate"
| where properties.resourceDetails.ResourceType == ".containerimage"
| where properties.resourceDetails.Source == "Azure"
```
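The two filters above combined into one cross-cloud inventory that can replace a dashboard or automation keyed on a grouped recommendation. This is an added example, not a query from the original article. The `AWS` and `GCP` spellings of the Source value are assumptions (the article names only `Azure`), so the comparison is case-insensitive; `properties.status.code` and `properties.displayName` are standard fields of an assessment record.

```kusto
// Added example: unhealthy individual container and container image
// vulnerability recommendations, counted per cloud provider.
securityresources
| where type == "microsoft.security/assessments"
| where properties.metadata.recommendationCategory == "SoftwareUpdate"
// Project the dynamic properties to strings so they can be filtered and grouped.
| extend resourceType   = tostring(properties.resourceDetails.ResourceType),
         source         = tostring(properties.resourceDetails.Source),
         statusCode     = tostring(properties.status.code),
         recommendation = tostring(properties.displayName)
// The two ResourceType values used in the article's queries.
| where resourceType in ("K8s-container", ".containerimage")
// Assumption: Source spellings for AWS and GCP; in~ ignores case.
| where source in~ ("Azure", "AWS", "GCP")
// Keep only findings that still need remediation.
| where statusCode == "Unhealthy"
// One row per provider, resource type and individual recommendation.
| summarize unhealthyAssessments = count() by source, resourceType, recommendation
| order by source asc, resourceType asc, unhealthyAssessments desc
```

Running this during the transition period alongside the existing grouped-key query shows whether the individual recommendations already cover the resources the grouped recommendation reported.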
Learn more about security recommendations and New individual recommendations format in Azure portal (Preview).
October 2025
| Date | Category | Update |
|---|---|---|
| October 23, 2025 | Deprecation Notice | Update Outbound Rules for Microsoft Defender for Containers |
| October 23, 2025 | Update | GitHub Application Permissions Update |
Deprecation notice: update outbound rules for Microsoft Defender for Containers
Microsoft Defender for Containers updated the outbound network requirements for the Defender sensor. You must update your outbound rules to maintain proper functionality.
This change affects all subscriptions using Microsoft Defender for Containers. If you're not using the Defender sensor, no action is required.
Beginning now, the Defender for Containers sensor requires outbound traffic to the following fully qualified domain name (FQDN) and port:
*.cloud.defender.microsoft.com (HTTPS: port 443)
Recommended actions
Add the new FQDN and port to your allowed traffic in your outbound restriction method, such as a proxy or firewall.
If you don't block egress traffic from your clusters, no action is required.
To verify connectivity to Microsoft Defender for Containers endpoints, run the connectivity test script to confirm network accessibility from your cluster.
Deadline
To avoid service disruption, complete any necessary updates of GKE and EKS by September 30, 2026. If no action is taken where required, the Defender for Containers sensor won't function as expected.
GitHub application permissions update
October 23, 2025
Defender for Cloud is updating its GitHub connector to request a new permission: artifact_metadata:write. This enables new capabilities that support artifact attestations - providing verifiable build provenance and strengthening your software supply chain security.
The permission is narrowly scoped, aligning with least privilege principles to support faster and easier security approvals.
How to approve the new permission:
- Via GitHub settings: In your GitHub organization, go to Settings > GitHub Apps, select the Microsoft Security DevOps application, and approve the pending permission request.
- Via email (for organization owners): GitHub sends an automated email to organization owners with the subject "Review permissions request for Microsoft Security DevOps". Select Review permission request to approve or reject the change.
Didn’t get the email? Only GitHub organization owners receive this notification. If you're not an owner, please contact one in your organization to approve the request via GitHub settings.
Note: existing connectors will continue to work without this permission, but the new functionality will only be available once the permission is approved.
August 2025
| Date | Category | Update |
|---|---|---|
| August 5, 2025 | Preview | Storage aggregated logs in XDR's Advanced Hunting (Preview) |
Storage aggregated logs in XDR's Advanced Hunting (Preview)
August 5, 2025
The new CloudStorageAggregatedEvents table is now available in Microsoft Defender XDR’s Advanced Hunting experience. It brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. The aggregation reduces noise, improves performance, and provides a high-level view of storage access patterns to support more effective threat detection and investigation.
The logs are available at no additional cost as part of the new per-storage account plan in Defender for Storage. For more information, visit CloudStorageAggregatedEvents (Preview).
July 2025
| Date | Category | Update |
|---|---|---|
| July 15, 2025 | Preview | Four new Regulatory Compliance Standards |
| July 3, 2025 | GA | Scanning support for Chainguard container images and Wolfi |
Four new Regulatory Compliance Standards
July 15, 2025
Microsoft Defender for Cloud's Regulatory Compliance is expanding its support to include four new frameworks across Azure environments:
- Digital Operational Resilience Act (DORA)
- European Union Artificial Intelligence Act (EU AI Act)
- Korean Information Security Management System for Public Cloud (k-ISMS-P)
- Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v3.0
These frameworks are now available in preview and can be enabled via the Regulatory Compliance dashboard in Microsoft Defender for Cloud.
For more information see: Regulatory compliance standards in Microsoft Defender for Cloud.
Scanning support for Chainguard container images and Wolfi
July 3, 2025
Microsoft Defender for Cloud's vulnerability scanner, powered by Microsoft Defender Vulnerability Management, is extending its scanning coverage to Chainguard container images, and identifies vulnerabilities in Chainguard Images and Wolfi to validate that they're shipping the most secure builds possible. As additional image types are being scanned, your bill might increase. For all supported distributions, see Registries and images support for vulnerability assessment.