What's new in Defender for Cloud features

Important

Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.

This article summarizes what's new in Microsoft Defender for Cloud. It includes information about new features in preview or in general availability (GA), feature updates, upcoming feature plans, and deprecated functionality.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/mdc/rss

October 2025

Date             | Category           | Update
October 23, 2025 | Deprecation Notice | Update Outbound Rules for Microsoft Defender for Containers
October 23, 2025 | Update             | GitHub Application Permissions Update

Deprecation notice: update outbound rules for Microsoft Defender for Containers

Microsoft Defender for Containers updated the outbound network requirements for the Defender sensor. You must update your outbound rules to maintain proper functionality.

This change affects all subscriptions using Microsoft Defender for Containers. If you're not using the Defender sensor, no action is required.

Beginning now, the Defender for Containers sensor requires outbound traffic to the following fully qualified domain name (FQDN) and port:

*.cloud.defender.microsoft.com (HTTPS: port 443)

  1. Add the new FQDN and port to your allowed traffic in your outbound restriction method, such as a proxy or firewall.

  2. If you don't block egress traffic from your clusters, no action is required.

  3. To verify connectivity to Microsoft Defender for Containers endpoints, run the connectivity test script to confirm network accessibility from your cluster.
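The page does not include the connectivity test script it refers to, so the following is an added example (not Microsoft's script) that performs the defender-side check a cluster or network administrator would want before the deadline: does the existing egress allowlist already cover the new wildcard FQDN on port 443? The allowlist format (`EgressRule` with an FQDN pattern and a port set) and the wildcard-matching semantics (`*.suffix` covers any host at or below that suffix but not the apex; a broader wildcard covers a narrower one; an exact host never covers a wildcard requirement) are assumptions for illustration and should be checked against the semantics of the proxy or firewall actually in use. The sample allowlists are constructed.

```python
"""Audit an egress allowlist for the Defender for Containers sensor endpoint.

Added example, not Microsoft's connectivity test script. The rule format and
the wildcard semantics are assumptions; verify them against your own proxy or
firewall product before relying on the result.
"""
from dataclasses import dataclass

# Endpoint and port stated on the page.
REQUIRED_ENDPOINTS = [("*.cloud.defender.microsoft.com", 443)]


@dataclass(frozen=True)
class EgressRule:
    """One allow entry: an exact host, a '*.suffix' wildcard, or '*' for any host.

    An empty port set means the rule allows every port (assumed convention).
    """
    fqdn: str
    ports: frozenset


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def pattern_covers(rule_fqdn: str, required_fqdn: str) -> bool:
    """True if an allow-rule pattern covers a required host or wildcard pattern."""
    rule, req = _norm(rule_fqdn), _norm(required_fqdn)
    if rule == "*":
        return True
    if rule.startswith("*."):
        suffix = rule[1:]  # e.g. ".microsoft.com"
        # Strip the leading '*' of a wildcard requirement so that a rule
        # '*.microsoft.com' covers '*.cloud.defender.microsoft.com', while the
        # leading dot prevents 'evilmicrosoft.com' from matching.
        return req.lstrip("*").endswith(suffix)
    # An exact-host rule can only satisfy an exact-host requirement.
    return not req.startswith("*") and req == rule


def missing_endpoints(allowlist, required=REQUIRED_ENDPOINTS):
    """Return the (fqdn, port) pairs from `required` that no rule in `allowlist` covers."""
    missing = []
    for fqdn, port in required:
        covered = any(
            pattern_covers(rule.fqdn, fqdn) and (not rule.ports or port in rule.ports)
            for rule in allowlist
        )
        if not covered:
            missing.append((fqdn, port))
    return missing


# Constructed sample: an allowlist that has unrelated entries plus the new
# domain on the wrong port, a plausible mistake when the rule is copied by hand.
SAMPLE_ALLOWLIST = [
    EgressRule("*.azurecr.io", frozenset({443})),
    EgressRule("*.cloud.defender.microsoft.com", frozenset({80})),  # wrong port
]

# Constructed sample: the same allowlist after adding the required FQDN and port.
CORRECTED_ALLOWLIST = SAMPLE_ALLOWLIST + [
    EgressRule("*.cloud.defender.microsoft.com", frozenset({443})),
]

if __name__ == "__main__":
    for name, rules in (("before", SAMPLE_ALLOWLIST), ("after", CORRECTED_ALLOWLIST)):
        gaps = missing_endpoints(rules)
        print(f"{name}: {'OK' if not gaps else 'missing ' + str(gaps)}")
```

Running the block prints `before: missing [('*.cloud.defender.microsoft.com', 443)]` and `after: OK`. The audit is static: it tells you whether the configuration intends to allow the traffic, not whether packets actually get through, so a live connectivity check from a pod in the cluster is still the final confirmation.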

Deadline

To avoid service disruption, complete any necessary updates of GKE and EKS by September 30, 2026. If no action is taken where required, the Defender for Containers sensor won't function as expected.

GitHub application permissions update

October 23, 2025

Defender for Cloud is updating its GitHub connector to request a new permission: artifact_metadata:write. This enables new capabilities that support artifact attestations - providing verifiable build provenance and strengthening your software supply chain security. The permission is narrowly scoped, aligning with least privilege principles to support faster and easier security approvals.

How to approve the new permission:

  • Via GitHub settings: In your GitHub organization, go to Settings > GitHub Apps, select the Microsoft Security DevOps application, and approve the pending permission request.

  • Via email (for organization owners): GitHub sends an automated email to organization owners with the subject "Review permissions request for Microsoft Security DevOps". Click Review permission request to approve or reject the change.

Didn’t get the email? Only GitHub organization owners receive this notification. If you're not an owner, please contact one in your organization to approve the request via GitHub settings.

Note: existing connectors will continue to work without this permission, but the new functionality will only be available once the permission is approved.

August 2025

Date           | Category | Update
August 5, 2025 | Preview  | Storage aggregated logs in XDR's Advanced Hunting (Preview)

Storage aggregated logs in XDR's Advanced Hunting (Preview)

August 5, 2025

The new CloudStorageAggregatedEvents table is now available in Microsoft Defender XDR’s Advanced Hunting experience. It brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. The aggregation reduces noise, improves performance, and provides a high-level view of storage access patterns to support more effective threat detection and investigation.

The logs are available at no additional cost as part of the new per-storage account plan in Defender for Storage. For more information, visit CloudStorageAggregatedEvents (Preview).
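To show the kind of detection the aggregated schema makes cheap, here is an added example (not Microsoft's code and not a query against the real table) that runs a simple triage rule over constructed records shaped like the aggregation the page describes: per storage account, operation, authentication type and access source, with success and failure counts. The field names (`account`, `operation`, `auth_type`, `source`, `success_count`, `failure_count`) are assumptions, not the real column names of CloudStorageAggregatedEvents; the rule flags sources whose authentication attempts against an account are overwhelmingly failures, which is the pattern behind credential guessing and key-leak probing, while leaving a busy but mostly successful client alone.

```python
"""Triage rule over aggregated storage access records.

Added example. The record shape and field names are assumptions standing in
for the aggregated schema the page describes; the sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AggregatedStorageEvent:
    account: str        # storage account name
    operation: str      # e.g. GetBlob, ListContainers
    auth_type: str      # e.g. OAuth, SharedKey, SAS
    source: str         # access source (client IP here)
    success_count: int
    failure_count: int


# Constructed sample: a healthy app client, a noisy-but-benign batch job, and a
# source that only ever fails SharedKey authentication across several operations.
SAMPLE_EVENTS = [
    AggregatedStorageEvent("contosodata", "GetBlob", "OAuth", "10.0.1.5", 980, 2),
    AggregatedStorageEvent("contosodata", "PutBlob", "OAuth", "10.0.1.5", 410, 0),
    AggregatedStorageEvent("contosodata", "GetBlob", "SAS", "10.0.2.9", 300, 30),
    AggregatedStorageEvent("contosodata", "ListContainers", "SharedKey", "198.51.100.23", 0, 30),
    AggregatedStorageEvent("contosodata", "GetBlob", "SharedKey", "198.51.100.23", 0, 15),
    AggregatedStorageEvent("contosodata", "ListContainers", "SharedKey", "10.0.3.4", 5, 3),
]


def failure_hotspots(events, min_failures=20, min_ratio=0.8):
    """Return (account, source, auth_type) tuples whose aggregated attempts are
    dominated by failures.

    Both thresholds must hold: an absolute floor on failures keeps a handful of
    typos out of the result, and a ratio keeps a high-volume healthy client
    out even when its raw failure count is large.
    """
    totals = defaultdict(lambda: {"ok": 0, "fail": 0, "operations": set()})
    for e in events:
        t = totals[(e.account, e.source, e.auth_type)]
        t["ok"] += e.success_count
        t["fail"] += e.failure_count
        t["operations"].add(e.operation)

    findings = []
    for (account, source, auth_type), t in sorted(totals.items()):
        attempts = t["ok"] + t["fail"]
        if attempts == 0:
            continue
        ratio = t["fail"] / attempts
        if t["fail"] >= min_failures and ratio >= min_ratio:
            findings.append({
                "account": account,
                "source": source,
                "auth_type": auth_type,
                "failures": t["fail"],
                "failure_ratio": round(ratio, 3),
                "operations": sorted(t["operations"]),
            })
    return findings


if __name__ == "__main__":
    for f in failure_hotspots(SAMPLE_EVENTS):
        print(f"{f['account']} <- {f['source']} via {f['auth_type']}: "
              f"{f['failures']} failures ({f['failure_ratio']:.0%}) over {f['operations']}")
```

On the sample data only the 198.51.100.23 / SharedKey combination is reported (45 failures, 100% failure ratio, across two operations); the SAS client with 30 failures is skipped because its failure ratio is below the threshold. The same two-threshold shape carries over to an Advanced Hunting query, since the table already carries the counts the rule needs.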

July 2025

Date          | Category | Update
July 15, 2025 | Preview  | Four new Regulatory Compliance Standards
July 3, 2025  | GA       | Scanning support for Chainguard container images and Wolfi

Four new Regulatory Compliance Standards

July 15, 2025

Microsoft Defender for Cloud's Regulatory Compliance is expanding its support to include four new frameworks across Azure environments:

  1. Digital Operational Resilience Act (DORA)
  2. European Union Artificial Intelligence Act (EU AI Act)
  3. Korean Information Security Management System for Public Cloud (k-ISMS-P)
  4. Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v3.0

These frameworks are now available in public preview and can be enabled via the Regulatory Compliance dashboard in Microsoft Defender for Cloud.

For more information see: Regulatory compliance standards in Microsoft Defender for Cloud.

Scanning support for Chainguard container images and Wolfi

July 3, 2025

Microsoft Defender for Cloud's vulnerability scanner, powered by Microsoft Defender Vulnerability Management, is extending its scanning coverage to Chainguard container images and identifies vulnerabilities in Chainguard Images and Wolfi to validate that they're shipping the most secure builds possible. Because additional image types are now scanned, your bill might increase. For all supported distributions, see Registries and images support for vulnerability assessment.

May 2025

Date  | Category | Update
May 5 | Preview  | Active User (Public Preview)

Active User (Public Preview)

The Active User feature helps security administrators quickly identify and assign recommendations to the most relevant users based on recent control plane activity. For each recommendation, up to three potential active users are suggested at the resource, resource group, or subscription level. Administrators can select a user from the list, assign the recommendation, and set a due date, which triggers a notification to the assigned user. This streamlines remediation workflows, reduces investigation time, and strengthens overall security posture.

April 2025

Date     | Category        | Update
April 28 | Change          | Update to Defender for SQL servers on Machines plan
April 7  | Upcoming Change | Enhancements for Defender for app service alerts

Update to Defender for SQL servers on Machines plan

April 28, 2025

The Defender for SQL Server on machines plan in Microsoft Defender for Cloud protects SQL Server instances hosted on Azure, AWS, GCP, and on-premises machines.

Starting today, we're gradually releasing an enhanced agent solution for the plan. The agent-based solution eliminates the need to deploy the Azure Monitor Agent (AMA) and instead uses the existing SQL infrastructure. The solution is designed to make the onboarding process easier and improve protection coverage.

Required customer actions:

  1. Update Defender for SQL Servers on Machines plan configuration: Customers who enabled Defender for SQL Server on machines plan before today are required to follow these instructions to update their configuration, following the enhanced agent release.

  2. Verify SQL Server instances protection status: With an estimated starting date of May 2025, customers must verify the protection status of their SQL Server instances across their environments. Learn how to troubleshoot any deployment issues with the Defender for SQL on machines configuration.

Note

After the agent upgrade occurs, you might experience a billing increase if additional SQL Server instances are protected with your enabled Defender for SQL Servers on Machines plan. For billing information, review the Defender for Cloud pricing page.

Enhancements for Defender for app service alerts

April 7, 2025

On April 30, 2025, Defender for App Service alerting capabilities will be enhanced. We'll add alerts for suspicious code executions and access to internal or remote endpoints. Additionally, we have improved coverage and reduced noise from relevant alerts by expanding our logic and removing alerts that were causing unnecessary noise. As part of this process, the alert "Suspicious WordPress theme invocation detected" will be deprecated.

March 2025

Date     | Category        | Update
March 11 | Upcoming Change | Upcoming change to the recommendation severity levels

Upcoming change to the recommendation severity levels

March 11, 2025

We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level — Critical. Previously, recommendations were categorized into three levels: Low, Medium, and High. With this update, there are now four distinct levels: Low, Medium, High, and Critical, providing a more granular risk evaluation to help customers focus on the most urgent security issues.

As a result, customers might notice changes in the severity of existing recommendations. Additionally, the risk level evaluation, which is available for Defender CSPM customers only, might also be affected as both recommendation severity and asset context are taken into consideration. These adjustments could affect the overall risk level.

The projected change will take place on March 25, 2025.

Next steps

Check What's new in security recommendations and alerts.