What's new in Defender for Cloud features

Important

Attention: All Microsoft Defender for Cloud features will be officially retired in the Azure in China region on August 18, 2026, per the announcement posted by 21Vianet.

This article summarizes what's new in Microsoft Defender for Cloud. It includes information about new features in preview or in general availability (GA), feature updates, upcoming feature plans, and deprecated functionality.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/mdc/rss

August 2025

Date | Category | Update
August 5, 2025 | Preview | Storage aggregated logs in XDR's Advanced Hunting (Preview)

Storage aggregated logs in XDR's Advanced Hunting (Preview)

August 5, 2025

The new CloudStorageAggregatedEvents table is now available in Microsoft Defender XDR’s Advanced Hunting experience. It brings aggregated storage activity logs, such as operations, authentication details, access sources, and success/failure counts, from Defender for Cloud into a single, queryable schema. The aggregation reduces noise, improves performance, and provides a high-level view of storage access patterns to support more effective threat detection and investigation.

The logs are available at no additional cost as part of the new per-storage account plan in Defender for Storage. For more information, visit CloudStorageAggregatedEvents (Preview).

July 2025

Date | Category | Update
July 15, 2025 | Preview | Four new Regulatory Compliance Standards
July 3, 2025 | GA | Scanning support for Chainguard container images and Wolfi

Four new Regulatory Compliance Standards

July 15, 2025

Microsoft Defender for Cloud's Regulatory Compliance is expanding its support to include four new frameworks across Azure environments:

  1. Digital Operational Resilience Act (DORA)
  2. European Union Artificial Intelligence Act (EU AI Act)
  3. Korean Information Security Management System for Public Cloud (k-ISMS-P)
  4. Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v3.0

These frameworks are now available in public preview and can be enabled via the Regulatory Compliance dashboard in Microsoft Defender for Cloud.

For more information, see Regulatory compliance standards in Microsoft Defender for Cloud.

Scanning support for Chainguard container images and Wolfi

July 3, 2025

Microsoft Defender for Cloud's vulnerability scanner, powered by Microsoft Defender Vulnerability Management, is extending its scanning coverage to Chainguard container images. It identifies vulnerabilities in Chainguard Images and Wolfi to validate that they're shipping the most secure builds possible. As additional image types are being scanned, your bill might increase. For all supported distributions, see Registries and images support for vulnerability assessment.

May 2025

Date | Category | Update
May 5 | Preview | Active User (Public Preview)

Active User (Public Preview)

The Active User feature helps security administrators quickly identify and assign recommendations to the most relevant users based on recent control plane activity. For each recommendation, up to three potential active users are suggested at the resource, resource group, or subscription level. Administrators can select a user from the list, assign the recommendation, and set a due date, which triggers a notification to the assigned user. This streamlines remediation workflows, reduces investigation time, and strengthens overall security posture.

April 2025

Date | Category | Update
April 28 | Change | Update to Defender for SQL servers on Machines plan
April 7 | Upcoming Change | Enhancements for Defender for App Service alerts

Update to Defender for SQL servers on Machines plan

April 28, 2025

The Defender for SQL Server on machines plan in Microsoft Defender for Cloud protects SQL Server instances hosted on Azure, AWS, GCP, and on-premises machines.

Starting today, we're gradually releasing an enhanced agent solution for the plan. The agent-based solution eliminates the need to deploy the Azure Monitor Agent (AMA) and instead uses the existing SQL infrastructure. The solution is designed to make the onboarding processes easier and improve protection coverage.

Required customer actions

  1. Update Defender for SQL Servers on Machines plan configuration: Customers who enabled the Defender for SQL Server on machines plan before today are required to follow these instructions to update their configuration, following the enhanced agent release.

  2. Verify SQL Server instances protection status: With an estimated starting date of May 2025, customers must verify the protection status of their SQL Server instances across their environments. Learn how to troubleshoot any deployment issues with the Defender for SQL on machines configuration.

Note

After the agent upgrade occurs, you might experience a billing increase if additional SQL Server instances are protected with your enabled Defender for SQL Servers on Machines plan. For billing information, review the Defender for Cloud pricing page.

Enhancements for Defender for App Service alerts

April 7, 2025

On April 30, 2025, Defender for App Service alerting capabilities will be enhanced. We'll add alerts for suspicious code executions and access to internal or remote endpoints. Additionally, we have improved coverage and reduced noise from relevant alerts by expanding our logic and removing alerts that were causing unnecessary noise. As part of this process, the alert "Suspicious WordPress theme invocation detected" will be deprecated.

March 2025

Date | Category | Update
March 11 | Upcoming Change | Upcoming change to the recommendation severity levels

Upcoming change to the recommendation severity levels

March 11, 2025

We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level — Critical. Previously, recommendations were categorized into three levels: Low, Medium, and High. With this update, there are now four distinct levels: Low, Medium, High, and Critical, providing a more granular risk evaluation to help customers focus on the most urgent security issues.

As a result, customers might notice changes in the severity of existing recommendations. Additionally, the risk level evaluation, which is available for Defender CSPM customers only, might also be affected as both recommendation severity and asset context are taken into consideration. These adjustments could affect the overall risk level.

The projected change will take place on March 25, 2025.

Next steps

Check What's new in security recommendations and alerts.