Summary
- Six new Microsoft-curated built-in alert tuning rules will be added to Microsoft Defender for Endpoint to reduce low-priority endpoint alerts.
- Alerts matching the new rules will be handled automatically, resulting in fewer low-severity alerts in queues.
- Some alerts will be reclassified and won’t appear in alert queues or generate incidents but remain available for investigation.
- Admins can review and disable any of the new rules at any time in the settings.
- No action is needed for the default experience, but admins can opt out of the new rules during the designated review period.
Admin Impact: Medium
User Impact: Low
Release Start: 08 Feb 2026
Release End: 18 Feb 2026
Services: Defender XDR
Category: Stay informed
Tags: Admin Action
History
2/6/2026 Item Added to Message Center
Microsoft Message
Introduction
Microsoft Defender XDR is adding six new Microsoft-curated built-in alert tuning rules for Microsoft Defender for Endpoint (MDE) to help reduce low-priority endpoint alerts reaching your queues.
When this will happen
- February 8, 2026: Rules become visible in the portal (Preview) for review.
- February 8–February 18, 2026: Rules are visible but not active, so you can review and opt out if needed.
- February 18, 2026: Rules become active by default.
How this affects your organization
Who is affected: Admins using Microsoft Defender XDR with MDE.
What will happen:
- With the default experience, you should see fewer informational or low-severity endpoint alerts in your incident/alert queues, because matching alerts will be handled automatically.
- Some rules use Resolve and others use Set as Behavior, which reclassifies an alert as a behavior record. These alerts will not appear in open alert queues. They also will not generate incidents, while still remaining available for investigation and hunting.
- You stay in control: all built-in rules are visible in Settings > Microsoft Defender XDR > Alert Tuning, and you can disable any rule at any time.
What you can do to prepare
- No action required if you want the default experience.
- To opt out, review and disable any of the new MDE rules during February 8–February 18, 2026 (you can still disable later, but the rules will be on by default starting February 18, 2026).
- If you manage multiple tenants, you can manage rule enablement at scale using Multi-Tenant Organization (MTO) content distribution.
Learn more
- Microsoft Defender XDR Alert Tuning documentation
- Tech Community blog
Compliance considerations
No compliance considerations identified; review as appropriate for your organization.