Summary
- Microsoft Defender XDR will introduce a new alert tuning experience to enhance prioritization of actionable work for SOC teams.
- The initial set includes 12 rules focused on low-severity alerts from Microsoft Defender for Office 365.
- Automated triage will be implemented for selected alerts, allowing immediate investigations to reduce the need for manual reviews.
- Organizations can review and opt out of the built-in tuning experience during the designated opt-out window.
- Built-in alert tuning rules can be managed at scale for those overseeing multiple tenants using the MTO portal.
Admin Impact: High
User Impact: Low
Release Start: 22 Feb 2026
Release End: 03 Mar 2026
Services: Defender XDR
Category: Plan for change
Tags: Feature Update, Admin Action
History
2/20/2026 Item Added to Message Center
Microsoft Message
Introduction
We’re improving how alerts show up in Microsoft Defender XDR incidents to help your SOC prioritize actionable work and keep investigations moving efficiently. Starting February 22, 2026, administrators will see the new built-in alert tuning experience in the portal UI. During this initial period, the experience is visible, but the built-in tuning won’t be active yet.
The review and opt-out window runs from February 22 through March 3. During this time, you can review the new settings and decide whether to keep the default experience enabled or disable it for your organization.
What’s going live on March 3, 2026
On March 3, 2026, the functionality becomes active:
- Initial rule set: The initial set of rules focuses on Microsoft Defender for Office 365 (MDO), with 12 built-in rules designed for informational and low-severity Defender for Office alerts. More built-in rules will be added over time, expanding coverage to additional workloads. You’ll receive advance notification so you can review upcoming additions and opt out before they take effect in your environment.
- Automated triage with AIR: For selected alerts with Automated Investigation and Response (AIR) playbooks, Defender will automatically run an immediate investigation to help determine whether SOC attention is required.
- Reopen when needed: If the investigation indicates that additional review is needed, the alert will reopen as “New” and return to your queue for analyst action.
Included in this release (MDO alert types)
The 12 built-in rules in this release apply to the following alert types:
- User requested to release a quarantined message
- Email reported by user as junk
- Email reported by user as not junk
- Email reported by user as malware or phish
- Tenant Allow/Block List entry is about to expire
- Removed an entry in Tenant Allow/Block List
- Email messages removed after delivery
- Email messages from a campaign removed after delivery
- Email messages containing malicious file removed after delivery
- Email messages containing malicious URL removed after delivery
- Admin Submission Result Completed
- Admin triggered manual investigation of email
How this affects your organization
Default experience: Built-in tuning is designed so analysts can focus on alerts most likely to require action, while automated triage runs in the background for eligible alerts.
Customer control: You remain in control – built-in rules are visible in the portal and can be disabled at any time in Alert Tuning.
What you need to do to prepare
No action is required if you want to use the default experience and benefit from more streamlined queues and faster prioritization.
If your SOC prefers to manually review every alert without automated triage, use the opt-out window (Feb 22–March 3) to disable built-in tuning in Alert Tuning.
Multi-Tenant Management (MTO) content distribution
If you manage multiple tenants, you can manage built-in alert tuning rules at scale using the MTO portal content distribution capability. Configure which built-in rules are enabled or disabled in a source tenant and distribute that configuration across your managed tenants for consistent settings everywhere.
Learn more
Public documentation: Built-in alert tuning rules
Announcement blog: Microsoft Defender XDR Blog