Microsoft Defender XDR now has a new alert tuning system that helps manage incident and alert queues for Security Operations Centers (SOCs). This feature, which transitioned from a preview phase to active status today, will help admins automate the triage process for low-severity alerts to reduce manual workloads.
This deployment follows a review and opt-out window that began on January 25, 2026, and gave administrators time to examine the rule logic before it became operational. That window has now closed, so the rules are active without any further pre-deployment review. If your team has been struggling with alert volume, this feature should help filter out the alerts that can be handled automatically.
Microsoft is starting out with 12 initial rules that specifically target Microsoft Defender for Office 365 (MDO) alerts. These rules will help security analysts prioritize important threats by suppressing less important notifications that frequently clutter dashboards.
The rules cover 12 MDO alert types, including user reports of email as junk or malware, quarantined message release requests, and notifications about the Tenant Allow/Block List. These alerts are classified as "informational" or "low severity", which makes them ideal candidates for this initial rollout.
Microsoft decided to integrate this new feature with Automated Investigation and Response (AIR) playbooks, which can trigger background investigations for selected alerts. If these automated checks find that a threat requires human intervention, the alert is automatically reopened with a “New” status so it returns to the analyst’s queue.
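To make the triage flow of the preceding three paragraphs concrete, here is an added Python model of it. This is illustrative code, not Microsoft's implementation: the alert titles, rule name, AIR verdicts and sample queue are all constructed stand-ins, and the real portal exposes no such API. It shows the three outcomes the article describes: a matching informational or low-severity MDO alert is auto-resolved, an alert that AIR escalates is reopened as New, and anything no rule matches (or a rule an admin has opted out of) stays in the analyst queue.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Alert families the article says the first 12 rules cover. The titles below
# are constructed stand-ins, not the exact Defender portal alert names.
TUNABLE_TITLES = {
    "Email reported by user as junk",
    "Email reported by user as malware",
    "Quarantine message release requested",
    "Tenant Allow/Block List entry changed",
}
TUNABLE_SEVERITIES = {"Informational", "Low"}


@dataclass
class Alert:
    alert_id: str
    title: str
    severity: str
    status: str = "New"
    history: List[str] = field(default_factory=list)


@dataclass
class TuningRule:
    name: str
    matches: Callable[[Alert], bool]
    run_air: bool = True   # hand matched alerts to an AIR playbook
    enabled: bool = True   # an admin can opt out of a rule during the review window


def mdo_low_severity_rule() -> TuningRule:
    """Rule modelled on the article: informational/low MDO alerts of the listed types."""
    return TuningRule(
        name="mdo-low-severity-auto-resolve",
        matches=lambda a: a.title in TUNABLE_TITLES and a.severity in TUNABLE_SEVERITIES,
    )


def apply_tuning(alerts: List[Alert], rules: List[TuningRule],
                 air_verdict: Callable[[Alert], str]) -> List[Alert]:
    """Run one tuning pass over the queue.

    A matching enabled rule auto-resolves the alert; if the rule also runs AIR
    and the playbook decides a person is needed, the alert is reopened as New.
    air_verdict is a stand-in for the AIR outcome: "benign" or "needs_human".
    """
    for alert in alerts:
        rule = next((r for r in rules if r.enabled and r.matches(alert)), None)
        if rule is None:
            alert.history.append("no rule matched; left in analyst queue")
            continue
        alert.status = "Resolved"
        alert.history.append(f"auto-resolved by {rule.name}")
        if rule.run_air and air_verdict(alert) == "needs_human":
            alert.status = "New"
            alert.history.append("AIR escalated; reopened for analyst")
    return alerts


def queue_summary(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by status so the effect of tuning can be checked at a glance."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.status] = counts.get(alert.status, 0) + 1
    return counts


def demo() -> List[Alert]:
    """Constructed sample queue (not real tenant data) run through one tuning pass."""
    queue = [
        Alert("A1", "Email reported by user as junk", "Informational"),
        Alert("A2", "Quarantine message release requested", "Low"),
        Alert("A3", "Phishing campaign detected", "High"),
        Alert("A4", "Email reported by user as malware", "Low"),
    ]
    # Constructed AIR outcomes: only the release request turns out to need a person.
    verdicts = {"A2": "needs_human"}

    def air(alert: Alert) -> str:
        return verdicts.get(alert.alert_id, "benign")

    return apply_tuning(queue, [mdo_low_severity_rule()], air)


if __name__ == "__main__":
    processed = demo()
    for a in processed:
        print(a.alert_id, a.status, "|", "; ".join(a.history))
    print(queue_summary(processed))
```

The `enabled` flag is the part worth copying into any real review process: before a suppression rule goes live, an analyst should be able to run the rule over a recent slice of the queue, inspect the `history` of what it would have resolved, and opt out if the matches look wrong.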
The Redmond giant said that alert tuning coverage will expand beyond Office 365 to other Defender XDR workloads in future updates. Organizations will get advance notice of these additions so that they can review the changes before they take effect.
Enterprises that are working with multiple environments can now use the Multi-Tenant Management (MTO) portal to configure these settings at scale. It allows admins to set a configuration in a source tenant and push these settings across all managed tenants to ensure consistency.