MC1222979: New Built-in Alert Tuning Rules optimize your incident and alert queues

Starting January 25, 2026, Microsoft Defender XDR introduces built-in alert tuning rules focusing on low-severity Office 365 alerts, with automated triage and reopening if needed. Active from February 5, these rules help SOCs prioritize alerts, with an opt-out window until February 5 and multi-te...

Introduction

We’re improving how alerts show up in Microsoft Defender XDR incidents to help your SOC prioritize actionable work and keep investigations moving efficiently. Starting January 25, 2026, administrators will see the new built-in alert tuning experience in the portal UI. During this initial period, the experience is visible, but the built-in tuning won’t be active yet.

The review and opt-out window runs from January 25 through February 5. During this time, you can review the new settings and decide whether to keep the default experience enabled or disable it for your organization.

What’s going live on February 5, 2026

On February 5, 2026, the functionality becomes active:

  • Initial rule set: The initial set of rules focuses on Microsoft Defender for Office 365 (MDO), with 12 built-in rules designed for informational and low-severity Defender for Office 365 alerts. More built-in rules will be added over time, expanding coverage to additional workloads. You’ll receive advance notification so you can review upcoming additions and opt out before they take effect in your environment.
  • Automated triage with AIR: For selected alerts with Automated Investigation and Response (AIR) playbooks, Defender will automatically run an immediate investigation to help determine whether SOC attention is required.
  • Reopen when needed: If the investigation indicates that additional review is needed, the alert will reopen as “New” and return to your queue for analyst action.

Included in this release (MDO alert types)

The 12 built-in rules in this release apply to the following alert types:

  • User requested to release a quarantined message
  • Email reported by user as junk
  • Email reported by user as not junk
  • Email reported by user as malware or phish
  • Tenant Allow/Block List entry is about to expire
  • Removed an entry in Tenant Allow/Block List
  • Email messages removed after delivery
  • Email messages from a campaign removed after delivery
  • Email messages containing malicious file removed after delivery
  • Email messages containing malicious URL removed after delivery
  • Admin Submission Result Completed
  • Admin triggered manual investigation of email

How this affects your organization

  • Default experience: Built-in tuning is designed so analysts can focus on the alerts most likely to require action, while automated triage runs in the background for eligible alerts.
  • Customer control: You remain in control. Built-in rules are visible in the portal and can be disabled at any time in Alert Tuning.

What you need to do to prepare

  • No action is required if you want to use the default experience and benefit from more streamlined queues and faster prioritization.
  • If your SOC prefers to manually review every alert without automated triage, use the opt-out window (Jan 25–Feb 5) to disable built-in tuning in Alert Tuning.

Multi-Tenant Management (MTO) content distribution

If you manage multiple tenants, you can manage built-in alert tuning rules at scale using the MTO portal content distribution capability. Configure which built-in rules are enabled or disabled in a source tenant, then distribute that configuration to your managed tenants so the settings are consistent everywhere.

Learn more