MC1228325: (Public Preview) New built-in alert tuning rules for Microsoft Defender for Endpoint in Microsoft Defender XDR

Microsoft Defender XDR will add six new built-in alert tuning rules for Microsoft Defender for Endpoint starting February 8, 2026, to reduce low-priority alerts. Rules are visible for review until February 18, then activate by default but can be disabled anytime by admins. No action needed for de...

[Introduction]

Microsoft Defender XDR is adding six new Microsoft-curated built-in alert tuning rules for Microsoft Defender for Endpoint (MDE) to help reduce low-priority endpoint alerts reaching your queues.

[When this will happen:]

  • February 8, 2026: Rules become visible in the portal (Preview) for review.
  • February 8–February 18, 2026: Rules are visible but not active, so you can review and opt out if needed.
  • February 18, 2026: Rules become active by default.

[How this affects your organization:]

Who is affected: Admins using Microsoft Defender XDR with MDE.

What will happen:

  • With the default experience, you should see fewer informational or low-severity endpoint alerts in your incident/alert queues, because matching alerts will be handled automatically.
  • Some rules use Resolve and others use Set as Behavior, which reclassifies an alert as a behavior record. These alerts will not appear in open alert queues. They also will not generate incidents, while still remaining available for investigation and hunting.
  • You stay in control: all built-in rules are visible in Settings > Microsoft Defender XDR > Alert Tuning, and you can disable any rule anytime.

[What you can do to prepare:]

  • No action required if you want the default experience.
  • To opt out, review and disable any of the new MDE rules during February 8–February 18, 2026 (you can still disable later, but the rules will be on by default starting February 18, 2026).
  • If you manage multiple tenants, you can manage rule enablement at scale using Multi-Tenant Organization (MTO) content distribution.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.