CyberPulse Daily | #1 Trusted Source for Cybersecurity News

Microsoft Introduces AI-Powered Threat Hunting in Defender for Endpoint

Microsoft has launched an AI-powered autonomous threat hunting capability in Microsoft Defender for Endpoint. It continuously analyzes endpoint telemetry with machine learning models to identify and respond to sophisticated attacks without requiring human analyst intervention.

The new feature, called "Defender AutoHunt," uses a specialized large language model trained on Microsoft's threat intelligence data spanning over 78 trillion signals processed daily. The AI system can formulate and execute complex hunting queries, correlate seemingly unrelated events, and identify attack patterns that would typically require senior threat hunters to detect.

In controlled testing across Microsoft's customer base, AutoHunt identified 34% more true positive threats than traditional rule-based detection systems, while reducing false positives by 62%. The average time from initial compromise to detection was reduced from 287 hours to 4.2 hours.

The system operates with configurable autonomy levels: in "assisted" mode, it presents findings to human analysts for review; in "semi-autonomous" mode, it can isolate compromised endpoints and block malicious processes; in "fully autonomous" mode, it can execute complete incident response playbooks.

The feature is available to all Microsoft Defender for Endpoint P2 subscribers at no additional cost. Competitors including CrowdStrike, SentinelOne, and Palo Alto Networks have announced similar AI-driven hunting capabilities in their product roadmaps.
