MC1169078 – Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities (archived)

check before: 2025-11-01

Product:

Defender, Defender for Cloud Apps, Defender XDR, SharePoint

Platform:

Online, US Instances, World tenant

Status:

Change type:

Feature update, User impact, Admin impact

Links:

MC1061724

Details:

Summary:
Microsoft Defender for Cloud Apps will expand its dynamic threat detection model in November 2025, replacing legacy policies with more accurate, research-driven detections. This update improves threat detection accuracy and responsiveness, requires no admin action before rollout, and includes new detections enabled by default.

Details:
[Introduction:]
To improve threat detection accuracy and responsiveness, Microsoft Defender for Cloud Apps is expanding its dynamic model for threat protection. This update enhances the signal-to-noise ratio (SNR) of detections and enables faster adaptation to emerging threats, helping security teams stay ahead of evolving risks.
This rollout continues the migration of legacy threat detection policies, following the first batch announced in Message center post MC1061724. The second batch introduces new detections that replace several legacy policies, further aligning with our goal of delivering more precise, research-driven protection.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): Rollout begins early November 2025 and is expected to complete by the end of November 2025.

Release Phase:

Created:
2025-10-10

updated:
2025-10-10

Direct effects for Operations**

Legacy Policy Migration
The migration of legacy policies to new dynamic detections may lead to temporary gaps in threat detection capabilities, potentially exposing the organization to undetected threats during the transition period.
   - roles: Security Operations Center (SOC) Analyst, IT Administrator
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

Governance Actions
Governance actions configured on legacy policies will be disabled, which may result in a lack of automated responses to certain threats until policies are re-enabled manually.
   - roles: Security Operations Center (SOC) Analyst, Compliance Officer
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

User Experience
Users may experience increased alerts or notifications due to the new dynamic detections, which could lead to confusion or alert fatigue if not properly communicated.
   - roles: End User, Helpdesk Support
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

Opportunities**

Enhanced Threat Detection Accuracy
The new dynamic model for threat detection will improve the accuracy and responsiveness of threat alerts, allowing security teams to react more swiftly to genuine threats. This means fewer false positives and more relevant alerts, enhancing the overall security posture of the organization.
   - next-steps: Evaluate the effectiveness of the new detections post-rollout by analyzing alert data and user feedback. Implement regular reviews of the detection outcomes to ensure continuous improvement.
   - roles: Security Operations Center (SOC) Team, IT Security Manager, Compliance Officer
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

Improved User Experience with Reduced Noise
By migrating to a dynamic model, the number of irrelevant alerts will decrease, leading to a better experience for users who rely on security tools. This reduction in noise can help users focus on critical tasks without being distracted by false alerts.
   - next-steps: Communicate the changes to all users and provide training on how to interpret and respond to the new alerts. Gather user feedback to further refine the user experience.
   - roles: End Users, IT Support Staff, Training Coordinator
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

Streamlined IT Operations and Documentation
The transition to a new dynamic model will necessitate an update of internal documentation and processes related to security policies. This presents an opportunity to streamline and improve existing documentation practices and operational workflows.
   - next-steps: Review and update all internal documentation to reflect the new detection policies. Establish a regular review cycle for documentation to ensure it remains current and relevant.
   - roles: IT Administrators, Documentation Specialists, Compliance Officer
   - references: https://learn.microsoft.com/defender-cloud-apps/anomaly-detection-policy

explanation for non-techies**

Imagine you're in charge of security at a large event, like a concert. You have a team of security personnel who are trained to spot and respond to any potential threats. Over time, you've noticed that some of the security protocols you've been using are outdated and not as effective as they could be. So, you decide to upgrade your security measures to be more responsive and accurate in identifying real threats.

This is similar to what Microsoft is doing with its Defender for Cloud Apps. They are updating their threat detection system to be more dynamic and research-driven. Think of it as replacing older security measures with smarter, more adaptable ones that can quickly identify and respond to new types of threats, much like how a security team might use new technology to spot suspicious behavior at a concert.

The good news is that these changes are being implemented automatically, so there's no need for IT administrators to do anything before the rollout. It's like having a new security system installed at your event venue without needing to close down or disrupt operations. Once the new system is in place, it will work more efficiently to keep everything secure.

For those involved in managing security or IT, it's important to inform your teams about these updates. This way, everyone is aware of the new protocols and can adjust their practices accordingly. It's like briefing your security team on the new measures so they know what to look out for and how to respond.

Overall, these updates aim to enhance security by making threat detection more precise and timely, ensuring that your organization's digital environment is as safe as possible.

** AI generated content. This information must be reviewed before use.