check before: 2025-03-01
Product:
Defender, Defender for Cloud Apps, Defender for Endpoint, Defender XDR, Microsoft Graph, Stream
Platform:
Developer, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:

Details:
Summary:
Microsoft Defender for Cloud Apps will update alert sources to provide more precise information, starting in March 2025. This change affects new alerts only and will be reflected in the Defender XDR portal, Advanced hunting, the Microsoft Graph security API, the streaming API and connected SIEM systems. The rollout itself requires no admin action beforehand, but administrators should afterwards review and update custom rules, playbooks and automations that filter on Service source, and notify users.
Details:
Updated February 19, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps:
A change to alerts that the Microsoft Defender XDR detection engine generates from events originating in Defender for Cloud Apps
This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively.
[When this will happen:]
General Availability (GCC, GCC High, DoD, Production): We will begin rolling out early March 2025 and expect to complete by early April 2025.
Release Phase:
Created:
2025-01-30
updated:
2025-02-20
Direct effects for Operations**
Alert Source Changes
For new alerts only, the Service source shown in the portal changes from Microsoft Defender XDR to Defender for Cloud Apps, and the prefix characters of some alert IDs change; the Detection source stays the same. Analysts and users who are not told about this may misread where an alert came from, or fail to find new alerts with saved filters keyed on the old Service source value.
- roles: Security Administrators, End Users
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
Custom Rules and Automations
Custom alert rules, playbooks and automations that filter on Service source = Microsoft Defender XDR (serviceSource = microsoft365Defender in the Graph API, streaming API and Event Hub feeds) will silently stop matching new Cloud Apps alerts after the rollout, so incidents may be missed or handled late. Filters that rely only on Detection source are not affected, and existing alerts keep their old value.
- roles: Security Administrators, Incident Response Teams
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
User Notification and Documentation
If users and SOC staff are not notified, they may not recognise the new Service source value and alert ID prefixes, which reduces trust in the alerting system and risks operational disruption; runbooks and other documentation that name the old value should be updated at the same time.
- roles: Security Administrators, End Users
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
Opportunities**
Improved Alert Management
With the new alert sources providing more precise information, organizations can enhance their incident response processes. This allows for quicker identification and remediation of security threats, reducing potential downtime and damage.
- next-steps: Train IT security staff on the new alert formats and implement a review process for incident response to leverage the improved data.
- roles: IT Security Team, Incident Response Team, System Administrators
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources, https://learn.microsoft.com/defender-xdr/streaming-api
Custom Rule Optimization
Administrators will need to update custom alert rules and automations to reflect the new alert source values. This provides an opportunity to optimize these rules for better accuracy and efficiency in alert handling.
- next-steps: Conduct an audit of existing custom rules and playbooks to identify those that require updates, and streamline them to improve performance and relevance.
- roles: System Administrators, Security Operations Center (SOC) Analysts
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
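The failure mode described under Direct effects (a rule keyed on the old Service source silently missing new alerts) and the rule audit suggested here, as an added Python example that is not from the Message Center post or from any Microsoft tool. The alerts and the rule inventory are constructed for the example; the serviceSource values are the ones named in the message, while the detectionSource enum name for the XDR detection engine is an assumption to be checked against the Graph security alert reference.

```python
"""Check alert filters against the Defender for Cloud Apps serviceSource
change.

Added example, not Microsoft code. The alerts and rules below are
constructed for this example. serviceSource values come from the Message
Center post; the detectionSource enum name is assumed from the Graph
security alert resource and should be checked against that reference.
"""

# serviceSource values on the Graph / streaming-API alert resource.
LEGACY_SERVICE_SOURCES = {"microsoft365Defender", "microsoftAppGovernance"}
NEW_SERVICE_SOURCE = "microsoftDefenderForCloudApps"

# detectionSource value for the XDR detection engine (assumed enum name).
XDR_ENGINE_DETECTION = "microsoft365Defender"

# Constructed alerts: the same detection as emitted before and after the
# rollout, plus an unrelated Defender for Endpoint alert.
ALERT_BEFORE = {
    "id": "example-before",  # real IDs carry a service-specific prefix
    "title": "Suspicious OAuth app activity",
    "serviceSource": "microsoft365Defender",
    "detectionSource": XDR_ENGINE_DETECTION,
}
ALERT_AFTER = {**ALERT_BEFORE, "id": "example-after",
               "serviceSource": NEW_SERVICE_SOURCE}
ALERT_MDE = {
    "id": "example-mde",
    "title": "Suspicious PowerShell command line",
    "serviceSource": "microsoftDefenderForEndpoint",
    "detectionSource": "microsoftDefenderForEndpoint",
}


def legacy_rule(alert: dict) -> bool:
    """Pre-change rule keyed on serviceSource: silently misses new alerts."""
    return alert["serviceSource"] in LEGACY_SERVICE_SOURCES


def migrated_rule(alert: dict) -> bool:
    """Same rule after migration: accepts the old and the new value, so it
    keeps matching alerts created on either side of the rollout date."""
    return alert["serviceSource"] in LEGACY_SERVICE_SOURCES | {NEW_SERVICE_SOURCE}


def xdr_engine_rule(alert: dict) -> bool:
    """Rule keyed on detectionSource only: unaffected by the change."""
    return alert["detectionSource"] == XDR_ENGINE_DETECTION


def audit_rules(rules: list) -> list:
    """Return names of rules whose serviceSource filter references a legacy
    value without also accepting the new one. Each rule is a dict with a
    'name' and an optional 'serviceSource' set of accepted values."""
    broken = []
    for rule in rules:
        accepted = set(rule.get("serviceSource", ()))
        if accepted & LEGACY_SERVICE_SOURCES and NEW_SERVICE_SOURCE not in accepted:
            broken.append(rule["name"])
    return broken


# Constructed rule inventory standing in for SIEM filters or playbook triggers.
RULES = [
    {"name": "cloud-apps-to-soc-queue", "serviceSource": {"microsoft365Defender"}},
    {"name": "app-governance-ticket", "serviceSource": {"microsoftAppGovernance"}},
    {"name": "mde-high-severity", "serviceSource": {"microsoftDefenderForEndpoint"}},
    {"name": "xdr-engine-by-detection", "detectionSource": {XDR_ENGINE_DETECTION}},
]

if __name__ == "__main__":
    for alert in (ALERT_BEFORE, ALERT_AFTER, ALERT_MDE):
        print(alert["id"], legacy_rule(alert), migrated_rule(alert),
              xdr_engine_rule(alert))
    print("rules to update:", audit_rules(RULES))
```

The transitional rule keeps both values because existing alerts are not rewritten: a query over historical data will still see microsoft365Defender on Cloud Apps alerts created before the rollout. A filter on detectionSource alone keeps its meaning, but it selects every XDR-engine detection, not only those originating in Cloud Apps; after the rollout the new serviceSource value is what isolates the Cloud Apps subset.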
Enhanced User Communication
Notifying users about the changes in alert sources can improve user awareness and response to alerts. This enhances the overall security posture by ensuring users are informed about potential threats and changes in alert management.
- next-steps: Develop a communication plan that includes details of the changes, the importance of alert awareness, and how users can respond to alerts effectively.
- roles: IT Managers, Communications Team, User Support Team
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-02-20 | MC prepare | This rollout will happen automatically by the specified date with no admin action required before the rollout.
Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR, or Service sources = App governance), to ensure they reflect the new value. You may also want to notify your users about this change and update any relevant documentation. As a reminder, detection sources will remain unchanged, so if you only filter on detection sources, everything should continue to function as normal. https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources https://learn.microsoft.com/defender-xdr/streaming-api https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0 | This rollout will happen automatically by the specified date with no admin action required before the rollout.
Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR, to ensure they reflect the new value. You may also want to notify your users about this change and update any relevant documentation. As a reminder, detection sources will remain unchanged, so if you only filter on detection sources, everything should continue to function as normal. https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources https://learn.microsoft.com/defender-xdr/streaming-api https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0 |
2025-02-20 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
2025-02-20 | MC Summary | Microsoft Defender for Cloud Apps will update alert sources to provide more precise information, starting in March 2025. This change affects new alerts only and will be reflected in various systems and APIs. Administrators should update custom rules and notify users. No admin action is required before the rollout. | |
2025-02-20 | MC Last Updated | 01/30/2025 01:33:40 | 2025-02-19T19:32:30Z |
2025-02-20 | MC Messages | Coming soon for Microsoft Defender for Cloud Apps:
A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine A change to App governance alerts This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025. | Updated February 19, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025. |
2025-02-20 | MC Title | Microsoft Defender: Changes to Defender for Cloud Apps alerts | (Updated) Microsoft Defender: Changes to Defender for Cloud Apps alerts |
2025-02-20 | MC How Affect | We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.
This rollout will be reflected in all experiences where alerts are represented, including Incidents & alerts queues in the XDR portal, Advanced hunting, and the correlating APIs and SIEM systems. In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR and App governance values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine, App governance policy, or App governance detection. The alert ID prepended characters of some of the alerts will also be changed to comply with the Defender XDR mapping. Service/Detection sources filter in the Incidents queue. Left: Before the change. Right: After the change: Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn In the Microsoft Graph API, Microsoft Defender for Endpoint streaming API, and the Microsoft Azure Events Hub, the change will be reflected in the alert resource type under the property serviceSource, and the previous values of microsoft365Defender and microsoftAppGovernance will change to microsoftDefenderForCloudApps. Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn | We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.
This rollout will be reflected in all experiences where alerts are represented, including Incidents & alerts queues in the XDR portal, Advanced hunting, and the correlating APIs and SIEM systems. In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine. The alert ID prepended characters of some of the alerts will also be changed to comply with the Defender XDR mapping. Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn In the Microsoft Graph API, Microsoft Defender for Endpoint streaming API, and the Microsoft Azure Events Hub, the change will be reflected in the alert resource type under the property serviceSource, and the previous values of microsoft365Defender will change to microsoftDefenderForCloudApps. Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn |