check before: 2023-05-28
Product:
Defender, Defender for Cloud Apps, Microsoft 365 Defender, Power BI
Platform:
World tenant, Online
Status:
Change type:
Admin impact, Feature update, Updated message, User impact
Links:
Details:
Updated May 23, 2023: We have updated the content below with additional information. Thank you for your patience.
We're making some changes to the default Microsoft Defender for Cloud Apps threat protection policies.
[When this will happen:]
Beginning May 28, 2023, policies that are generating "behaviors" in Microsoft 365 Defender advanced hunting will be disabled from generating alerts. The policies will continue generating "behaviors" regardless of being enabled or disabled in the tenant's configuration.
Release Phase:
Created:
2023-05-04
updated:
2023-05-24
change history
Date | Property | old | new |
2023-05-24 | MC Messages |
old: We're making some changes to the default Microsoft Defender for Cloud Apps threat protection policies. [When this will happen:] Beginning May 28, 2023, policies that are generating "behaviors" in Microsoft 365 Defender advanced hunting will be disabled from generating alerts. The policies will continue generating "behaviors" regardless of being enabled or disabled in the tenant's configuration.
new: Updated May 23, 2023: We have updated the content below with additional information. Thank you for your patience. We're making some changes to the default Microsoft Defender for Cloud Apps threat protection policies. [When this will happen:] Beginning May 28, 2023, policies that are generating "behaviors" in Microsoft 365 Defender advanced hunting will be disabled from generating alerts. The policies will continue generating "behaviors" regardless of being enabled or disabled in the tenant's configuration.
2023-05-24 | MC Title | Configuration Change - Microsoft Defender for Cloud Apps threat protection policies | (Updated) Configuration Change - Microsoft Defender for Cloud Apps threat protection policies |
2023-05-24 | MC How Affect |
old: The following policies will be disabled by default: Impossible travel activity; Activity from infrequent country; Mass delete; Multiple failed login attempts; Mass download; Suspicious administrative activity; Suspicious Power BI report sharing; Mass share; Suspicious OAuth app file download activities; Multiple Power BI report sharing activities; Suspicious impersonated activity; Multiple delete VM activities; Multiple VM creation activities; Unusual addition of credentials to an OAuth app. The disablement of the policies is happening because they are now sent as "behaviors", a new data type that represents them better than alerts. Now that Microsoft Defender for Cloud Apps is a part of Microsoft 365 Defender XDR, those signals can be enriched and correlated with other signals and trigger alerts when the correlation indicates threats with higher confidence. You will still have ways to create alerts that apply the policies' logic, by re-enabling the policies manually, or by creating Microsoft 365 Defender advanced hunting custom detections on the relevant behaviors. With the transition to "behaviors" we also introduce more security-scenario-focused detections that will be available in Microsoft 365 Defender, which will cover the high-confidence scenarios out of the scenarios that were covered by some of the detections, together with new detections that will cover more scenarios such as suspicious activities done by risky users, crypto-mining patterns and business email compromise (BEC) attacks, and provide the next level of out-of-the-box threat protection for cloud applications. Behaviors will also generate alerts and correlate to relevant incidents in Microsoft 365 Defender if there is a relevant trigger, such as an alert generated on the same user in a short period of time. More information about "behaviors", including how to query them and create custom detections out of them, can be found in this documentation. In later phases in the future Microsoft Defender for Cloud Apps is also expected to shift from policy-based out-of-the-box threat detections to a cloud-managed detections model that will provide higher agility and the ability to respond faster and more accurately to evolving threats. Note: Re-enabling the policies will be relevant only as long as policies exist, as a transition phase before the full cloud-managed threat detection model that is expected to be implemented in the future, with no concrete date at the moment (prior notification will be sent before the change happens).
new: The following policies will be disabled by default (alert name -> policy name):
Activity from infrequent country -> Activity from infrequent country
Impossible travel activity -> Impossible travel
Mass delete -> Unusual file deletion activity (by user)
Mass download -> Unusual file download (by user)
Mass share -> Unusual file share activity (by user)
Multiple delete VM activities -> Multiple delete VM activities
Multiple failed login attempts -> Multiple failed login attempts
Multiple Power BI report sharing activities -> Multiple Power BI report sharing activities
Multiple VM creation activities -> Multiple VM creation activities
Suspicious administrative activity -> Unusual administrative activity (by user)
Suspicious impersonated activity -> Unusual impersonated activity (by user)
Suspicious OAuth app file download activities -> Suspicious OAuth app file download activities
Suspicious Power BI report sharing -> Suspicious Power BI report sharing
Unusual addition of credentials to an OAuth app -> Unusual addition of credentials to an OAuth app
The disablement of the policies is happening because they are now sent as "behaviors", a new data type that represents them better than alerts. Now that Microsoft Defender for Cloud Apps is a part of Microsoft 365 Defender XDR, those signals can be enriched and correlated with other signals and trigger alerts when the correlation indicates threats with higher confidence. You will still have ways to create alerts that apply the policies' logic, by re-enabling the policies manually, or by creating Microsoft 365 Defender advanced hunting custom detections on the relevant behaviors. With the transition to "behaviors" we also introduce more security-scenario-focused detections that will be available in Microsoft 365 Defender, which will cover the high-confidence scenarios out of the scenarios that were covered by some of the detections, together with new detections that will cover more scenarios such as suspicious activities done by risky users, crypto-mining patterns and business email compromise (BEC) attacks, and provide the next level of out-of-the-box threat protection for cloud applications. Behaviors will also generate alerts and correlate to relevant incidents in Microsoft 365 Defender if there is a relevant trigger, such as an alert generated on the same user in a short period of time. More information about "behaviors", including how to query them and create custom detections out of them, can be found in this documentation. In later phases in the future Microsoft Defender for Cloud Apps is also expected to shift from policy-based out-of-the-box threat detections to a cloud-managed detections model that will provide higher agility and the ability to respond faster and more accurately to evolving threats. Note: Re-enabling the policies will be relevant only as long as policies exist, as a transition phase before the full cloud-managed threat detection model that is expected to be implemented in the future, with no concrete date at the moment (prior notification will be sent before the change happens).
2023-05-24 | MC Last Updated | 05/03/2023 23:19:29 | 2023-05-23T20:39:12Z |
2023-05-24 | MC MessageTagNames | Feature update, User impact, Admin impact | Updated message, Feature update, User impact, Admin impact |
Last updated 4 months ago