MC550086 – (Updated) Configuration Change – Microsoft Defender for Cloud Apps threat protection policies (archived)

check before: 2023-05-28

Product:

Defender, Defender for Cloud Apps, Microsoft 365 Defender, Power BI

Platform:

World tenant, Online

Change type:

Admin impact, Feature update, Updated message, User impact

Details:

Updated May 23, 2023: We have updated the content below with additional information. Thank you for your patience.

We're making some changes to the default Microsoft Defender for Cloud Apps threat protection policies.

When this will happen:
Beginning May 28, 2023, policies that are generating "behaviors" in Microsoft 365 Defender advanced hunting will be disabled from generating alerts. The policies will continue generating "behaviors" regardless of being enabled or disabled in the tenant's configuration.

Created:
2023-05-04

Updated:
2023-05-24

Change history

Entry: 2023-05-24, property MC Messages

Old value:
We're making some changes to the default Microsoft Defender for Cloud Apps threat protection policies.
When this will happen:
Beginning May 28, 2023, policies that are generating "behaviors" in Microsoft 365 Defender advanced hunting will be disabled from generating alerts. The policies will continue generating "behaviors" regardless of being enabled or disabled in the tenant's configuration.

New value:
The same text as the old value, preceded by the line:
Updated May 23, 2023: We have updated the content below with additional information. Thank you for your patience.

Entry: 2023-05-24, property MC Title

Old value: Configuration Change - Microsoft Defender for Cloud Apps threat protection policies
New value: (Updated) Configuration Change - Microsoft Defender for Cloud Apps threat protection policies

Entry: 2023-05-24, property MC How Affect

Old value:
The following policies will be disabled by default:
Impossible travel activity
Activity from infrequent country
Mass delete
Multiple failed login attempts
Mass download
Suspicious administrative activity
Suspicious Power BI report sharing
Mass share
Suspicious OAuth app file download activities
Multiple Power BI report sharing activities
Suspicious impersonated activity
Multiple delete VM activities
Multiple VM creation activities
Unusual addition of credentials to an OAuth app
The list is followed by the same explanatory paragraphs that appear under the new value below.

New value:
The following policies will be disabled by default:

Alert name                                      | Policy name
Activity from infrequent country                | Activity from infrequent country
Impossible travel activity                      | Impossible travel
Mass delete                                     | Unusual file deletion activity (by user)
Mass download                                   | Unusual file download (by user)
Mass share                                      | Unusual file share activity (by user)
Multiple delete VM activities                   | Multiple delete VM activities
Multiple failed login attempts                  | Multiple failed login attempts
Multiple Power BI report sharing activities     | Multiple Power BI report sharing activities
Multiple VM creation activities                 | Multiple VM creation activities
Suspicious administrative activity              | Unusual administrative activity (by user)
Suspicious impersonated activity                | Unusual impersonated activity (by user)
Suspicious OAuth app file download activities   | Suspicious OAuth app file download activities
Suspicious Power BI report sharing              | Suspicious Power BI report sharing
Unusual addition of credentials to an OAuth app | Unusual addition of credentials to an OAuth app

The policies are being disabled because they are now sent as "behaviors", a new data type that represents them better than alerts. Now that Microsoft Defender for Cloud Apps is part of Microsoft 365 Defender XDR, those signals can be enriched and correlated with other signals and trigger alerts when the correlation indicates threats with higher confidence. You will still have ways to create alerts that apply the policies' logic: by re-enabling the policies manually, or by creating a Microsoft 365 Defender advanced hunting custom detection on the relevant behaviors.

With the transition to "behaviors" we also introduce more security-scenario-focused detections in Microsoft 365 Defender. These cover the high-confidence scenarios among those previously covered by some of the detections, together with new detections that cover more scenarios, such as suspicious activities by risky users, crypto-mining patterns and business email compromise (BEC) attacks, and provide the next level of out-of-the-box threat protection for cloud applications.

Behaviors will also generate alerts and correlate to relevant incidents in Microsoft 365 Defender if there is a relevant trigger, such as an alert generated on the same user in a short period of time.

More information about "behaviors", including how to query them and create custom detections from them, can be found in this documentation.

In later phases Microsoft Defender for Cloud Apps is also expected to shift from policy-based out-of-the-box threat detections to a cloud-managed detections model that will provide higher agility and the ability to respond faster and more accurately to evolving threats.

Note: Re-enabling the policies will be relevant only as long as policies exist, as a transition phase before the full cloud-managed threat detection model that is expected to be implemented in the future, with no concrete date at the moment (prior notification will be sent before the change happens).

Entry: 2023-05-24, property MC Last Updated

Old value: 05/03/2023 23:19:29
New value: 2023-05-23T20:39:12Z

Entry: 2023-05-24, property MC MessageTagNames

Old value: Feature update, User impact, Admin impact
New value: Updated message, Feature update, User impact, Admin impact
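The custom-detection route mentioned in the MC How Affect text, as an added advanced hunting query that is not part of the announcement or of Microsoft's documentation: it lists the behaviors Defender for Cloud Apps now emits for the disabled policies and keeps only those on accounts that also appeared in an alert during the preceding 24 hours, the kind of trigger the announcement describes. Assumptions: the BehaviorInfo and AlertEvidence columns used (Timestamp, ServiceSource, Description, BehaviorId, AccountUpn, AccountObjectId, AlertId, Title) and that the behavior Description carries the alert names from the table above; whether a saved copy satisfies the required-column rules for a custom detection rule must be checked against the documentation the announcement links.

```kql
// Added example, not from the announcement or Microsoft's documentation.
// Assumed: BehaviorInfo/AlertEvidence expose the columns used below and the
// behavior Description contains the alert name of the originating policy.
let lookback = 7d;
let alertWindow = 24h;
// Alert names of the policies that stop generating alerts by default
let disabledPolicyAlerts = dynamic([
    "Impossible travel activity",
    "Activity from infrequent country",
    "Mass delete",
    "Multiple failed login attempts",
    "Mass download",
    "Suspicious administrative activity",
    "Suspicious Power BI report sharing",
    "Mass share",
    "Suspicious OAuth app file download activities",
    "Multiple Power BI report sharing activities",
    "Suspicious impersonated activity",
    "Multiple delete VM activities",
    "Multiple VM creation activities",
    "Unusual addition of credentials to an OAuth app"
]);
// Behaviors emitted by Defender for Cloud Apps for those policies
let mdaBehaviors = BehaviorInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Cloud Apps"
    | where Description has_any (disabledPolicyAlerts)
    | where isnotempty(AccountObjectId)
    | project BehaviorTime = Timestamp, BehaviorId, Description, AccountUpn, AccountObjectId;
// Any alert that named the same account as evidence
let recentAlerts = AlertEvidence
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountObjectId)
    | project AlertTime = Timestamp, AlertId, Title, AccountObjectId;
// Keep behaviors preceded by an alert on the same account within alertWindow
mdaBehaviors
| join kind=inner recentAlerts on AccountObjectId
| where AlertTime between ((BehaviorTime - alertWindow) .. BehaviorTime)
| summarize Behaviors = make_set(Description), Alerts = make_set(Title),
            FirstBehavior = min(BehaviorTime), LastBehavior = max(BehaviorTime)
    by AccountUpn, AccountObjectId
| order by LastBehavior desc
```

Widen alertWindow or drop the join to review every behavior from these policies, which is the view the disabled alerts used to give.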

Last updated 4 months ago
