MC906487 – (Updated) Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names (archived)


check before: 2024-11-03

Product:

Defender, Defender for Endpoint, Defender XDR

Platform:

Online, World tenant

Change type:

Admin impact, Feature update, Updated message

Summary:
Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names, affecting all Advanced Hunting tables. Rollout begins November 18, 2024. Organizations should adjust custom detection rules and queries accordingly. The change applies only to Windows activity.

Details:
Updated November 5, 2024: We have updated the rollout timeline below. Thank you for your patience.
Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.
[When this will happen:]
General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 18, 2024 (previously November 4).

Created:
2024-10-08

updated:
2024-11-06


Direct effects for Operations**

Custom Detection Rules
Custom detection rules that compare InitiatingProcessFolderPath with a bare folder (for example InitiatingProcessFolderPath =~ @"c:\windows\system32") or that build the full parent path by joining InitiatingProcessFolderPath and InitiatingProcessFileName will no longer match as intended once Windows rows carry the file name: depending on the rule's logic they either stop firing or match nearly every row, and the rule itself raises no error. Rules that key on InitiatingProcessFileName alone are not affected, because only the folder-path column changes.
   - roles: Security Analyst, IT Administrator
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-endpoint-advanced-hunting/ba-p/123456

Advanced Hunting Queries
Saved and scheduled Advanced Hunting queries that filter, join or aggregate on the folder-only format of InitiatingProcessFolderPath (exact folder matches, summarize by folder, concatenation with InitiatingProcessFileName) will return different rows after November 18, 2024. Because the change applies to Windows activity only, tenants with macOS or Linux sensors will see both formats in the same table until their queries are made format-agnostic.
   - roles: Security Analyst, Data Analyst
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-endpoint-advanced-hunting/ba-p/123456

User Experience
Until affected rules and queries are updated, detections that depend on them may be missed or may generate false-positive alerts, delaying triage and response.
   - roles: End User, Security Analyst
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-endpoint-advanced-hunting/ba-p/123456

Documentation Updates
Runbooks, query libraries and detection documentation that show the folder-only format of InitiatingProcessFolderPath will be out of date and should be revised together with the rules, otherwise analysts will copy the old pattern into new queries.
   - roles: IT Administrator, Documentation Specialist
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-endpoint-advanced-hunting/ba-p/123456

Training Needs
Staff may require additional training to understand the new format and its implications for detection and hunting processes.
   - roles: Security Analyst, IT Trainer
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-endpoint-advanced-hunting/ba-p/123456


Opportunities**

Enhanced Custom Detection Rules
Because the full parent-process path is now carried in a single column, custom detection rules can match on it directly (for example a child process launched by a binary in a user-writable folder) instead of concatenating folder and file name, and rules can be tightened to specific parent executables with less query logic.
   - next-steps: Review and update all existing custom detection rules and queries to incorporate the new format. Conduct testing to ensure the updated rules function as intended before the rollout date.
   - roles: Security Analysts, IT Administrators, Compliance Officers
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-microsoft-defender-for-endpoint-advanced-hunting/ba-p/3679930

Improved Advanced Hunting Queries
Hunting queries can group, join and compare on the complete initiating-process path, which simplifies parent/child process analysis during incident investigation and forensic timeline reconstruction.
   - next-steps: Audit existing advanced hunting queries for reliance on the InitiatingProcessFolderPath. Update queries to reflect the new structure and ensure they capture the necessary data for analysis.
   - roles: Security Operations Center (SOC) Analysts, Incident Response Teams, Threat Hunters
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-microsoft-defender-for-endpoint-advanced-hunting/ba-p/3679930

Documentation and Training Updates
With the changes to the InitiatingProcessFolderPath, there will be a need to update internal documentation and provide training for staff on the new query structure and detection capabilities. This will ensure that all team members are aligned and understand the implications of the changes.
   - next-steps: Develop a communication plan to inform all relevant stakeholders about the changes. Update internal documentation and provide training sessions to ensure everyone understands the new functionalities and how to utilize them effectively.
   - roles: IT Trainers, Documentation Specialists, Security Team Leads
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-microsoft-defender-for-endpoint-advanced-hunting/ba-p/3679930
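The following is an added example, not code from the Message Center post or from Microsoft. It covers the next-steps in both sections above (Direct effects: Custom Detection Rules and Advanced Hunting Queries; Opportunities: Enhanced Custom Detection Rules and Improved Advanced Hunting Queries) with three Advanced Hunting (KQL) queries: one that checks which format a tenant is currently receiving, one illustrative rule written against the old format that breaks after the rollout, and a format-agnostic rewrite of that rule. Table and column names (DeviceProcessEvents, DeviceInfo, InitiatingProcessFolderPath, InitiatingProcessFileName, OSPlatform, ReportId) are from the documented Advanced Hunting schema; the rundll32 rule, the allow-listed system folders, and the assumption that the old folder-only value carries no trailing backslash are illustrative assumptions of this example. Run each numbered query on its own in the Advanced Hunting editor.

```kql
// Added example, not Microsoft's code. Each numbered query runs on its own.

// 1. Check what format the tenant is receiving. After the rollout, rows from Windows
//    devices end in "\<InitiatingProcessFileName>"; rows from macOS/Linux sensors keep
//    the folder-only format, so a multi-OS tenant sees both formats side by side.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where isnotempty(InitiatingProcessFolderPath) and isnotempty(InitiatingProcessFileName)
| extend IncludesFileName = InitiatingProcessFolderPath endswith strcat(@"\", InitiatingProcessFileName)
| join kind=leftouter (
      DeviceInfo
      | where Timestamp > ago(7d)
      | summarize arg_max(Timestamp, OSPlatform) by DeviceId
  ) on DeviceId
| summarize Rows = count(), WithFileName = countif(IncludesFileName) by OSPlatform

// 2. A rule written for the OLD format (illustrative assumption, not a Microsoft rule):
//    alert on rundll32.exe whose parent does not live in a system folder. The comparison
//    is against a bare folder, so once Windows rows read "c:\windows\system32\services.exe"
//    no row equals an allow-listed value, every rundll32 launch matches, and the rule
//    floods with false positives. A rule built the other way round, matching
//    InitiatingProcessFolderPath =~ @"c:\users\public", silently stops firing instead.
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where not(InitiatingProcessFolderPath in~ (@"c:\windows\system32", @"c:\windows\syswow64"))
| project Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessFolderPath,
          InitiatingProcessFileName, ProcessCommandLine

// 3. Format-agnostic rewrite: strip "\<file name>" when it is present and leave the
//    value alone when it is not, then compare the directory. Works before, during and
//    after the rollout and on non-Windows rows. Timestamp, DeviceId and ReportId are
//    kept because a custom detection rule requires them in its result set. Operators
//    are case-insensitive (=~, in~, endswith) so path casing does not matter.
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| extend InitiatingProcessDir = iff(
      InitiatingProcessFolderPath endswith strcat(@"\", InitiatingProcessFileName),
      substring(InitiatingProcessFolderPath, 0,
                strlen(InitiatingProcessFolderPath) - strlen(InitiatingProcessFileName) - 1),
      InitiatingProcessFolderPath)
| where not(InitiatingProcessDir in~ (@"c:\windows\system32", @"c:\windows\syswow64"))
| project Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessDir,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
```

Once query 1 reports that every Windows row carries the file name, the iff() in query 3 can be replaced by tostring(parse_path(InitiatingProcessFolderPath).DirectoryPath); do not make that switch earlier, because on an old-format row parse_path() treats the last folder as the file name and returns the wrong directory. If query 1 shows old-format rows ending in a backslash, adjust the substring length in query 3 accordingly.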


** AI generated content. This information must be reviewed before use.


change history

2024-11-06  MC Messages
  old: Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.
       [When this will happen:]
       General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 4, 2024.
  new: Updated November 5, 2024: We have updated the rollout timeline below. Thank you for your patience.
       Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.
       [When this will happen:]
       General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 18, 2024 (previously November 4).

2024-11-06  MC Title
  old: Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names
  new: (Updated) Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names

2024-11-06  MC Last Updated
  old: 10/08/2024 00:51:50
  new: 2024-11-06T00:58:33Z

2024-11-06  MC MessageTagNames
  old: Feature update, Admin impact
  new: Updated message, Feature update, Admin impact

2024-11-06  MC Summary
  old: Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names in all tables, affecting Windows activity. This change will be globally available on November 4, 2024, requiring updates to custom detection rules and queries.
  new: Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names, affecting all Advanced Hunting tables. Rollout begins November 18, 2024. Organizations should adjust custom detection rules and queries accordingly. The change applies only to Windows activity.
