MC992217 – Microsoft Defender: Changes to Defender for Cloud Apps alerts


check before: 2025-03-01

Product:

Defender, Defender for Cloud Apps, Defender for Endpoint, Defender XDR, Microsoft Graph, Stream

Platform:

Developer, Online, US Instances, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Details:

Coming soon for Microsoft Defender for Cloud Apps:
   - A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine
   - A change to App governance alerts
This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively.
When this will happen:
General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-01-30

updated:
2025-01-30

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preparations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

Pictures

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Alert Source Changes
Changes to the alert source field may confuse users and administrators who are not prepared for the new values, which can lead to alerts being misinterpreted or triaged incorrectly.
   - roles: Security Administrators, IT Support Staff
   - references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources

Custom Alert Rules
Existing custom alert rules may become ineffective or generate incorrect alerts if not updated to reflect the new service source values, leading to missed or false alerts.
   - roles: Security Administrators, Incident Response Teams
   - references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources

User Notification and Documentation
Failure to notify users about the changes may result in users being unaware of the new alert formats, leading to confusion and potential delays in response to security incidents.
   - roles: IT Support Staff, End Users
   - references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources

Configuration Options**

XXXXXXX ... paid membership only

Opportunities**

Improved Alert Management
With the changes to the alert sources in Microsoft Defender for Cloud Apps, administrators can more accurately identify the origin of alerts, leading to improved response times and management of security incidents. This will enhance the overall security posture of the organization by allowing quicker and more informed decision-making.
   - next-steps: Review and update existing alert management protocols to incorporate the new alert source values. Train security teams on how to utilize the new alert information effectively.
   - roles: Security Administrators, IT Managers, Compliance Officers
   - references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources

Enhanced Documentation and User Training
The changes in alert sources necessitate an update to internal documentation and training materials. By proactively informing users and providing updated resources, organizations can ensure that teams are well-prepared to adapt to the new alert structures and maintain operational efficiency.
   - next-steps: Develop a communication plan to inform users about the changes, and schedule training sessions to go over the updated alert sources and their implications for incident response.
   - roles: IT Support Staff, Training Coordinators, Security Analysts
   - references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources

Automation of Alert Processing
The new alert structure allows for better integration with existing automation tools and processes. By updating custom alert rules and playbooks to reflect the new alert sources, organizations can enhance their incident response automation, reducing manual effort and increasing response speed.
   - next-steps: Audit current automation scripts and playbooks for compatibility with the new alert source values. Implement necessary updates and test the revised automations to ensure they function as intended.
   - roles: DevOps Engineers, Security Operations Center (SOC) Analysts, IT Administrators
   - references: https://learn.microsoft.com/defender-xdr/streaming-api, https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0

Potential Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only

** AI generated content. This information must be reviewed before use.
