check before: 2025-03-01
Product:
Defender, Defender for Cloud Apps, Defender for Endpoint, Defender XDR, Microsoft Graph, Stream
Platform:
Developer, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:

Details:
Summary:
Microsoft Defender for Cloud Apps will update the alert source field in new alerts generated after the rollout, starting early March 2025 and completing by late June 2025. This change affects various systems and requires administrators to update custom rules and notify users. No admin action is required before the rollout.
Details:
Updated June 5, 2025: We have updated the timeline below. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps:
A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine
This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively.
[When this will happen:]
General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by late June 2025 (previously late May).
Created:
2025-01-30
updated:
2025-06-06
Summary for non-techies
Microsoft is updating alert labels in Microsoft Defender for Cloud Apps from March to June 2025, affecting new alerts and requiring updates to custom rules and processes to recognize the new "Defender for Cloud Apps" label in systems like Microsoft Graph API and Azure Events Hub.
Direct effects for Operations
Alert Source Changes
Changes to the alert source field may lead to confusion among users if they are not informed, potentially resulting in misinterpretation of alerts.
- roles: Security Administrator, End User
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
Custom Rules and Automations
Failure to update custom alert rules and automations may lead to alerts not being processed correctly, causing delays in incident response.
- roles: Security Administrator, Incident Response Team
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
User Notification
Not notifying users about the changes may result in increased support queries and user frustration due to unexpected alert behaviors.
- roles: IT Support, End User
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
Opportunities
Improved Alert Management
The change in the alert source field will make the origin of alerts more accurate, allowing for better identification and management of security incidents. This leads to more effective incident response and minimizes potential security risks.
- next-steps: Conduct training sessions for security teams on the new alert structures and how to interpret them effectively. Update incident response protocols to incorporate the changes in alert management.
- roles: Security Analysts, Incident Response Teams, IT Administrators
- references: https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources
Automation of Alert Rules
Administrators can leverage the updated alert sources to refine and automate alert rules, enhancing the efficiency of monitoring and response processes. This will reduce manual oversight and improve operational efficiency.
- next-steps: Review existing custom alert rules and automate the update process to align with the new alert source values. Consider using scripts or tools to streamline this process.
- roles: IT Administrators, DevOps Engineers
- references: https://learn.microsoft.com/defender-xdr/streaming-api
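One way to review rules that key on serviceSource, as an added example that is not part of this page or Microsoft's code: the old and new serviceSource values come from the Message Center text quoted in the change history below, the sample alerts are constructed, and the detectionSource names and the OData $filter syntax are assumed to follow the Graph security alert resource.

```python
# Added example, not Microsoft's code: audit custom alert rules for the
# Defender for Cloud Apps serviceSource change described above.
import re

# Pre-rollout serviceSource values and the value that replaces them (from the
# Message Center text quoted in the change history).
OLD_SERVICE_SOURCES = ("microsoft365Defender", "microsoftAppGovernance")
NEW_SERVICE_SOURCE = "microsoftDefenderForCloudApps"

# Constructed sample alerts trimmed to two Graph security alert properties.
# a1/a2 are pre-rollout; a3 is the same kind of detection as a1 after the
# rollout. detectionSource names are assumed from the Graph enum.
SAMPLE_ALERTS = [
    {"id": "a1", "serviceSource": "microsoft365Defender", "detectionSource": "microsoft365Defender"},
    {"id": "a2", "serviceSource": "microsoftAppGovernance", "detectionSource": "appGovernancePolicy"},
    {"id": "a3", "serviceSource": "microsoftDefenderForCloudApps", "detectionSource": "microsoft365Defender"},
]

def select_by_service_source(alerts, accepted):
    """Legacy-style rule keyed on serviceSource only; it stops matching
    post-rollout alerts unless `accepted` is extended."""
    return [a["id"] for a in alerts if a["serviceSource"] in accepted]

def select_cloud_apps_alerts(alerts):
    """Rollout-safe variant: accept old and new values so alerts created
    before and after the change are both routed."""
    return select_by_service_source(alerts, set(OLD_SERVICE_SOURCES) | {NEW_SERVICE_SOURCE})

def select_by_detection_source(alerts, accepted):
    """Rule keyed on detectionSource, which the rollout leaves unchanged."""
    return [a["id"] for a in alerts if a["detectionSource"] in accepted]

_SRC_RE = re.compile(r"serviceSource\s+eq\s+'([^']+)'")

def audit_odata_filter(odata_filter):
    """Report pre-rollout serviceSource values in a Graph $filter string and
    return it extended to also match the new value (left alone if the filter
    already references the new value)."""
    already_updated = NEW_SERVICE_SOURCE in odata_filter
    findings = []
    def extend(match):
        value = match.group(1)
        if value not in OLD_SERVICE_SOURCES:
            return match.group(0)
        findings.append(value)
        if already_updated:
            return match.group(0)
        return f"({match.group(0)} or serviceSource eq '{NEW_SERVICE_SOURCE}')"
    return findings, _SRC_RE.sub(extend, odata_filter)
```

Running the legacy selector with only the old value against the sample shows a3 being dropped, while the detectionSource-based selector returns a1 and a3 unchanged.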
User Notification and Documentation Updates
The change necessitates notifying users about the new alert structures, which can improve user awareness and compliance regarding security alerts and actions.
- next-steps: Draft and distribute a communication plan to inform users about the changes. Update internal documentation and training materials to reflect the new alert structures and their implications.
- roles: IT Administrators, Training Coordinators, Security Awareness Teams
- references: https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-06-06 | MC Messages | Updated March 24, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by late May 2025 (previously early April). | Updated June 5, 2025: We have updated the timeline below. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by late June 2025 (previously late May). |
2025-06-06 | MC Last Updated | 03/24/2025 22:28:00 | 2025-06-05T16:56:32Z |
2025-06-06 | MC Summary | Microsoft Defender for Cloud Apps will update the alert source field in new alerts starting March 2025, completing by late May 2025. This change aims to improve alert accuracy and will affect various systems including the XDR portal and APIs. No admin action is required, but custom rules and documentation should be updated. | Microsoft Defender for Cloud Apps will update the alert source field in new alerts generated after the rollout, starting early March 2025 and completing by late June 2025. This change affects various systems and requires administrators to update custom rules and notify users. No admin action is required before the rollout. |
2025-03-25 | MC Messages | Updated February 19, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025. | Updated March 24, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by late May 2025 (previously early April). |
2025-03-25 | MC Last Updated | 02/19/2025 19:32:30 | 2025-03-24T22:28:00Z |
2025-03-25 | MC Summary | Microsoft Defender for Cloud Apps will update alert sources to provide more precise information, starting in March 2025. This change affects new alerts only and will be reflected in various systems and APIs. Administrators should update custom rules and notify users. No admin action is required before the rollout. | Microsoft Defender for Cloud Apps will update the alert source field in new alerts starting March 2025, completing by late May 2025. This change aims to improve alert accuracy and will affect various systems including the XDR portal and APIs. No admin action is required, but custom rules and documentation should be updated. |
2025-02-20 | MC prepare | This rollout will happen automatically by the specified date with no admin action required before the rollout.
Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR, or Service sources = App governance), to ensure they reflect the new value. You may also want to notify your users about this change and update any relevant documentation. As a reminder, detection sources will remain unchanged, so if you only filter on detection sources, everything should continue to function as normal. https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources https://learn.microsoft.com/defender-xdr/streaming-api https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0 | This rollout will happen automatically by the specified date with no admin action required before the rollout.
Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR), to ensure they reflect the new value. You may also want to notify your users about this change and update any relevant documentation. As a reminder, detection sources will remain unchanged, so if you only filter on detection sources, everything should continue to function as normal. https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources https://learn.microsoft.com/defender-xdr/streaming-api https://learn.microsoft.com/graph/api/resources/security-alert?view=graph-rest-1.0 |
2025-02-20 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
2025-02-20 | MC Summary | Microsoft Defender for Cloud Apps will update alert sources to provide more precise information, starting in March 2025. This change affects new alerts only and will be reflected in various systems and APIs. Administrators should update custom rules and notify users. No admin action is required before the rollout. | |
2025-02-20 | MC Last Updated | 01/30/2025 01:33:40 | 2025-02-19T19:32:30Z |
2025-02-20 | MC Messages | Coming soon for Microsoft Defender for Cloud Apps:
A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine A change to App governance alerts This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025. | Updated February 19, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Cloud Apps: A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively. [When this will happen:] General Availability (GCC, GCC High, DoD, Production, DoD): We will begin rolling out early March 2025 and expect to complete by early April 2025. |
2025-02-20 | MC Title | Microsoft Defender: Changes to Defender for Cloud Apps alerts | (Updated) Microsoft Defender: Changes to Defender for Cloud Apps alerts |
2025-02-20 | MC How Affect | We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.
This rollout will be reflected in all experiences where alerts are represented, including Incidents & alerts queues in the XDR portal, Advanced hunting, and the correlating APIs and SIEM systems. In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR and App governance values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine, App governance policy, or App governance detection. The alert ID prepended characters of some of the alerts will also be changed to comply with the Defender XDR mapping. Service/Detection sources filter in the Incidents queue. Left: Before the change. Right: After the change: Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn In the Microsoft Graph API, Microsoft Defender for Endpoint streaming API, and the Microsoft Azure Events Hub, the change will be reflected in the alert resource type under the property serviceSource, and the previous values of microsoft365Defender and microsoftAppGovernance will change to microsoftDefenderForCloudApps. Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn | We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.
This rollout will be reflected in all experiences where alerts are represented, including Incidents & alerts queues in the XDR portal, Advanced hunting, and the correlating APIs and SIEM systems. In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine. The alert ID prepended characters of some of the alerts will also be changed to comply with the Defender XDR mapping. Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn In the Microsoft Graph API, Microsoft Defender for Endpoint streaming API, and the Microsoft Azure Events Hub, the change will be reflected in the alert resource type under the property serviceSource, and the previous values of microsoft365Defender will change to microsoftDefenderForCloudApps. Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn |