MC797115: Microsoft Defender for Identity: "Honeytoken was queried via SAM-R alert" retires June 30, 2024

Announcement ID: MC797115
Published Date: 05-30-2024
Service: Microsoft 365 Defender
Last Updated: 05-30-2024
Category: Plan for change
Expiration Date: 07-31-2024
Roadmap ID: (none)
Action Required by Date: (none)
Tags: Major update, Admin impact, Retirement


Summary
The "Honeytoken was queried via SAM-R" feature in Microsoft Defender for Identity will retire on June 30, 2024. Instead, use advanced hunting queries to build custom detections. After the retirement, alerts for honeytoken queries made over the SAM-R protocol will stop. Prepare by adopting the recommended query method.


More Information

We will be retiring the "Honeytoken was queried via SAM-R" feature from Microsoft Defender for Identity on June 30, 2024. Instead, we recommend using advanced hunting queries to generate custom detections when required.

How this will affect your organization:

You are receiving this message because our reporting indicates one or more users in your organization are using Microsoft Defender for Identity.

After this feature retires, you will no longer receive an alert when a honeytoken account is queried over the SAM-R protocol.

What you need to do to prepare:

Instead of relying on the "Honeytoken was queried via SAM-R" alert, we recommend using the following advanced hunting query to build a custom detection, adjusted to your environment's configuration:

// Replace the placeholders with the SIDs of your honeytoken accounts.
let users = pack_array("User1_SID", "User2_SID");
IdentityQueryEvents
| where ActionType == 'SAMR query'
// AdditionalFields is a dynamic column; pull out the SID of the queried account as a string.
| extend TargetSid = tostring(AdditionalFields.TargetAccountSid)
| where isnotempty(TargetSid) and isnotempty(AccountUpn)
// Keep only queries that touched one of the honeytoken accounts.
| where TargetSid in (users)
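As an added example (not part of the announcement), the recommended query reshaped so a Defender XDR custom detection rule can consume it directly: the SIDs and labels in the datatable are constructed placeholders, and the projected Timestamp and ReportId columns are the ones custom detection rules require alongside an entity column such as AccountUpn.

```kql
// Added example, not Microsoft's own query. Map each honeytoken SID to a label
// that will be visible in the resulting alert. The SIDs below are constructed
// placeholders; replace them with the SIDs of your honeytoken accounts.
let honeytokens = datatable(HoneytokenSid:string, HoneytokenLabel:string) [
    "S-1-5-21-0000000000-0000000000-0000000000-1111", "svc-backup-honeytoken",   // placeholder
    "S-1-5-21-0000000000-0000000000-0000000000-2222", "adm-legacy-honeytoken"    // placeholder
];
IdentityQueryEvents
| where ActionType == 'SAMR query'
// AdditionalFields is dynamic; cast the queried account's SID to a string so it joins cleanly.
| extend TargetSid = tostring(AdditionalFields.TargetAccountSid)
| where isnotempty(TargetSid) and isnotempty(AccountUpn)
// Inner join keeps only SAM-R queries that targeted a honeytoken account.
| join kind=inner honeytokens on $left.TargetSid == $right.HoneytokenSid
| project Timestamp, ReportId,          // required by custom detection rules
          AccountUpn, AccountSid,       // who issued the query (the alert's user entity)
          DeviceName, IPAddress,        // where the query originated
          TargetSid, HoneytokenLabel,   // which honeytoken was touched
          QueryTarget, Protocol
```

Run the query in advanced hunting first to confirm it returns rows for a deliberate test query against a honeytoken account, then save it as a custom detection rule with the frequency and alert severity your environment needs.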
