MC906487: Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names

Announcement ID: MC906487
Published Date: 10-07-2024
Service: Microsoft 365 Defender
Last Updated: 11-05-2024
Category: Plan for change
Expiration Date: 01-31-2025
Roadmap ID:
Action Required by Date:
Tags: Admin impact, Feature update


Summary
Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath column to include the initiating process file name across all relevant Advanced Hunting tables. Rollout begins November 18, 2024. Organizations should adjust custom detection rules and queries that depend on this column accordingly. The change applies only to Windows activity.


More Information

Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.

When this will happen:

General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 18, 2024 (previously November 4).

How this will affect your organization:

Before this rollout, the value of the InitiatingProcessFolderPath column is inconsistent across action types. For some action types the column includes the initiating process file name; for others it contains only the folder path.

After the rollout, all Microsoft Defender for Endpoint action types across all tables will report the full path including the file name of the initiating process in the InitiatingProcessFolderPath column.

Consider the following to be the new normal, reported for every action type: InitiatingProcessFolderPath == c:\temp\file.exe

An example of a folder-only value that some action types report today and that will be retired with this change: InitiatingProcessFolderPath == c:\temp\

Custom detection rules and queries considering the InitiatingProcessFolderPath may be affected.

If you know your custom detection rules or Advanced Hunting queries include this column, please modify them to consider the new convention:

  • To modify your custom detection rules, go to the Defender portal > Investigation & response > Hunting > Custom detection rules
  • To modify other Advanced Hunting queries, go to the Defender portal > Investigation & response > Hunting > Advanced hunting
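The following Advanced Hunting (KQL) query is an added example and is not part of the Microsoft announcement. It uses a constructed datatable standing in for DeviceProcessEvents (the column names are the real Advanced Hunting columns; the rows, host names and the c:\temp\file.exe path are made up) to show, side by side, the retired folder-only match, the new full-path match, and a normalized path that matches under either convention so a rule keeps working before and after the rollout.

```kql
// Added example, not Microsoft's code. Constructed sample rows stand in for
// DeviceProcessEvents; only the column names are real, the data is made up.
let SampleEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string,
    InitiatingProcessFolderPath:string, InitiatingProcessFileName:string,
    ProcessCommandLine:string)
[
    // Pre-rollout convention for some action types: folder path only
    datetime(2024-11-01 10:00:00), "host1", "ProcessCreated",
        @"c:\temp\", "file.exe", "cmd.exe /c whoami",
    // Post-rollout convention: folder path plus initiating file name
    datetime(2024-11-19 10:00:00), "host2", "ProcessCreated",
        @"c:\temp\file.exe", "file.exe", "cmd.exe /c whoami",
    // Unrelated process, should match nothing
    datetime(2024-11-19 10:05:00), "host3", "ProcessCreated",
        @"c:\windows\system32\svchost.exe", "svchost.exe", "svchost.exe -k netsvcs"
];
SampleEvents
// Build a full path that is the same under both conventions:
// if the column already ends with "\<file name>", keep it; otherwise strip any
// trailing backslash from the folder and append "\<file name>".
| extend NormalizedInitiatingPath = tolower(iff(
      InitiatingProcessFolderPath endswith strcat(@"\", InitiatingProcessFileName),
      InitiatingProcessFolderPath,
      strcat(trim_end(@"\\+", InitiatingProcessFolderPath), @"\", InitiatingProcessFileName)))
| extend
      // Retired form: exact match on the folder. True only for the pre-rollout row.
      RetiredMatch = InitiatingProcessFolderPath =~ @"c:\temp\",
      // New form: exact match on the full path. True only for the post-rollout row.
      NewMatch     = InitiatingProcessFolderPath =~ @"c:\temp\file.exe",
      // Version-tolerant form: true for both rows that describe file.exe in c:\temp.
      RobustMatch  = NormalizedInitiatingPath == @"c:\temp\file.exe"
| project Timestamp, DeviceName, InitiatingProcessFolderPath,
          NormalizedInitiatingPath, RetiredMatch, NewMatch, RobustMatch
```

Run against the sample rows, host1 reports RetiredMatch true and NewMatch false, host2 the reverse, and both report RobustMatch true; host3 matches nothing. In a real rule, replace SampleEvents with the table you hunt in (DeviceProcessEvents, DeviceFileEvents, and so on). If the intent of an existing rule is really "anything launched from this folder" rather than one specific binary, `InitiatingProcessFolderPath startswith @"c:\temp\"` is the simplest fix, since it holds under both the old and the new value.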

To learn more, use the Schema reference button in the top right of the Advanced hunting page.

This change is on by default.

What you need to do to prepare:

Before the rollout on November 18, 2024 (originally scheduled for November 4), map your affected custom detection rules and KQL functions and prepare a fix. Where possible, we recommend updating your queries before the release.

This rollout will happen automatically by the specified date. You may want to notify your admins about this change and update any relevant documentation.
