MC940078: Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences

Announcement ID: MC940078
Published Date: 11-22-2024
Service: Microsoft365Defender
Last Updated: 11-22-2024
Category: Plan for change
Expiration Date: 04-07-2025
Roadmap ID:
Action Required by Date:
Tags: Major update, Admin impact, Retirement


More Information

As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences.

Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources.

When this will happen: 

General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025. 

How this will affect your organization:

You are receiving this message because the following changes may affect your organization:

Active Directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will stop triggering based on Active Directory data.

All Active Directory activities data remains available through Advanced Hunting, in the following tables:

  • IdentityLogonEvents
  • IdentityDirectoryEvents
  • IdentityQueryEvents

New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents.

All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs.

The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. 

What you need to do to prepare:

To ensure a seamless experience, create new custom detections in Advanced Hunting for any activity policies based on Active Directory data. Suggested queries related to Active Directory activities are available through the portal under Advanced Hunting > Community Queries.
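As an illustration of such a replacement (an added example, not a query from this announcement or from the Community Queries), the following Advanced Hunting query could back a custom detection that stands in for an activity policy on repeated failed Active Directory logons. The threshold, lookback window and the choice of failed logons as the policy being migrated are assumptions to adapt to the policy you are replacing.

```kusto
// Added example: candidate custom detection replacing a Defender for Cloud Apps
// activity policy that alerted on repeated failed Active Directory logons.
// failureThreshold and lookback are assumed values; tune them to the old policy.
let lookback = 1h;
let failureThreshold = 20;
IdentityLogonEvents
| where Timestamp > ago(lookback)          // for interactive runs; a scheduled rule also scopes data by its frequency
| where Application == "Active Directory"  // only events reported by Defender for Identity for AD
| where ActionType == "LogonFailed"
// Custom detections need Timestamp and ReportId from a real event in the output,
// so keep the latest event per account alongside the aggregates.
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId),
            FailedLogons = count(),
            TargetDevices = dcount(DestinationDeviceName),
            FailureReasons = make_set(FailureReason, 10)
    by AccountUpn, AccountSid, AccountObjectId
| where FailedLogons >= failureThreshold
```

When saving this as a detection rule, map AccountSid or AccountObjectId as the impacted user entity so the resulting alerts attach to the identity in Defender XDR.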

If you are still using Defender for Cloud Apps dedicated API and SIEM agents to consume Defender for Identity activities or alerts, make sure to update your resources according to the above information.
