Announcement ID | MC940078 | Published Date | 11-22-2024 | |
Service | Microsoft365Defender | Last Updated | 11-22-2024 | |
Category | Plan for change | Expiration Date | 04-07-2025 | |
Roadmap ID | Action Required by Date | |||
Tags | Major update, Admin impact, Retirement |
Summary |
---|
MC940078: Upcoming changes to Defender for Identity activities and alerts in Defender for Cloud Apps experiences |
More Information |
---|
As part of the convergence of both Microsoft Defender for Identity and Microsoft Defender for Cloud Apps into Microsoft Defender XDR services, we are continuing to move away from legacy experiences and enhancing the unified experiences. Therefore, we will gradually retire Defender for Identity's Active Directory and alerts data from Defender for Cloud Apps dedicated experiences. All data, as well as all functionality of the affected experiences, remain available through Microsoft Defender XDR unified experiences, where we will continue to invest our development resources. When this will happen:General Availability (Worldwide, GCC, GCC High, DoD): This retirement will begin rolling out in late January 2025 and is expected to complete in early March 2025. How this will affect your organization:You are receiving this message because the following changes may affect your organization: Active directory activities coming from Defender for Identity will no longer be available in Defender for Cloud Apps activity logs. Consequently, Defender for Cloud Apps activity policies will cease from triggering based on Active Directory data. All Active Directory activities data remains available through Advanced Hunting, in the following tables:
New Active Directory activities, as well as Defender for Identity's alerts data, will no longer be available through Defender for Cloud Apps Activities API, Alerts API, or dedicated SIEM agents. All activities and alerts data remains available through Defender XDR Streaming API and Event Hubs. The Identities page under 'Assets' in the XDR portal will be updated to better support the new experiences. The page will be divided into two distinct tabs: First-party identities and Third-party accounts. What you need to do to prepare:To ensure a seamless experience, create new custom detections for any activity policies based on active directory data in Advanced Hunting.Suggested queries related to Active Directory activities are available through the portal under Advanced Hunting > Community Queries. If you are still using Defender for Cloud Apps dedicated API and SIEM agents to consume Defender for Identity activities or alerts, make sure to update your resources according to the above information. |