MC906487 - Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names

Service

Microsoft Defender XDR

Last Updated

Nov 5, 2024

Published Oct 7, 2024

Tag

Updated message
Feature update
Admin impact

Act by

Nov 3, 2024

Summary

Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names, affecting all Advanced Hunting tables. Rollout begins November 18, 2024. Organizations should adjust custom detection rules and queries accordingly. The change applies only to Windows activity.

More information

Updated November 5, 2024: We have updated the rollout timeline below. Thank you for your patience.

Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.

When this will happen:

General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 18, 2024 (previously November 4).

How this will affect your organization:

Before this rollout, the InitiatingProcessFolderPath column is inconsistent across action types. Some columns include the file name, and other columns do not include the file name.

After the rollout, all Microsoft Defender for Endpoint action types across all tables will report the full path including the file name of the initiating process in the InitiatingProcessFolderPath column.

Consider the following example to be the new normal, InitiatingProcessFolderPath == c:\temp\file.exe

An example of a possible current implementation that will be retired with this change: InitiatingProcessFolderPath == c:\temp\

Custom detection rules and queries considering the InitiatingProcessFolderPath may be affected.

If you know your custom detection rules or Advanced Hunting queries include this column, please modify them to consider the new convention:

  • To modify your custom detection rules, go to the Defender portal > Investigation & response > Hunting > Custom detection rules
  • To modify other Advanced Hunting queries, go to the Defender portal > Investigation & response > Hunting > Advanced hunting

To learn more, go to the Shema reference button in the top right of the Advanced hunting page.

This change is on by default.

What you need to do to prepare:

Before November 4, 2024, map your affected custom detection rules and KQL functions and prepare a fix. Where possible, we recommend updating your queries before the release.

This rollout will happen automatically by the specified date. You may want to notify your admins about this change and update any relevant documentation.