Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names in all tables, affecting Windows activity. This change will be globally available on November 4, 2024, requiring updates to custom detection rules and queries.
Coming soon: Microsoft Defender for Endpoint will modify the InitiatingProcessFolderPath column across all relevant Advanced Hunting tables to include the initiating process file name. This message applies to Windows activity only.
When this will happen:
General Availability (Worldwide): We will roll out to all Microsoft Defender for Endpoint customers on November 4, 2024.
How this will affect your organization:
Before this rollout, the InitiatingProcessFolderPath column is inconsistent across action types. Some columns include the file name, and other columns do not include the file name.
After the rollout, all Microsoft Defender for Endpoint action types across all tables will report the full path including the file name of the initiating process in the InitiatingProcessFolderPath column.
Consider the following example to be the new normal, InitiatingProcessFolderPath == c:\temp\file.exe
An example of a possible current implementation that will be retired with this change: InitiatingProcessFolderPath == c:\temp\
Custom detection rules and queries considering the InitiatingProcessFolderPath may be affected.
If you know your custom detection rules or Advanced Hunting queries include this column, please modify them to consider the new convention:
To learn more, go to the Shema reference button in the top right of the Advanced hunting page.
This change is on by default.
What you need to do to prepare:
Before November 4, 2024, map your affected custom detection rules and KQL functions and prepare a fix. Where possible, we recommend updating your queries before the release.
This rollout will happen automatically by the specified date. You may want to notify your admins about this change and update any relevant documentation.