MC992217 - Microsoft Defender: Changes to Defender for Cloud Apps alerts

Service

Microsoft Defender XDR

Last Updated

Feb 19, 2025

Published Jan 30, 2025

Tag

Updated message
Feature update
Admin impact

Summary

Starting in March 2025, Microsoft Defender for Cloud Apps will change the alert source recorded on alerts that the Microsoft Defender XDR detection engine generates from Defender for Cloud Apps events, so that the origin of these alerts is reported more precisely. The change affects new alerts only and is reflected in the Defender XDR portal, Advanced hunting, and the alert APIs. No admin action is required before the rollout, but administrators should update custom rules and automations that filter on the service source, and notify their users.

More information

Updated February 19, 2025: We have updated the content. Thank you for your patience.

Coming soon for Microsoft Defender for Cloud Apps:

  • A change to the alert source on alerts that the Microsoft Defender XDR detection engine generates from events originating in Defender for Cloud Apps

This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively.

When this will happen:

General Availability (Production, GCC, GCC High, DoD): We will begin rolling out in early March 2025 and expect to complete by early April 2025.

How this will affect your organization:

We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.

This rollout will be reflected in every experience where alerts appear, including the Incidents & alerts queues in the Defender XDR portal, Advanced hunting, and the corresponding APIs and any SIEM systems that consume alerts from them.

In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine.

The prefix characters of some alert IDs will also change to comply with the Defender XDR mapping, so any automation that parses the alert ID prefix to infer the alert's source should be reviewed as well.

Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn

In the Microsoft Graph API, the Microsoft Defender for Endpoint streaming API, and Azure Event Hubs, the change will be reflected in the serviceSource property of the alert resource type: the previous value microsoft365Defender becomes microsoftDefenderForCloudApps.

Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn

Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout.

Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR) so that they reflect the new value. You may also want to notify your users about this change and update any relevant documentation.

As a reminder, detection sources will remain unchanged, so if you filter only on detection sources, everything should continue to function as normal. Rules that filter on the service source alone will stop matching newly generated alerts once the rollout reaches your tenant, and because existing alerts keep the old value, both values will coexist until the older alerts age out.
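The following Python script is an added example, not code from this Message Center post or from Microsoft. It illustrates the serviceSource change described in the Graph API paragraph above and the rule review requested under "What you need to do to prepare": a brittle rule that keys on the old serviceSource value beside a rollout-tolerant rule that keys on the unchanged detectionSource and accepts both serviceSource values, plus the equivalent OData $filter for the alerts_v2 endpoint. The Graph detectionSource value "microsoft365Defender" for alerts generated in the XDR detection engine is an assumption (the post only says the detection source does not change), and the alerts in SAMPLE_ALERTS are constructed with made-up IDs and titles.

```python
"""
Rollout-tolerant matching of Defender XDR alerts in the Microsoft Graph
security alert (alerts_v2) shape.

Added example, not code from the Message Center post or from Microsoft.
Assumption: the Graph detectionSource value for alerts generated in the
XDR detection engine is "microsoft365Defender" (the post only states that
the detection source is unchanged). SAMPLE_ALERTS below is constructed.
"""
from typing import Callable, Iterable

# serviceSource values named in the post: existing alerts keep the old value,
# alerts generated after the rollout carry the new one.
OLD_SERVICE_SOURCE = "microsoft365Defender"
NEW_SERVICE_SOURCE = "microsoftDefenderForCloudApps"
ROLLOUT_SERVICE_SOURCES = (OLD_SERVICE_SOURCE, NEW_SERVICE_SOURCE)

# detectionSource is not changed by the rollout (assumed Graph enum value).
XDR_DETECTION_SOURCE = "microsoft365Defender"


def brittle_match(alert: dict) -> bool:
    """Pre-rollout style rule that keys on serviceSource only.

    Kept to show the failure mode: it silently stops matching alerts
    generated after the rollout, because their serviceSource changed.
    """
    return alert.get("serviceSource") == OLD_SERVICE_SOURCE


def rollout_tolerant_match(alert: dict) -> bool:
    """Match XDR-engine alerts created on either side of the rollout.

    Keys on detectionSource (unchanged by the rollout) and accepts both
    serviceSource values. The alert id is deliberately not inspected:
    the post says the prefix of some alert ids also changes.
    """
    return (
        alert.get("detectionSource") == XDR_DETECTION_SOURCE
        and alert.get("serviceSource") in ROLLOUT_SERVICE_SOURCES
    )


def graph_filter() -> str:
    """OData $filter for GET /security/alerts_v2 equivalent to
    rollout_tolerant_match (assumes $filter on these properties, which
    alerts_v2 supports)."""
    sources = " or ".join(
        f"serviceSource eq '{s}'" for s in ROLLOUT_SERVICE_SOURCES
    )
    return f"({sources}) and detectionSource eq '{XDR_DETECTION_SOURCE}'"


def select_alert_ids(
    alerts: Iterable[dict],
    rule: Callable[[dict], bool] = rollout_tolerant_match,
) -> list:
    """Return the ids of alerts the rule matches, in input order."""
    return [a["id"] for a in alerts if rule(a)]


# Constructed sample alerts: ids and titles are made up.
SAMPLE_ALERTS = [
    {   # existing alert created before the rollout: old serviceSource
        "id": "old-0001",
        "serviceSource": OLD_SERVICE_SOURCE,
        "detectionSource": XDR_DETECTION_SOURCE,
        "title": "Suspicious inbox manipulation rule",
    },
    {   # alert created after the rollout: new serviceSource, same detectionSource
        "id": "new-0002",
        "serviceSource": NEW_SERVICE_SOURCE,
        "detectionSource": XDR_DETECTION_SOURCE,
        "title": "Impossible travel activity",
    },
    {   # alert from another product; must not match either rule
        "id": "mde-0003",
        "serviceSource": "microsoftDefenderForEndpoint",
        "detectionSource": "microsoftDefenderForEndpoint",
        "title": "Suspicious PowerShell command line",
    },
]

if __name__ == "__main__":
    print("brittle rule  :", select_alert_ids(SAMPLE_ALERTS, brittle_match))
    print("tolerant rule :", select_alert_ids(SAMPLE_ALERTS))
    print("$filter       :", graph_filter())
```

Run as-is, the brittle rule returns only the pre-rollout alert, while the tolerant rule returns both XDR-engine alerts and still excludes the Defender for Endpoint alert. Once every alert in the tenant created before the rollout has aged out of the retention window, the old value can be dropped from ROLLOUT_SERVICE_SOURCES; until then the rule must accept both.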