Configuration Change – Microsoft Defender for Cloud Apps threat protection policies

We’re making some changes to the default Microsoft Defender for Cloud Apps threat protection policies. 

When this will happen:

How this will affect your organization:

The following policies will be disabled by default:

  • Impossible travel activity
  • Activity from infrequent country
  • Mass delete
  • Multiple failed login attempts
  • Mass download
  • Suspicious administrative activity
  • Suspicious Power BI report sharing
  • Mass share
  • Suspicious OAuth app file download activities
  • Multiple Power BI report sharing activities
  • Suspicious impersonated activity
  • Multiple delete VM activities
  • Multiple VM creation activities
  • Unusual addition of credentials to an OAuth app

These policies are being disabled because their signals are now sent as “behaviors”, a new data type that represents them better than alerts do. Now that Microsoft Defender for Cloud Apps is part of Microsoft 365 Defender XDR, those signals can be enriched and correlated with other signals, and alerts are raised when the correlation indicates a threat with higher confidence. You can still create alerts from the policies' logic, either by re-enabling the policies manually or by creating Microsoft 365 Defender advanced hunting custom detections on the relevant behaviors.
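As an added illustration (not part of the message center post), the following advanced hunting query shows one way to keep consuming the signals of two of the disabled policies: it pulls Defender for Cloud Apps behaviors matching "Impossible travel" and "Mass download" and keeps only users who also raised an alert within an hour, which is the kind of correlation the post describes. Table and column names follow the documented BehaviorInfo, AlertInfo and AlertEvidence schemas; the Description text filter and the ServiceSource value are assumptions to verify against the behaviors seen in your tenant.

```kql
// Added example: correlate Defender for Cloud Apps behaviors with alerts on the same user.
// Assumptions: the Description filter and the ServiceSource value below may differ in your
// tenant; adjust them to the behavior names and service name that appear in BehaviorInfo.
let lookback = 7d;
let correlation_window_minutes = 60;
// Behaviors that replaced the disabled "Impossible travel" and "Mass download" policies
let cloudapp_behaviors =
    BehaviorInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Cloud Apps"
    | where Description has_any ("Impossible travel", "Mass download")
    | where isnotempty(AccountUpn)
    | project BehaviorId, BehaviorTime = Timestamp, ActionType, Description, AccountUpn;
// Alerts from any Microsoft 365 Defender source, resolved to the user entity they involve
let user_alerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | project AlertId, AlertTime = Timestamp, Title, Severity
    | join kind=inner (
        AlertEvidence
        | where EntityType == "User" and isnotempty(AccountUpn)
        | project AlertId, AccountUpn
      ) on AlertId
    | project-away AlertId1;
// Keep only behaviors that have an alert on the same user inside the correlation window
cloudapp_behaviors
| join kind=inner user_alerts on AccountUpn
| where abs(datetime_diff("minute", AlertTime, BehaviorTime)) <= correlation_window_minutes
| summarize
    Behaviors = make_set(Description),
    Alerts = make_set(Title),
    Severities = make_set(Severity),
    FirstSeen = min(BehaviorTime),
    LastSeen = max(BehaviorTime)
    by AccountUpn
| order by LastSeen desc
```

The same logic can be saved from the advanced hunting page as a custom detection rule, which is the route the post recommends over re-enabling the policies.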

With the transition to “behaviors” we are also introducing more security-scenario-focused detections in Microsoft 365 Defender. These cover the high-confidence scenarios that some of the disabled detections covered, together with new detections for additional scenarios such as suspicious activities by risky users, crypto-mining patterns and business email compromise (BEC) attacks, providing the next level of out-of-the-box threat protection for cloud applications.

Behaviors will also generate alerts and be correlated to relevant incidents in Microsoft 365 Defender when there is a relevant trigger, such as an alert generated on the same user within a short period of time.

More information about “behaviors”, including how to query and create custom detections out of them can be found in this documentation.

In later phases, Microsoft Defender for Cloud Apps is also expected to shift from policy-based out-of-the-box threat detections to a cloud-managed detections model that provides higher agility and the ability to respond faster and more accurately to evolving threats.

Note: Re-enabling the policies is relevant only as long as the policies exist; this is a transition phase before the full cloud-managed threat detection model that is expected to be implemented in the future. There is no concrete date at the moment, and prior notification will be sent before that change happens.

What you need to do to prepare:

When this change takes effect, you will need to re-evaluate the out-of-the-box policies above and understand how you want to consume them. Our recommendation would be to keep them disabled and create custom detections or re-enable policies after May 29, 2023, only if you have specific detections that are relevant to your tenant to be consumed as alerts and not as behaviors.

For more information, please visit this documentation.

Message ID: MC550086

