MicrosoftMicrosoft
MicrosoftHi Mike_Watson
There are farther logics in Microsoft 365 Defender that are based on behaviors, for example "impossible travel", and create alerts out of them when they correlate with other signals that together indicate an attack with higher confidence. We always want to learn and improve, and in case those didn't trigger in a case of a true attack, I encourage you to open a support ticket to report a false negative, with farther details that will enable us tunning the correlations better to also cover such case.
To learn more on how to create custom detections based on behaviors, you can see the documentation here: Investigate behaviors with advanced hunting - Microsoft Defender for Cloud Apps | Microsoft Learn
The change was done on May 2023, and was informed via banners in the portal (both the legacy Defender for Cloud Apps portal and security.microsot.com), and via the Microsoft 365 Message Center: https://admin.microsoft.com/AdminPortal/Home#/messagecenter ,
There you can sign up for email notifications according to your preferences.