Advanced hunting product name changes

Published 12-22-2020 04:21 AM 2,833 Views
Microsoft

As announced in Ignite, we have updated our Microsoft 365 threat detection portfolio. We have made the following branding changes to align these solutions:

 

Microsoft 365 Defender (previously Microsoft Threat Protection).

Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).

Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).

Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

 

With this change, values in the AlertInfo and AlertEvidence tables in the advanced hunting schema for Microsoft 365 Defender will also need to change. On Jan 25, 2021 we will update the values in the ServiceSource and DetectionSource columns as shown in the tables below.

 

ServiceSource values

 

Old value

New value

Microsoft Defender ATP

Microsoft Defender for Endpoint

Microsoft Cloud App Security

Microsoft Cloud App Security

Microsoft Threat Protection

Microsoft 365 Defender

Office 365 ATP

Microsoft Defender for Office 365

Azure ATP

Microsoft Defender for Identity

 

DetectionSource values

 

Old value

New value

MCAS

Cloud App Security

 

WindowsDefenderAtp

EDR

WindowsDefenderAv

Antivirus

WindowsDefenderSmartScreen

SmartScreen

CustomerTI

Custom TI

OfficeATP

Microsoft Defender for Office 365

MTP

Microsoft 365 Defender

AzureATP

Microsoft Defender for Identity

CustomDetection

Custom Detection

AutomatedInvestigation

Automated investigation

ThreatExperts

Microsoft Threat Experts

3rd party TI

3rd Party sensors

 

You’ll need to update queries that search for these values. For example:

 

AlertInfo
| where ServiceSource == "Microsoft Defender ATP" 

 

Within 30 days of the change, you should update this query to include both new and old values. This will match both existing alerts and newly logged alerts.

 

AlertInfo
| where ServiceSource in ("Microsoft Defender ATP", "Microsoft Defender for Endpoint")

 

Beyond 30 days of the change, you can switch to using just the new names:

 

AlertInfo
| where ServiceSource == "Microsoft Defender for Endpoint"

 

Please make sure to update all your saved queries, custom detection rules, and queries you run using the API.

1 Comment
Contributor
Nice!
%3CLINGO-SUB%20id%3D%22lingo-sub-2009233%22%20slang%3D%22en-US%22%3EAdvanced%20hunting%20product%20name%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2009233%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20announced%20in%20Ignite%2C%20we%20have%20updated%20our%20Microsoft%20365%20threat%20detection%20portfolio.%20We%20have%20made%20the%20following%20branding%20changes%20to%20align%20these%20solutions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20365%20Defender%20(previously%20Microsoft%20Threat%20Protection).%3C%2FP%3E%0A%3CP%3EMicrosoft%20Defender%20for%20Endpoint%20(previously%20Microsoft%20Defender%20Advanced%20Threat%20Protection).%3C%2FP%3E%0A%3CP%3EMicrosoft%20Defender%20for%20Office%20365%20(previously%20Office%20365%20Advanced%20Threat%20Protection).%3C%2FP%3E%0A%3CP%3EMicrosoft%20Defender%20for%20Identity%20(previously%20Azure%20Advanced%20Threat%20Protection).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20this%20change%2C%20values%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-alertinfo-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAlertInfo%3C%2FSTRONG%3E%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-alertevidence-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAlertEvidence%3C%2FSTRONG%3E%3C%2FA%3E%20tables%20in%20the%20advanced%20hunting%20schema%20for%20Microsoft%20365%20Defender%20will%20also%20need%20to%20change.%20On%20Jan%2025%2C%202021%20we%20will%20update%20the%20values%20in%20the%20%3CSTRONG%3EServiceSource%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EDetectionSource%3C%2FSTRONG%3E%20columns%20as%20shown%20in%20the%20tables%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EServiceSource%20values%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3E%3CSTRONG%3EOld%20value%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3E%3CSTRONG%3ENew%20value%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3EMicrosoft%20Defender%20ATP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3EMicrosoft%20Defender%20for%20Endpoint%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3EMicrosoft%20Cloud%20App%20Security%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3EMicrosoft%20Cloud%20App%20Security%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3EMicrosoft%20Threat%20Protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3EMicrosoft%20365%20Defender%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3EOffice%20365%20ATP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3EMicrosoft%20Defender%20for%20Office%20365%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22199%22%3E%3CP%3EAzure%20ATP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22191%22%3E%3CP%3EMicrosoft%20Defender%20for%20Identity%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDetectionSource%20values%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3E%3CSTRONG%3EOld%20value%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3E%3CSTRONG%3ENew%20value%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EMCAS%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3ECloud%20App%20Security%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EWindowsDefenderAtp%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EEDR%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EWindowsDefenderAv%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EAntivirus%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EWindowsDefenderSmartScreen%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3ESmartScreen%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3ECustomerTI%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3ECustom%20TI%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EOfficeATP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMicrosoft%20Defender%20for%20Office%20365%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EMTP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMicrosoft%20365%20Defender%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EAzureATP%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMicrosoft%20Defender%20for%20Identity%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3ECustomDetection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3ECustom%20Detection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EAutomatedInvestigation%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EAutomated%20investigation%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3EThreatExperts%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMicrosoft%20Threat%20Experts%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22202%22%3E%3CP%3E3%3CSUP%3Erd%3C%2FSUP%3E%20party%20TI%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3E3%3CSUP%3Erd%3C%2FSUP%3E%20Party%20sensors%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%E2%80%99ll%20need%20to%20update%20queries%20that%20search%20for%20these%20values.%20For%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EAlertInfo%3CBR%20%2F%3E%7C%20where%20ServiceSource%20%3D%3D%20%22Microsoft%20Defender%20ATP%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%2030%20days%20of%20the%20change%2C%20you%20should%20update%20this%20query%20to%20include%20both%20new%20and%20old%20values.%20This%20will%20match%20both%20existing%20alerts%20and%20newly%20logged%20alerts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EAlertInfo%3CBR%20%2F%3E%7C%20where%20ServiceSource%20in%20(%22Microsoft%20Defender%20ATP%22%2C%20%22Microsoft%20Defender%20for%20Endpoint%22)%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBeyond%2030%20days%20of%20the%20change%2C%20you%20can%20switch%20to%20using%20just%20the%20new%20names%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EAlertInfo%3CBR%20%2F%3E%7C%20where%20ServiceSource%20%3D%3D%20%22Microsoft%20Defender%20for%20Endpoint%22%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20make%20sure%20to%20update%20all%20your%20saved%20queries%2C%20custom%20detection%20rules%2C%20and%20queries%20you%20run%20using%20the%20API.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2009233%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20announced%20in%20Ignite%2C%20we%20have%20updated%20our%20Microsoft%20365%20threat%20detection%20portfolio.%20We%20have%20made%20the%20following%20branding%20changes%20to%20align%20these%20solutions.%26nbsp%3BWith%20this%20change%2C%20values%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-alertinfo-table%3Fview%3Do365-worldwide%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3E%3CSTRONG%3EAlertInfo%3C%2FSTRONG%3E%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-alertevidence-table%3Fview%3Do365-worldwide%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3E%3CSTRONG%3EAlertEvidence%3C%2FSTRONG%3E%3C%2FA%3E%20tables%20in%20the%20advanced%20hunting%20schema%20for%20Microsoft%20365%20Defender%20will%20also%20need%20to%20change.%20On%20Jan%2025%2C%202021%20we%20will%20update%20the%20values%20in%20the%20%3CSTRONG%3EServiceSource%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EDetectionSource%3C%2FSTRONG%3E%20columns%20as%20shown%20in%20the%20tables%20below.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2011170%22%20slang%3D%22en-US%22%3ERE%3A%20Advanced%20hunting%20product%20name%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2011170%22%20slang%3D%22en-US%22%3ENice!%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Dec 22 2020 04:23 AM
Updated by: