As announced at Ignite, we have updated our Microsoft 365 threat detection portfolio. We have made the following branding changes to align these solutions:
Microsoft 365 Defender (previously Microsoft Threat Protection).
Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
Microsoft Defender for Identity (previously Azure Advanced Threat Protection).
With this change, values in the AlertInfo and AlertEvidence tables in the advanced hunting schema for Microsoft 365 Defender will also need to change. On Jan 25, 2021, we will update the values in the ServiceSource and DetectionSource columns as shown in the tables below.
ServiceSource values

| Old value | New value |
|---|---|
| Microsoft Defender ATP | Microsoft Defender for Endpoint |
| Microsoft Cloud App Security | Microsoft Cloud App Security |
| Microsoft Threat Protection | Microsoft 365 Defender |
| Office 365 ATP | Microsoft Defender for Office 365 |
| Azure ATP | Microsoft Defender for Identity |
DetectionSource values

| Old value | New value |
|---|---|
| MCAS | Cloud App Security |
| WindowsDefenderAtp | EDR |
| WindowsDefenderAv | Antivirus |
| WindowsDefenderSmartScreen | SmartScreen |
| CustomerTI | Custom TI |
| OfficeATP | Microsoft Defender for Office 365 |
| MTP | Microsoft 365 Defender |
| AzureATP | Microsoft Defender for Identity |
| CustomDetection | Custom Detection |
| AutomatedInvestigation | Automated investigation |
| ThreatExperts | Microsoft Threat Experts |
| 3rd party TI | 3rd Party sensors |
You'll need to update queries that search for these values. For example, a query that filters on an old value:

```kusto
AlertInfo
| where ServiceSource == "Microsoft Defender ATP"
```
Within 30 days of the change, you should update this query to include both new and old values. This will match both existing alerts and newly logged alerts.

```kusto
AlertInfo
| where ServiceSource in ("Microsoft Defender ATP", "Microsoft Defender for Endpoint")
```
Beyond 30 days of the change, you can switch to using just the new names:

```kusto
AlertInfo
| where ServiceSource == "Microsoft Defender for Endpoint"
```
Please make sure to update all your saved queries, custom detection rules, and queries you run using the API.
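The three-step procedure above (find the old value, widen the filter to old and new for 30 days, then keep only the new name) is easy to get wrong when it has to be repeated across many saved queries, custom detection rules and API scripts. The following Python helper is an added example, not part of this announcement and not a Microsoft tool. It carries the two mapping tables from this page, reports which old values a query still filters on, and rewrites `==` and `in (...)` filters on ServiceSource and DetectionSource for either the transition window or the post-transition state. It assumes the query text is available as a string (for example, exported from the portal or fetched through the API); the function names `find_old_values` and `migrate_query` are hypothetical, and the sample query is constructed from the example on this page.

```python
import re

# Old-to-new value maps, copied from the tables in the announcement.
# Values that did not change map to themselves and are left untouched.
SERVICE_SOURCE = {
    "Microsoft Defender ATP": "Microsoft Defender for Endpoint",
    "Microsoft Cloud App Security": "Microsoft Cloud App Security",
    "Microsoft Threat Protection": "Microsoft 365 Defender",
    "Office 365 ATP": "Microsoft Defender for Office 365",
    "Azure ATP": "Microsoft Defender for Identity",
}
DETECTION_SOURCE = {
    "MCAS": "Cloud App Security",
    "WindowsDefenderAtp": "EDR",
    "WindowsDefenderAv": "Antivirus",
    "WindowsDefenderSmartScreen": "SmartScreen",
    "CustomerTI": "Custom TI",
    "OfficeATP": "Microsoft Defender for Office 365",
    "MTP": "Microsoft 365 Defender",
    "AzureATP": "Microsoft Defender for Identity",
    "CustomDetection": "Custom Detection",
    "AutomatedInvestigation": "Automated investigation",
    "ThreatExperts": "Microsoft Threat Experts",
    "3rd party TI": "3rd Party sensors",
}
COLUMN_MAPS = {"ServiceSource": SERVICE_SOURCE, "DetectionSource": DETECTION_SOURCE}

# The two filter shapes used in the announcement:
#   Column == "value"      and      Column in ("a", "b")
# (case-insensitive operators such as in~ or =~ are not handled here)
EQ_RE = re.compile(r'\b(ServiceSource|DetectionSource)\s*==\s*"([^"]*)"')
IN_RE = re.compile(r'\b(ServiceSource|DetectionSource)\s+in\s*\(([^)]*)\)')
STR_RE = re.compile(r'"([^"]*)"')


def _quoted_list(values):
    return ", ".join('"%s"' % v for v in values)


def _is_old(column, value):
    """True when the value is a pre-rename name that has a different new name."""
    new = COLUMN_MAPS[column].get(value)
    return new is not None and new != value


def find_old_values(query):
    """Return (column, old_value) pairs for every old name the query filters on."""
    hits = []
    for m in EQ_RE.finditer(query):
        if _is_old(m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    for m in IN_RE.finditer(query):
        for v in STR_RE.findall(m.group(2)):
            if _is_old(m.group(1), v):
                hits.append((m.group(1), v))
    return hits


def migrate_query(query, transition=True):
    """Rewrite filters that reference old names.

    transition=True  -> keep old AND new names (the 30-day window, so both
                        existing alerts and newly logged alerts match)
    transition=False -> new names only (after the 30-day window)
    """
    def eq_sub(m):
        col, val = m.group(1), m.group(2)
        if not _is_old(col, val):
            return m.group(0)
        new = COLUMN_MAPS[col][val]
        if transition:
            return "%s in (%s)" % (col, _quoted_list([val, new]))
        return '%s == "%s"' % (col, new)

    def in_sub(m):
        col, mapping = m.group(1), COLUMN_MAPS[m.group(1)]
        out = []  # ordered, de-duplicated list of values to keep
        for v in STR_RE.findall(m.group(2)):
            new = mapping.get(v, v)
            for keep in ([v, new] if transition else [new]):
                if keep not in out:
                    out.append(keep)
        return "%s in (%s)" % (col, _quoted_list(out))

    # Rewrite == filters first; an in(...) produced by that step is then
    # re-checked by in_sub, which leaves an already-migrated list unchanged.
    return IN_RE.sub(in_sub, EQ_RE.sub(eq_sub, query))


if __name__ == "__main__":
    # Constructed sample: the example query from the announcement.
    sample = 'AlertInfo\n| where ServiceSource == "Microsoft Defender ATP"'
    print(find_old_values(sample))
    print(migrate_query(sample))                    # 30-day form
    print(migrate_query(sample, transition=False))  # post-transition form
```

Running `find_old_values` across every exported query first gives an inventory of what still depends on the old names; `migrate_query` is deliberately idempotent, so the transition form can be re-run on a query that was already widened without duplicating values.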