This article is contributed. See the original author and article here.

As announced in Ignite, we have updated our Microsoft 365 threat detection portfolio. We have made the following branding changes to align these solutions:


 


Microsoft 365 Defender (previously Microsoft Threat Protection).


Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).


Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).


Microsoft Defender for Identity (previously Azure Advanced Threat Protection).


 


With this change, values in the AlertInfo and AlertEvidence tables in the advanced hunting schema for Microsoft 365 Defender will also need to change. On Jan 25, 2021 we will update the values in the ServiceSource and DetectionSource columns as shown in the tables below.


 


ServiceSource values


 






























Old value



New value



Microsoft Defender ATP



Microsoft Defender for Endpoint



Microsoft Cloud App Security



Microsoft Cloud App Security



Microsoft Threat Protection



Microsoft 365 Defender



Office 365 ATP



Microsoft Defender for Office 365



Azure ATP



Microsoft Defender for Identity



 


DetectionSource values


 


























































Old value



New value



MCAS



Cloud App Security


 



WindowsDefenderAtp



EDR



WindowsDefenderAv



Antivirus



WindowsDefenderSmartScreen



SmartScreen



CustomerTI



Custom TI



OfficeATP



Microsoft Defender for Office 365



MTP



Microsoft 365 Defender



AzureATP



Microsoft Defender for Identity



CustomDetection



Custom Detection



AutomatedInvestigation



Automated investigation



ThreatExperts



Microsoft Threat Experts



3rd party TI



3rd Party sensors



 


You’ll need to update queries that search for these values. For example:


 


AlertInfo
| where ServiceSource == “Microsoft Defender ATP” 

 


Within 30 days of the change, you should update this query to include both new and old values. This will match both existing alerts and newly logged alerts.


 


AlertInfo
| where ServiceSource in (“Microsoft Defender ATP”, “Microsoft Defender for Endpoint”)

 


Beyond 30 days of the change, you can switch to using just the new names:


 


AlertInfo
| where ServiceSource == “Microsoft Defender for Endpoint”

 


Please make sure to update all your saved queries, custom detection rules, and queries you run using the API.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: