(Updated) Microsoft Defender: Changes to Defender for Cloud Apps alerts
MC992217
Category: planForChange
Severity: normal
Major change: False
Last modified: 2025-06-05 14:56:32
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): none
Action by (AI): none
Services: Microsoft Defender XDR
Tags: Updated message, Feature update, Admin impact
Master tags: Security
Roadmap IDs: none
One-line summary

Defender for Cloud Apps alerts in Defender XDR will update alert source fields and alert ID prefixes for new alerts, affecting APIs, SIEM, and custom automations; rollout completes by late June 2025.


Details

Summary
Microsoft Defender for Cloud Apps will update the alert source field in new alerts generated after the rollout, starting early March 2025 and completing by late June 2025. This change affects various systems and requires administrators to update custom rules and notify users. No admin action is required before the rollout.

Body (from Message Center)

Updated June 5, 2025: We have updated the timeline below. Thank you for your patience.

Coming soon for Microsoft Defender for Cloud Apps:

  • A change to alerts generated by events originating from Defender for Cloud Apps that are generated in the Microsoft Defender XDR detection engine

This rollout aims to provide more accurate and precise information on the origin of these alerts, enabling customers to identify, manage, and respond to alerts more effectively.

[When this will happen:]

General Availability (GCC, GCC High, DoD, Production): We will begin rolling out early March 2025 and expect to complete by late June 2025 (previously late May).

[How this will affect your organization:]

We will change the field indicating the alert source in the alert data itself. Note: The rollout will only affect new alerts generated after the rollout and will not alter existing alerts.

This rollout will be reflected in all experiences where alerts are represented, including the Incidents & alerts queues in the XDR portal, Advanced hunting, and the corresponding APIs and SIEM systems.

In the Defender XDR portal, the change will be reflected in the Service sources field, replacing the current Microsoft Defender XDR values with the new value Defender for Cloud Apps. The detection sources will remain unchanged and will continue to indicate the detections are generated in the XDR detection engine.

The prefix characters of some alert IDs will also change to comply with the Defender XDR mapping.

Learn more about the different alert sources in Defender XDR in the Alert sources section of Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn

In the Microsoft Graph API, the Microsoft Defender for Endpoint streaming API, and Microsoft Azure Event Hubs, the change will be reflected in the alert resource type under the property serviceSource: the previous value microsoft365Defender will change to microsoftDefenderForCloudApps.

Learn more about the Graph API alert resource: alert resource type - Microsoft Graph v1.0 | Microsoft Learn

Learn more about Streaming API: Stream Microsoft Defender XDR events - Microsoft Defender XDR | Microsoft Learn

[What you need to do to prepare:]

This rollout will happen automatically by the specified date with no admin action required before the rollout.

Administrators should review and update any custom alert rules, playbooks, or automations involving the alerts mentioned above (Service sources = Microsoft Defender XDR and Detection sources = Defender XDR) to ensure they reflect the new value. You may also want to notify your users about this change and update any relevant documentation.

As a reminder, detection sources will remain unchanged, so if you only filter on detection sources, everything should continue to function as normal.
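As an added example (not Microsoft's code) of the review the preparation steps call for: a small Python audit over Microsoft Graph security alert JSON that flags alerts a serviceSource-only rule would stop matching once the value changes, beside a transition-safe rule anchored on the unchanged detection source. It assumes the Graph alert's detectionSource property and that the XDR engine's detectionSource value is microsoft365Defender (verify against your tenant); the sample alerts are constructed.

```python
"""Audit which Defender for Cloud Apps alert filters break when the Graph
alert property serviceSource changes from 'microsoft365Defender' to
'microsoftDefenderForCloudApps'. Example code, not Microsoft's."""

OLD_SERVICE_SOURCE = "microsoft365Defender"          # value before the rollout
NEW_SERVICE_SOURCE = "microsoftDefenderForCloudApps"  # value after the rollout
# Assumed: the XDR detection engine's detectionSource value, which the
# announcement says is NOT changed by the rollout.
XDR_DETECTION_SOURCE = "microsoft365Defender"

# Constructed sample alerts: one pre-rollout, one post-rollout, one unrelated.
SAMPLE_ALERTS = [
    {"id": "constructed-1", "serviceSource": OLD_SERVICE_SOURCE,
     "detectionSource": XDR_DETECTION_SOURCE},
    {"id": "constructed-2", "serviceSource": NEW_SERVICE_SOURCE,
     "detectionSource": XDR_DETECTION_SOURCE},
    {"id": "constructed-3", "serviceSource": "microsoftDefenderForEndpoint",
     "detectionSource": "microsoftDefenderForEndpoint"},
]


def legacy_match(alert):
    """Pre-rollout rule keyed only on the service source: silently stops
    matching new alerts once the value changes."""
    return alert.get("serviceSource") == OLD_SERVICE_SOURCE


def updated_match(alert):
    """Transition-safe rule: anchor on the unchanged detection source and
    accept both service source values while old and new alerts coexist."""
    return (alert.get("detectionSource") == XDR_DETECTION_SOURCE
            and alert.get("serviceSource") in {OLD_SERVICE_SOURCE, NEW_SERVICE_SOURCE})


def audit(alerts):
    """Return ids of alerts the legacy rule would drop after the rollout,
    i.e. the gap an admin needs to close in rules, playbooks and automations."""
    return [a["id"] for a in alerts if updated_match(a) and not legacy_match(a)]


if __name__ == "__main__":
    for alert_id in audit(SAMPLE_ALERTS):
        print(f"alert {alert_id} no longer matched by the legacy rule")
```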
