Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities

🚨 The Signal: Microsoft Defender for Cloud Apps is upgrading its threat detection for deprovisioned users, moving from static to dynamic, AI-driven models. This improves accuracy and reduces false positives, enhancing the ability to detect risky activity from former employees.

The Impact

Security operations teams are affected by improved detection of risky activity from deprovisioned users, reducing false positives and enhancing threat response.

  • Security Operations: Improved accuracy in detecting malicious activity by former employees.
  • IT Security Teams: Reduced false positives, leading to more efficient alert triage.
  • Compliance Officers: Better assurance of monitoring for insider threats post-termination.

The Action

  1. Review existing Defender for Cloud Apps policies related to 'Activity performed by terminated user' to understand the transition.
  2. Familiarize security operations staff with the new 'Activity by a deprovisioned user' detection logic and alert structure.
  3. Update incident response playbooks to reflect the enhanced detection capabilities for deprovisioned users.

Domain: Defender · Impact: medium · Workload: Microsoft Defender