Microsoft Defender for Cloud Apps Alerting and Behaviors

Background:

On May 28th, 2023, Microsoft began moving away from using Alerts in Microsoft Defender for Cloud Apps into using Behaviors to track anomalous activities. This was done with the intention to improve the quality of alerts being received. The deployment was done in stages. Stage one was generating behaviors in parallel to alerts. This stage has been fully completed for all tenants according to Microsoft’s rollout status. 

An issue started to arise in the recently rolling out stage two. This stage disabled the existing alert rules by default. These alert rules are what Unified Security Management (USM) products, like AlienVault, uses to generate alarms. Additionally, while stage 1 configured sending behaviors in parallel to alerts, it does not seem like new detection rules were configured off these new behaviors. 

What This Means:

Fortunately, Microsoft Entra ID Conditional Access policies based on user and sign-in risk should still work as expected but, you will likely still need to act on this issue. If your company relies on the impossible travel alerts from Defender, you will not receive them until you take one of two steps.  

The first and simplest option is to re-enable the old alerting rule. This may end up leading to more noise or less accurate information, but it will guarantee that the alerts you are used to receiving will still work. To do this, log into your Microsoft Defender console at https://security.microsoft.com/. From here navigate to Cloud Apps à Policies à Policy Management and search for Impossible Travel. Click the three dots on the side and click Enable. 

The other option is to configure new detection rules from the new behavior metric. While this is where Microsoft intends these kinds of detections to take place in the future, the feature is currently in preview and has not been fully rolled out. Additionally, these alerts may not be properly captured and normalized by your existing USM causing certain alarms to not be forwarded. If you would like to get the jump on adoption Microsoft provides some example queries you can start looking at and tweaking implementation on in their announcement on behaviors here (https://learn.microsoft.com/en-us/defender-cloud-apps/behaviors). 

Conclusion:

Due to the current preview status of Behaviors, as well as the possibility of missing alarms we currently recommend re-enabling the existing alerting rules for the activities you would like to monitor. Behaviors present an interesting path forward from Microsoft and will likely lead to better quality alerting in the future, however, until they have left the preview stage aspects of the alerting could change making integrating them with other notifications and solutions very difficult.