{"id":17028,"date":"2026-06-24T08:02:35","date_gmt":"2026-06-23T23:02:35","guid":{"rendered":"https:\/\/m365jp.net\/?p=17028"},"modified":"2026-06-24T08:08:51","modified_gmt":"2026-06-23T23:08:51","slug":"mc1402307-microsoft-defender-for-cloud-apps-improvements-to-threat-protection-capabilities","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-06-24-mc1402307-microsoft-defender-for-cloud-apps-improvements-to-threat-protection-capabilities","title":{"rendered":"MC1402307 | Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1402307 | Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>06\/23\/2026 22:07:28<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>06\/23\/2026 22:07:15<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>08\/07\/2026 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p><b>[What and Why]<\/b><\/p>\n<p>Microsoft Defender for Cloud Apps is enhancing its threat protection capabilities by migrating legacy detection policies to a new dynamic detection model. This update improves detection accuracy, reduces false positives, and enables faster response to evolving   threats by using research-driven detections maintained by Microsoft security experts.<\/p>\n<p>As part of this change, the legacy alert <b>\u201cActivity performed by terminated user&#8221;<\/b>&nbsp;is being replaced by a detection built on the new dynamic detection model. 
This updated detection is designed to more precisely identify risky activity associated with   users who have left the organization while continuously adapting to changes in the threat landscape.<\/p>\n<p>This change also introduces a shift from static detection logic to continuously updated detection logic, which may evolve over time to improve signal quality and accuracy.<\/p>\n<p><b>[Rollout Schedule]<\/b><\/p>\n<p><b>General Availability (Worldwide, GCC, GCC High, DoD):<\/b> We will begin rolling out in  <b>late June 2026<\/b> and expect to complete by <b>early July 2026<\/b>.<\/p>\n<p><b>[Impact on your organization]<\/b><\/p>\n<p><i>Who is affected<\/i><\/p>\n<ul>\n<li>Organizations using Microsoft Defender for Cloud Apps threat protection capabilities<\/li>\n<li>Security operations center and IT security teams<\/li>\n<\/ul>\n<p><i>Platforms and services<\/i><\/p>\n<ul>\n<li>Microsoft Defender for Cloud Apps, part of Microsoft Defender XDR<\/li>\n<\/ul>\n<p><i>What will happen<\/i><\/p>\n<ul>\n<li>The legacy alert <b>\u201cActivity performed by terminated user\u201d <\/b>will be replaced by a detection built on the new dynamic detection model, titled &#8220;<b>Activity by a deprovisioned user (preview).<\/b>&#8221; The suffix will be removed next month.<\/li>\n<li>The updated detection will:\n<ul>\n<li>Be enabled by default<\/li>\n<li>Be automatically maintained and updated by Microsoft<\/li>\n<li>Continuously evolve to improve detection accuracy and adapt to emerging threats<\/li>\n<\/ul>\n<\/li>\n<li>Detection behavior, alert patterns, or alert volume may change over time as the model adapts.<\/li>\n<li>No manual configuration is required.<\/li>\n<li>During rollout:\n<ul>\n<li>Disabled legacy policies may remain temporarily visible, and&nbsp;<\/li>\n<li>Legacy policies will be removed after migration completes as part of the retirement of the legacy detection model.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><i>Screenshot 1:<\/i><\/p>\n<p><i>&nbsp;<\/i><img 
decoding=\"async\" style=\"width: 400px\" src=\"https:\/\/cxcs.microsoft.net\/static\/public\/messagecenter\/neutral\/ee9fd3e2-3d5b-418e-9ecc-128cd281271a\/aea644643844ce5c1189357df707e7d48a9afd80.png\"><\/p>\n<p><i>Screenshot 2:<\/i><\/p>\n<p><i>&nbsp;<\/i><img decoding=\"async\" style=\"width: 400px\" src=\"https:\/\/cxcs.microsoft.net\/static\/public\/messagecenter\/neutral\/4d0b4b87-357c-4e66-82ae-2fc83d502a7a\/ec9366a59043c2f088e010b9f25daba00868d782.png\"><\/p>\n<p><b>[Action Required\/Recommendations]<\/b><\/p>\n<p>No action is required.<\/p>\n<p>Recommended steps:<\/p>\n<ul>\n<li>Notify SOC and helpdesk teams about this change.<\/li>\n<li>Update internal documentation that references the legacy alert <b>\u201cActivity performed by terminated user\u201d<\/b> and the new alert <b>&#8220;Activity by a deprovisioned user (preview)&#8221;<\/b>.<\/li>\n<li>Review and validate any alert-based automation, workflows, or incident response processes after rollout.<\/li>\n<li>Monitor alerts after rollout to understand updated detection behavior and tuning needs.<\/li>\n<\/ul>\n<p><b>Learn more: <\/b>(To be updated closer to rollout.) <a href=\"https:\/\/learn.microsoft.com\/defender-cloud-apps\/anomaly-detection-policy\" target=\"_blank\">Create Defender for Cloud Apps anomaly detection policies | Microsoft Defender for Cloud Apps | Microsoft Learn<\/a><\/p>\n<p><b>[Compliance considerations]<\/b><\/p>\n<table class=\"table table-bordered\">\n<tbody>\n<tr>\n<td>Question<\/td>\n<td>Answer<\/td>\n<\/tr>\n<tr>\n<td>Does the change alter how existing customer data is processed, stored, or accessed?<\/td>\n<td>Yes. The change updates the detection logic used to analyze existing activity data in Microsoft Defender for Cloud Apps to identify potential threats.<\/td>\n<\/tr>\n<tr>\n<td>Does the change alter how admins can monitor, report on, or demonstrate compliance activities?<\/td>\n<td>Yes. 
Alerts will be generated using a dynamic detection model, which may affect how administrators monitor, interpret, and report on threat-related activity.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1402307 | Microsoft Defender for Cloud Apps: Improvements to threat protection capabilities Classification p [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-17028","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/17028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=17028"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/17028\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=17028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=17028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=17028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}