Important upcoming changes to Microsoft Defender for Cloud
Important
The information on this page relates to pre-release products or features, which might be substantially modified before they are commercially released, if ever. Microsoft makes no commitments or warranties, express or implied, with respect to the information provided here.
On this page, you can learn about changes that are planned for Defender for Cloud. It describes planned modifications to the product that might affect things like your secure score or workflows.
Planned changes
Planned change | Announcement date | Estimated date for change |
---|---|---|
Consolidation of Defender for Cloud's Service Level 2 names | November 1, 2023 | December 2023 |
Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management | October 25, 2023 | November 2023 |
Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled" | June 2023 | |
Change to the Log Analytics daily cap | September 2023 | |
Deprecating two security incidents | November 2023 | |
Defender for Cloud plan and strategy for the Log Analytics agent deprecation | | August 2024 |
Consolidation of Defender for Cloud's Service Level 2 names
Announcement date: November 1, 2023
Estimated date for change: December 2023
We're consolidating the legacy Service Level 2 names for all Defender for Cloud plans into a single new Service Level 2 name, Microsoft Defender for Cloud.
Today, there are four Service Level 2 names: Azure Defender, Advanced Threat Protection, Advanced Data Security, and Security Center. The various meters for Microsoft Defender for Cloud are grouped across these separate Service Level 2 names, creating complexities when using Cost Management + Billing, invoicing, and other Azure billing-related tools.
The change simplifies the process of reviewing Defender for Cloud charges and provides better clarity in cost analysis.
To ensure a smooth transition, we've taken measures to maintain the consistency of the Product/Service name, SKU, and Meter IDs. Impacted customers will receive an informational Azure Service Notification to communicate the changes.
Organizations that retrieve cost data by calling our APIs will need to update the values in their calls to accommodate the change. For example, after the change this filter will return no data, because none of the listed values remain valid MeterCategory names:
```json
"filter": {
  "dimensions": {
    "name": "MeterCategory",
    "operator": "In",
    "values": [
      "Advanced Threat Protection",
      "Advanced Data Security",
      "Azure Defender",
      "Security Center"
    ]
  }
}
```
The change is planned to go into effect on December 1, 2023.
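The following added example (not Microsoft's code, and not part of the Cost Management SDK) shows one way to audit and migrate existing Cost Management query bodies ahead of the December 1 change. It walks a query filter, reports every `MeterCategory` dimension filter that still lists one of the four legacy Service Level 2 names from the table above, and rewrites those values to `Microsoft Defender for Cloud`, de-duplicating the result so a filter that listed all four legacy names collapses to a single value. The `and`/`or` nesting of the filter tree, the surrounding `dataset` query body, and the sample query itself are assumptions constructed for the example; only the `filter`/`dimensions`/`name`/`operator`/`values` fragment follows what the page shows.

```python
"""Audit and migrate Cost Management query filters from legacy Defender for
Cloud Service Level 2 names to the consolidated name.

Added example, not Microsoft's code. The "filter"/"dimensions" shape follows
the fragment on the page; the and/or nesting and the full query body are
assumptions.
"""
import copy
import json

# Legacy Service Level 2 names listed on the page, and the consolidated name.
LEGACY_SL2_NAMES = {
    "Advanced Threat Protection",
    "Advanced Data Security",
    "Azure Defender",
    "Security Center",
}
NEW_SL2_NAME = "Microsoft Defender for Cloud"

# Constructed sample query body (assumption: mirrors a typical ActualCost query).
SAMPLE_QUERY = {
    "type": "ActualCost",
    "timeframe": "MonthToDate",
    "dataset": {
        "granularity": "Daily",
        "filter": {
            "dimensions": {
                "name": "MeterCategory",
                "operator": "In",
                "values": [
                    "Advanced Threat Protection",
                    "Advanced Data Security",
                    "Azure Defender",
                    "Security Center",
                ],
            }
        },
    },
}


def find_legacy_filters(node, path="filter"):
    """Walk a filter tree (dimensions leaves joined by and/or) and return a
    list of (path, [legacy values]) for every MeterCategory filter that still
    references a legacy Service Level 2 name. Empty list means nothing to do."""
    hits = []
    if not isinstance(node, dict):
        return hits
    dim = node.get("dimensions")
    if isinstance(dim, dict) and dim.get("name") == "MeterCategory":
        legacy = [v for v in dim.get("values", []) if v in LEGACY_SL2_NAMES]
        if legacy:
            hits.append((path, legacy))
    for key in ("and", "or"):
        for i, child in enumerate(node.get(key, [])):
            hits.extend(find_legacy_filters(child, f"{path}.{key}[{i}]"))
    return hits


def _migrate_in_place(node):
    """Replace legacy MeterCategory values with the consolidated name,
    preserving order and dropping duplicates created by the merge."""
    if not isinstance(node, dict):
        return
    dim = node.get("dimensions")
    if isinstance(dim, dict) and dim.get("name") == "MeterCategory":
        merged = []
        for value in dim.get("values", []):
            value = NEW_SL2_NAME if value in LEGACY_SL2_NAMES else value
            if value not in merged:
                merged.append(value)
        dim["values"] = merged
    for key in ("and", "or"):
        for child in node.get(key, []):
            _migrate_in_place(child)


def migrate_filter(node):
    """Return a migrated deep copy of a filter tree; the input is left untouched
    so the caller can diff old and new bodies before updating stored queries."""
    migrated = copy.deepcopy(node)
    _migrate_in_place(migrated)
    return migrated


if __name__ == "__main__":
    old_filter = SAMPLE_QUERY["dataset"]["filter"]
    for path, values in find_legacy_filters(old_filter):
        print(f"{path}: legacy MeterCategory values {values}")
    print(json.dumps(migrate_filter(old_filter), indent=2))
```

Run `find_legacy_filters` over every stored query body before December 1, 2023 to list the calls that need attention, then apply `migrate_filter` and compare the cost results of the old and new filters for a period before the change; both should return the same totals, which confirms the Service Level 4 tiers in the table above are still being selected.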
OLD Service Level 2 name | NEW Service Level 2 name | Service Tier - Service Level 4 (No change) |
---|---|---|
Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Container Registries |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager |
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage |
Azure Defender | Microsoft Defender for Cloud | Defender for External Attack Surface Management |
Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB |
Azure Defender | Microsoft Defender for Cloud | Defender for Containers |
Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB |
Security Center | Microsoft Defender for Cloud | Defender for App Service |
Security Center | Microsoft Defender for Cloud | Defender for Servers |
Security Center | Microsoft Defender for Cloud | Defender CSPM |
Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management
Announcement date: October 26, 2023
Estimated date for change: November 2023
In November, the way Microsoft Defender for Cloud's costs are presented in Cost Management and on subscription invoices will change.
Costs will be presented for each protected resource instead of as an aggregation of all resources on the subscription.
If a resource has tags applied (organizations often use tags for financial chargeback), those tags will be added to the appropriate billing lines.
Replacing the "Key Vaults should have purge protection enabled" recommendation with combined recommendation "Key Vaults should have deletion protection enabled"
Estimated date for change: June 2023
The "Key Vaults should have purge protection enabled" recommendation is deprecated from the regulatory compliance dashboard/Azure security benchmark initiative and replaced with a new combined recommendation, "Key Vaults should have deletion protection enabled".
Recommendation name | Description | Effect(s) | Version |
---|---|---|---|
Key vaults should have deletion protection enabled | A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | audit, deny, disabled | 2.0.0 |
See the full index of Azure Policy built-in policy definitions for Key Vault.
Preview alerts for DNS servers to be deprecated
Estimated date for change: August 2023
As part of a quality improvement process, security alerts for DNS servers are set to be deprecated in August. For cloud resources, use Azure DNS to receive the same security value.
The following table lists the alerts to be deprecated:
AlertDisplayName | AlertType |
---|---|
Communication with suspicious random domain name (Preview) | DNS_RandomizedDomain |
Communication with suspicious domain identified by threat intelligence (Preview) | DNS_ThreatIntelSuspectDomain |
Digital currency mining activity (Preview) | DNS_CurrencyMining |
Network intrusion detection signature activation (Preview) | DNS_SuspiciousDomain |
Attempted communication with suspicious sinkholed domain (Preview) | DNS_SinkholedDomain |
Communication with possible phishing domain (Preview) | DNS_PhishingDomain |
Possible data transfer via DNS tunnel (Preview) | DNS_DataObfuscation |
Possible data exfiltration via DNS tunnel (Preview) | DNS_DataExfiltration |
Communication with suspicious algorithmically generated domain (Preview) | DNS_DomainGenerationAlgorithm |
Possible data download via DNS tunnel (Preview) | DNS_DataInfiltration |
Anonymity network activity (Preview) | DNS_DarkWeb |
Anonymity network activity using web proxy (Preview) | DNS_DarkWebProxy |
Change to the Log Analytics daily cap
Azure Monitor offers the capability to set a daily cap on the data ingested into your Log Analytics workspaces. However, that cap currently doesn't apply to Defender for Cloud security data types: they continue to be ingested (and billed) after the cap is reached.
Starting on September 18, 2023, the Log Analytics daily cap will no longer exclude the following set of data types:
- WindowsEvent
- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- MaliciousIPCommunication
- LinuxAuditLog
- SysmonEvent
- ProtectionStatus
- Update
- UpdateSummary
- CommonSecurityLog
- Syslog
At that time, all billable data types will be capped if the daily cap is met. This change improves your ability to fully contain costs from higher-than-expected data ingestion.
Learn more about workspaces with Microsoft Defender for Cloud.
Defender for Cloud plan and strategy for the Log Analytics agent deprecation
Key strategy points
- The Azure Monitor Agent (AMA) won’t be a requirement of the Defender for Servers offering, but will remain required as part of Defender for SQL.
- Defender for Servers MMA-based features and capabilities will be deprecated in their Log Analytics version in August 2024, and delivered over alternative infrastructures before the MMA deprecation date.
- In addition, the currently shared autoprovisioning process that installs and configures both agents (MMA/AMA) will be adjusted accordingly.
Defender for Servers
The following table explains how each capability will be provided after the Log Analytics agent retirement:
Feature | Deprecation plan | Alternative |
---|---|---|
Defender for Endpoint/Defender for Cloud integration for down-level machines (Windows Server 2012 R2, 2016) | Defender for Endpoint integration that uses the legacy Defender for Endpoint sensor and the Log Analytics agent (for Windows Server 2016 and Windows Server 2012 R2 machines) won’t be supported after August 2024. | Enable the GA unified agent integration to maintain support for machines, and receive the full extended feature set. |
OS-level threat detection (agent-based) | OS-level threat detection based on the Log Analytics agent won’t be available after August 2024. A full list of deprecated detections will be provided soon. | OS-level detections are provided by Defender for Endpoint integration and are already GA. |
Adaptive application controls | The current GA version based on the Log Analytics agent will be deprecated in August 2024, along with the preview version based on the Azure Monitor Agent. | Adaptive Application Controls as it is today will be discontinued, and new capabilities in the application control space (on top of what Defender for Endpoint and Windows Defender Application Control offer today) will be considered as part of the future Defender for Servers roadmap. |
Missing OS patches (system updates) | Recommendations to apply system updates based on the Log Analytics agent won’t be available after August 2024. The preview version available today over the Guest Configuration agent will be deprecated when the alternative is provided over Microsoft Defender Vulnerability Management premium capabilities. Support of this feature for Docker-hub and VMMS will be deprecated in August 2024 and will be considered as part of the future Defender for Servers roadmap. | New recommendations, based on integration with Update Manager, are already in GA, with no agent dependencies. |
OS misconfigurations (Azure Security Benchmark recommendations) | The current GA version based on the Log Analytics agent won’t be available after August 2024. The current preview version that uses the Guest Configuration agent will be deprecated as the Microsoft Defender Vulnerability Management integration becomes available. | A new version, based on integration with Premium Microsoft Defender Vulnerability Management, will be available early in 2024, as part of Defender for Servers plan 2. |
File integrity monitoring | The current GA version based on the Log Analytics agent won’t be available after August 2024. | A new version of this feature will be provided based on Microsoft Defender for Endpoint integration by April 2024. |
The 500-MB benefit for data ingestion | The 500-MB benefit for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers P2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. | |
Defender for SQL Server on machines
The Defender for SQL Server on machines plan relies on the Log Analytics agent (MMA) or the Azure Monitor Agent (AMA) to provide Vulnerability Assessment and Advanced Threat Protection to IaaS SQL Server instances. The plan supports Log Analytics agent autoprovisioning in GA, and Azure Monitor Agent autoprovisioning in Public Preview.
The following section describes the planned introduction of a new and improved SQL Server-targeted Azure Monitor Agent (AMA) autoprovisioning process and the deprecation procedure for the Log Analytics agent (MMA). Because of AMA requirements, on-premises SQL servers using MMA will require the Azure Arc agent when migrating to the new process. Customers who use the new autoprovisioning process will benefit from a simple and seamless agent configuration, reducing onboarding errors and providing broader protection coverage.
Milestone | Date | More information |
---|---|---|
SQL-targeted AMA autoprovisioning Public Preview release | October 2023 | The new autoprovisioning process will only target Azure registered SQL servers (SQL Server on Azure VM/Arc-enabled SQL Server). The current AMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. |
SQL-targeted AMA autoprovisioning GA release | December 2023 | GA release of a SQL-targeted AMA autoprovisioning process. Following the release, it will be defined as the default option for all new customers. |
MMA deprecation | August 2024 | The current MMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used by customers, but they won't be eligible for support. |
Deprecating two security incidents
Estimated date for change: November 2023
As part of a quality improvement process, the following security incidents are set to be deprecated: "Security incident detected suspicious virtual machines activity" and "Security incident detected on multiple machines".