Merge pull request #272590 from dcurwin/wi-245361-fileless-alerts-april18-2024

prmerger-automator[bot] · web-flow · commit 7d12e5b7ad86 · 2024-04-18T14:44:45.000Z
Fileless attack alerts deprecation
diff --git a/articles/defender-for-cloud/upcoming-changes.md b/articles/defender-for-cloud/upcoming-changes.md
@@ -25,6 +25,7 @@ If you're looking for the latest release notes, you can find them in the [What's
 
 | Planned change | Announcement date | Estimated date for change |
 |--|--|--|
+| [Deprecation of fileless attack alerts](#deprecation-of-fileless-attack-alerts) | April 18, 2024 | May 2024 |
 | [Change in CIEM assessment IDs](#change-in-ciem-assessment-ids) | April 16.2024 | May 2024 |
 | [Deprecation of encryption recommendation](#deprecation-of-encryption-recommendation) | April 3, 2024 | May 2024 |
 | [Deprecating of virtual machine recommendation](#deprecating-of-virtual-machine-recommendation) | April 2, 2024 | April 30, 2024 |
@@ -46,6 +47,25 @@ If you're looking for the latest release notes, you can find them in the [What's
 | [Deprecating two security incidents](#deprecating-two-security-incidents) |  | November 2023 |
 | [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) |  | August 2024 |
 
+## Deprecation of fileless attack alerts
+
+**Announcement date: April 18, 2024**
+
+**Estimated date for change: May 2024**
+
+In May 2024, to enhance the quality of security alerts for Defender for Servers, the fileless attack alerts specific to Windows and Linux virtual machines will be discontinued. These alerts will instead be generated by Defender for Endpoint:
+
+- Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows)
+- Fileless attack technique detected (VM_FilelessAttackTechnique.Windows)
+- Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows)
+- Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux)
+- Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux)
+- Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux)
+
+All security scenarios covered by the deprecated alerts are fully covered Defender for Endpoint threat alerts.
+
+If you already have the Defender for Endpoint integration enabled, there's no action required on your part. In May 2024 you might experience a decrease in your alerts volume, but still remain protected. If you don't currently have Defender for Endpoint integration enabled in Defender for Servers, you need to enable integration to maintain and improve your alert coverage. All Defender for Server customers can access the full value of Defender for Endpoint's integration at no additional cost. For more information, see [Enable Defender for Endpoint integration](enable-defender-for-endpoint.md).
+
 ## Change in CIEM assessment IDs
 
 **Announcement date: April 16, 2024**
