Expel incident

Stopped Ingesting Microsoft Defender for Identity

Notice Resolved

Expel experienced a notice incident on March 27, 2025 affecting Alert ingestion, lasting 31d 17h. The incident has been resolved; the full update timeline is below.

Started: Mar 27, 2025, 09:29 PM UTC
Resolved: Apr 28, 2025, 02:32 PM UTC
Duration: 31d 17h
Detected by Pingoru: Mar 27, 2025, 09:29 PM UTC

Affected components

Alert ingestion

Update timeline

  1. identified Mar 27, 2025, 09:29 PM UTC

    As part of a previously communicated Microsoft deprecation, Expel is no longer ingesting Microsoft Defender for Identity alerts (via the Microsoft Defender for Cloud Apps integration). Any customers who have onboarded a Microsoft Defender XDR device will have coverage restored shortly and begin reprocessing alerts. We recommend that customers who have the Microsoft Defender for Cloud Apps integration, but have not yet onboarded Microsoft XDR to Workbench, complete the onboarding as soon as possible. We will provide a status update once we have enabled all onboarded Defender XDR devices. In the meantime, please contact your Customer Success Manager if you need assistance with onboarding or if you have additional questions.

  2. monitoring Mar 27, 2025, 10:40 PM UTC

    We have confirmed all Microsoft Defender XDR devices are enabled and ingesting data, and we are working to reprocess alerts. We recommend that customers who have the Microsoft Defender for Cloud Apps integration, but have not yet onboarded Microsoft XDR to Workbench, complete the onboarding as soon as possible (https://support.expel.io/hc/en-us/articles/38928860545299-Microsoft-Defender-XDR-Setup-for-Workbench). Please contact your Customer Success Manager if you need assistance with onboarding or if you have additional questions.

  3. monitoring Mar 28, 2025, 01:38 PM UTC

    As part of a previously communicated Microsoft deprecation, Expel is no longer ingesting Microsoft Defender for Identity alerts (via the Microsoft Defender for Cloud Apps integration). Any customers who have onboarded a Microsoft Defender XDR device have coverage and alerts are being processed. We recommend that customers who have the Microsoft Defender for Cloud Apps integration, but have not yet onboarded Microsoft XDR to Workbench, complete the onboarding as soon as possible (https://support.expel.io/hc/en-us/articles/38928860545299-Microsoft-Defender-XDR-Setup-for-Workbench). Please contact your Customer Success Manager if you need assistance with onboarding or if you have additional questions.

  4. resolved Apr 28, 2025, 02:32 PM UTC

    As part of a previously communicated Microsoft deprecation, Expel is no longer ingesting Microsoft Defender for Identity alerts (via the Microsoft Defender for Cloud Apps integration). Any customers who have onboarded a Microsoft Defender XDR device have coverage and alerts are being processed. We recommend that customers who have the Microsoft Defender for Cloud Apps integration, but have not yet onboarded Microsoft XDR to Workbench, complete the onboarding as soon as possible (https://support.expel.io/hc/en-us/articles/38928860545299-Microsoft-Defender-XDR-Setup-for-Workbench). Please contact your Customer Success Manager if you need assistance with onboarding or if you have additional questions.