Today we will be discovering XDR with Microsoft 365 Defender. It will be the central hub for many different scenarios. Although Sentinel and Defender for Cloud have their own interfaces inside the Azure portal, you can bring those signals into Microsoft 365 Defender to get a holistic view of your security posture.
So let’s begin our journey!
Manage incidents across Microsoft 365 Defender products
These are the architectural components for Defender, just to give an overview on where the signals come from and why Microsoft 365 Defender is an important tool for your security posture.
And the different components of the Defender family and their abbreviations:
- Microsoft Defender for Endpoint (MDE)
- Microsoft Defender for Identity (MDI)
- Microsoft Defender for Office 365 (MDO)
- Microsoft Defender for Cloud Apps (MDA)
The other services that can send alerts:
- Microsoft Purview Data Loss Prevention (DLP)
- Azure Active Directory Identity Protection (AADIP)
Microsoft 365 Defender generates alerts in addition to collecting alerts from these components and other services. All of these alerts are used to create incidents, which are then sent to Microsoft Sentinel.
So, maybe the most important integration is with Sentinel.
Sentinel will be covered in this study guide later on, but here is an excellent Learn article on how to integrate Defender with a Sentinel workspace.
And here is the list of supported data types for the different products.
Manage investigation and remediation actions in the Action Center
Then to more actionable items. Let’s see how to work with Action center.
Required permissions for Action center tasks
To perform tasks, such as approving or rejecting pending actions in the Action center, you must have permissions assigned as listed in the following table:
Remediation action | Required roles and permissions |
---|---|
Microsoft Defender for Endpoint remediation (devices) | Security Administrator role assigned in either Azure Active Directory (Azure AD) (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com) — or — Active remediation actions role assigned in Microsoft Defender for Endpoint To learn more, see the following resources: – Azure AD built-in roles – Create and manage roles for role-based access control (Microsoft Defender for Endpoint) |
Microsoft Defender for Office 365 remediation (Office content and email) | Security Administrator role assigned in either Azure AD (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com) — and — Search and Purge role assigned in the Microsoft 365 Defender > Email & collaboration roles IMPORTANT: If you have the Security Administrator role assigned only in the Microsoft 365 Defender > Email & collaboration roles, you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the Security Administrator role assigned in Azure AD or the Microsoft 365 admin center. |
You can send an action for approval to the Action center, for example under a device that has incidents and alerts.
Actions tracked in the Action center
All actions, whether they’re pending approval or were already taken, are tracked in the Action center. Available actions include the following:
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Contain devices from the network
Tab | Description |
---|---|
Pending | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file). Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner. |
History | Serves as an audit log for actions that were taken, such as: – Remediation actions that were taken as a result of automated investigations – Remediation actions that were taken on suspicious or malicious email messages, files, or URLs – Remediation actions that were approved by your security operations team – Commands that were run and remediation actions that were applied during Live Response sessions – Remediation actions that were taken by your antivirus protection Provides a way to undo certain actions (see Undo completed actions). |
So, if you have pending actions, they will be listed under Pending.
Viewing action source details
(NEW!) The improved Action center now includes an Action source column that tells you where each action came from. The following table describes possible Action source values:
Action source value | Description |
---|---|
Manual device action | A manual action taken on a device. Examples include device isolation or file quarantine. |
Manual email action | A manual action taken on email. An example includes soft-deleting email messages or remediating an email message. |
Automated device action | An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See Remediation actions in Microsoft Defender for Endpoint.) |
Automated email action | An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See Remediation actions in Microsoft Defender for Office 365.) |
Advanced hunting action | Actions taken on devices or email with advanced hunting. |
Explorer action | Actions taken on email content with Explorer. |
Manual live response action | Actions taken on a device with live response. Examples include deleting a file, stopping a process, and removing a scheduled task. |
Live response action | Actions taken on a device with Microsoft Defender for Endpoint APIs. Examples of actions include isolating a device, running an antivirus scan, and getting information about a file. |
Undo completed actions
If you’ve determined that a device or a file is not a threat, you can undo any remediation actions that were performed, whether automatically or manually. You can undo any of the following actions in the Action center’s History tab.
Action source | Supported Actions |
---|---|
– Automated investigation – Microsoft Defender Antivirus – Manual response actions | – Isolate device – Restrict code execution – Quarantine a file – Remove a registry key – Stop a service – Disable a driver – Remove a scheduled task |
You can undo one action or multiple actions of the same category, then select Undo. If your selection mixes actions that have already been undone with ones that haven't, you cannot undo them.
Investigation details view
View detailed information about an incident on an incident details page, including any triggered alerts and information about any affected devices, user accounts, or mailboxes.
Tab | Description |
---|---|
Investigation graph | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval. You can select an item on the graph to view more details. For example, selecting the Evidence icon takes you to the Evidence tab, where you can see detected entities and their verdicts. |
Alerts | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user’s device, in Office apps, Microsoft Defender for Cloud Apps, and other Microsoft 365 Defender features. If you see Unsupported alert type, it means that automated investigation capabilities cannot pick up that alert to run an automated investigation. However, you can investigate these alerts manually. |
Devices | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the automation level for device groups.) |
Mailboxes | Lists mailboxes that are impacted by detected threats. |
Users | Lists user accounts that are impacted by detected threats. |
Evidence | Lists pieces of evidence raised by alerts or investigations. Includes verdicts (Malicious, Suspicious, Unknown, or No threats found) and remediation status. |
Entities | Provides details about each analyzed entity, including a verdict for each entity type (Malicious, Suspicious, or No threats found). |
Log | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered. |
Pending actions history | Lists items that require approval to proceed. Go to the Action center (https://security.microsoft.com/action-center) to approve pending actions. |
Once you click the incident, you can see the attack story and the investigations.
And inside investigations, the different triggered alerts with their status, source, entity, start date and duration.
See more from this Learn article
And you can also report false positives
Perform threat hunting
Advanced hunting is a query-based threat hunting tool that allows you to search through up to 30 days of raw data. You can inspect network events proactively to find threat indicators and entities. The unrestricted access to data allows for unrestricted hunting for both known and potential threats.
Advanced hunting supports queries that check a broader data set coming from:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
Advanced hunting is available in two modes: guided and advanced.
- If you are unfamiliar with Kusto Query Language (KQL) or prefer the convenience of a query builder, use guided mode.
- If you are familiar with using KQL to create queries from scratch, use advanced mode.
Guided mode
Here you can see the different options; the query builder works even for people who are not that KQL savvy.
In the query builder you see some of the basic filters, but when you switch to “Toggle to see more…”
You can select the Data domains to use
And ready samples for you to load
See more on the Guided mode on Learn
Advanced mode
More training on KQL queries
And I was surprised that there was no mention of Mr. KQL’s GitHub, well here you go.
Rod Trent is the go-to guy for learning KQL, and there is also an assessment for you to measure those skills.
See here for an example query that you can use to find Zero-hour auto purge (ZAP) actions that failed, i.e. malicious emails that weren’t successfully isolated.
```kql
EmailPostDeliveryEvents
| where Timestamp > ago(7d)
// List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId, RecipientEmailAddress
// Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime - 24h) .. (ZapTime + 24h))
// Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId, RecipientEmailAddress, AccountUpn, LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
```
See here for the whole scenario.
Identify and remediate security risks using Microsoft Secure Score
Following the Secure Score recommendations can help to protect your company from threats. Organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices from a centralized dashboard in the Microsoft 365 Defender portal.
Microsoft Secure Score is a numerical representation of your security posture based on system configurations, user behavior, and other security-related metrics. It is not an absolute indicator of how likely your system or data will be compromised. Rather, it denotes the extent to which you have implemented security controls in your Microsoft environment to help mitigate the risk of a breach. No online service is immune to security breaches, and a secure score should not be interpreted in any way as a guarantee against security breaches.
Secure Score assists organizations in the following ways:
- Provide an update on the organization’s security posture.
- Provide discoverability, visibility, guidance, and control to improve their security posture.
- Establish key performance indicators (KPIs) and compare them to benchmarks.
Visualizations of metrics and trends
And you can see the detailed actions under the implementation
How it works
You’re given points for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the recommended action with a third-party application or software, or an alternate mitigation
Products included in Secure Score
Currently there are recommendations for the following products:
- Microsoft 365 (including Exchange Online)
- Azure Active Directory
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Teams
See the required permissions here
Analyze threat analytics
Threat analytics is a threat intelligence solution built into Microsoft’s products by expert security researchers. It is intended to help security teams be as efficient as possible while dealing with emerging threats such as:
- Threat actors in action and their campaigns
- Popular and novel attack methods
- Vulnerabilities that are critical
- Commonly used attack surfaces
- Widely used malware
View the threat analytics dashboard
The threat analytics dashboard can be accessed from https://security.microsoft.com/threatanalytics3
It displays highlights of the reports that are most relevant to your organization and summarizes the threats in the following sections:
- The most recently published or updated threat reports are listed, as well as the number of active and resolved alerts.
- High-impact threats—a list of the threats with the greatest impact on your organization. This section prioritizes threats with the most active and resolved alerts.
- Threats with the highest exposure levels are listed first. The threat’s exposure level is calculated using two pieces of information: the severity of the vulnerabilities associated with the threat and the number of devices in your organization that could be exploited by those vulnerabilities.
View a threat analytics report
Each threat analytics report provides information in several sections:
- Overview
- Analyst report
- Related incidents
- Impacted assets
- Prevented email attempts
- Exposure & mitigations
Email notifications for report updates
You can set up email notifications that will send you updates on threat analytics reports.
Analyst report
Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table.
Report section | Description |
---|---|
Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. |
Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
MITRE ATT&CK techniques observed | How observed techniques map to the MITRE ATT&CK attack framework |
Mitigations | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren’t tracked dynamically as part of the threat analytics report. |
Detection details | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
Advanced hunting | Advanced hunting queries for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn’t be dynamically assessed to be malicious. |
References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources is identified clearly as such. |
Change log | The time the report was published and when significant changes were made to the report. |
Configure and manage custom detections and alerts
Custom detections allow you to proactively monitor and respond to a variety of events and system states, such as suspected breach activity and misconfigured endpoints. Customizable detection rules that automatically trigger alerts and response actions enable this.
Custom detections work in conjunction with advanced hunting, which provides a powerful, flexible query language that covers a wide range of network event and system information. You can configure them to run at regular intervals, generating alerts and taking action whenever there are matches.
Custom detections provide:
- Alerts for rule-based detections built from advanced hunting queries
- Automatic response actions
Permissions
Security settings (manage) – Users who have this Microsoft 365 Defender permission can manage security settings in the Microsoft 365 Defender portal.
Security administrator – Users with this Azure Active Directory role can manage security settings in the Microsoft 365 Defender portal, as well as other portals and services.
Security operator – Users with this Azure Active Directory role have global read-only access to security-related features, including all information in the Microsoft 365 Defender portal. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If RBAC is turned on, you also need the manage security settings permission for Defender for Endpoint.
Creating detection rules
Again, the easiest way (if you are not a KQL expert or didn’t go through Rod’s content) is to use Guided mode.
Once you have the filters, just hit “Edit in KQL” and see the magic happen
Magic! And then you can choose to create that custom detection rule.
You can select MITRE methods if you want
Frequencies you can choose:
- Every 24 hours – runs every 24 hours, checking data from the past 30 days
- Every 12 hours – runs every 12 hours, checking data from the past 48 hours
- Every 3 hours – runs every 3 hours, checking data from the past 12 hours
- Every hour – runs hourly, checking data from the past 4 hours
- Continuous (NRT) – runs continuously, checking data from events as they are collected and processed in near real-time
If you choose the continuous frequency, make sure that the query references one table only and uses an operator from the list of supported KQL operators. You cannot use unions or joins. The externaldata operator is not supported.
Because our query uses multiple tables, the NRT option isn’t shown.
Then press Next to select the actions to take when the detection fires. For example, for a user entity we can do the following.
And now we can see our freshly made Custom detection rule
Testing
And you can modify it by clicking the rule.
Or open the incidents page; right now there aren’t any.
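Before saving a rule it helps to know up front whether the query can run at the Continuous (NRT) frequency and whether it returns the columns a custom detection needs. The Python script below is an added example, not code from the original post: it applies the single-table, no join/union/externaldata rule from above to the post’s own ZAP query and to a constructed single-table query. The Timestamp, ReportId and entity-column requirement comes from the custom detection documentation rather than this post, and the entity list is a partial one I am assuming is enough for the demo.

```python
import re

NRT_BLOCKED = {"join", "union", "externaldata"}   # rule NRT out (see post)
# Entity columns a custom detection may key on (partial list, assumed here).
ENTITY_COLUMNS = {"DeviceId", "DeviceName", "AccountUpn", "RecipientEmailAddress", "AccountObjectId"}
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"


def split_pipeline(query: str) -> list:
    """Drop // comments (per line, so a '//' inside a string is cut too) and
    split on '|' outside string literals."""
    stages, buf, quote = [], [], None
    for line in query.splitlines():
        for ch in re.sub(r"//.*", "", line):
            if quote:
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
            elif ch == "|":
                stages.append("".join(buf).strip())
                buf = []
                continue
            buf.append(ch)
        buf.append(" ")
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def analyze(query: str) -> dict:
    """Tables used, NRT eligibility and missing custom-detection columns."""
    stages = split_pipeline(query)
    tables, blocked, columns = set(), set(), None
    tables.add(re.match(IDENT, stages[0]).group(0))   # source table
    for stage in stages[1:]:
        op, _, args = stage.partition(" ")
        op = op.lower()
        if op in NRT_BLOCKED:
            blocked.add(op)
        if op == "join":   # 'join [kind=...] Table on ...'
            if (m := re.match(r"(?:kind\s*=\s*\w+\s+)?(" + IDENT + ")", args.strip())):
                tables.add(m.group(1))
        elif op in ("project", "extend"):   # 'Name = expr' or 'Name'; no nested commas
            names = {item.split("=")[0].strip() for item in args.split(",")}
            columns = names if op == "project" else (columns or set()) | names
    missing = []
    if columns is not None:   # without a project/extend we cannot tell
        missing = [c for c in ("Timestamp", "ReportId") if c not in columns]
        if not columns & ENTITY_COLUMNS:
            missing.append("<entity column>")
    return {"tables": sorted(tables), "nrt_blockers": sorted(blocked),
            "nrt_eligible": len(tables) == 1 and not blocked,
            "missing_columns": missing}

# The post's ZAP hunting query (comments dropped): two tables joined.
ZAP_QUERY = """EmailPostDeliveryEvents
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
  LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType"""

# Constructed single-table query (Office app spawning PowerShell): NRT-friendly.
NRT_QUERY = """DeviceProcessEvents
| where InitiatingProcessFileName =~ "winword.exe" and FileName =~ "powershell.exe"
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, ProcessCommandLine"""
```

The parser is deliberately simple (per-line comment stripping, comma-split project lists), so treat it as a pre-flight check rather than a KQL parser.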
Closure
Different components of the Defender family and their abbreviations:
- Microsoft Defender for Endpoint (MDE)
- Microsoft Defender for Identity (MDI)
- Microsoft Defender for Office 365 (MDO)
- Microsoft Defender for Cloud Apps (MDA)
The other services that can send alerts:
- Microsoft Purview Data Loss Prevention (DLP)
- Azure Active Directory Identity Protection (AADIP)
Actions that can be tracked
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Contain devices from the network
What actions can you undo from remediation?
Advanced hunting supports queries that check a broader data set coming from:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
Advanced hunting is available in two modes: guided and advanced.
- If you are unfamiliar with Kusto Query Language (KQL) or prefer the convenience of a query builder, use guided mode.
- If you are familiar with using KQL to create queries from scratch, use advanced mode.
Secure Score currently has recommendations for the following products:
- Microsoft 365 (including Exchange Online)
- Azure Active Directory
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Teams
What is inside the Analyst report?
How to create Custom Detection Rules?
Frequencies you can choose for Custom Detection Rules:
- Every 24 hours – runs every 24 hours, checking data from the past 30 days
- Every 12 hours – runs every 12 hours, checking data from the past 48 hours
- Every 3 hours – runs every 3 hours, checking data from the past 12 hours
- Every hour – runs hourly, checking data from the past 4 hours
- Continuous (NRT) – runs continuously, checking data from events as they are collected and processed in near real-time
If you choose the continuous frequency, make sure that the query references one table only and uses an operator from the list of supported KQL operators. You cannot use unions or joins. The externaldata operator is not supported.
See here for Microsoft-defined SecOps test use cases.