Analyze your first incident in Microsoft Defender XDR
Applies to: Microsoft Defender XDR
Understanding the context that surrounds an incident is essential to analyzing an attack. Combining your expertise and experience with the features and capabilities of Microsoft Defender XDR ensures faster resolution of incidents and better protection of your organization from cyberattacks.
Today's threats to data security - business email compromise (BEC), malware such as backdoors and ransomware, organizational breaches, and nation-state attacks - require quick, intelligent, and decisive action from incident responders. Tools like Microsoft Defender XDR let response teams detect, triage, and investigate incidents through a single-pane-of-glass experience and find the information needed to make these timely decisions.
Investigation tasks
Investigations usually involve responders viewing several apps while simultaneously checking various threat intelligence sources. Sometimes an investigation extends into hunting for other threats. Documenting the facts and the resolution of an attack investigation is a further important task: it provides history and context for other investigators and for later investigations. Microsoft Defender XDR simplifies these investigation tasks through the following:
Pivoting - the portal aggregates important attack information, contextualized across the Defender workloads enabled in your organization. It consolidates all information about a single attack's components (a file, a URL, a mailbox, a user account, or a device), showing the relationships between them and the timeline of activities. With all the information available on one page, incident responders can pivot across related entities and events to find what they need to make decisions.
Hunting - threat hunters can find known and possible threats within the organization through the portal's advanced hunting capability, using Kusto Query Language (KQL) queries. If you're new to KQL, use guided mode to hunt for threats.
Insight - where applicable, incident responders can view the actions taken on previously detected events and alerts to aid the present investigation. Additional insights are also added automatically to events and alerts from Microsoft's own threat intelligence and from sources such as the MITRE ATT&CK® framework and VirusTotal.
Collaboration - security operations teams can view each team member's decisions and actions on past and present incidents and alerts through portal features such as comments, tagging, flagging, and assignment. Further collaboration with Microsoft's managed detection and response service, through Defender Experts for XDR and Defender Experts for Hunting, is also available when an organization requires an augmented response.
Attack overview
The attack story gives incident responders a full, contextualized overview of what happened in an attack. Responders can view all related alerts and events, including the automated remediation actions that Microsoft Defender XDR took to mitigate the attack.
From the attack story, you can dive deeper into the details of an attack by exploring the tabs on the incident page. You can quickly remediate common attacks such as phishing, password spray, and malicious app compromise through the incident response playbooks accessible within the portal. These playbooks contain detection, response, and mitigation guidance that supports incident investigations.
Complex threats such as adversary-in-the-middle attacks and ransomware often require manual investigation. An incident responder tackling these complicated attacks looks for the following crucial information:
Presence of malware or suspicious use of tools and apps
Clues about any communication channels or entry points used by any malicious or suspicious entity
Clues pointing to possible identity compromise
The impact on the organization's data and security posture
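The clue about identity compromise listed above is one that advanced hunting (mentioned under "Hunting") answers well, because it can correlate many failed sign-ins against the first success that follows them. The query below is an added example and is not part of the original article. It uses the IdentityLogonEvents table and its ActionType, AccountUpn, IPAddress and Application columns from the Defender XDR advanced hunting schema; the 20-account threshold, the 1-hour bins and the 7-day lookback are assumptions to tune for your tenant. It flags source IPs that failed to sign in as many distinct accounts in one hour and then reports any account that signed in successfully from the same IP shortly after, the classic password-spray-then-success pattern.

```kusto
// Added example, not from the original article.
// Hunt for password-spray style activity followed by a successful sign-in.
// Thresholds (minAccounts, 1h bins, lookback) are assumptions; tune per tenant.
let lookback = 7d;
let minAccounts = 20;
// Step 1: source IPs that failed against many distinct accounts within one hour.
let sprayers =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(IPAddress) and isnotempty(AccountUpn)
    | summarize FailedAccounts = dcount(AccountUpn),
                Attempts = count(),
                FirstFail = min(Timestamp),
                LastFail = max(Timestamp)
              by IPAddress, Hour = bin(Timestamp, 1h)
    | where FailedAccounts >= minAccounts;
// Step 2: successful sign-ins from those IPs during or shortly after the spray window.
sprayers
| join kind=inner (
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project SuccessTime = Timestamp, IPAddress, AccountUpn, Application, DeviceName, LogonType
  ) on IPAddress
| where SuccessTime between (FirstFail .. (LastFail + 1h))
| project Hour, IPAddress, FailedAccounts, Attempts,
          CompromisedCandidate = AccountUpn, SuccessTime, Application, DeviceName, LogonType
| order by SuccessTime desc
```

Each row is a candidate compromised identity: pivot on CompromisedCandidate to review its subsequent activity, and on IPAddress to see whether the same source touched other workloads. IdentityLogonEvents covers sign-ins seen by Defender for Identity and Defender for Cloud Apps; for Microsoft Entra sign-ins the same pattern applies to the AADSignInEventsBeta table, with its own column names.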
The following sections contain tutorials and videos of Microsoft Defender XDR features that aid incident response teams in investigating various complex attacks.
Ransomware investigations
Ransomware continues to be a significant threat to organizations. Microsoft has the following resources to help you investigate and respond to ransomware attacks:
Identifying and tracking modified, created, or stolen identities are essential to investigating phishing and BEC attacks. Use the following resources when investigating these attacks:
A malicious file's information and capabilities are key to investigating malware. In most cases, Microsoft Defender XDR can detonate the file and show critical data, including its hash, metadata, prevalence within the organization, and capabilities mapped to MITRE ATT&CK® techniques. This removes the need for your own sandbox testing or static analysis of the file. You can view file information from the incident graph, or from an alert's process tree, an artifact timeline, or a device timeline.
The following resources provide details on how to use the portal's capabilities in investigating files:
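The prevalence figure on the file page answers "how widespread is this file?", but a responder usually also wants to know where it came from and what launched it. The query below is an added example, not part of the original article, that reproduces that pivot in advanced hunting. It uses the DeviceProcessEvents table and its SHA256, FolderPath, InitiatingProcessFileName and ProcessCommandLine columns from the Defender XDR schema; the hash value is a placeholder to replace with the SHA256 taken from the incident, and the "rare" cutoff of five devices is an assumption.

```kusto
// Added example, not from the original article.
// Pivot on a file hash: organization-wide prevalence plus the parent processes
// and command lines observed, grouped by the path the file ran from.
let targetHash = "<sha256-from-the-incident>";   // placeholder, replace before running
let lookback = 30d;
let rareCutoff = 5;                               // assumption: <= 5 devices counts as rare
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where SHA256 == targetHash
| summarize Devices      = dcount(DeviceId),
            Users        = dcount(AccountName),
            Executions   = count(),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp),
            Parents      = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 10)
        by FileName, FolderPath
| extend Prevalence = case(Devices == 1,          "single device",
                           Devices <= rareCutoff, "rare",
                                                  "common")
| project Prevalence, Devices, Users, Executions, FirstSeen, LastSeen,
          FileName, FolderPath, Parents, CommandLines
| order by Devices asc, FirstSeen asc
```

A file that is "single device" or "rare", first seen recently, launched from a user-writable path by a mail client, browser, or Office process is the profile worth escalating; a "common" file with a long history is more likely a legitimate binary that an alert happened to reference. The same hash can be pasted into the file page for the detonation and capability data described above.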
Risky apps analysis and cloud-based threats prevention
Malicious actors can exploit cloud-based apps. Apps can inadvertently leak sensitive information through abuse or misuse. Incident responders investigating and protecting apps in cloud environments can use the following resources where Defender for Cloud Apps is deployed in their organizations:
Discover how you can protect your cloud apps in real time with this video of the Defender for Cloud Apps workload:
Video: Protecting cloud apps and related files through Defender for Cloud Apps
Breach analysis
Nation-state attacks, attacks against critical infrastructure, and organizational breaches often require an attacker to establish communication points once they are in a network. Incident responders look for clues by identifying suspicious traffic or exchanges between a source and a destination. Microsoft has the following tutorials for investigating communication components:
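One recognizable form of the "communication point" described above is a command-and-control beacon: a process that connects to the same external host at a near-constant interval. The query below is an added example and is not part of the original article. It uses the DeviceNetworkEvents table and its RemoteIP, RemotePort, RemoteIPType and InitiatingProcessFileName columns from the Defender XDR schema, and the prev() window function over a sorted stream to measure the gap between consecutive connections; the 24-hour lookback, the minimum of 10 connections, and the 10% jitter ceiling are assumptions to tune.

```kusto
// Added example, not from the original article.
// Find device/process/destination tuples whose outbound connections repeat at a
// near-constant interval (low jitter), the shape of a C2 beacon.
// Thresholds (lookback, minConnections, maxJitterRatio) are assumptions; tune per tenant.
let lookback = 24h;
let minConnections = 10;
let maxJitterRatio = 0.1;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl
// Sorting serializes the stream so prev() sees the previous row of the same tuple.
| sort by DeviceName asc, InitiatingProcessFileName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend SameTuple = DeviceName == prev(DeviceName, 1)
                     and InitiatingProcessFileName == prev(InitiatingProcessFileName, 1)
                     and RemoteIP == prev(RemoteIP, 1)
                     and RemotePort == prev(RemotePort, 1)
| extend GapSeconds = datetime_diff("second", Timestamp, prev(Timestamp, 1))
| where SameTuple and GapSeconds > 0
| summarize Connections  = count(),
            AvgGapSec    = avg(GapSeconds),
            JitterSec    = stdev(GapSeconds),
            Urls         = make_set(RemoteUrl, 5),
            CommandLines = make_set(InitiatingProcessCommandLine, 3)
        by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| where Connections >= minConnections
| extend JitterRatio = JitterSec / AvgGapSec
| where JitterRatio < maxJitterRatio
| project DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, Connections,
          AvgGapSec, JitterRatio, Urls, CommandLines
| order by Connections desc
```

Expect legitimate periodic traffic (update agents, monitoring clients, telemetry) to surface too; the value of the result is the combination of an unfamiliar process, a destination with no known business purpose, and a rigid interval. From a hit, pivot to the device timeline around the first connection to find how the process arrived.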
Attackers often use vulnerabilities to gain access to an organization. Some ransomware attacks start by taking advantage of an unpatched vulnerability such as Log4Shell. The following resources help incident responders identify vulnerabilities and vulnerable devices in their organization through Microsoft Defender Vulnerability Management:
Video: Threat and vulnerability management via Defender Vulnerability Management
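The same exposure data that Defender Vulnerability Management shows in the portal is queryable in advanced hunting, which is useful when an incident names a specific CVE and you need the list of affected devices quickly. The query below is an added example, not part of the original article. It uses the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB tables from the Defender XDR schema. The CVE list is a parameter; CVE-2021-44228 is the identifier of the Log4Shell vulnerability mentioned above and is used here only as the illustrative value.

```kusto
// Added example, not from the original article.
// For a set of CVEs, list exposed devices and the affected software, joined with
// the vulnerability knowledge base to show CVSS score and whether a public exploit exists.
let cves = dynamic(["CVE-2021-44228"]);   // Log4Shell; replace with the CVEs from your incident
DeviceTvmSoftwareVulnerabilities
| where CveId in (cves)
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| summarize Devices     = dcount(DeviceId),
            DeviceNames = make_set(DeviceName, 50),
            Software    = make_set(strcat(SoftwareVendor, ":", SoftwareName, " ", SoftwareVersion), 20),
            Fixes       = make_set(RecommendedSecurityUpdate, 10)
        by CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate
| order by IsExploitAvailable desc, CvssScore desc, Devices desc
```

Rows with IsExploitAvailable set and a high device count are the patching priority; the DeviceNames set doubles as a scoping list to check against the devices already involved in the incident, since an unpatched device that the attacker has not yet reached is the next likely target.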
Breaches also happen through devices such as phones and tablets that connect to your organization's network. Incident responders can investigate these devices further within the portal. The following video covers the top threats from mobile devices and how you can investigate them:
Mobile threat defense in Microsoft Defender XDR
Resources for threat intelligence and hunting
Microsoft Defender XDR's built-in threat intelligence and hunting capabilities help incident response teams protect the organization proactively against emerging threats and attacks. You have direct access to the latest information on emerging threats and attacks through the portal's Threat analytics.
Use the intelligence in Threat analytics to deep dive into new threats with the following video:
Proactively hunt for threats within the organization using the portal's built-in advanced hunting capability.
The following resources provide more information on how to use advanced hunting:
Collaborate with Microsoft's experts for incident response and threat hunting to enhance your security operations team's capabilities. Learn more about these experts and how to engage them in the following resources: