In this article, I’m going to describe how to use Microsoft 365 Defender Threat Analytics to improve security in your organization. Over three Petri articles, we’ve dived into what Microsoft Defender for Endpoint (MDE) is, how you can migrate to it, and how it should be configured.
One thing remains: how you should use it in your ongoing security operations. This is where things extend beyond ‘just’ MDE and onto Microsoft 365 Defender as the larger extended detection and response (XDR) platform and security portal. This is important because to truly leverage MDE’s capabilities, we must understand how it integrates with the rest of the platform, and protect against threats as they move across the environment.
What is Extended Detection and Response (XDR) in Microsoft 365 Defender?
Extended Detection and Response (XDR) is the capability in Microsoft 365 Defender that unifies the protection, detection, and response capabilities of four core security services:
Microsoft Defender for Endpoint (MDE)
Covered in-depth over the last three parts of this series, MDE ultimately focuses on protecting your endpoints such as client computers, servers, and mobile devices.
Microsoft Defender for Identity (MDI)
The MDI sensor is installed on your on-premises Active Directory domain controllers to alert you about known attacks and suspicious behavior as they pertain to identity: for example, suspicious access to directory objects, or accounts moving laterally across the domain.
Microsoft Defender for Office 365 (MDO)
MDO is often compared to conventional email security gateways but it can be so much more. In addition to protecting against dangerous email, it can do the same for SharePoint Online/OneDrive for Business files, as well as educate your users with phishing training.
Microsoft Cloud App Security (MCAS)
As SaaS usage grows, MCAS offers a way to monitor your multi-cloud estate and proactively control it. You can also integrate MCAS with your endpoints and network appliances to monitor traffic for shadow IT use.
By combining signals across these, an attack that traverses more than one “entity” (an email, then a mailbox, then an identity, then a device) can be followed as a whole, giving a big-picture view of what’s going on with improved response capabilities. Additionally, Exchange Online Protection and Azure Active Directory (AD) Identity Protection are integrated, providing signals and remediation. These XDR capabilities are then managed in the Microsoft 365 Defender portal at security.microsoft.com.
Microsoft 365 Defender alerts vs incidents
Think of a Microsoft 365 Defender alert as the lowest level of something worth knowing about. For example, a single instance of a suspicious Task Scheduler entry being created, or an abnormal number of files being deleted in Office 365. Alerts can be across the list of services described above. On their own, alerts may not mean much and, at any great scale, would become hard to manage and correlate.
This is where incidents come into play. These are aggregations of related alerts into a single container, correlated on the entities they share (the same user, device, file or mailbox), their timing, and threat intelligence, for easier management and response. For example, if the same user is involved in the alerts for suspicious Task Scheduler items and abnormal levels of file deletion, and these alerts happen in close succession, this might form an incident.
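To see that correlation in the raw data rather than only in the incident queue, here is an added advanced hunting query (it is not code from the Petri article or from Microsoft). It joins the AlertInfo and AlertEvidence tables from the Microsoft 365 Defender schema to find users who, within the same hour, have alerts coming from more than one Defender service, which is exactly the kind of cross-product overlap the portal rolls into an incident. The seven-day lookback and one-hour bucket are my choices.

```kql
// Added example: users with alerts from more than one Defender service in the
// same hour. AlertInfo holds one row per alert; AlertEvidence holds one row per
// entity (user, device, file, ...) attached to an alert.
let lookback = 7d;
let window = 1h;
AlertInfo
| where Timestamp > ago(lookback)
| join kind=inner (
    AlertEvidence
    | where EntityType == "User" and isnotempty(AccountUpn)
    | project AlertId, AccountUpn
  ) on AlertId
// Bucketing by hour is a simplification: two alerts either side of a bucket
// boundary land in different rows even though the portal may still link them.
| summarize Alerts = make_set(Title),
            Services = make_set(ServiceSource),
            MaxSeverity = max(Severity),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by AccountUpn, Hour = bin(Timestamp, window)
| where array_length(Services) > 1
| order by LastSeen desc
```

ServiceSource tells you which product raised each alert (Defender for Endpoint, Office 365, Identity, Cloud Apps), so a row listing two or more services for one account is a good candidate to check against the incident queue: if it is already an incident, the correlation worked; if not, it is worth a manual look.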
Jumping into an incident, you’ll find a ton of data on what Microsoft 365 Defender has identified. In the summary of an incident, you can see:
high-level information on the MITRE ATT&CK tactics involved
the scope of the attack based on what types of entities are involved
evidence that includes the telemetry gathered to indicate a threat
perhaps most illustrative in the summary tab, a timeline of events
As part of your ongoing security management, incidents should be reviewed frequently – at least daily – including diving into the tabs within them. Key amongst these are the investigations tab, which reports the status of Defender’s automated investigations, and the graph tab, which offers a “story of the attack”.
Using the example of a malicious Word document that has dropped a trojan and created a scheduled task, the graph does the job of painting the picture of what’s happened. It presents this in chronological order via the attack story and visualizes it by depicting the evidence, entities, and how they relate to each other in the attack.
Meanwhile, if on a supported platform, and for a supported alert type, the investigations tab will report the status of automated investigations.
Automated investigations aim to reduce the load security teams face by doing some of the legwork for you. The investigation will review areas such as drivers, network communication, services, and persistence methods – known common areas of attack – so that you, the security administrator, have less to do during the firefighting.
Then, based on its discoveries, the investigation can remediate by killing processes, quarantining dangerous files, or, in the case of our example, removing a scheduled task. Whether those actions run automatically or wait in the action center for your approval depends on the automation level set on the device group. Everything the investigation does is logged: the evidence it gathered, what it examined, and which actions it took, all of which you can review.
What is advanced threat hunting?
Advanced hunting is a feature in Microsoft 365 Defender that lets SecOps (security operations) teams run database-style queries against the raw data collected by the protection, detection, and response capabilities in Microsoft 365. Instead of relying on just the incidents and alerts provided by Microsoft 365 Defender, security teams can look at the actual data collected to surface threat indicators and entities. If your investigation requires you to go beyond the alert and investigation functions, you can leverage advanced hunting.
Advanced hunting gives you almost raw access to the telemetry gathered by and stored in Microsoft 365 Defender. Using Kusto query language (KQL), you’ll have thirty days of log information to investigate with. Note that these thirty days cannot be changed and differ from the up to six months available for alerts and investigations; if you need the raw events for longer, the streaming API can forward them to Azure Storage, Event Hubs or Microsoft Sentinel.
Advanced threat hunting schema and KQL
While a full dive into how KQL works to build such queries deserves its own blog (and KQL is used in Microsoft 365/Azure elsewhere, not just Defender), here’s an introduction to the advanced hunting schema. Within Microsoft 365 Defender, you’ll find a number of tables that build up what’s available to be queried: for example, the AlertInfo and AlertEvidence tables, EmailEvents, DeviceFileEvents, and DeviceTvmSoftwareVulnerabilities. These mostly do what they say on the tin, containing columns relevant to that area of the XDR. Of course, with database tables we don’t always find what we need in one, so we can leverage KQL to join tables and do all sorts of transformations to get the investigative results we’re after.
Of particular interest to beginners may be the shared queries within advanced hunting, which include community-created queries and are useful for understanding how you can leverage them for your bespoke needs.
These queries can be used to further automate your security processes. Using the custom detection rules capability, a security administrator/operator can have a query run on a schedule (every 1, 3, 12, or 24 hours) and create alerts from its results. For this to work, the query must return both the Timestamp and ReportId columns, and also an entity column to associate the alert with, such as the device (DeviceId), an email address (for example RecipientEmailAddress), or an account (for example AccountObjectId). As well as just alerting, you can automate an action based on that entity. For example, if you specify a file hash (SHA1) as the impacted entity, you can quarantine the file or create an indicator; specifying a device opens up options such as antivirus scans, isolation, or restricting app execution; and users can be marked as compromised. Run and tune the query manually first: the rule fires on every row the query returns, so a noisy query produces noisy alerts and, with actions attached, noisy remediation.
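Here is an added hunting query (not code from the Petri article or from Microsoft) for the scenario used in the incident walk-through above: a scheduled task created from a process chain that began in Word. It is written to satisfy the custom detection rule requirements just described, so it can be saved unchanged as a rule. Table and column names are from the Microsoft 365 Defender advanced hunting schema; the seven-day lookback and the idea of pulling the task name out of the command line are my choices.

```kql
// Added example: scheduled tasks created from a process chain that started in Word.
// Timestamp, ReportId and DeviceId are kept so this qualifies as a custom detection
// rule; DeviceId (device) and InitiatingProcessSHA1 (file) can then be chosen as
// impacted entities for automated actions such as quarantine or an AV scan.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "/create"
// A macro either runs schtasks directly from Word, or via a binary it dropped.
| where InitiatingProcessFileName =~ "winword.exe"
     or InitiatingProcessParentFileName =~ "winword.exe"
// Pull the task name (/tn <name> or /tn "<name>") out of the command line.
| extend TaskName = extract(@"(?i)/tn\s+""?([^""\s]+)", 1, ProcessCommandLine)
// Empty when Word launched schtasks itself; otherwise the intermediate dropper.
| extend Dropper = iff(InitiatingProcessFileName =~ "winword.exe", "", InitiatingProcessFileName)
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          Dropper, InitiatingProcessSHA1, InitiatingProcessFolderPath,
          TaskName, ProcessCommandLine
| order by Timestamp desc
```

Run it in the advanced hunting page first and check the results over the full lookback window. If every row is something you would want an alert for, use Create detection rule, select DeviceId as the impacted device and InitiatingProcessSHA1 as the impacted file, and pick the response (for instance quarantine the file and run an antivirus scan on the device). Legitimate installers that schedule tasks from an Office add-in are the usual false positive here; exclude them by adding a `where InitiatingProcessSHA1 !in (...)` clause rather than loosening the rule.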
What is Microsoft 365 Defender Threat Analytics?
Microsoft 365 Defender Threat Analytics is a security feature that tracks prevalent threats that have been discovered or are making the news, and gets you up to speed on them. Look at Microsoft 365 Defender Threat Analytics as providing two key benefits:
You are given access to detailed analyst reports created by Microsoft security research into recently surfaced vulnerabilities, bad actors, and their campaigns.
These reports contain detailed explanations about what’s going on and how you can investigate or remediate. I like to think of this as a great window into “current events” in security, as they pertain to Microsoft in particular, and so you are educated enough to then speak about these when needed.
How these threats are applicable to your environment is reported by threat analytics.
For example, you can review the devices impacted based on which had the affected software installed. Additionally, threat analytics reports any incidents associated with the threat, and even whether related phishing emails were blocked before they could lead to the threat in question. This data can be reviewed at either the threat level (“tell me which devices are exposed to this threat”) or the organizational level (“tell me how many threats have alerts in total”).
Reviewing and responding to incidents and leveraging advanced hunting are likely to be daily tasks for security teams. Additionally, those teams should be checking out Microsoft 365 Defender’s Threat Analytics feature.
Vulnerability management
Threat Analytics is one way of proactively protecting your environment, and it leverages a feature of Microsoft Defender for Endpoint, managed via Microsoft 365 Defender, that requires additional explanation: threat and vulnerability management (TVM). It’s a given that unpatched software poses a risk, and TVM helps here by surfacing what software is outdated across our onboarded devices and what to do about it. TVM goes a step beyond just out-of-date or CVE-attached software, though, and also reports on the security posture of things like OS defaults.
What this translates to is a very useful page in Microsoft 365 Defender called vulnerability management recommendations. This provides you with a to-do list on hardening and updating your environment. The recommendations tell you what to do rather than just telling you what the problem is. For example, you’ll see hardening recommendations such as disable ‘always install with elevated privileges’, as well as patching recommendations like update Adobe Acrobat Reader DC. If the software is recognized as end of life, you’ll even get advice to uninstall it completely.
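The same TVM data is queryable from advanced hunting, which is handy when you want to answer “which devices have this software, and what should each one do” from a threat analytics report rather than from the recommendations page. This is an added example, not from the Petri article or from Microsoft: it uses the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareInventory tables from the schema, the Acrobat filter matches the article’s example recommendation, and the assumption that out-of-support rows carry an EndOfSupportStatus beginning with “EOS” is mine.

```kql
// Added example: per-device exposure to critical/high CVEs in one product,
// with the recommended fix and whether the installed build is already out of
// support (in which case the recommendation is to uninstall, not patch).
let vendor = "adobe";
let product = "acrobat";   // substring match on the normalized software name
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor =~ vendor and SoftwareName contains product
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize ExposedCves = make_set(CveId),
            Critical = countif(VulnerabilitySeverityLevel == "Critical"),
            InstalledVersion = take_any(SoftwareVersion),
            Fix = take_any(RecommendedSecurityUpdate)
          by DeviceId, DeviceName, OSPlatform, SoftwareName
| join kind=leftouter (
    DeviceTvmSoftwareInventory
    | where SoftwareVendor =~ vendor and SoftwareName contains product
    | project DeviceId, SoftwareName, EndOfSupportStatus, EndOfSupportDate
  ) on DeviceId, SoftwareName
// Assumption: out-of-support rows report a status starting with "EOS".
| extend Action = iff(EndOfSupportStatus startswith "EOS",
                      "Uninstall", strcat("Patch: ", Fix))
| project DeviceName, OSPlatform, SoftwareName, InstalledVersion,
          Critical, CveCount = array_length(ExposedCves), ExposedCves,
          EndOfSupportDate, Action
| order by Critical desc, CveCount desc
```

Swap the vendor and product variables for the software named in a threat analytics report, or replace the severity filter with `where CveId in ("CVE-...", ...)` using the IDs the report lists, and the result is the device-level exposure view described above, ready to hand to whichever team owns the patching.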
Within recommendations, you can harness Endpoint Manager integration with the request remediation option. This creates a remediation task in Microsoft Endpoint Manager (MEM) for Intune-managed, Azure AD joined devices, so the recommendation can be tracked through to completion: particularly useful in environments where different teams manage different elements. It requires the Microsoft Intune connection to be switched on in the Defender for Endpoint advanced features settings.
Be proactive, leveraging capabilities like Threat Analytics and TVM
Managing your security posture and responding to threats is an ongoing operation. Deploying Microsoft Defender for Endpoint and starting with Microsoft 365 Defender is just that: the start. There are no “install it and it’s done” solutions to the ongoing security problems our industry faces.
Through this blog series, however, you’ve hopefully learned how to start with Microsoft Defender for Endpoint. Alerts and investigations will keep you in the loop with what threats MDE has identified (and, potentially, auto-remediated), but you’ll probably need to go one step further and dive into advanced hunting to stay ahead of the game. Be proactive, leveraging capabilities like Threat Analytics and TVM too: the easiest threats to manage are ones you’ve already mitigated against.