Part 2: Incident Response with Microsoft XDR
In this second blog post, I will share my view on how Microsoft XDR can boost your incident response and management approach. I will cover the benefits of Microsoft XDR, such as unified visibility, automated analysis, and built-in orchestration, and provide some best practices for leveraging its features to reduce the time and effort needed to respond to security incidents and to get ahead of them.
Agenda:
- Introduction
- Incident Response with Microsoft XDR
- My recommendation
- Conclusion
Introduction:
Incident response is a critical aspect of any security operation. It involves identifying, containing, analyzing, and resolving security incidents that compromise the confidentiality, integrity, or availability of an organization's assets. However, traditional incident response tools and processes often face challenges such as siloed data sources, manual workflows, inconsistent procedures, and limited visibility across domains.
In this blog post, I will introduce you to Microsoft XDR (the product is named Microsoft Defender XDR, formerly Microsoft 365 Defender), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. I will also share some best practices for how to leverage Microsoft XDR for efficient incident response and management.
Incident Response with Microsoft XDR
Microsoft XDR integrates threat signals from various products, enabling you to assess the complete threat landscape, including entry points, affected areas, and current impact on the organization. It automatically responds to and mitigates attacks while initiating self-healing for affected mailboxes, endpoints, and user identities.
Microsoft XDR is not just a collection of individual products, but a holistic security approach that leverages the power of the cloud and the Microsoft intelligence network to deliver unified visibility, automation, and orchestration across domains within your organization. Some of the key changes that Microsoft XDR brings to the incident response process are:
Cross-product single pane of glass in the Microsoft Defender portal: a central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in the Microsoft Defender portal.
Combined incidents queue: a feature that helps security professionals focus on what is critical by ensuring the full attack scope, impacted assets, and automated remediation actions are grouped together and surfaced in a timely manner.
Automatic response to threats: a capability that allows critical threat information to be shared in real time between the Microsoft XDR products to help stop the progression of an attack.
Self-healing for compromised devices, user identities, and mailboxes: a feature that uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state.
Cross-product threat hunting: a feature that enables security teams to leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products.
The impact of Microsoft XDR on the incident response process is significant, as it provides several benefits for security teams, such as:
Improved efficiency and productivity: Microsoft XDR reduces the complexity and manual effort involved in incident response by providing a unified and streamlined workflow, eliminating the need to switch between multiple tools and consoles, and automating repetitive tasks and workflows.
Enhanced detection and response capabilities: Microsoft XDR increases the accuracy and speed of threat detection and response by correlating signals from multiple sources, providing rich context and insights, and enabling fast and effective actions.
Better security posture and resilience: Microsoft XDR helps security teams improve their security posture and resilience by providing continuous monitoring and assessment, proactive threat hunting, and actionable recommendations.
Initial investigation
Before getting into the specifics, review the characteristics and the full attack scenario of the incident.
You can begin by choosing the incident from the column with the check mark. Here's a sample.
A summary pane with key incident details, such as severity, assignee, and MITRE ATT&CK™ categories, opens when you do. Here's an example.
The summary pane also shows the alerts timeline of the incident, which gives you a chronological view of the alerts and activities that make up the attack. You can use the timeline to filter the alerts by time range or by specific entities, such as devices, users, or files, and you can see each alert's status, whether it is active, resolved, or dismissed. Here's an example of the timeline.
To get more details about each alert in the timeline, hover over the alert icon to see a tooltip with the alert title, description, and timestamp, or click the alert icon to open a side panel with more information, such as the alert evidence, related entities, and recommended actions. Here's an example of the side panel.
Next, you can choose Open incident page. This takes you to the main page for the incident where you can see the complete attack story information and tabs for alerts, devices, users, investigations, and evidence.
The main page for the incident also shows you the attack story, which is a graphical representation of the attack timeline and sequence. The attack story gives you a clear and concise view of how the attack unfolded, what alerts were triggered, what entities were involved, and what actions were taken by the attacker or the defender. You can use the attack story to quickly understand the scope and impact of the attack, as well as to identify any gaps or weaknesses in your security posture. Here's an example of the attack story.
You can also access the main page for an incident by picking the incident ID from the incident queue.
Attack story
Attack stories enable you to easily examine, investigate, and resolve attacks while seeing the complete story of the attack on the same tab. You can also view the details of the entity and perform remediation actions, such as removing a file or isolating a device without switching tabs.
Attack stories are useful for understanding the context and impact of an attack, as well as the actions taken by the attackers and the defenders. They show you the sequence of events that led to the detection of an incident, as well as the related alerts and entities involved in the attack. Attack stories also provide you with recommendations and options for responding to an incident and preventing similar attacks in the future.
The attack story includes the alert page and the incident graph.
The alert page has these sections:
Alert story, which contains:
What occurred
Actions taken
Related events
Alert properties in the right pane (state, details, description, and others)
Note that some alerts may not have all of the subsections listed in the Alert story section.
The Attack Story pane displays the full extent of the attack, how the attack moved through your network over time, where it originated, and how far the attacker reached. It links the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
From the Attack Story, you can:
Play the alerts and the nodes on the graph as they happened over time to understand the sequence of the attack.
Open an entity pane, allowing you to review the entity details and act on remediation actions, such as deleting a file or isolating a device.
Highlight the alerts based on the entity to which they are related.
Hunt for entity information of a device, file, IP address, or URL.
The go hunt option uses the advanced hunting feature to search for relevant information about an entity. The go hunt query looks at relevant schema tables for any events or alerts related to the specific entity you're investigating. You can choose any of the options to find relevant information about the entity:
See all available queries – the option shows all available queries for the entity type you're investigating.
All Activity – the query shows all activities linked to an entity, giving you a complete view of the incident's context.
Related Alerts – the query finds and shows all security alerts involving a specific entity, making sure you don't miss any information.
The resulting logs or alerts can be linked to an incident by selecting a result and then selecting Link to incident.
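To make the go hunt behaviour concrete, here is an added KQL example of the kind of entity-scoped advanced hunting queries it generates for a device node on the Attack Story. This is my own illustration for this post, not the query text the portal generates; the device name, the look-back window, and the incident window are assumed placeholders. Run each query separately in Advanced hunting, keeping its `let` lines.

```kusto
// Added example (not from the original post): entity-scoped hunting for a device.
// Assumed placeholders, constructed for illustration:
let TargetDevice = "ws-finance-07";   // hypothetical device name taken from the Attack Story
let LookBack = 7d;

// "Related Alerts": every alert whose evidence references the device. AlertEvidence
// carries one row per evidence item, so summarize back to one row per alert and
// pull the ATT&CK techniques from AlertInfo so the sequence can be read by TTP.
AlertEvidence
| where Timestamp > ago(LookBack)
| where DeviceName =~ TargetDevice
| summarize FirstSeen = min(Timestamp), EvidenceTypes = make_set(EntityType)
    by AlertId, Title, Severity, ServiceSource, DetectionSource
| join kind=leftouter (AlertInfo | project AlertId, AttackTechniques) on AlertId
| project-away AlertId1
| order by FirstSeen asc

// "All Activity": the device's raw events across the endpoint tables inside the
// incident window, in time order. withsource= records which table each row came
// from; columns a table does not have (for example ProcessCommandLine outside
// DeviceProcessEvents) are simply empty for that table's rows.
let TargetDevice = "ws-finance-07";
let Start = datetime(2024-03-04 08:00:00);   // assumed incident window
let End   = datetime(2024-03-04 12:00:00);
union withsource = Source
      DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents,
      DeviceLogonEvents, DeviceRegistryEvents
| where Timestamp between (Start .. End)
| where DeviceName =~ TargetDevice
| project Timestamp, Source, ActionType,
          Account = InitiatingProcessAccountName,
          FileName, ProcessCommandLine, InitiatingProcessCommandLine,
          RemoteIP, RemoteUrl, RegistryKey, ReportId
| order by Timestamp asc
```

The second query is the one to export when you need a timeline that goes beyond what the device page shows: keep ReportId in the projection so any row can later be linked back to the incident with Link to incident.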
Summary
On the Summary page, you can see the severity of the incident and easily find the related alerts and affected entities. It shows you the main things to know about the incident.
To understand the root cause and impact of the incident, use the Summary page as the starting point for your investigation. It gives a high-level overview of the incident, including its status, severity, first and last activity times, and assignee, the alerts that were correlated into it, and the affected entities (devices, users, mailboxes, and apps). From the Summary page, you can drill down into more details by using the tabs at the top of the incident page.
Information is organized in these sections:
Alerts and categories:
A visual and numeric view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft Defender XDR is aligned to the MITRE ATT&CK™ framework. The alerts timeline shows the chronological order in which the alerts occurred and for each, their status and name.
Scope
Displays the number of impacted devices, users, and mailboxes and lists the entities in order of risk level and investigation priority.
Evidence
Displays the number of evidence items (files, processes, IP addresses, URLs, and so on) gathered from the incident's alerts.
Incident information
Displays the properties of the incident, such as tags, status, and severity.
Alerts
The Alerts tab shows you the alert queue for alerts that are connected to the incident and other details about them such as:
Severity.
The entities that were involved in the alert.
The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Defender for Cloud Apps, and the app governance add-on).
The reason they were linked together.
Here's an example.
The alerts are sorted by time to show you the sequence of the attack. Selecting an alert within an incident opens that alert's details in the context of the whole incident.
You can see the events of the alert, what other alerts caused the current alert, and all the impacted entities and activities in the attack, such as devices, files, users, and mailboxes.
Here's an example.
Assets
The Assets tab lets you see and manage all the assets involved in the incident in one place: Devices, Users, Mailboxes, and Apps. It shows the total number of assets and the count in each category.
Devices
The Devices view lists all the devices related to the incident. Here's an example.
From the list, choose a device to open a bar with device management options. You can export, tag, investigate, and more. Check a device to see its details, directory data, alerts, and users. Click the device name to see more details in the Defender for Endpoint inventory. Here's an example.
The device page shows you more details (see example below) about the device, like related alerts, timeline, risk level and security improvements suggestions. For instance, from the Timeline tab, you can look through the device timeline and see all events and behaviors that happened on the machine in time order, flagged with when the alerts triggered.
Users
The Users view shows all the users that have been involved or connected to the incident. Here's an example.
You can choose the check mark for a user to view the user account threat, exposure, and contact information. Select the user name to view more user account details.
For more on viewing user information and managing the users of an incident, see the Defender XDR documentation on investigating users.
Mailboxes
The Mailboxes view shows all the mailboxes that are involved in or connected to the incident. Here's an example.
To see active alerts, choose the check mark for a mailbox. To see more mailbox details on the Explorer page for Defender for Office 365, choose the mailbox name.
Apps
The Apps view lists all the apps identified to be part of or related to the incident. Here's an example.
To view active alerts, check an app. To see more details on the Explorer page for Defender for Cloud Apps, select the app name.
Investigations
The Investigations tab shows all the automated investigations started. Automated investigations will either do remediation actions or ask for analyst approval of actions, depending on how you set up your automated investigations to work on Defender for Endpoint and Defender for Office 365.
To see the full details of an investigation and its remediation status, choose an investigation to go to its details page. If the investigation has any actions that need your approval, they will show up in the Pending actions history tab. You can approve or reject these actions as part of the incident remediation.
You can also view the Investigation graph tab, which displays:
How the alerts are linked to the affected assets in your organization.
How the entities that are involved in the alerts are related to each other and how they contribute to the story of the attack.
The alerts for the incident.
The investigation graph helps you quickly grasp the full extent of the attack by showing the different entities that are suspicious and how they are connected to their associated assets such as users, devices, and mailboxes.
Evidence and Response
The Evidence and Response tab displays all the events and entities with evidence in the incident alerts. Here's an example.
Microsoft Defender XDR analyzes all the supported events and suspicious entities in the alerts for every incident, giving you details about the relevant emails, files, processes, services, IP addresses, and more. This helps you rapidly identify and stop possible threats in the incident.
Each of the examined entities is labeled with a verdict (Malicious, Suspicious, Clean) and a remediation status. This helps you comprehend the remediation status of the whole incident and what further actions can be done.
Approve or reject remediation actions
For incidents with a remediation status of Pending approval, you can approve or reject a remediation action from within the incident.
1. In the navigation pane, go to Incidents & alerts > Incidents.
2. Filter on Pending action for the Automated investigation state (optional).
3. Select an incident name to open its summary page.
4. Select the Evidence and Response tab.
5. Select an item in the list to open its flyout pane.
6. Review the information, and then take one of the following steps:
Select the Approve pending action option to initiate a pending action.
Select the Reject pending action option to prevent a pending action from being taken.
My recommendation
My recommendations are some practical tips for triaging and investigating security alerts from the Defender XDR products.
Here are the key points:
- Use EDR (Microsoft Defender for Endpoint, MDE) and identity (IAM) products such as Defender for Identity together to find evidence across the environment.
- Pivot on IP addresses and file prevalence rather than on file hashes alone, and look at the TTPs and context of each MDE alert.
- Use the incident/alert correlation engine and the Evidence tab to group and hunt related alerts.
- Be aware of the limitations of the MDE timelines and use other sources of data as well.
- Use the Device Timeline, the Identity Timeline, and the unified audit log (UAL) search for interactive investigation, and export CSVs with filters and flags applied.
- Use near-real-time (NRT) custom detections with response actions, and Conditional Access policies, to stop attackers quickly.
- Don't clear an alert just because MDE blocked something. Investigate further.
- Learn advanced hunting skills and practice how to query the tables, collect IOCs, find related evidence, and build accurate timelines.
- Remember that Defender XDR is a tool, not a guarantee, and it will miss things sometimes.
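Two of the tips above in query form, as an added example I wrote for this post rather than anything the original included: a prevalence pivot for a hash taken from an alert's evidence, and a single-table custom detection that is eligible for the Continuous (NRT) frequency. The SHA256 value is a constructed placeholder, and the excluded deployment tool is an assumed tenant-specific exclusion. Run each query separately.

```kusto
// Added example 1 (not from the original post): prevalence pivot.
// Instead of hunting the hash itself, ask how many devices have ever seen the
// file, where it lived, where it came from, and how common it is globally.
// The SHA256 below is a constructed placeholder, not a real indicator.
let SuspectHash = "0000000000000000000000000000000000000000000000000000000000000000";
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == SuspectHash
| summarize Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Paths = make_set(FolderPath, 10),
            Origins = make_set(FileOriginUrl, 10)
| extend SHA256 = SuspectHash
// FileProfile is the built-in enrichment function: it adds GlobalPrevalence and
// signer information for the hash column you pass it.
| invoke FileProfile(SHA256, 1)
| extend Assessment = case(
      Devices <= 2,  "rare in this tenant: investigate the host and its network peers",
      Devices <= 20, "limited spread: check for lateral movement between these devices",
                     "widespread: likely legitimate software or a mass deployment, verify the signer")
| project Devices, FirstSeen, LastSeen, Paths, Origins,
          GlobalPrevalence, Signer, IsCertificateValid, Assessment

// Added example 2 (not from the original post): a TTP-based custom detection
// eligible for the Continuous (NRT) frequency. NRT rules must reference a single
// table and cannot use join or union; the result set must include Timestamp,
// ReportId and DeviceId so the portal can map each hit to a device and apply the
// response actions (isolate device, run antivirus scan, and so on) that you
// configure on the rule itself, not in the query. The rule frequency defines the
// look-back window, so no Timestamp filter is needed here.
// Technique: local account added to a privileged local group (MITRE T1098 / T1136.001).
DeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup" and ProcessCommandLine has "/add"
| where ProcessCommandLine has_any ("administrators", "Remote Desktop Users")
// Assumed known-good deployment tool for this tenant; tune the exclusion list per environment.
| where InitiatingProcessFileName !in~ ("ccmexec.exe")
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, AccountDomain,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```

Start the custom detection at a longer frequency and review the hits before switching it to Continuous (NRT) with an isolation action attached; an over-broad query with a device-isolation action is a self-inflicted outage.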
As an IT pro, I am always looking for ways to improve the security of organizations. I have been using Microsoft Defender for years, and I am impressed by how it has transformed both my incident response process and the organizations I work with. I can now easily see all the relevant information about an incident in one place and take quick and decisive actions to contain and resolve it. I have also seen how the intelligence and automation that Microsoft XDR provides helps organizations. It helps them identify and prioritize the most critical threats and reduce the workload and complexity of their security operations.
One of the features that I like the most about Microsoft XDR is the automation part. It allows me to respond to incidents as soon as they happen, and not when I have time. With Microsoft XDR, I can automate common tasks such as isolating a compromised device, blocking a malicious domain, or running an antivirus scan. This saves me a lot of time and effort, and also reduces the risk of human error.
Therefore, I strongly recommend that all organizations start using the automation capabilities of Microsoft XDR as soon as possible. Automation can help you accelerate your response time, reduce your manual workload, and enhance your security posture. With Microsoft XDR, you can leverage the power of custom detection rules to automate and orchestrate your security workflows, and integrate them with your existing tools and processes. Automation is not only a nice-to-have feature, but a necessity in today's fast-paced and evolving threat landscape.
But this is just the beginning. Microsoft XDR can be even more powerful when combined with Microsoft Sentinel, the cloud-native SIEM and SOAR solution. Sentinel can collect and analyze data from Microsoft XDR, as well as from other sources, to provide a comprehensive view of the entire threat landscape. Microsoft Sentinel can also leverage the automation capabilities of Microsoft XDR to execute playbooks and take actions across different domains and platforms. By integrating Microsoft XDR and Microsoft Sentinel, security teams can achieve a higher level of security operations maturity and efficiency. I will talk more about this integration and its benefits in a later blog post, so stay tuned.
Conclusion
Microsoft XDR is a game-changer for incident response and management. It provides a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. By using Microsoft XDR, security teams can achieve better visibility, efficiency, and effectiveness in detecting sophisticated attacks and protecting their organizations from them.
Start your journey today, and have automation in mind when you start.