Managed detection and response
Applies to:
Tip
For managed detection and response instructions, check out this short video: https://www.youtube.com/watch?v=fYzquW2hE5I
Through a combination of automation and human expertise, Microsoft Defender Experts for XDR triages Microsoft Defender XDR incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides actionable managed response to your security operations center (SOC) teams.
Incident updates
Once our experts start investigating an incident, the incident's Assigned to and Status fields are updated to Defender Experts and In progress, respectively.
When our experts conclude their investigation on an incident, the incident's Classification field is updated to one of the following, depending on the experts' findings:
- True Positive
- False Positive
- Informational, Expected Activity
The Determination field corresponding to each classification is also updated to provide more insights on the findings that led our experts to determine the said classification.
If an incident is classified as False Positive or Informational, Expected Activity, then the incident's Status field gets updated to Resolved. Our experts then conclude their work on this incident and the Assigned to field gets updated to Unassigned. Our experts may share updates from their investigation and their conclusion when resolving an incident. These updates are posted in the incident's Comments and history flyout panel.
Note
Incident comments are one-way posts. Defender Experts can't respond to any comments or questions you add in the Comments and history panel. For more information about how to correspond with our experts, see Communicating with experts in the Microsoft Defender Experts for XDR service.
Otherwise, if an incident is classified as True Positive, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. Learn more about granting permissions to our experts.
If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an Investigation summary, show up in the incident's Managed response flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the Completed actions section. Any pending actions that require you or you SOC team to complete are listed under the Pending actions section. For more information, see the Actions section. Once our experts have taken all the necessary actions on the incident, its Status field is then updated to Resolved and the Assigned to field is updated to Unassigned.
If you have granted Defender Experts for XDR the default Security Reader access, then the required response actions, along with an Investigation summary, show up in the incident's Managed response flyout panel under the Pending actions section in your Microsoft Defender portal for you or your SOC team to perform. For more information, see the Actions section. To identify this handover, the incident's Status field is updated to Awaiting Customer Action and the Assigned to field is updated to Customer.
You can check the number of incidents that require your action in the Defender Experts banner at the top of the Microsoft Defender homepage.
To view the incidents our experts have investigated or are currently investigating, filter the incident queue in your Microsoft Defender portal using the Defender Experts tag.
How to use managed response in Microsoft Defender XDR
In the Microsoft Defender portal, an incident that requires your attention using managed response has the Status field set to Awaiting Customer Action, the Assigned to field set to Customer and a task card on top of the Incidents pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. Learn more about notification contacts. You will also receive a Teams notification informaing you about the updates. Learn more about setting up Teams
Select View managed response on the task card or on the top of the portal page (Managed response tab) to open a flyout panel where you can read our experts' investigation summary, complete pending actions identified by our experts, or engage with them through chat.
Investigation summary
The Investigation summary section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack, and indicators of compromise (IOCs) observed, and other details.
Actions
The Actions tab displays task cards that contain response actions recommended by our experts.
Defender Experts for XDR currently supports the following one-click managed response actions:
Action | Description |
---|---|
Isolate device | Isolates a device, which helps prevent an attacker from controlling it and performing further activities such as data exfiltration and lateral movement. The isolated device will still be connected to Microsoft Defender for Endpoint. |
Quarantine file | Stops running processes, quarantines the files, and deletes persistent data such as registry keys. |
Restrict app execution | Restricts the execution of potentially malicious programs and locks down the device to prevent further attempts. |
Release from isolation | Undoes isolation of a device. |
Remove app restriction | Undoes release from isolation. |
Apart from these one-click actions, you can also receive managed responses from our experts that you need to perform manually.
Note
Before performing any of the recommended managed response actions, make sure that they are not already being addressed by your automated investigation and response configurations. Learn more about automated investigation and response capabilities in Microsoft Defender XDR.
To view and perform the managed response actions:
- Select the arrow buttons in an action card to expand it and read more information about the required action.
- For cards with one-click response actions, select the required action. The Action status in the card changes to In progress, then to Failed or Completed, depending on the action's outcome.
Tip
You can also monitor the status of in-portal response actions in the Action center. If a response action fails, try doing it again from the View device details page or initiate a chat with Defender Experts.
- For cards with required actions that you need to perform manually, select I've completed this action once you've performed them, then select Yes, I've done it in the confirmation dialog box that appears.
- If you don't want to complete a required action right away, select Skip, then select Yes, skip this action in the confirmation dialog box that appears.
Important
If you notice that any of the buttons on the action cards are grayed out, it could indicate that you don't have the necessary permissions to perform the action. Make sure that you're signed into the Microsoft Defender XDR portal with the appropriate permissions. Most managed response actions require that you have at least the Security Operator access. If you still encounter this issue even with the appropriate permissions, navigate to View device details and complete the steps from there.
Get visibility to Defender Experts investigations in your SIEM or ITSM application
As Defender Experts for XDR investigate incidents and come up with remediation actions, you can have visibility to their work on incidents in your security information and event management (SIEM) and IT service management (ITSM) applications, including applications that are available out of the box.
Microsoft Sentinel
You can get incident visibility in Microsoft Sentinel by turning on its out-of-the-box Microsoft Defender XDR data connector. Learn more.
Once you have turned on the connector, updates by Defender Experts to the Status, Assigned to, Classification, and Determination fields in Microsoft Defender XDR will show up in the corresponding Status, Owner, and Reason for closing fields in Sentinel.
Note
The status of incidents investigated by Defender Experts in Microsoft Defender XDR typically transitions from Active to In progress to Awaiting Customer Action to Resolved, while in Sentinel, it follows the New to Active to Resolved path. The Microsoft Defender XDR Status Awaiting Customer Action doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel.
The following section describes how an incident handled by our experts is updated in Sentinel as it progresses through the investigation journey:
- An incident being investigated by our experts has the Status listed as Active and the Owner listed as Defender Experts.
- An incident that our experts have confirmed as a True Positive has a managed response posted in Microsoft Defender XDR, and a Tag Awaiting Customer Action and the Owner is listed as Customer. You need to act on the incident based on using the provided managed response.
- Once our experts have concluded their investigation and closed an incident as False Positive or Informational, Expected Activity, the incident's Status is updated to Resolved, the Owner is updated to Unassigned, and a Reason for closing is provided.
Other applications
You could obtain visibility into incidents in your SIEM or ITSM application by using the Microsoft Defender XDR API or connectors in Sentinel.
After configuring a connector, the updates by Defender Experts to an incident's Status, Assigned to, Classification, and Determination fields in Microsoft Defender XDR can be synchronized with the third-party SIEM or ITSM applications, depending on how the field mapping has been implemented. To illustrate, you can take a look at the connector available from Sentinel to ServiceNow.
See also
- Understanding and managing Defender Experts for XDR incident notifications
- Understanding managed response
- Get real-time visibility with Defender Experts for XDR reports
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Tagasiside
https://aka.ms/ContentUserFeedback.
Varsti tulekul: 2024. aasta jooksul tühistame GitHubi probleemide funktsiooni sisutagasiside mehhanismina ja asendame selle uue tagasisidesüsteemiga. Lisateabe saamiseks vtEsita ja vaata tagasisidet