A real world example of Microsoft Threat Protection & XDR
Microsoft Threat Protection (MTP) is a cross-service Security product with a single view for all Microsoft 365 E5 Security features (threat protection & vulnerability management). The products that are part of the Microsoft 365 E5 Security license are:
- Azure ATP
- Microsoft Defender ATP
- Office 365 ATP
- Microsoft Cloud App Security (including Azure AD Identity Protection)
- Microsoft Threat Protection
Microsoft Azure AD Privileged Identity Management (PIM) is also part of the E5 Security license but is not part of Microsoft Threat Protection.
Microsoft Threat Protection correlates Incidents from multiple services into one single Incident for optimal triage, mitigation and RCA (Root Cause Analysis). While Incidents are passive in nature, Hunting is the pro-active approach which also has cross-service support.
The Incident page provides an option to only see correlated alerts: enable the filter ‘Multiple service sources.
Let’s look at two examples from our Cloud SOC (Security Operations Center) and highlight the power of MTP and XDR.
Example #1 — Malicious URL opened in e-mail
Microsoft Threat Protection
Example #2 — Malicious file opened in e-mail
Microsoft Threat Protection
The cross-service Incidents are correlated into one single Incident which provides all insights for triage, mitigate and help to understand and write the RCA (Root Cause Analyses).
Advanced hunting is the pro-active feature to hunt for malicious behavior or threats.
The language used is KQL (Kusto Query Language), the same language used in Azure Sentinel. The advanced hunting cross-service options are:
- Alerts (MTP)
- Apps & identities (Azure AD & MCAS)
- Email (Office 365 ATP
- Devices (MDATP)
- Threat & Vulnerability Management (MDATP)
Let’s continue from the malicious e-mails above and hunt the environment for logon attempts (within 30 minutes) after the user received a known malicious e-mail via the KQL query below.
//Define new table for malicious emails
//List emails detected as malware, getting only pertinent columns
| where MalwareFilterVerdict == “Malware”
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, “@”));
| join (
//Merge malicious emails with logon events to find logons by recipients
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime — TimeEmail) between (0min.. 30min)
Triage the output for possible compromised accounts.
The examples above underline the power of XDR (eXtended Detection & Response), the integration of the E5 Security products.
Let’s explain the malicious attachments example.
- A user receives an e-mail with an (malicious) attachment
- Office 365 ATP scans the e-mail but the ‘Indicator of Compromise’ percentage do not mark the e-mail as malicious (e.g. 80% or above is malicious but the analyze score was 78%).
- The mail is delivered to the mailbox, and the attachment is opened on the Endpoint (device)
- Microsoft Defender ATP has in-depth scanning capabilities and marks the attachment as malicious.
- The hash of the attachment is shared with Office 365 ATP (Exchange EOP)
- All new malicious e-mail(s) with the same attachment are blocked
- All existing e-mail(s) with the same attachment are cleared via the ZAP (zero-auto purge) feature
Here you can see the true power of one holistic Security solution. If we had a different endpoint AV/EDR or e-mail AV solution, the malware could have entered the organization and provide damage (e.g. IP theft by competitor, malware for financial gains or data destruction by nation state actors).