EDR, XDR and AIR — The Basics (and updated Microsoft Defender naming scheme)

Derk van der Woude
4 min read · Sep 22, 2020


History

Traditional protection solutions like AV (Anti-Virus) are install-to-disk and signature-based (hash) detection solutions.

The anti-virus signatures (and the software in general, because of vulnerabilities) have to be kept up-to-date (the internet helps with that), but even then this does not provide enough protection against modern attacks such as file-less, polymorphic (fast-mutating) or lateral-movement attacks.

EDR — Microsoft Defender for Endpoint (previously Microsoft Defender ATP)

EDR (Endpoint Detection and Response) is the process of detecting suspicious activities (anomaly-based) and responding to advanced threats.

Microsoft Defender for Endpoint (previously Microsoft Defender ATP) is the post-breach EDR solution from Microsoft. The product has an agent on the endpoint(s) that is connected to the cloud (always up-to-date). Multiple alerts linked by an entity (e.g. an attack technique) are aggregated into an incident.

XDR — Microsoft 365 Defender (previously MTP)

XDR (eXtended Detection and Response) is the next level of advanced protection by correlating security signals cross-product. The assets of a Modern Workplace are identity, devices, apps & data.

Defense-in-depth signal sharing: alerts from the Microsoft 365 E5 (ATP) Security products (e.g. Microsoft Defender for Identity, previously Azure ATP) are correlated into incidents in Microsoft 365 Defender (previously Microsoft Threat Protection).

Incidents

Incidents (the reactive approach) in Microsoft 365 Defender consist of single-product and/or cross-product alerts.

The single-product alerts from the Microsoft 365 E5 Security products are on average false positives (the security baseline requires fine-tuning), whereas the cross-product incidents are true-positive alerts in 99% of the cases, because different alerts are correlated into one incident (which makes it easy to see the source of the attack, aka patient zero).

Hunting

Hunting is the pro-active approach to threat detection. The example below checks whether files from a known malicious sender (Microsoft Defender for Office 365) are found on devices (Microsoft Defender for Endpoint).

Source: https://docs.microsoft.com/nl-nl/microsoft-365/security/mtp/advanced-hunting-query-emails-devices
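The author's query itself is not reproduced on this page; the following is an added example (not the author's query and not the Microsoft documentation sample) of such a cross-product hunt in the advanced hunting KQL schema. It assumes the EmailAttachmentInfo and DeviceFileEvents tables with the columns used below; the sender address and the 30-day window are placeholders.

```kql
// Added example: attachments received from a known malicious sender
// (Defender for Office 365 data) that were later seen on devices
// (Defender for Endpoint data). The correlation key is the SHA-256 hash.
// The sender address and the lookback window are placeholders.
let suspicious_sender = "malicious-sender@example.com";   // placeholder
let lookback = 30d;                                       // placeholder
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SenderFromAddress =~ suspicious_sender
// only attachments for which a hash was recorded can be correlated
| where isnotempty(SHA256)
| project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName = FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project DeviceTime = Timestamp, DeviceId, DeviceName,
              DeviceFileName = FileName, FolderPath, ActionType, SHA256
) on SHA256
// keep only device sightings that happened after the e-mail arrived
| where DeviceTime >= EmailTime
// one row per attachment hash: where and how often it showed up
| summarize FirstSeenOnDevice = min(DeviceTime),
            Sightings = count(),
            Devices = make_set(DeviceName),
            Recipients = make_set(RecipientEmailAddress)
            by SHA256, AttachmentName, SenderFromAddress
| order by FirstSeenOnDevice asc
```

Each resulting row is a candidate for a cross-product incident: a hash that entered through e-mail and was written or executed on at least one device.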

AIR

AIR (Automated Investigation and Response) is the response part of Microsoft Defender for Endpoint (EDR), Microsoft Defender for Office 365 (previously Office 365 ATP) and Microsoft 365 Defender (XDR). AIR leverages security playbooks (the inspection algorithms and processes used by SOC analysts) to examine a (known) alert and takes action to remediate it.

The process is as follows:

Alert > incident > automated investigation > verdict > remediation action

· Alert(s) are grouped into incidents
· Evidence (entities) of compromise is collected across all assets
· A verdict¹ is given for each entity of evidence
· Remediation action is taken (e.g. quarantine file or e-mail, stop process, block URL, etc.)
· The cycle continues and more assets / entities are added to the incident if required

¹ The verdict is one of Malicious, Suspicious or No threats found.

Microsoft Defender for Office 365 AIR requires a remediation action to be approved or rejected. Microsoft Defender for Endpoint AIR can be set to Semi (approve or reject) or Full (self-healing is the preferred method).

Tenants created on or after August 16 are set to Full by default.

This virtual SOC (Tier 1 / 2) analyst works 24x7 and helps reduce the number of (known) alerts.

Written by Derk van der Woude

Chief Technology Officer @ Nedscaper