Mastering Microsoft 365 Defender

Product type: Book
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803241708
Pages: 572 pages
Edition: 1st Edition
Authors (2): Ru Campbell, Viktor Hedberg

Table of Contents (33 Chapters)

Preface
1. Part 1: Cyber Threats and Microsoft 365 Defender
2. Chapter 1: Microsoft and Modern Cybersecurity Threats
3. Chapter 2: Microsoft 365 Defender: The Big Picture
4. Part 2: Microsoft Defender for Endpoint
5. Chapter 3: The Fundamentals of Microsoft Defender for Endpoint
6. Chapter 4: Onboarding Windows Clients and Servers
7. Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows
8. Chapter 6: Advanced Microsoft Defender Antivirus for Windows
9. Chapter 7: Managing Attack Surface Reduction for Windows
10. Chapter 8: Managing Additional Capabilities for Windows
11. Chapter 9: Onboarding and Managing macOS
12. Chapter 10: Onboarding and Managing Linux Servers
13. Chapter 11: Onboarding and Managing iOS and Android
14. Part 3: Microsoft Defender for Identity
15. Chapter 12: Deploying Microsoft Defender for Identity
16. Chapter 13: Managing Defender for Identity
17. Part 4: Microsoft Defender for Office 365
18. Chapter 14: Deploying Exchange Online Protection
19. Chapter 15: Deploying Defender for Office 365
20. Part 5: Microsoft Defender for Cloud Apps
21. Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps
22. Part 6: Proactive Security and Incident Response
23. Chapter 17: Maintaining Security Hygiene and Threat Awareness
24. Chapter 18: Extended Detection and Response with Microsoft 365 Defender
25. Chapter 19: Advanced Hunting with KQL
26. Chapter 20: Microsoft Sentinel Integration
27. Chapter 21: Understanding Microsoft 365 Defender APIs
28. Part 7: Glossary and Answers
29. Chapter 22: Glossary
30. Chapter 23: Answers
31. Index
32. Other Books You May Enjoy

Extended Detection and Response with Microsoft 365 Defender

In the previous chapter, the focus was on Microsoft Defender Vulnerability Management and Secure Score. This chapter will focus on eXtended detection and response (XDR) with Microsoft 365 Defender (M365D), what it is, and what separates it from other security tools such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM).

By following this chapter, you will gain knowledge on how to operate M365D as an XDR for use in real-world scenarios when your organization comes under attack from a malicious actor.

We will cover these main topics throughout the chapter:

  • Introducing XDR
  • How M365D works as an XDR
  • Understanding incident response and management
  • How M365D differs from a traditional SIEM solution

Introducing XDR

XDR is a collection of tools and technologies that work together to monitor and mitigate cybersecurity threats in an environment. Much like SIEM, it relies heavily on collecting data from multiple sources such as endpoints, servers, cloud workloads, and collaboration services. An EDR solution only monitors the endpoints onboarded to it, which leaves blind spots in comparison to an XDR. An XDR solution analyzes and correlates the collected data to provide visibility and context, helping you identify in a more granular way what happened, which devices and users were involved in the incident, and whether any other cases elsewhere in your environment match that correlation.

In short, an XDR is a security tool that helps you gain insight into your current environment and mitigate the threats found within it. Think of it as the next step in security, unifying all security services...

How M365D works as an XDR

M365D automatically collects, correlates, and analyzes alert and threat data from across your endpoints onboarded to MDE, your emails from MDO, your applications from MDA, and your identities from Azure Active Directory (AD) Identity Protection and MDI. M365D uses artificial intelligence (AI) and automation to help you stop attacks automatically and remediate affected entities into a compliant state once more.

Unlike the EDR part of M365D (Defender for Endpoint), which is a post-breach security service, the XDR service is a unified pre- and post-breach security service.

The following diagram illustrates an ongoing attack, starting with a phishing email arriving in an unsuspecting user’s mailbox. The user unknowingly opens the attachment, installing malware on the user’s endpoint, which is then used to move laterally within the environment, gaining higher privileges and ultimately exfiltrating data:

Figure 18.1 – The Defender services acting against an attack

Figure 18.1...

Understanding incident response and management

An incident in M365D is a collection of correlated alerts and data that together make up the story of an attack. As mentioned throughout this book, Microsoft 365 services and applications generate alerts when they detect suspicious or malicious activity. While individual alerts do provide valuable information on a completed or active attack, a modern attack often relies on using various techniques against different types of entities. The result is several alerts for several entities in your environment.

Piecing this information together manually to gain the necessary insights can be both time-consuming and challenging, which is why M365D aggregates the alerts and the associated information into an incident, as illustrated in the following diagram:

Figure 18.2 – The correlation of entities, associated information, and alerts with an incident

By grouping the alerts into an incident, it provides...
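As an added illustration (not code from the book, and not Microsoft's own correlation engine, whose logic is proprietary and far richer), the following Python models the core idea above: alerts that share an entity such as a user, device, mailbox or file hash are chained into one incident, even when they come from different Defender services. The alert titles, entity labels, severities and the MDO/MDE/MDI source tags are constructed sample data that follow the attack chain of Figure 18.1.

```python
"""Illustrative model of alert-to-incident correlation by shared entities.

Constructed example, not Microsoft's correlation logic: two alerts belong to
the same incident when they share an entity directly, or through a chain of
other alerts that do.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str          # service that raised it, e.g. "MDO", "MDE", "MDI"
    title: str
    severity: str
    entities: frozenset  # strings of the form "<type>:<value>"


@dataclass
class Incident:
    alert_ids: list = field(default_factory=list)
    entities: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    severity: str = "Informational"   # highest severity among its alerts


class _DisjointSet:
    """Union-find over alert indices; alerts sharing an entity end up in one set."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts):
    """Group alerts into incidents by transitive entity overlap.

    Returns a list of Incident objects, ordered by their first alert id.
    """
    dsu = _DisjointSet(len(alerts))
    first_seen = {}  # entity -> index of the first alert that referenced it
    for idx, alert in enumerate(alerts):
        for entity in alert.entities:
            if entity in first_seen:
                dsu.union(first_seen[entity], idx)
            else:
                first_seen[entity] = idx

    incidents = {}
    for idx, alert in enumerate(alerts):
        inc = incidents.setdefault(dsu.find(idx), Incident())
        inc.alert_ids.append(alert.alert_id)
        inc.entities |= alert.entities
        inc.sources.add(alert.source)
        if SEVERITY_RANK[alert.severity] > SEVERITY_RANK[inc.severity]:
            inc.severity = alert.severity
    return sorted(incidents.values(), key=lambda i: i.alert_ids[0])


# Constructed sample alerts following the chain in Figure 18.1:
# phishing mail -> malware on the endpoint -> lateral movement. A4 is unrelated.
SAMPLE_ALERTS = [
    Alert("A1", "MDO", "Malicious attachment delivered", "Medium",
          frozenset({"mailbox:alice@contoso.example", "file:sha256-attach01", "user:alice"})),
    Alert("A2", "MDE", "Malware executed from mail attachment", "High",
          frozenset({"device:WS01", "file:sha256-attach01", "user:alice"})),
    Alert("A3", "MDI", "Suspected lateral movement", "High",
          frozenset({"user:alice", "device:WS01", "device:DC01"})),
    Alert("A4", "MDE", "Suspicious PowerShell command line", "Low",
          frozenset({"device:WS09", "user:bob"})),
]

if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"Incident {n} [{inc.severity}] alerts={inc.alert_ids} "
              f"sources={sorted(inc.sources)} entities={len(inc.entities)}")
```

Running it yields two incidents: A1, A2 and A3 collapse into one High-severity incident spanning MDO, MDE and MDI (the shared attachment hash links the mail alert to the endpoint alert, and the shared user and device link the endpoint alert to the identity alert), while A4 stays on its own. The transitive chaining is the point: A1 and A3 share no entity directly, yet an analyst reading them as one incident sees the whole story rather than three disconnected alerts.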

Real-time response with device, file, and user actions

Earlier in this chapter, we explored responding to incidents. Let’s now explore, in more depth, some of the actions we can perform in the Microsoft 365 Defender portal. We can break these down into three response action types: device, file, and user.

Device response actions

To respond to investigations, incidents, and threats, an administrator can invoke the following types of response actions on an onboarded device from the Device page or from any reference to a device in the investigation and alert interfaces. Let’s check out the full list before exploring the key ones in more detail:

  • Run Antivirus Scan
  • Collect Investigation Package
  • Restrict App Execution
  • Initiate Automated Investigation
  • Initiate Live Response Session
  • Isolate Device

There are others that are a bit more intuitive and, therefore, we’ll skip over them (such as Exclude and Report device inaccuracy), and you...

How does M365D differ from a traditional SIEM or niche SOAR solution?

M365D differs from a traditional SIEM or a niche SOAR solution in several key ways.

First, M365D leverages a broad and integrated suite of Microsoft products, including MDE, MDO, and MDA, to provide end-to-end security coverage for organizations. This approach allows for a deeper and more comprehensive analysis of security events, as signals from different sources are correlated and analyzed together. In contrast, traditional SIEMs and niche SOAR solutions often rely on point products or limited integrations, which can result in blind spots and a lack of visibility.

Second, M365D’s built-in automated response capabilities allow for immediate and real-time action to be taken against threats. The automated attack disruption feature, for example, leverages AI models to counteract the complexities of advanced attacks and contain them in real time, limiting their impact on an organization’s assets...

Summary

This chapter has been all about the XDR capabilities of M365D. We covered key aspects of XDR with Microsoft 365, focusing on using XDR to detect and respond to threats. Additionally, the chapter provided insights into best practices for optimizing XDR performance. By following the instructions in this chapter, organizations can enhance their security posture by effectively leveraging XDR capabilities within the Microsoft 365 environment. I hope that you now know a lot more about how to operate the XDR parts of M365D than you did before.

In the next chapter, we will take a deep dive into how to perform advanced hunting queries with KQL, and as a bonus, we will look at how to construct some custom detections as well.

Questions

To make sure you understand the extended detection and response subjects covered in this chapter, why not test yourself with the following questions?

  1. Which of the following is a device response action? Choose all that apply:
    1. Isolate device
    2. Run an antivirus scan
    3. Delete the device
    4. Collect investigation package
  2. Which of the following describes how an XDR differs from a SIEM solution?
    1. XDR platforms integrate with SaaS platform logs, but SIEM solutions cannot
    2. XDR platforms do not have native response capabilities, but traditional SIEM solutions do
    3. An XDR can be offered as a managed service but a traditional SIEM solution cannot
    4. An XDR also adds the response capability, which a traditional SIEM solution doesn’t provide natively
  3. Which of the following is the last stage of incident response, and not one really covered by Microsoft 365 Defender?
    1. Forensics
    2. Automated actions
    3. Recovery