Integration Workflows

Microsoft Defender for 365 into your security workflows and threat hunting practices can provide deep insights and improved protection across the Microsoft 365 environment. Here's how you can leverage its capabilities effectively in a threat hunting workflow:

1. Automated Investigation and Response (AIR)

  • Use case: You can automate common investigation steps such as analyzing email attachments or links that are suspected of being malicious.

  • Workflow: Once Defender for 365 detects a threat (e.g., a phishing email), it automatically starts an investigation, analyzing the email, sender, and any associated URLs or attachments. If the threat is confirmed, remediation steps such as blocking the sender or removing malicious attachments can be automated.

2. Threat Explorer and Real-Time Detection

  • Use case: Threat Explorer is your go-to dashboard for visualizing all the threats across your organization, from phishing attempts to malware attacks.

  • Workflow: When hunting for specific types of attacks (e.g., spear-phishing campaigns), you can use Threat Explorer to search for emails that contain certain suspicious patterns or keywords. You can filter by:

    • Message sender/recipient

    • Time received

    • IP addresses or geolocation of the sender

    • Attachments or links included in emails

  • This gives you visibility into ongoing or past attacks, making it easier to track attack vectors or targeted users.

3. Safe Attachments and Safe Links

  • Use case: During threat hunting, it’s essential to understand how malicious attachments or URLs are being distributed across your organization.

  • Workflow:

    • Safe Attachments scans email attachments in real-time before they are delivered. You can use this to review the analysis report of attachments to understand how they behave in the sandbox environment.

    • Safe Links rewrites all email links and scans them when clicked. You can analyze the logs of clicked links to identify which users may have been exposed to malicious sites.

    • You can also monitor user behavior and investigate incidents where users clicked on dangerous URLs but didn’t suffer any immediate effects. This helps you understand the threat landscape better.

4. Attack Simulation Training

  • Use case: Running phishing simulations or spear-phishing exercises helps in identifying potential gaps in user awareness and response to email-based threats.

  • Workflow:

    • You can use Attack Simulation Training to simulate phishing or credential-harvesting attacks, then analyze how well your users respond.

    • Gather data on how many users clicked on the link, provided credentials, or reported the email. This data allows you to tailor your incident response and user training based on real-world weaknesses.

5. Automated Remediation

  • Use case: After identifying compromised users or malware-infected devices, automated remediation can help contain and eliminate the threat.

  • Workflow:

    • Defender for 365 can be configured to automatically remove malicious emails from user inboxes once a threat is identified.

    • AIR features allow automatic isolation of affected mailboxes or users, which reduces the time to contain the threat.

    • You can review these automated actions, investigate further, and make adjustments to the automated responses based on new threat intelligence.

6. Alert and Incident Management

  • Use case: Alerts generated by Defender for 365 feed into the broader Microsoft 365 Defender ecosystem. You can correlate them with alerts from other tools, like Defender for Endpoint, for a complete picture.

  • Workflow:

    • Incidents in Defender for 365 provide a consolidated view of related alerts across Microsoft 365 services, helping to prioritize and manage complex security incidents.

    • For example, if multiple users receive a phishing email, you’ll receive a single incident instead of multiple alerts, allowing you to manage it as one security event.

    • You can review the incident, analyze the timeline, and determine how far the threat has spread.

7. Threat Intelligence Integration

  • Use case: Defender for 365 integrates with Microsoft Threat Intelligence to enhance your understanding of external threats.

  • Workflow:

    • You can leverage Threat Intelligence to gain insights into the sender’s reputation or track down known malicious IP addresses or domains.

    • Integrate external threat feeds or indicators of compromise (IoCs) with Defender for 365 to proactively hunt for indicators within your organization.

8. Hunting for Threat Actors Using KQL in Microsoft 365 Defender

  • Use case: Using Kusto Query Language (KQL), you can dive deeper into logs from Defender for 365 and perform custom threat-hunting queries.

  • Workflow:

    • For example, you can write KQL queries to search for users that received malicious attachments or suspicious links over a specific time period.

    • Example query to identify emails containing suspicious attachments:

      EmailEvents
| where MalwareDetectionName != "None"
| project RecipientEmail, SenderFromAddress, Subject, MalwareDetectionName, NetworkMessageId, DeliveryAction

    • Example query to track users that clicked on Safe Links that were identified as malicious:

      EmailEvents
| where UrlClickAction == "Blocked" 
| project RecipientEmail, SenderFromAddress, UrlClickAction, UrlThreatsType, ThreatDeli
PreviousKey FeaturesNextMicrosoft Cloud App Security

Last updated