Managed detection and response

Applies to:

For managed detection and response instructions, check out this short video.

Through a combination of automation and human expertise, Microsoft Defender Experts for XDR triages Microsoft Defender XDR incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides actionable managed response to your security operations center (SOC) teams.

Incident updates

Once our experts start investigating an incident, the incident's Assigned to and Status fields are updated to Defender Experts and In progress, respectively.

When our experts conclude their investigation on an incident, the incident's Classification field is updated to one of the following, depending on the experts' findings:

  • True Positive
  • False Positive
  • Informational, Expected Activity

The Determination field corresponding to each classification is also updated to provide more insights on the findings that led our experts to determine the said classification.

Screenshot of Incidents page showing the Tags, Status, Assigned to, Classification, and Determination fields.

If an incident is classified as False Positive or Informational, Expected Activity, then the incident's Status field gets updated to Resolved. Our experts then conclude their work on this incident and the Assigned to field gets updated to Unassigned. Our experts might share updates from their investigation and their conclusion when resolving an incident. These updates are posted under Investigation Summary in the incident's Managed response flyout panel.

Otherwise, if an incident is classified as True Positive, our experts then identify the required response actions that need to be performed. The method in which the actions are performed depends on the permissions and access levels you have given the Defender Experts for XDR service. Learn more about granting permissions to our experts.

  • If you have granted Defender Experts for XDR the recommended Security Operator access permissions, our experts could perform the required response actions on the incident on your behalf. These actions, along with an Investigation summary, show up in the incident's Managed response flyout panel in your Microsoft Defender portal for you or your SOC team to review. All actions that are completed by Defender Experts for XDR appear under the Completed actions section. Any pending actions that require you or you SOC team to complete are listed under the Pending actions section. For more information, see the Actions section. Once our experts have taken all the necessary actions on the incident, its Status field is then updated to Resolved and the Assigned to field is updated to Customer.

  • If you have granted Defender Experts for XDR the default Security Reader access, then the required response actions, along with an Investigation summary, show up in the incident's Managed response flyout panel under the Pending actions section in your Microsoft Defender portal for you or your SOC team to perform. For more information, see the Actions section. To identify this handover, the incident's Status field is updated to Awaiting Customer Action and the Assigned to field is updated to Customer.

You can check the number of incidents that require your action in the Defender Experts banner at the top of the Microsoft Defender homepage.

Screenshot of the Defender Experts card in Microsoft Defender portal showing the number of incidents awaiting customer action.

You can view the incidents related to Defender Experts by filtering the incident queue in your Microsoft Defender portal using several filter sets. Learn more about adding incident queue filters

  • To view the incidents our experts are currently investigating, use the Incident assignment filter, select Assigned To Defender Experts.

  • To view the incidents our experts have investigated and handed over to your team to act on pending remediation actions, using the Incident assignment filter, choose Assigned To customer team.

    Screenshot of the Incidents queue filtered to only show those with the Assigned to Defender Experts tag.

  • To view the incidents our experts have investigated and handed over to your team to act on pending remediation actions, using the Status filter, choose Awaiting Customer Action.

    Screenshot of the Incidents queue in Microsoft Defender portal filtered to only show those with the Awaiting customer action tag.

  • To view the incidents our experts have completed their investigation on (and either directly resolved or assigned to your team for pending remediation actions), using the Tags filter, choose Defender Experts.

    Screenshot of the Incidents queue in Microsoft Defender portal filtered to only show the Defender Experts tag.

How to use managed response in Microsoft Defender XDR

In the Microsoft Defender portal, an incident that requires your attention using managed response has the Status field set to Awaiting Customer Action, the Assigned to field set to Customer and a task card on top of the Incidents pane. Your designated incident contacts also receives a corresponding email notification with a link to the Defender portal to view the incident. Learn more about notification contacts. You will also receive a Teams notification informing you about the updates. Learn more about setting up Teams

Select View managed response on the task card or on the top of the portal page (Managed response tab) to open a flyout panel where you can read our experts' investigation summary, complete pending actions identified by our experts, or engage with them through chat.

Investigation summary

The Investigation summary section provides you with more context about the incident analyzed by our experts to provide you with visibility about its severity and potential impact if not addressed immediately. It could include the device timeline, indicators of attack, and indicators of compromise (IOCs) observed, and other details.

Screenshot of managed response investigation summary.

Actions

The Actions tab displays task cards that contain response actions recommended by our experts.

Defender Experts for XDR currently supports the following one-click managed response actions:

Action Description
Isolate device Isolates a device, which helps prevent an attacker from controlling it and performing further activities such as data exfiltration and lateral movement. The isolated device will still be connected to Microsoft Defender for Endpoint.
Quarantine file Stops running processes, quarantines the files, and deletes persistent data such as registry keys.
Restrict app execution Restricts the execution of potentially malicious programs and locks down the device to prevent further attempts.
Release from isolation Undoes isolation of a device.
Remove app restriction Undoes release from isolation.
Disable user Disable an identity from accessing the network and different endpoints.

Apart from these one-click actions, you can also receive managed responses from our experts that you need to perform manually.

Note

Before performing any of the recommended managed response actions, make sure that they are not already being addressed by your automated investigation and response configurations. Learn more about automated investigation and response capabilities in Microsoft Defender XDR.

To view and perform the managed response actions:

  1. Select the arrow buttons in an action card to expand it and read more information about the required action.

    Screenshot of managed response action to isolate the device prod server.

  2. For cards with one-click response actions, select the required action. The Action status in the card changes to In progress, then to Failed or Completed, depending on the action's outcome.

    Screenshot of managed response action showing in-progress to isolate the device prod server.

Tip

You can also monitor the status of in-portal response actions in the Action center. If a response action fails, try doing it again from the View device details page or initiate a chat with Defender Experts.

  1. For cards with required actions that you need to perform manually, select I've completed this action once you've performed them, then select Yes, I've done it in the confirmation dialog box that appears.

    Screenshot of managed response action to confirm action completion.

  2. If you don't want to complete a required action right away, select Skip, then select Yes, skip this action in the confirmation dialog box that appears.

Important

If you notice that any of the buttons on the action cards are grayed out, it could indicate that you don't have the necessary permissions to perform the action. Make sure that you're signed into the Microsoft Defender XDR portal with the appropriate permissions. Most managed response actions require that you have at least the Security Operator access. If you still encounter this issue even with the appropriate permissions, navigate to View device details and complete the steps from there.

Get visibility to Defender Experts investigations in your SIEM or ITSM application

As Defender Experts for XDR investigate incidents and come up with remediation actions, you can have visibility to their work on incidents in your security information and event management (SIEM) and IT service management (ITSM) applications, including applications that are available out of the box.

Microsoft Sentinel

You can get incident visibility in Microsoft Sentinel by turning on its out-of-the-box Microsoft Defender XDR data connector. Learn more.

Once you have turned on the connector, updates by Defender Experts to the Status, Assigned to, Classification, and Determination fields in Microsoft Defender XDR will show up in the corresponding Status, Owner, and Reason for closing fields in Sentinel.

Note

The status of incidents investigated by Defender Experts in Microsoft Defender XDR typically transitions from Active to In progress to Awaiting Customer Action to Resolved, while in Sentinel, it follows the New to Active to Resolved path. The Microsoft Defender XDR Status Awaiting Customer Action doesn't have an equivalent field in Sentinel; instead, it's displayed as a tag in an incident in Sentinel.

The following section describes how an incident handled by our experts is updated in Sentinel as it progresses through the investigation journey:

  1. An incident being investigated by our experts has the Status listed as Active and the Owner listed as Defender Experts.

  2. An incident that our experts have confirmed as a True Positive has a managed response posted in Microsoft Defender XDR, and a Tag Awaiting Customer Action and the Owner is listed as Customer. You need to act on the incident based on using the provided managed response in the Defender portal.

  3. An incident that our experts have confirmed as a True Positive, with all remediation actions taken by Defender Experts, has the incident's Status updated to Resolved and the Owner is listed as Customer. You can review the actions completed on the incident using the provided managed response in the Defender portal.

  4. Once our experts have concluded their investigation and closed an incident as False Positive or Informational, Expected Activity, the incident's Status is updated to Resolved, the Owner is updated to Unassigned, and a Reason for closing is provided.

    Screenshot of Microsoft Sentinel incidents.

Other applications

You could obtain visibility into incidents in your SIEM or ITSM application by using the Microsoft Defender XDR API or connectors in Sentinel.

After configuring a connector, the updates by Defender Experts to an incident's Status, Assigned to, Classification, and Determination fields in Microsoft Defender XDR can be synchronized with the third-party SIEM or ITSM applications, depending on how the field mapping has been implemented. To illustrate, you can take a look at the connector available from Sentinel to ServiceNow.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.