Investigate behaviors with advanced hunting (Preview)
While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identify and investigate anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps uses a separate data type, called behaviors.
This article describes how to investigate Defender for Cloud Apps behaviors with Microsoft Defender XDR advanced hunting.
Behaviors are attached to MITRE ATT&CK categories and techniques, and provide a deeper understanding of an event than the raw event data does. Behavior data lies between raw event data and the alerts generated by an event.
While behaviors might be related to security scenarios, they're not necessarily a sign of malicious activity or a security incident. Each behavior is based on one or more raw events, and provides contextual insights into what occurred at a specific time, using information that Defender for Cloud Apps has learned or identified.
Behaviors currently support low-fidelity Defender for Cloud Apps detections that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:
Alert name | Policy name |
---|---|
Activity from infrequent country | Activity from infrequent country/region |
Impossible travel activity | Impossible travel |
Mass delete | Unusual file deletion activity (by user) |
Mass download | Unusual file download (by user) |
Mass share | Unusual file share activity (by user) |
Multiple delete VM activities | Multiple delete VM activities |
Multiple failed login attempts | Multiple failed sign-in attempts |
Multiple Power BI report sharing activities | Multiple Power BI report sharing activities |
Multiple VM creation activities | Multiple VM creation activities |
Suspicious administrative activity | Unusual administrative activity (by user) |
Suspicious impersonated activity | Unusual impersonated activity (by user) |
Suspicious OAuth app file download activities | Suspicious OAuth app file download activities |
Suspicious Power BI report sharing | Suspicious Power BI report sharing |
Unusual addition of credentials to an OAuth app | Unusual addition of credentials to an OAuth app |
To enhance the quality of alerts generated by Defender for Cloud Apps, and lower the number of false positives, Defender for Cloud Apps is currently transitioning security content from alerts to behaviors.
This process aims to remove policies from alerts that give low-quality detections, while still creating security scenarios that focus on out-of-the-box detections. In parallel, Defender for Cloud Apps sends behaviors to aid you in your investigations.
The transition process from alerts to behaviors includes the following phases:
(Complete) Defender for Cloud Apps sends behaviors in parallel to alerts.
(Currently in Preview) Policies that generate behaviors are now disabled by default, and don't send alerts.
Move to a cloud-managed detection model, removing customer-facing policies completely. This phase is planned to provide both custom detections and selected alerts generated by internal policies for high-fidelity, security-focused scenarios.
The transition to behaviors also includes enhancements for supported behavior types and adjustments for policy-generated alerts for optimal accuracy.
Note
The scheduling of the last phase is undetermined. Customers will be notified of any changes through notifications in the Message Center.
For more information, see our TechCommunity blog.
Access behaviors in the Microsoft Defender XDR Advanced hunting page, and use behaviors by querying behavior tables and creating custom detection rules that include behavior data.
The behaviors schema in the Advanced hunting page is similar to the alerts schema, and includes the following tables:
Table name | Description |
---|---|
BehaviorInfo | One record per behavior with its metadata, including behavior title, MITRE ATT&CK categories, and techniques. (Not available for GCC.) |
BehaviorEntities | Information on the entities that were part of the behavior. Can be multiple records per behavior. (Not available for GCC.) |
To get complete information on a behavior and its entities, use BehaviorId as the primary key for the join. For example:
BehaviorInfo
| where BehaviorId == "INSERT VALUE"
| join BehaviorEntities on BehaviorId
This section provides sample scenarios for using behavior data in the Microsoft Defender XDR Advanced hunting page, and relevant code samples.
Tip
Create custom detection rules for any detection that you want to continue appearing as an alert, if an alert is no longer generated by default.
Scenario: You want to be alerted when a mass download is done by a specific user or a list of users that are prone to be compromised or to internal risk.
To do so, create a custom detection rule based on the following query:
BehaviorEntities
| where ActionType == "MassDownload"
| where EntityType == "User" and AccountName in ("username1", "username2"… )
For more information, see Create and manage custom detection rules in Microsoft Defender XDR.
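The BehaviorId join shown earlier and the watchlist query above can be combined into a single hunting query that surfaces users on a watchlist who accumulate more than one kind of low-fidelity behavior on the same day. The following KQL is an added example and is not Microsoft's sample code; the watchlist names and the "two distinct behavior types per day" threshold are constructed placeholders, and the column names used are the ones this article already references.

```kql
// Constructed watchlist; replace with the accounts you consider high-risk.
let WatchedUsers = dynamic(["username1", "username2"]);
BehaviorInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Cloud App Security"
// Keep only behaviors where a watched user is one of the entities.
// Project the right side down to the join key and the user name so
// BehaviorInfo columns (Timestamp, AccountUpn) are not duplicated.
| join kind=inner (
    BehaviorEntities
    | where EntityType == "User" and AccountName in~ (WatchedUsers)
    | project BehaviorId, AccountName
) on BehaviorId
// Roll behaviors up per user per day. A single MassDownload is noise;
// several different behavior types for the same account in one day
// is what makes the context worth an analyst's time.
| summarize
    BehaviorCount = dcount(BehaviorId),
    DistinctTypes = dcount(ActionType),
    Types = make_set(ActionType),
    Techniques = make_set(AttackTechniques),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountName, Day = bin(Timestamp, 1d)
| where DistinctTypes >= 2    // constructed threshold; tune to your tenant
| order by LastSeen desc
```

Because a behavior can have several entity records, the count uses dcount(BehaviorId) rather than count() so that one behavior with multiple entities is not counted twice. Whether a query like this can be saved as a custom detection rule depends on the rule requirements described in the linked custom detection article.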
Scenario: You want to query the 100 most recent behaviors related to the MITRE ATT&CK technique Valid Accounts (T1078).
Use the following query:
BehaviorInfo
| where AttackTechniques has "Valid Accounts (T1078)"
| order by Timestamp desc
| take 100
Scenario: Investigate all behaviors related to a specific user after understanding the user may have been compromised.
Use the following query, where username is the name of the user you want to investigate:
BehaviorInfo
| where ServiceSource == "Microsoft Cloud App Security"
| where AccountUpn == "*username*"
| join BehaviorEntities on BehaviorId
| project Timestamp, BehaviorId, ActionType, Description, Categories, AttackTechniques, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain, Application
Scenario: Investigate all behaviors where one of the entities is a suspicious IP address.
Use the following query, where *suspicious IP* is the IP address you want to investigate:
BehaviorEntities
| where EntityType == "Ip"
| where RemoteIP == "*suspicious IP*"
| where ServiceSource == "Microsoft Cloud App Security"
| project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain
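The query above lists the behaviors that contain a given IP address. During an investigation the next question is usually which accounts share those behaviors, since BehaviorEntities can hold both an Ip entity and a User entity for the same BehaviorId. The following KQL pivots from the IP to the affected users; it is an added example rather than Microsoft's sample code, and the address 203.0.113.10 is a constructed placeholder from a documentation range.

```kql
// Constructed placeholder; replace with the address under investigation.
let SuspiciousIp = "203.0.113.10";
// Step 1: collect the BehaviorIds in which the IP appears as an entity.
let IpBehaviors =
    BehaviorEntities
    | where Timestamp > ago(30d)
    | where ServiceSource == "Microsoft Cloud App Security"
    | where EntityType == "Ip" and RemoteIP == SuspiciousIp
    | distinct BehaviorId;
// Step 2: pull the User entities from those same behaviors and attach
// the behavior metadata from BehaviorInfo via the BehaviorId key.
BehaviorEntities
| where BehaviorId in (IpBehaviors)
| where EntityType == "User"
| join kind=inner (
    BehaviorInfo
    | project BehaviorId, ActionType, AttackTechniques, Description
) on BehaviorId
// Step 3: one row per account, showing how many behaviors tie it to
// the IP and which behavior types and techniques were involved.
| summarize
    Behaviors = dcount(BehaviorId),
    Types = make_set(ActionType),
    Techniques = make_set(AttackTechniques),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountUpn, AccountObjectId
| order by Behaviors desc
```

Accounts at the top of the result are the ones most often seen alongside the address; the Types and Techniques sets show whether the overlap is a single impossible-travel style event or a cluster of different behaviors that warrants opening the user-centric query above for each account.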
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.