Investigate behaviors with advanced hunting (Preview)
Note
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
While some of anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that may not necessarily indicate a compromise. For such detections, we created another data type called "behaviors", which is available in the Microsoft 365 Defender advanced hunting experience.
Definition of a behavior
A behavior represents an abstraction above the raw data level that offers a deeper understanding of events, and is attached to MITRE attack categories and techniques. This level of data lies between raw events and alerts, and may be related to security scenarios, but is not necessarily a sign of malicious activity or a security incident. It's based on one or more raw events and provides contextual insights into what occurred at a specific point in time, using what the service has learned or identified.
This new data layer in Microsoft 365 Defender has been created to provide insights into these behaviors. This simplifies the investigation experience by showing what happened in the environment in a more descriptive way that includes MITRE tactics and techniques. Such activities can be events that weren't reflected in advanced hunting.
Defender for Cloud Apps detections sent as behaviors
During the initial phase, behaviors will encompass low-fidelity detections from Microsoft Defender for Cloud Apps that may not meet the standard for alerts, however, they can still be useful in providing relevant context for an investigation.
The relevant detections are:
| Alert name | Policy name |
|---|---|
| Activity from infrequent country | Activity from infrequent country |
| Impossible travel activity | Impossible travel |
| Mass delete | Unusual file deletion activity (by user) |
| Mass download | Unusual file download (by user) |
| Mass share | Unusual file share activity (by user) |
| Multiple delete VM activities | Multiple delete VM activities |
| Multiple failed login attempts | Multiple failed login attempts |
| Multiple Power BI report sharing activities | Multiple Power BI report sharing activities |
| Multiple VM creation activities | Multiple VM creation activities |
| Suspicious administrative activity | Unusual administrative activity (by user) |
| Suspicious impersonated activity | Unusual impersonated activity (by user) |
| Suspicious OAuth app file download activities | Suspicious OAuth app file download activities |
| Suspicious Power BI report sharing | Suspicious Power BI report sharing |
| Unusual addition of credentials to an OAuth app | Unusual addition of credentials to an OAuth app |
Transition from alerts to behaviors
To enhance the quality of alerts generated by Microsoft Defender for Cloud Apps and lower the number of false positives, we're developing a newly improved threat protection experience. Our goal is to eliminate policies that give low-quality detections, while still creating security scenarios that focus on out-of-the-box detections. In parallel, we'll keep sending meaningful insights, such as behaviors, that can help with investigation scenarios.
We plan for the change to happen in these phases:
- Send behaviors in parallel to alerts. This is the current phase.
- Disable by default policies that generate behaviors, so they'll keep sending behaviors but stop sending alerts.
- Removing policies and move to a full cloud-managed detection model, supporting creation of custom detections in parallel to high-fidelity security-focused scenarios of alerts generated by our out-of-the-box policies.
The scheduling of these phases is currently undetermined, but you'll be informed of any changes through notifications in the Message Center. Additionally, we plan to add more behavior types and adjust policy-generated alerts for optimal accuracy.
Using behaviors in Microsoft 365 Defender advanced hunting
Behaviors are now available in Microsoft 365 Defender advanced hunting, and can be used by querying the behaviors tables, and by creating custom detection rules with them.
The behaviors schema in advanced hunting is similar to the alerts schema. The behaviors data is exposed in the following table:
| Table name | Description |
|---|---|
| BehaviorInfo | Record per behavior with its metadata, including behavior title, MITRE Attack categories, and techniques. |
| BehaviorEntities | Information on the entities that were part of the behavior. Can be multiple records per behavior. |
To get complete information on a behavior and its entities, use BehaviorId as the primary key for the join:
BehaviorInfo
| where BehaviorId == "INSERT VALUE"
| join BehaviorEntities on BehaviorId
Example scenario 1: You want to be alerted when a mass download is performed by a specific user or a list of users that are prone to be compromised or to internal risk. To do so, you can create the following query in Microsoft 365 Defender Advanced Hunting:
BehaviorEntities
| where ActionType == "MassDownload"
| where EntityType == “User” and AccountName in (“username1”, “username2”… )
And then you can create a custom detection rule based on the query. For more information on creating custom detection rules, see Create and manage custom detection rules in Microsoft 365 Defender.
Example scenario 2: You want to query 100 recent behaviors related to the MITRE attack technique Valid Accounts (T1078):
BehaviorInfo
| where AttackTechniques has "Valid Accounts (T1078)"
| order by Timestamp desc
| take 100
Example scenario 3: Investigate all behaviors related to a specific user after understanding the user may have been compromised:
BehaviorInfo
| where ServiceSource == "Microsoft Cloud App Security"
| where AccountUpn == "*username*"
| join BehaviorEntities on BehaviorId
| project Timestamp, BehaviorId, ActionType, Description, Categories, AttackTechniques, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain, Application
Example scenario 4: Investigate all behaviors where one of the entities is a suspicious IP address:
BehaviorEntities
| where EntityType == "Ip"
| where RemoteIP == "*suspicious IP*"
| where ServiceSource == "Microsoft Cloud App Security"
| project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain
If you wish for some of the previous detections to appear as alerts, you can create custom detection rules in advanced hunting to trigger alerts when specific behaviors occur with more control over the conditions per query. Have feedback to share? Please fill in the feedback form.
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket..
Feedback
Submit and view feedback for