Investigate behaviors with advanced hunting (Preview)


Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

While some of anomaly detections focus primarily on detecting problematic security scenarios, others can help identifying and investigating anomalous user behavior that may not necessarily indicate a compromise. For such detections, we created another data type called "behaviors", which is available in the Microsoft 365 Defender advanced hunting experience.

Definition of a behavior

A behavior represents an abstraction above the raw data level that offers a deeper understanding of events, and is attached to MITRE attack categories and techniques. This level of data lies between raw events and alerts, and may be related to security scenarios, but is not necessarily a sign of malicious activity or a security incident. It's based on one or more raw events and provides contextual insights into what occurred at a specific point in time, using what the service has learned or identified.

This new data layer in Microsoft 365 Defender has been created to provide insights into these behaviors. This simplifies the investigation experience by showing what happened in the environment in a more descriptive way that includes MITRE tactics and techniques. Such activities can be events that weren't reflected in advanced hunting.

Defender for Cloud Apps detections sent as behaviors

During the initial phase, behaviors will encompass low-fidelity detections from Microsoft Defender for Cloud Apps that may not meet the standard for alerts, however, they can still be useful in providing relevant context for an investigation.

The relevant detections are:

Alert name Policy name
Activity from infrequent country Activity from infrequent country 
Impossible travel activity Impossible travel
Mass delete Unusual file deletion activity (by user)
Mass download Unusual file download (by user)
Mass share Unusual file share activity (by user)
Multiple delete VM activities Multiple delete VM activities
Multiple failed login attempts Multiple failed login attempts
Multiple Power BI report sharing activities Multiple Power BI report sharing activities
Multiple VM creation activities Multiple VM creation activities
Suspicious administrative activity Unusual administrative activity (by user)
Suspicious impersonated activity Unusual impersonated activity (by user)
Suspicious OAuth app file download activities Suspicious OAuth app file download activities
Suspicious Power BI report sharing Suspicious Power BI report sharing 
Unusual addition of credentials to an OAuth app Unusual addition of credentials to an OAuth app

Transition from alerts to behaviors

To enhance the quality of alerts generated by Microsoft Defender for Cloud Apps and lower the number of false positives, we're developing a newly improved threat protection experience. Our goal is to eliminate policies that give low-quality detections, while still creating security scenarios that focus on out-of-the-box detections. In parallel, we'll keep sending meaningful insights, such as behaviors, that can help with investigation scenarios.

We plan for the change to happen in these phases:

  1. Send behaviors in parallel to alerts. This is the current phase.
  2. Disable by default policies that generate behaviors, so they'll keep sending behaviors but stop sending alerts.
  3. Removing policies and move to a full cloud-managed detection model, supporting creation of custom detections in parallel to high-fidelity security-focused scenarios of alerts generated by our out-of-the-box policies.

The scheduling of these phases is currently undetermined, but you'll be informed of any changes through notifications in the Message Center. Additionally, we plan to add more behavior types and adjust policy-generated alerts for optimal accuracy.

Using behaviors in Microsoft 365 Defender advanced hunting

Behaviors are now available in Microsoft 365 Defender advanced hunting, and can be used by querying the behaviors tables, and by creating custom detection rules with them.

The behaviors schema in advanced hunting is similar to the alerts schema. The behaviors data is exposed in the following table:

Table name Description
BehaviorInfo Record per behavior with its metadata, including behavior title, MITRE Attack categories, and techniques.
BehaviorEntities Information on the entities that were part of the behavior. Can be multiple records per behavior.

To get complete information on a behavior and its entities, use BehaviorId as the primary key for the join:

| where BehaviorId == "INSERT VALUE"
| join BehaviorEntities on BehaviorId

Example scenario 1: You want to be alerted when a mass download is performed by a specific user or a list of users that are prone to be compromised or to internal risk. To do so, you can create the following query in Microsoft 365 Defender Advanced Hunting:

| where ActionType == "MassDownload" 
| where EntityType == “User” and AccountName in (“username1”, “username2”…  ) 

And then you can create a custom detection rule based on the query. For more information on creating custom detection rules, see Create and manage custom detection rules in Microsoft 365 Defender.

Example scenario 2: You want to query 100 recent behaviors related to the MITRE attack technique Valid Accounts (T1078):

| where AttackTechniques has "Valid Accounts (T1078)"
| order by Timestamp desc 
| take 100

Example scenario 3: Investigate all behaviors related to a specific user after understanding the user may have been compromised:

| where ServiceSource == "Microsoft Cloud App Security"
| where AccountUpn == "*username*"
| join BehaviorEntities on BehaviorId
| project Timestamp, BehaviorId, ActionType, Description, Categories, AttackTechniques, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain, Application

Example scenario 4: Investigate all behaviors where one of the entities is a suspicious IP address:

| where EntityType == "Ip"
| where RemoteIP == "*suspicious IP*"
| where ServiceSource == "Microsoft Cloud App Security"
| project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain

If you wish for some of the previous detections to appear as alerts, you can create custom detection rules in advanced hunting to trigger alerts when specific behaviors occur with more control over the conditions per query. Have feedback to share? Please fill in the feedback form.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket..