Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to:
- Microsoft Defender Experts for XDR
- Microsoft Defender Experts for Servers
- Microsoft Defender Experts for Hunting
- Microsoft Defender Experts for Hunting - Servers
Some Microsoft Defender Experts customers (Microsoft Defender Experts for Hunting or Microsoft Defender Experts for XDR) might also use services from another managed security services provider (MSSP). This service combination often happens when a customer's security operations center (SOC) isn't fully staffed, or when the MSSP partner manages other security products and services on behalf of the customer.
This article shows how MSSP partners can work together with Microsoft Defender Experts on different areas. If you're an MSSP partner supporting a customer, contact the Security Delivery Expert (SDX) from Defender Experts for more information.
Work with Defender Experts for Hunting
The following table lists the scope of work and responsibilities the Defender Experts for Hunting and MSSP partners have in various scenarios:
| Area | Defender Experts | Customer SOC (in-house or MSSP) | Notes on access | Notes for MSSP partners |
|---|---|---|---|---|
| Onboarding | Onboarding isn't needed to start the Defender Experts service. | Onboarding isn't needed to start the Defender Experts service, but as optional step, MSSP partners can be added as notification contacts. | For continuous access to Defender Experts features in the Microsoft Defender portal or Microsoft Graph API:
|
Partners can access Defender Experts features in the Defender portal or Graph API through granular delegated admin privileges (GDAP). Only the customer user can add notification contacts. |
| Hunting | Conduct proactive and reactive hunts, and post these hunts in the Reports section of the Defender portal. These hunts surface true positive, false positive, and benign positive threats. Defender Experts add the true positive threats they found in the Defender portal incident queue. | Review and respond to hunting-generated true positive incidents as needed. | Defender portal: True positive incidents generated by Defender Experts hunting show up in the incident queue with the Microsoft Defender Experts tag in the Detection source field. Additional information about the threat can also be found in the Executive summary, Recommended actions and Advanced hunting queries fields.Graph API: True positive incidents generated by Defender Experts hunting show up in the incident queue with the microsoftThreatExperts tag in the Detection source field. Additional information about the threat can also be found in the description, recommendedActions, and recommendedHuntingQueries fields. |
Partners can review and respond in the Defender portal or Graph API through GDAP. |
| Co-hunting | Conduct reactive hunts based on hunting inquiries sent by customers or partners through Ask Defender Experts |
|
This scenario is available in the Defender portal only. | Partners can submit inquiries and respond to follow-up on behalf of customer in Defender portal through GDAP. |
| Reporting | Post monthly reports on managed threat hunting done by Defender Experts | Review the report. | This scenario is available in the Defender portal only. | Partners can review the Defender Experts report in the Defender portal through GDAP. They can create custom reports as needed. |
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Work with Defender Experts for XDR
The following table lists the scope of work and responsibilities the Defender Experts for XDR and MSSP partners have in various scenarios:
| Area | Defender Experts | Customer SOC (in-house or MSSP) | Notes on access | Notes for MSSP partners |
|---|---|---|---|---|
| Onboarding | Kick off onboarding meeting |
|
For continuous access to Defender Experts features in the Microsoft Defender portal or Microsoft Graph API:
|
Partners can access Defender Experts features in the Defender portal or Graph API through GDAP. Only the customer user can perform the other onboarding steps. |
| Hunting | Conduct proactive and reactive hunts, and post these hunts in the Reports section of the Defender portal. These hunts surface true positive, false positive, and benign positive threats. Defender Experts add the true positive threats they found in the Defender portal incident queue. | Review and respond to hunting-generated true positive incidents as needed. | Defender portal: True positive incidents generated by Defender Experts hunting show up in the incident queue with the Microsoft Defender Experts tag in the Detection source field. Additional information about the threat can also be found in the Executive summary, Recommended actions and Advanced hunting queries fields.Graph API: True positive incidents generated by Defender Experts hunting show up in the incident queue with the microsoftThreatExperts tag in the Detection source field. Additional information about the threat can also be found in the description, recommendedActions, and recommendedHuntingQueries fields. |
Partners can review and respond in the Defender portal or Graph API through GDAP. |
| Co-hunting | Conduct reactive hunts based on hunting inquiries sent by customers or partners through Ask Defender Experts |
|
This scenario is available in the Defender portal only. | Partners can submit inquiries and respond to follow-up on behalf of customer in Defender portal through GDAP. |
| Incident triage | Assign in-scope incidents in Defender queue to Defender Experts. | (no action) | In-scope incidents appear in the Defender portal and Graph API with the Defender Experts tag in the Assigned to field. |
Partners can assign to themselves incidents that aren't in-scope for Defender Experts by checking the Assigned to field in the Defender portal or in Graph API through GDAP. |
| Incident investigation |
|
|
Defender portal: When Defender Experts start their investigation on an incident, its Status field is updated to In Progress. Additional information about the investigation can be found in the Investigation summary on the Managed response flyout panel.Graph API: When Defender Experts start their investigation on an incident, its Status field is updated to In Progress. Additional information about the investigation can be found in the the description field. |
Partners can investigate incidents that aren't in-scope for Defender Experts by checking the Assigned to field in the Defender portal or in Graph API through GDAP. |
| Incident remediation | If given the Security operator role: Respond with remediation actions. If given Security reader role, for excluded devices and users, and for remediation actions that can't be taken through API: Post remediation actions for the customer SOC in the Managed response details of an incident in the Defender portal. |
Act on and resolve incidents awaiting remediation actions. | Defender portal: Incidents awaiting remediation actions have their Status fields updated to Awaiting Customer Action. Additional information about the remediation actions can be found in the Actions section in the Managed response flyout panel.Graph API: Incidents awaiting remediation actions have their Status fields updated to Awaiting Customer Action. Additional information about the remediation actions can be found in the incidentTasks field. |
Partners can act on incidents awaiting remediation actions on behalf of customer in the Defender portal or in Graph API through GDAP. |
| Incident chat | Respond to customer or partner questions, if any, about the remediation actions. | Post questions to Defender Experts, if any, on the remediation actions through chat in the Managed response flyout panel. | This scenario is available in the Defender portal only. However, notifications and messages are synced to the Defender Experts Teams channel. | Partners can participate in the chat in the Defender portal through GDAP. |
| Teams chat |
|
|
Users outside the customer tenant can get added into the Teams channel as Entra ID B2B Guest. | Partners can be added to Teams channel to receive notifications and chat if they have an Entra ID B2B account in the customer tenant. |
| Email notifications | Send automated notifications on incidents awaiting remediation action and on chat or inquiry replies. | Add additional email contacts if any. | User outside customer tenant can get added as email contacts. | Partners contacts can be added for email notifications. |
| Reporting | Post monthly reports on managed threat hunting done by Defender Experts | Review the report. | This scenario is available in the Defender portal only. | Partners can review the Defender Experts report in the Defender portal through GDAP. They can create custom reports as needed. |
| Service review | Conduct monthly service reviews. | Attend monthly service review meetings. Provide feedback and feature requests if any. | Online meeting | Partners aren't included in this meeting. |