Start using Microsoft Defender Experts for Hunting
If you're new to Microsoft Defender XDR and Defender Experts for Hunting:
- Upon getting your welcome email, select Log into Microsoft 365 Defender.
- Sign in with your Microsoft account, or create one if you don't have one yet.
- The Microsoft Defender XDR quick tour familiarizes you with the security suite: where its capabilities are and why they matter. Select Take a quick tour.
- Read the short descriptions about what the Microsoft Defender Experts service is and the capabilities it provides. Select Next. You'll see the welcome page:
Receive Defender Experts Notifications
The Defender Experts Notifications service includes:
- Threat monitoring and analysis, reducing dwell time and the risk to your business
- Hunter-trained artificial intelligence to discover and target both known attacks and emerging threats
- Identification of the most pertinent risks, helping SOCs maximize their effectiveness
- Help in scoping compromises and as much context as can be quickly delivered to enable a swift SOC response
A sample Defender Experts Notification is shown in a screenshot at this point in the original page (image not reproduced here).
Where you'll find Defender Experts Notifications
You can receive Defender Experts Notifications from Defender Experts through the following mediums:
- The Microsoft Defender portal's Incidents page
- The Microsoft Defender portal's Alerts page
- OData alerting API and REST API
- DeviceAlertEvents table in Advanced hunting
- Your email if you configure an email notifications rule
Filter to view just the Defender Experts Notifications
You can filter your incidents and alerts if you want to only see the Defender Experts Notifications amongst the many alerts. To do so:
- On the navigation menu, go to Incidents & alerts > Incidents > select the Filter icon.
- Scroll down to the Tags field > select the Defender Experts check box.
- Select Apply.
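The portal filter above is the quickest way to see Defender Experts Notifications by eye. As an added example (this query is not part of the original page or of Microsoft's documentation), the same selection can be made in Advanced hunting against the DeviceAlertEvents table listed earlier, which is what you'd use to feed a SIEM rule or to confirm that a notification actually arrived. It assumes that notification titles carry the "Defender Experts:" prefix that the sample notification described on this page uses; if your tenant labels them differently, change the prefix in the second where clause.

```kusto
// Added example, not from the original page: list Defender Experts Notifications
// recorded in DeviceAlertEvents over a lookback window, one row per alert, with the
// devices it touched and whether it is the generated sample notification.
// Assumption: DEN titles begin with "Defender Experts:" (as the sample notification does).
let lookback = 30d;
let samplePrefix = "Defender Experts: Test Notification";
DeviceAlertEvents
| where Timestamp > ago(lookback)
| where Title startswith "Defender Experts:"
| extend IsSample = Title startswith samplePrefix
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Severity = take_any(Severity),
            Categories = make_set(Category),
            Devices = make_set(DeviceName),
            IsSample = take_any(IsSample)
    by AlertId, Title
| order by LastSeen desc
```

Run it from the Advanced hunting page in the Defender portal. When you turn it into a production SIEM or custom detection rule, add `| where not(IsSample)` so that a sample notification generated for testing doesn't page the on-call engineer, and keep a separate copy without that clause for validating the end-to-end path.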
Set up Defender Experts email notifications
You can set up Microsoft Defender XDR to notify you or your staff with an email about new incidents or updates to existing incidents, including those observed by Microsoft Defender Experts. Learn more about getting incident notifications by email
- In the Microsoft Defender XDR navigation pane, select Settings > Microsoft 365 Defender > Email notifications > Incidents.
- Update your existing email notification rules or create a new one. Learn more about creating a rule for email notifications.
- On the rule's Notification settings page, make sure to configure the following:
  - Source – Choose Microsoft Defender Experts under Microsoft 365 Defender and Microsoft Defender for Endpoint
  - Alert severity – Choose the alert severities that will trigger an incident notification. For example, if you only want to be informed about high-severity incidents, select High.
Generate sample Defender Experts Notifications
You can generate a sample Defender Experts Notification to start experiencing the Defender Experts for Hunting service without having to wait for an actual critical activity to happen in your environment. Generating a sample notification also lets you test the email notifications you might have previously configured in the Microsoft Defender XDR portal for this service, as well as test the configuration of playbooks (if configured for such notifications) and rules in your Security Information and Event Management (SIEM) environment.
A sample Defender Experts Notification shows up in your Incidents page with the title Defender Experts: Test Notification from Microsoft Defender Experts. The contents of the notification are placeholder text, while other elements, such as the attached alerts, are randomly generated from events already present in your tenant; the devices and users they reference aren't actually affected.
To generate a sample notification:
- In your Microsoft Defender XDR navigation pane, go to Settings > Defender Experts and then select Sample DEN.
- Select Generate a sample DEN. A green status message appears, confirming that your sample notification is ready for review.
- Under Recently generated Defender Experts Notifications, select a link from the list to view its corresponding generated sample notification. The most recent sample appears on the top of the list. Selecting a link redirects you to the Incidents page.
Collaborate with Experts on Demand
Experts on Demand is included in your Defender Experts for Hunting subscription with monthly allocations. However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the Premier Services Hub.
Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to:
- Gather additional information on alerts and incidents, including root causes and scope
- Gain clarity into suspicious devices, alerts, or incidents and take next steps if faced with an advanced attacker
- Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques
The option to Ask Defender Experts is available in several places throughout the portal:
- Device page actions menu
- Device inventory page flyout menu
- Alerts page flyout menu
- Incidents page actions menu
If you'd like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.
Sample questions you can ask Defender Experts
- We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. Can you tell us more about this alert and if it's related to any incident and how we can investigate it further?
- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference?
- We received an odd alert today about an abnormal number of failed logins from a high profile user's device. We can't find any further evidence for these attempts. How can Microsoft Defender XDR see these attempts? What type of logins are being monitored?
- Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"?
- I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert?
Possible device compromise
- Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity or incidents.
- Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago.
Threat intelligence details
- We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link?
- We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft Defender XDR provides against this threat actor?
- We recently observed a phishing campaign conducted against our organization. Can you tell us if this was targeted specifically to our company or vertical?
Microsoft Defender Experts for Hunting alert communications
- Can your incident response team help us address the Defender Experts Notification that we got?
- We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident?
- We received a Defender Experts Notification from Microsoft Defender Experts for Hunting. What data can you provide to us that we can pass on to our incident response team?
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.