แก้ไข

แชร์ผ่าน


Understanding and managing Defender Experts for XDR incident updates

Applies to:

The following section lists down questions your SOC team might have regarding the receipt of incident notifications.

In Microsoft Defender portal and Graph Security API

Questions Answers
How do I know whether a Defender Experts analyst has started working on an incident? When a Defender Experts analyst starts working on an incident, the incident's Assigned to field is updated to Defender Experts.
How do I know whether a Defender Experts analyst has resolved an incident? When a Defender Experts analyst has resolved an incident, the incident's Status field is updated to Resolved.
How do I know what conclusion led a Defender Experts analyst to resolve an incident? When Defender Experts analysts resolve an incident, they modify the incident's Classification and Determination fields and provide a concise summary in its Comments section.

If an incident is classified as a True Positive, a comprehensive Investigation summary appears in the Managed response flyout panel in your Microsoft Defender portal.
How do I know what actions a Defender Experts analyst took in my tenant when investigating an incident? For each incident they investigate, the Defender Experts analyst summarizes any actions they performed within your tenant in the incident's Investigation summary located in the Managed response flyout panel in your Microsoft Defender portal.

You can also retrieve information about these actions, and the times they signed into your tenant, by searching your audit logs either on the Microsoft Purview compliance portal or through the Office 365 Management Activity API.
How do I know whether a Defender Experts analyst has sent any response actions for my SOC team? The Defender Experts analyst publishes the response actions they recommend your SOC team to perform on an incident in an incident's Managed response flyout panel in your Microsoft Defender portal.

At this time, the incident's Assigned to field is updated to Customer and its Status is updated to Awaiting Customer Action.

Your incident contacts, which you have designated in Settings > Defender Experts > Notification contacts in your Microsoft Defender portal, also receive a corresponding email notification if there are response actions requiring your attention.You will also receive a Teams notifications if you have set it up in Settings > Defender Experts > Teams in your Microsoft Defender portal.
How do I ask a Defender Experts analyst questions about an investigation or response action? After a Defender Experts analyst publishes their investigation summary and recommended response actions in the Managed response flyout panel of a True Positive incident, you can use the Chat tab in the same panel to ask the Defender Experts team questions about the incident and their investigation.

Alternatively, your designated incident contacts can directly respond to the Teams or email notification they received from Defender Experts to ask any questions you might have.
How do I know which incidents have pending response actions? The Defender Experts card in your Microsoft Defender portal home page includes a link that displays a message (for example, 3 incidents awaiting your action). Selecting this link directs you to a filtered list of incidents specifically requiring your attention.

You can filter the incident queue in your Microsoft Defender portal by selecting Assigned to as Customer or Status as Awaiting Customer Action.

In Microsoft Sentinel

Questions Answers
How do I get Defender Experts updates in Sentinel? If you have enabled the data connector between Microsoft Defender XDR and Microsoft Sentinel, updates made by Defender Experts in Defender to incidents are synchronized with Microsoft Sentinel. Learn more.

The Assigned to, Status, and Classification fields in Microsoft Defender XDR incidents are mapped to the corresponding fields in Sentinel, namely Owner, Status, and Reason for closing.
How do I get Defender Experts updates in Sentinel to automatically trigger a playbook? To get Defender Experts updates, first, set up automation rules in Sentinel that are triggered with the following Defender Experts updates:
  • When the Owner field in Microsoft Sentinel is updated to Defender Experts or Customer.
  • When the Status field in Microsoft Sentinel is updated to Active or Closed, which corresponds to Microsoft Defender XDR Status Active and In Progress respectively.
  • When Sentinel Tag Awaiting Customer Action gets added, which corresponds to Microsoft Defender XDR Status Awaiting Customer Action.
Next, set up playbooks in Microsoft Sentinel to automatically sync incident updates or send incident notifications into other apps.
  • Send email, or Teams message, or Slack message to your SOC team when a Defender Experts analyst is assigned to an incident.
  • Send SMS or phone call via Azure Communications Services or Twilio connector to your SOC lead when Defender Experts publishes response action for your team.
  • Create a task or ticket in apps such as Azure DevOps, ServiceNow, Jira, ZenDesk, FreshService, PagerDuty, etc. for your IT Ops team.
How can I access managed response actions published by Defender Experts from Sentinel? Once Defender Experts publish managed response actions for an incident in your Microsoft Defender portal, the Owner field is updated to Customer automatically, and the tag Awaiting Customer Action is available in Sentinel. You can use these field changes as a trigger to review the managed response panel for the corresponding incident in the Microsoft Defender portal.

In third-party SIEM, SOAR, or ITSM apps

Questions Answers
How do I get Defender Experts updates from Microsoft Defender XDR to sync into third-party security information and event management (SIEM), security orchestration, automation and response (SOAR), or IT service management (ITSM) apps? You can get Defender Experts updates from Microsoft Defender XDR through the Graph Security API (microsoft.graph.security.incident).

To initiate the synchronization process:
  1. Establish the mapping between fields in Microsoft Defender XDR and the corresponding fields in the desired application. Determine whether the sync should be uni- or bi-directional and ensure that the other application supports that.
  2. Develop, test, and deploy your sync integration. In most cases, it's recommended to periodically poll the Graph Security API every minute or so to check for updates.
  3. Periodically validate that the field mapping is up to date.
Can I sync managed response actions published by Defender Experts in Microsoft Defender portal to third-party SIEM, SOAR, or ITSM apps? Once Defender Experts publish managed response actions for an incident in your Microsoft Defender portal, the Assigned to field is changed to Customer and the Status field is updated to Awaiting Customer Action. You can sync these fields via the Graph Security API and then use these changes as a trigger to review the managed response actions in the Microsoft Defender portal.

Managed response actions are expected to be available in the Graph Security API later this year, at which time it will be possible to sync them with your third-party apps.

In other communication services

Questions Answers
Can I get Defender Experts updates from Microsoft Defender XDR in email? Once a Defender Experts analyst publishes recommended response actions to an incident, your designated incident contacts will receive a corresponding email notification to the email addresses specified in Settings > Defender Experts > Notification contacts in your Microsoft Defender portal.

Additionally, you can configure a Logic App to send all incident updates to your designated email address(es) automatically.
Can I get Defender Experts updates from Microsoft Defender XDR in Microsoft Teams? A two-way chat functionality is accessible through an incident's Managed response flyout panel in your Microsoft Defender portal.

Additionally, you get notifications when a Managed response is posted and can engage in real-time chat conversations with Defender Experts directly within Microsoft Teams. Learn more about setting up Teams
Can I get Defender Experts updates from Microsoft Defender XDR as SMS or phone call updates, or in third-party communications services such as Slack? You can configure a Logic App to do this to send notifications from communication services such as Slack, Twilio, Azure Communication Services, etc.

See also

Managed detection and response

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.