Microsoft Defender XDR Blog

Transform the way you investigate by using Behaviors & new detections in XDR, starting w/SaaS apps

assafyatziv (Microsoft)
May 23, 2023

Security teams have traditionally conducted investigations using two layers of data, raw activities and alerts, which previously gave them the insight they needed to respond to an alert effectively. However, as attacks become more advanced and span multiple vectors, Security Operations Centers (SOCs) are overloaded with signals, resulting in alert fatigue. We are thrilled to introduce a brand-new data type in Microsoft 365 Defender, called Behaviors, that will transform how you investigate alerts across all your workloads, starting with SaaS apps. In combination with Behaviors, we're continuing to build on our SaaS security offering, Defender for Cloud Apps, which goes beyond the built-in CASB detections and focuses on real scenarios seen in the wild.


What are Behaviors?

Behaviors are a new data layer available in Microsoft 365 Defender. They represent an abstraction above the raw data level and offer a deeper understanding of events. Like alerts, they are mapped to MITRE ATT&CK categories and techniques. Security teams can consume them by creating queries or custom detections using the Behaviors tables in advanced hunting.


Organizations will benefit from Behaviors in the following ways:

  1. Focus on scenario-based alerts, such as “Suspicious inbox manipulation rule”, which detects specific patterns of inbox rules created by adversaries.
  2. Use anomaly detection data that on its own has no security ramifications as part of your investigation and custom detections.
  3. Enrich the context of related incidents: anomalies are correlated to existing incidents when they are relevant, for example when an impossible travel behavior is detected before a “Risky user created global admin” XDR detection.

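The third point above describes a sequence: an impossible travel behavior followed by a “Risky user created global admin” alert on the same account. The advanced hunting query below is an added example written for this post, not a query from the original article or from Microsoft; it joins the BehaviorInfo table with AlertInfo and AlertEvidence to surface that sequence. The ActionType text used to select the behavior, the 30-day lookback and the 24-hour window are assumptions; confirm the exact ActionType value in your tenant with `BehaviorInfo | distinct ActionType` before relying on it.

```kql
// Added hunting example (not from the original post): list accounts where an
// 'impossible travel' behavior was recorded shortly before a
// "Risky user created global admin" alert fired.
// Assumptions: the ActionType filter and the time windows are illustrative.
let lookback = 30d;
let window = 24h;
let travelBehaviors =
    BehaviorInfo
    | where Timestamp > ago(lookback)
    | where ActionType has "travel"                 // assumed ActionType text; verify with distinct ActionType
    | where isnotempty(AccountObjectId)
    | project BehaviorTime = Timestamp, BehaviorId, BehaviorDescription = Description,
              AttackTechniques, AccountObjectId, AccountUpn;
let adminAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Title == "Risky user created global admin"   // alert name as given in the post
    | join kind=inner (
        AlertEvidence
        | where EntityType == "User"
        | where isnotempty(AccountObjectId)
        | project AlertId, AccountObjectId
      ) on AlertId
    | project AlertTime = Timestamp, AlertId, Title, Severity, AccountObjectId;
travelBehaviors
| join kind=inner adminAlerts on AccountObjectId
// keep only alerts that fired inside the window after the behavior
| where AlertTime between (BehaviorTime .. (BehaviorTime + window))
| project AccountUpn, AccountObjectId, BehaviorTime, BehaviorDescription, AttackTechniques,
          AlertTime, AlertId, Title, Severity,
          MinutesBetween = datetime_diff('minute', AlertTime, BehaviorTime)
| order by AlertTime desc
```

Run it in the advanced hunting page of Microsoft 365 Defender. Because the join is on AccountObjectId rather than UPN, it still matches when the UPN was renamed between the behavior and the alert, which is a common step in account takeover cases.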

Within Defender for Cloud Apps, we have identified some detections that are better suited as Behaviors; the table below shows where you will see them used to detect malicious activities in various scenarios.


Detection: Impossible travel
Scenario: The Impossible travel alert will be triggered based on the ‘Impossible travel’ behavior correlated with other risky indicators, such as AAD IP signals, highly suspicious patterns of activity and anomalies in the user’s behavior.

Detection: Infrequent country activity
Scenario: The Infrequent country activity alert will be triggered based on the ‘Infrequent country’ behavior correlated with other risky indicators, such as AAD IP signals, highly suspicious patterns of activity and anomalies in the user’s behavior.

Detection: Multiple Failed Logins
Scenario: The Multiple Failed Logins alert will be triggered based on the ‘Multiple Failed Logins’ behavior and will focus only on successful attempts that are followed by a highly suspicious pattern of failed attempts, correlated with anomalies in the user’s behavior.

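The table above says these alerts fire only when a behavior lines up with independent risky indicators such as Azure AD sign-in risk or a suspicious run of failed attempts. The query below is an added example, not the product's own correlation logic and not from the original post: for each account with one of the three behaviors it pulls the surrounding sign-ins from AADSignInEventsBeta and keeps only behaviors that coincide with a risky successful sign-in or a burst of failures. The ActionType names, the 12-hour window and the failure threshold of 10 are assumptions to adjust for your tenant; check the real ActionType values with `BehaviorInfo | distinct ActionType`.

```kql
// Added hunting example (not the product's detection logic): enrich the three
// behaviors from the table with Azure AD sign-in signals for the same account.
// Assumptions: ActionType names, window and thresholds are illustrative.
let lookback = 14d;
let window = 12h;
let behaviors =
    BehaviorInfo
    | where Timestamp > ago(lookback)
    | where ActionType has_any ("Impossible travel", "Infrequent country", "Multiple failed logins")  // assumed names
    | where isnotempty(AccountObjectId)
    | project BehaviorTime = Timestamp, BehaviorId, ActionType, AccountObjectId, AccountUpn;
let signins =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountObjectId)
    // ErrorCode 0 is a successful sign-in; RiskLevelDuringSignIn is 0 when Identity Protection saw no risk
    | project SignInTime = Timestamp, AccountObjectId, IPAddress, Country, ErrorCode, RiskLevelDuringSignIn;
behaviors
| join kind=inner signins on AccountObjectId
| where SignInTime between ((BehaviorTime - window) .. (BehaviorTime + window))
| summarize
    SignIns = count(),
    FailedSignIns = countif(ErrorCode != 0),
    RiskySuccessfulSignIns = countif(ErrorCode == 0 and RiskLevelDuringSignIn > 0),
    Countries = make_set(Country),
    SourceIPs = make_set(IPAddress)
    by AccountUpn, AccountObjectId, BehaviorId, ActionType, BehaviorTime
// a behavior on its own is only an anomaly; require at least one independent risky indicator
| where RiskySuccessfulSignIns > 0 or FailedSignIns >= 10
| order by BehaviorTime desc
```

The final `where` is the point of the example: the behavior rows that fall out of it are the anomalies without security ramifications mentioned earlier, while the rows that survive are the ones worth an analyst's time. If you save the query as a custom detection, keep the columns the custom detection rule requires for impacted entities (AccountObjectId or AccountUpn) in the output.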

New SaaS app out-of-the-box detections

In addition to Behaviors, we’ve added detections that cover new attack patterns threatening cloud app assets, such as token theft detections for Slack, Okta, AWS and Google Workspace, email service abuse and cryptocurrency mining.


These detections have already stopped attacks in their tracks:

  1. Cryptocurrency mining: an Azure AD Global Admin account was compromised and used to cause massive financial loss to the organization. During this incident, the actor created a new account and granted it ‘Global Admin’ permissions. This account could later be used by the actor as a ‘backdoor’ account; the actor then enabled the ‘Elevate Access’ option to gain permissions over Azure and deployed a large number of computing resources for profit. Both the “Risky user created global admin” and “Access elevation by risky user” alerts disrupted the attack and avoided financial loss.
  2. Email service abuse: another financially motivated campaign that used compromised Global Admin accounts without MFA, resulting in the creation of a malicious OAuth app. The actor’s sign-in was tagged as high risk, which triggered the “Azure AD app registration by risky user” alert, which was used to recognize the malicious activity and disrupt the actor’s activity.


New detections that combine Azure AD Identity Protection & SaaS app data

Organizations using Azure AD Identity Protection and Defender for Cloud Apps are now protected with a set of risk-based detections. The new detections are based on real attack techniques used by nation-state threat actors, financially motivated attackers, and other types of cybercriminals. They use the risk score signal in combination with events audited from multiple different data sources to trigger meaningful alerts and detect known attack patterns in the environment, like cloud resource hijacking, cryptocurrency mining, and email service abuse.


You will see them appear in the Microsoft 365 Defender alerts queue:


Detection: Suspicious Azure activities related to possible cryptocurrency mining
Scenario: Detect potential crypto-mining activities performed in one or more of the tenant’s subscriptions.

Detection: New external user account created by risky user
Scenario: Detect when a risky user invited a new external account to the tenant.

Detection: Azure AD app registration by risky user
Scenario: Detect a potentially malicious application set up and admin-consented by a risky user (usually to maintain persistence in that context).

Detection: Risky user created global admin
Scenario: Detect a potentially malicious global admin backdoor account that was set up by the attacker.

Detection: Access elevation by risky user
Scenario: Detect a potentially compromised global admin that escalates privileges to manage Azure resources.

Detection: Risky user added permissions over other mailboxes
Scenario: Detect when a potentially compromised privileged Exchange account adds powerful permissions over other mailboxes in the organization.

Detection: Suspicious role assignment by a risky user
Scenario: Detect when a potentially compromised user performed a role assignment with suspicious characteristics.

Detection: Unusual activities by AAD Connect sync account
Scenario: Detect unusual activities by the AAD Connect sync account. This might indicate the account is compromised and used for malicious activities.


Native integration with Microsoft 365 Defender provides a comprehensive investigation experience across all your security workloads. By shifting from built-in anomalies to real-world scenario-based detections, you’ll find relief in knowing that your SOC is fully equipped to protect against even the most advanced attacks.


Resources

Investigate behaviors with advanced hunting (Preview)

BehaviorEntities table in advanced hunting

BehaviorInfo table in advanced hunting

Microsoft shifts to a comprehensive SaaS security solution - Microsoft Security Blog


Have feedback? We’d love to know! Please fill in this Form.

Updated Oct 29, 2024
Version 5.0

8 Comments

  • Hi Mike_Watson,

    There is further logic in Microsoft 365 Defender that is based on behaviors, for example "impossible travel", and creates alerts out of them when they correlate with other signals that together indicate an attack with higher confidence. We always want to learn and improve, and in case those didn't trigger in a case of a true attack, I encourage you to open a support ticket to report a false negative, with further details that will enable us to tune the correlations better to also cover such cases.

    To learn more on how to create custom detections based on behaviors, you can see the documentation here: Investigate behaviors with advanced hunting - Microsoft Defender for Cloud Apps | Microsoft Learn

    The change was made in May 2023, and was announced via banners in the portal (both the legacy Defender for Cloud Apps portal and security.microsoft.com), and via the Microsoft 365 Message Center: https://admin.microsoft.com/AdminPortal/Home#/messagecenter

    There you can sign up for email notifications according to your preferences.

  • Mike_Watson (Copper Contributor)

    How does one get alerted to these changes? I have been dealing with a compromised account for the last week, which I would have noticed from the old Impossible Travel alert. Turning this off for your customers in favor of a system that does not provide alerting is a terrible decision. I understand you want to make continuous product improvements, but you cannot look at deprecating a key feature. Most organizations do not have a team dedicated to hunting; instead, we rely on the alerts to let us know when there is an issue so we can respond.

  • Jon_Weatherhead (Copper Contributor)

    I see where some alerts are now missing from the template options, presumably because they are now a behavior. However, when I look in the Advanced hunting page in my console, I don't have the Behavioral Schema nor any of the behavioral tables. Do these have to be enabled somewhere?

    The example query for looking at the last 100 valid account logins (https://learn.microsoft.com/en-us/defender-cloud-apps/behaviors#query-100-recent-behaviors) gives me the following error, which makes sense because the table and column don't even exist as far as I can tell:

    'where' operator: Failed to resolve table or column expression named 'BehaviorInfo'

    Thanks,

  • DavidWanderer, there is nothing concrete we can share at the moment, but we're aware of the need to easily enable alerts based on the insights of behaviors and we are considering it as part of our future plans.

  • Thank you. Are there any long-term plans to add pre-made detections that can be easily configured, similar to the alert policies that were disabled in Cloud App Security? I appreciate the need to hunt for these behaviors, but the alerts are useful and provide a proactive way to start hunting.

  • I appreciate the shift to behaviors but am confused as to what the easiest way is to set up an email alert when one gets triggered. The "impossible travel" policy in Cloud App Security was useful but it has since been enabled. What path should I follow in order to receive an email alert for impossible travel?

    Thank you.