While Microsoft’s Extended Detection and Response (XDR) solution helps prioritize response activities and provides a unified experience that allows for more effective investigation at the incident level, the increasing volume and speed of sophisticated attacks, still challenges the capacity of most security teams.
Automation is growing in importance to close the gap to the speed needed to respond to more attacks faster. Automating the response actions to common alerts in can help you stay ahead of threats, protect your organization more effectively, significantly reduce response times, and save manual work for the Security Operations Center (SOC).
In this blog post, we'll explain how you can set up automatic response actions for any built-in alerts in Microsoft 365 Defender using Advanced hunting custom detections. This simple method will enable you to take quick, decisive, automatic action on impacted entities and stay ahead of potential threats in your organization.
Think about your day-to-day activities – are there recurring alerts in your environment that you typically take the same set of simple actions on to address them? These repetitive activities are good candidates for automated response actions to lighten the load of the SOC team.
So let’s take a look at how you can get started with the automation of response actions in Microsoft 365 Defender.
First, navigate to the Advanced hunting screen You will need to create a new custom detection for a KQL query such as:
| where Title == "Suspicious URL clicked"
Next, in your custom detection, you can specify the lookback timeframe, e.g. the past three hours. You can keep it simple and stop here or expand your KQL to include more conditions beyond the alert type, if you want to trigger the automatic response only on a subset of these alerts.
Once you’ve determined the scope of the alert, it’s time to automate the response and define subsequent actions. To do that, choose the entities in the alert that you would like to take an action on by ticking the checkboxes for those entities, and choose which automatic actions to apply to each entity.
Image 1: Microsoft 365 Defender dashboard – Navigate to “Advanced Hunting” screen
Here you can choose from a wide range of actions such as isolating the affected asset, quarantining a file that was identified as malicious, triggering an investigation and more. In our example, we’ll choose to isolate the device associated with the alert but you can find a complete list of available response actions here.
GIF 1: Creating custom detections and defining automatic response actions walkthrough.
Using these types of custom detections in combination with KQL queries allow you to easily set up automated playbooks for alerts without the need for complex integrations or development efforts. We’ve seen these especially helpful for smaller SOC teams who don't have a Security, Orchestration, Automation, and Response (SOAR) product, as it allows them to easily add automation to their toolset in a way that is best suited for their organization. However, they are impactful to organizations of any size looking to centralize some of their basic response actions directly within their XDR solution.
By automating repetitive tasks in your XDR, you shorten response times and free up the SOC team from mundane and repetitive tasks so they can focus on more important security efforts.