Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK!
Published Jul 01 2019 01:59 PM

Microsoft Defender ATP alerts include an alert category, which loosely identifies the kill chain stage associated with the alerted activity. For example, an alert like “Suspicious communication to an IP address” will be categorized as “Command and Control”, while “Use of living-off-the-land binary” will be categorized as “Execution”. Using the alert categories, security operators can:

  • Better understand the purpose of an alerted activity and its potential effect
  • Assess the risk associated with a device or an incident, and use this risk to prioritize action
  • Determine the scope of a breach by observing the categories of the alerts the threat triggered along its way. For example, “Lateral Movement” alerts can indicate that multiple devices are involved, and “Exfiltration” alerts could indicate a data leak.

We’ve recently completed a set of improvements to our alert categorization, simplifying and standardizing the alert categories to align with MITRE ATT&CK Framework Tactics.

 

We believe this alignment will help users better understand threat activities, correlate with additional data sources, and benefit from community enrichments to these categories over time.

 

Alert categories appear in different areas of the portal where alerts are displayed, queried, or used.

First, the alert category appears on each alert page:

  

[Screenshot: alert category on the alert page]

 

It also appears in lists of alerts—in the alert queue and in alert lists for incidents and other entities—enabling easy filtering of alerts by their categories:

 

[Screenshots: alert category in the alert queue and alert lists]

Alert categories are available in advanced hunting, where you can query for alerts based on categories:

 

[Screenshot: querying alerts by category in advanced hunting]

 

And when creating your own alerts (i.e., custom detections) from advanced hunting queries, you get to pick an appropriate category for your custom detection as well.

 

Finally, the Threat Protection reports include a report of alert activity in the last 30 days, sliced by the different alert categories:

 

 

[Screenshot: Threat Protection report of alert activity by category]

 

 

 

Two other Microsoft Defender ATP features where alert categories appear are particularly notable—you might have processes or systems that use the actual alert category values and might need to perform a one-time adjustment to use the new values:

  • SIEM integration—when alerts are forwarded to a SIEM, their category is also included in the feed and can be used to drive prioritization and categorization in the SIEM channels. If you are employing such logic in your SIEM, you should adjust it to the new category values.
  • Alert API—similarly, the Microsoft Defender ATP Alert API also includes the alert category and, for newer alerts, will reflect the new set of category values going forward. If you are using the Alert API to pull alerts into other systems or processes, evaluate your scenario to see if there are adjustments needed there too.
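
One way to scope that one-time adjustment is to audit a sample of forwarded alerts and your own rule filters against the ATT&CK tactic names. This is an added example, not Microsoft's code: the `category` field name, the rule names and the sample records are assumptions constructed for illustration, and a value that matches no tactic is only flagged for manual review.

```python
from collections import Counter

# MITRE ATT&CK Enterprise tactic names (public framework data).
ATTACK_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

def _key(name):
    """Normalize so 'CommandAndControl' and 'Command and Control' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

TACTIC_KEYS = {_key(t): t for t in ATTACK_TACTICS}

def audit_feed(alerts, field="category"):
    """Tally category values: tactic-aligned ones vs. ones needing review."""
    aligned, review = Counter(), Counter()
    for alert in alerts:
        raw = alert.get(field) or ""
        tactic = TACTIC_KEYS.get(_key(raw))
        if tactic:
            aligned[tactic] += 1
        else:
            review[raw or "<missing>"] += 1
    return aligned, review

def rules_to_review(rules):
    """Names of SIEM rules whose category filter is not an ATT&CK tactic name."""
    return sorted(n for n, cat in rules.items() if _key(cat) not in TACTIC_KEYS)

# Constructed sample feed; "ExampleLegacyValue" is a placeholder, not a real category.
SAMPLE_ALERTS = [
    {"id": "a1", "category": "CommandAndControl"},
    {"id": "a2", "category": "Command and Control"},
    {"id": "a3", "category": "LateralMovement"},
    {"id": "a4", "category": "ExampleLegacyValue"},
    {"id": "a5"},  # record with no category at all
]
# Hypothetical rule name -> category value the rule filters on.
SAMPLE_RULES = {"escalate-c2": "CommandAndControl",
                "page-on-exfil": "Exfiltration",
                "old-filter": "ExampleOldValue"}

if __name__ == "__main__":
    aligned, review = audit_feed(SAMPLE_ALERTS)
    print("aligned:", dict(aligned))
    print("review :", dict(review))
    print("rules  :", rules_to_review(SAMPLE_RULES))
```
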

 

Note: To allow for a period of adjustment to the new categories and preserve reporting, filtering, hunting etc., the Microsoft Defender ATP portal will continue to show both old and new categories for the next 30 days. As a result, you may notice a longer list of categories (e.g. in the alerts filters pane) representing both old and new together. After this adjustment period, old categories will be removed from view and only the new category values will appear.

 

We believe Security Operations teams will benefit from this alignment in alert categories, and we look forward to introducing more areas where we leverage the MITRE ATT&CK framework throughout Microsoft Defender ATP over the coming months.

 

@Corina Feuerstein @Hadar Feldman 

Microsoft Defender ATP Team

 

 

 

 

 

 

Last update: Sep 16 2020 09:51 AM