RSA news: What's new in Defender XDR?
Published May 06 2024 09:00 AM 6,518 Views

In today's threat landscape, the realm of cyberattacks is in a constant state of flux, evolving at an unprecedented pace. Attack vectors, methodologies, and vulnerabilities are continuously changing, presenting a formidable challenge to cybersecurity teams worldwide. To effectively combat this ever-changing landscape of attacks, security teams must equip themselves with tools that are innovating and adapting based on new threats. Foundational security tools play a crucial role in modern security and they must continuously invest in improving and enhancing their offerings to ensure they remain resilient against emerging threats.

Moreover, the disruptive force of AI is reshaping the cybersecurity landscape, both for attackers who are leveraging AI-powered tools to launch more sophisticated and automated attacks, and for security teams harnessing AI for prevention, detection, and response. To help our customers with these challenges, we are excited to announce the following capabilities in Microsoft Defender XDR:

  • AI-powered disruption of SaaS attacks: Microsoft Defender XDR is expanding its attack disruption capabilities to new scenarios that include OAuth app compromise within SaaS apps, disabling a malicious OAuth app & broadened compromised user coverage.
  • Native support for Data Security & Operational Technology (OT): OT security is now integrated into XDR, together with new insider risk management insights from Microsoft Purview that bring Data Security further into the SOC.
  • End to end protection in the unified security operations platform: new features that benefit both Microsoft Sentinel & Defender XDR customers like unified custom detections, automation rules, and more, as well as new in-browser protection using Microsoft Edge to protect access to SaaS apps.

AI-powered disruption of SaaS attacks: Automatic attack disruption is a game-changing feature first released at Ignite 2022. It is an on-by-default, AI/ML-powered capability that uses the correlated workload signals in XDR to detect and stop in-progress attacks (e.g. ransomware, BEC, AiTM) in real time with a high level of confidence. Over the last couple of years, Defender XDR has invested in additional scenarios, such as disrupting attacks that target SAP data using signals from Microsoft Sentinel.

Today, we are excited to share that attack disruption has expanded to disrupt attacks that involve malicious OAuth apps. This is enabled by Microsoft's vast threat intelligence, combined with AI models layered on top of the broad native and 3rd party signals within the platform.


OAuth apps have become a prominent attack vector for adversaries. Back in December, Microsoft observed an attack that used a highly privileged OAuth app to deploy virtual machines for cryptocurrency mining and ultimately to spam user email accounts for financial fraud. Because consenting to an OAuth app is often a "set and forget" action, most users don't realize the level of permissions and privileges they have delegated to it.


Once an attacker has gained access to an OAuth app with high permissions, they can use it to register new apps that look credible on the surface but are used to exfiltrate sensitive data. With the AI-powered disruption of SaaS attacks, Defender XDR now disables the compromised OAuth app through its direct integration with Microsoft Defender for Cloud Apps, shutting the attacker out from further misuse. Attack disruption has also broadened its coverage of compromised-user scenarios, such as leaked credentials, credential stuffing and password guessing.
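The abuse chain described above (a highly privileged app, then new apps registered through it to pull data out) is also something a SOC can hunt for in its own app registration inventory while disruption does its work. The following is an added example written for this page, not code from the blog post or a Defender XDR feature: it triages a constructed set of app registration records and ranks them by how closely they match that pattern. The record fields, the `HIGH_PRIVILEGE` permission list and the scoring weights are this example's own assumptions, not a Defender or Microsoft Graph schema; in a real tenant the records would come from the Entra ID app registration and service principal data.

```python
"""Added example (not from the original post): rank OAuth app registrations
by how closely they match the abuse chain described in the text, where an
app holding Application.ReadWrite.All registers further apps that hold
data-access permissions. All records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Microsoft Graph permissions that, when granted app-only (no signed-in user),
# give tenant-wide reach. Assumed list for illustration; tune it to your tenant.
HIGH_PRIVILEGE = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "User.ReadWrite.All", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


@dataclass
class OAuthApp:
    app_id: str
    display_name: str
    created: datetime
    created_by: str             # id of the principal that registered the app
    created_by_is_app: bool     # True when a service principal, not a user, registered it
    publisher_verified: bool
    app_permissions: set = field(default_factory=set)        # app-only permissions
    delegated_permissions: set = field(default_factory=set)  # act-as-user scopes


def triage(apps, now):
    """Score every app (higher = review sooner) and return the findings sorted
    by descending score. Scores and reasons are deterministic for the input."""
    by_id = {a.app_id: a for a in apps}
    findings = []
    for app in apps:
        score, reasons = 0, []
        high = app.app_permissions & HIGH_PRIVILEGE
        if high:
            score += 2 * len(high)
            reasons.append(f"app-only high-privilege permissions: {sorted(high)}")
        if app.created_by_is_app:
            parent = by_id.get(app.created_by)
            # The chain from the post: an app that can manage applications
            # registering further apps. Treated here as the strongest signal.
            if parent and "Application.ReadWrite.All" in parent.app_permissions:
                score += 3
                reasons.append(f"registered by app {parent.display_name!r}, "
                               "which holds Application.ReadWrite.All")
        if high and not app.publisher_verified and now - app.created < timedelta(days=7):
            score += 1
            reasons.append("registered in the last 7 days by an unverified publisher")
        findings.append({"app_id": app.app_id, "name": app.display_name,
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample inventory: a long-lived privileged connector, a new app
# it registered, and a benign delegated-only widget.
NOW = datetime(2024, 5, 6, tzinfo=timezone.utc)
SAMPLE_APPS = [
    OAuthApp("app-crm-1", "CRM Connector", NOW - timedelta(days=400),
             "user-alice", False, True,
             app_permissions={"Application.ReadWrite.All", "Directory.Read.All"}),
    OAuthApp("app-bkp-2", "Backup Exporter", NOW - timedelta(days=2),
             "app-crm-1", True, False,
             app_permissions={"Mail.ReadWrite", "Files.ReadWrite.All"}),
    OAuthApp("app-cal-3", "Team Calendar Widget", NOW - timedelta(days=200),
             "user-bob", False, True,
             delegated_permissions={"Calendars.Read", "User.Read"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_APPS, NOW):
        print(f"{f['score']:>2}  {f['name']:<22} {'; '.join(f['reasons']) or 'no findings'}")
```

The point of the `created_by_is_app` check is that a legitimate app registration is normally created by a user or an administrator; an app registered by another service principal that itself holds Application.ReadWrite.All is exactly the second hop of the chain the post describes, so it outranks a merely over-privileged but long-standing app.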


Figure 1. OAuth app disruption in the Defender portal


Native support for Data Security & Operational Technology (OT) in Defender XDR

Defender XDR now includes native protection for Operational Technology (OT) and Industrial Control Systems (ICS), as we have natively integrated Microsoft Defender for IoT into the Defender portal. Security teams can now detect and respond to cyber threats across OT environments, get key insights into their OT security posture, and understand OT threats in the context of broader incidents. Through the new OT integration, organizations benefit from:

  • Device discovery allows you to access all devices, per site, in the unified device inventory. By using a finite-state machine (FSM) model to baseline device behavior, cyber-physical systems can be secured using behavior profiles and anomaly detection.
  • OT insights are included in Microsoft Copilot for Security to allow organizations to quickly identify vulnerabilities, threats, and make informed decisions regarding device maintenance and upgrades.
  • Vulnerability management across OT devices is integrated into the existing experience in Defender and allows the SOC to model security risks in a targeted and efficient manner.



Figure 2. A triggered detection for a potentially impacted OT device in a human operated ransomware attack


In addition to OT signals, Defender XDR further enhances its integration with Microsoft Purview by bringing critical Insider Risk Management (IRM) insights into the SOC investigation experience. The IRM insights add context to the existing user page in XDR and provide visibility into the activities that make a user high risk from a data security perspective. Because data has become a main target for attackers, it's important to build data security into existing SOC processes for effective incident management and alert prioritization. Consider implementing the following within your SOC processes:

  • Investigation: Ensure DLP and other data-centric and insider risk alerts are correlated into your threat incidents.
  • Hunting: Build proactive hunting practices that consider data sensitivity as part of the investigation as you search audit logs across files, locations, and users.
  • Customization: Customize your incident queue and prioritize based on the data sensitivity of the files involved.
  • Remediation: Build remediation workflows that let you apply sensitivity or retention labels, mark users as compromised, require the user to sign in again, and more.

To learn more about the insider risk management feature, check out the latest blog from Microsoft Purview.



Figure 3. A multi-stage incident that involves DLP with insider risk information on user severity


End to end protection in the unified security operations platform

Microsoft’s unified security operations platform, in public preview since April 4, is designed to offer end-to-end protection by consolidating various security operations tools and experiences into a single, coherent system. Now, customers of Microsoft Sentinel and Defender XDR can leverage comprehensive capabilities with more out of the box value, flexibility and better protection.

Building on this announcement, we have additional capabilities now ready for customers to use on the unified SOC platform. These include:

  • Unified custom detections: build custom detections using both XDR & data ingested by Microsoft Sentinel.
  • Unified automation rules: automatically execute a playbook based on certain conditions, such as the creation or updating of an incident, or when an alert meets specific criteria.
  • Global search: search across all entities and incidents in SIEM and XDR through the search bar at the top of the portal.


In addition to the shared capabilities between Defender and Microsoft Sentinel, today we are also delivering a new way to manage secure session access for SaaS apps. Microsoft Defender for Cloud Apps now provides new in-browser protection capabilities via Microsoft Edge that let security teams manage how a user can interact with in-app data based on their risk profile. Session policies are applied directly in the browser, which reduces the need for proxies and improves both security and productivity.

Based on the user's risk profile, admins can limit app access to read-only, or build granular policies that prevent downloads and uploads during a session. Protected users get a smooth experience in their cloud apps that doesn't impact their productivity: because the enforcement is native to Edge, it avoids the latency and app compatibility issues that proxy-based session control can introduce, and it gives you more flexibility in protecting your valuable data across SaaS apps.


To enable these policies today, check out our documentation.



Figure 4. A block message from Defender for Cloud Apps to prevent the download of a sensitive file within the Edge browser


Looking ahead

Staying ahead of security threats is critical. It's important to embrace the latest security innovations to keep your organization secure, whether that means covering new attack vectors like a malicious OAuth app, taking advantage of native support for new areas of protection, or realizing the benefits of moving to a unified platform for all your SOC needs.

To learn more about these Defender XDR announcements, join us at the RSA Conference from May 6-9 in San Francisco and attend our main stage and booth sessions.

You can find more information and resources below.

  • Live Ninja show featuring automatic attack disruption on May 29
  • Unified security operations platform Ask me Anything
  • Microsoft Purview Insider risk management blog
  • Know the value of compromised data in your incidents video
Last updated: May 22 2024 08:36 AM