Microsoft Defender Experts for XDR is a managed extended detection and response service that augments security operations centers (SOCs) for customers who use Microsoft 365 Defender services – Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra AD. Through a combination of automation and human expertise, it triages Microsoft 365 Defender incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides actionable response to your SOC.
In this blogpost, we share how you can get incident updates from the investigation and response work Defender Experts do – right into the SOC tools you already use.
Incident updates available from Defender Experts
Once our experts begin to perform comprehensive response work on your behalf, you'll start receiving updates about incidents that we are investigating, those that we have resolved for you, and those that require remediation actions from your SOC team.
The Microsoft 365 Defender portal is the primary way to see the latest updates from the Defender Experts work on incidents in your tenant. Check out the Defender Experts on the home page to view a quick summary.
Figure 1. This screenshot shows the count of incidents that are awaiting your action and a link to view them, the count of incidents resolved in the last 30 days, and a link to a detailed report.
Or directly navigate to the Incidents & alerts > Incidents page to see view latest updates in the context of the incidents queue. You will see the incident Assigned To, Status, Classification, Determination fields updated as Defender Experts do their work.
Figure 2. This screenshot shows a new unassigned incident, one that a Defender Expert analyst is assigned to and is actively investigating, one that is awaiting action from your SOC team, and an incident that is resolved.
You can also get these updates from the Graph Security API.
The following frequently asked questions cover more on what incident updates you will see when Defender Experts investigate and remediate incidents.
Check out these frequently asked questions on which incident updates you will see when – including how you can see investigation summary and response actions from Defender Experts.
Getting incident updates in third-party apps
SOC teams can use a variety of tools for work management, so we've made it possible to sync incident updates from Defender Experts into various ITSM, Helpdesk and SIEM/SOAR
You can get Defender Experts updates posted to the Microsoft 365 Defender portal in the Graph Security API at the namespace: microsoft.graph.security under resource type: incident. The following properties in the API will get incident updates from Defender Experts – assignedTo, status, classification, and determination – but you may want to also include other incident fields – such as displayName, id, severity, incidentWebUrl, customTags, etc. – in the sync for more context.
This will enable you to stay on top of incident updates from Defender Experts in the SOC tools you already use. As an example, you can sync incident updates by building integrations with ServiceNow, JIRA, and QRadar (Note: these external links to respective solutions’ documentation on integrating REST APIs such as Microsoft Graph are current as of the publication date of this blog – refer to respective websites for latest information).
Stay tuned for the investigation summary and response actions published in Microsoft 365 Defender portal from Defender Experts to also be available in the Graph Security API later this year. At that time, you will be able to sync these into your SOC apps. This will also enable you to execute 1-click response actions directly from those apps. This article will be updated when investigation summary and response actions are available in the Graph Security API.
Viewing incident updates and running playbooks in Microsoft Sentinel
You will get updates from our Defender Experts’ work in Sentinel – if that's what you use for incident management – without any additional effort.
Figure 3. This screenshot shows incident Owner, Status, and Reason for closing fields updated from Microsoft 365 Defender.
Defender Experts updates to incidents in Microsoft 365 Defender are synced into Sentinel if you have turned on the data connector between Defender and Sentinel. Check out Microsoft 365 Defender integration with Microsoft Sentinel if you want to learn more on how connect the two. The Microsoft 365 Defender incident Assigned To, Status, and Classification fields are mapped into Sentinel fields of Owner, Status, and Closing Reason.
This also enables you to use Defender Experts updates in Sentinel to automatically trigger playbooks. Start by first setting up automation rules in Sentinel that get triggered with Defender Experts updates to Sentinel Owner, Status, or Tag as listed in this article. Next, set up playbooks in Sentinel to automatically run based on these triggers.
If you are a current customer of Defender Experts for XDR who has suggestions on more ways that you would like to get incident updates from Defender Experts, reach out to your assigned Defender Experts analyst or your service delivery manager (SDM). To learn more about this service, visit the Microsoft Defender Experts for XDR web page and visit the Microsoft Defender Experts for XDR documentation page.