Security teams have traditionally conducted their investigations using two layers of data, raw activities and alerts, which previously gave them the insight they needed to respond effectively to an alert. However, as attacks have become more advanced and span multiple vectors, Security Operations Centers (SOCs) have been overloaded with signals, resulting in alert fatigue. We are thrilled to introduce a brand-new data type in Microsoft 365 Defender, called Behaviors, that will transform how you investigate alerts across all your workloads, starting with SaaS apps. Alongside Behaviors, we're continuing to build on our SaaS security offering, Defender for Cloud Apps, which goes beyond the built-in CASB detections and focuses on real scenarios seen in the wild.
Behaviors are a new data layer available in Microsoft 365 Defender. They are an abstraction above the raw data level that offers a deeper understanding of events. Like alerts, they are mapped to MITRE ATT&CK categories and techniques. Security teams can consume them by writing queries or custom detections against the Behaviors tables in advanced hunting.
Organizations will benefit from Behaviors in the following ways:
Within Defender for Cloud Apps, we have identified detections that are better suited as Behaviors; the table below shows where they are used to detect malicious activities in various scenarios.

| Detection | Scenario |
| --- | --- |
| Impossible travel | The Impossible Travel alert is triggered based on the 'Impossible travel' behavior correlated with other risky indicators, such as Azure AD IP signals, highly suspicious patterns of activity, and anomalies in the user's behavior. |
| Infrequent country activity | The Infrequent country activity alert is triggered based on the 'Infrequent country' behavior correlated with other risky indicators, such as Azure AD IP signals, highly suspicious patterns of activity, and anomalies in the user's behavior. |
| Multiple Failed Logins | The Multiple Failed Logins alert is triggered based on the 'Multiple Failed Logins' behavior and focuses only on successful attempts that follow a highly suspicious pattern of failed attempts, correlated with anomalies in the user's behavior. |
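The paragraph above describes consuming Behaviors through advanced hunting, and the table describes how the Impossible Travel alert is built by correlating the behavior with Azure AD risk signals. The following advanced hunting query is an added example of that correlation written by hand, not code from the original post or from the product. BehaviorInfo, BehaviorEntities and AADSignInEventsBeta are the real advanced hunting table names; the ActionType and ServiceSource strings, the EntityType value, and the RiskLevelDuringSignIn threshold are assumptions that should be checked against the schema reference and your own tenant's data before relying on them.

```kql
// Added example, not from the original post: surface Impossible Travel behaviors
// for accounts that also had a risky Azure AD sign-in within a day, and attach the
// IP entities recorded for each behavior. String values marked "assumed" must be
// verified against the advanced hunting schema in your tenant.
let lookback = 7d;
let travelBehaviors =
    BehaviorInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Cloud App Security"   // assumed ServiceSource value
    | where ActionType has "Impossible travel"                 // assumed ActionType text
    | project Timestamp, BehaviorId, ActionType, Description,
              Categories, AttackTechniques, AccountUpn, AccountObjectId;
let riskySignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where RiskLevelDuringSignIn >= 50   // assumed scale: 50 = medium, 100 = high
    | project SignInTime = Timestamp, AccountObjectId,
              RiskLevelDuringSignIn, IPAddress, Country;
let behaviorIps =
    BehaviorEntities
    | where Timestamp > ago(lookback)
    | where EntityType == "Ip"             // assumed EntityType value
    | summarize BehaviorIPs = make_set(RemoteIP) by BehaviorId;
travelBehaviors
| join kind=inner riskySignIns on AccountObjectId
// keep only pairs where the risky sign-in happened within 24 hours of the behavior
| where abs(datetime_diff("hour", SignInTime, Timestamp)) <= 24
| join kind=leftouter behaviorIps on BehaviorId
| project Timestamp, AccountUpn, AccountObjectId, ActionType, AttackTechniques,
          Description, SignInTime, RiskLevelDuringSignIn, IPAddress, Country, BehaviorIPs
| order by Timestamp desc
```

Run it from Advanced hunting first and tune the filters until the result set is small and meaningful; the same query can then be saved as a custom detection rule, provided the final projection keeps the columns the custom detection wizard requires (at minimum a Timestamp and an account identifier such as AccountObjectId, both of which this query already returns).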
In addition to Behaviors, we’ve added detections that cover new attack patterns threatening cloud app assets, like token theft detections for Slack, Okta, AWS and Google Workspace, email service abuse and crypto-mining.
These detections have already stopped attacks in their tracks:
Organizations using Azure AD Identity Protection and Defender for Cloud Apps are now protected with a set of risk-based detections. The new detections are based on real attack techniques being used by nation-state threat actors, financially motivated attackers, and other types of cybercriminals. They use the risk score signal in combination with events audited from multiple different data sources to trigger meaningful alerts, and detect known attack patterns in the environment, like cloud resource hijacking, cryptocurrency mining, and email service abuse.
You will see them appear in the Microsoft 365 Defender alerts queue:

| Detection | Scenario |
| --- | --- |
| Suspicious Azure activities related to possible cryptocurrency mining | Detect potential crypto-mining activities performed in one or more of the tenant's subscriptions. |
| New external user account created by risky user | Detect when a risky user invited a new external account to the tenant. |
| Azure AD app registration by risky user | Detect a potentially malicious application set up and admin-consented by a risky user (usually to maintain persistence in that context). |
| Risky user created global admin | Detect a potentially malicious global admin backdoor account that was set up by the attacker. |
| Access elevation by risky user | Detect a potentially compromised global admin that escalates privileges to manage Azure resources. |
| Risky user added permissions over other mailboxes | Detect when a potentially compromised privileged Exchange account adds powerful permissions over other mailboxes in the organization. |
| Suspicious role assignment by a risky user | Detect when a potentially compromised user performed a role assignment with suspicious characteristics. |
| Unusual activities by AAD Connect sync account | Detect unusual activities by the AAD Connect sync account. This might indicate the account is compromised and being used for malicious activities. |
Native integration with Microsoft 365 Defender provides a comprehensive investigation experience across all your security workloads. By shifting from built-in anomalies to real-world, scenario-based detections, you'll find relief in knowing that your SOC is fully equipped to protect against even the most advanced attacks.
Investigate behaviors with advanced hunting (Preview)
BehaviorEntities table in advanced hunting
BehaviorInfo table in advanced hunting
Microsoft shifts to a comprehensive SaaS security solution - Microsoft Security Blog
Have feedback? We’d love to know! Please fill this Form.