Security teams have conducted their investigation using two layers of data – raw activities and alerts which previously gave them the insight they needed to effectively respond to an alert. However, with attacks becoming more advanced and spanning across multiple vectors, this has led to Security Operations Centers (SOC) being overloaded with signals resulting in alert fatigue. We are thrilled to introduce a brand-new data type, called Behaviors in Microsoft 365 Defender, that will transform how you investigate alerts across all your workloads, starting with SaaS apps. In combination with Behaviors, we're continuing to build on our SaaS Security offering, Defender for Cloud Apps, that goes beyond the CASB built-in detections and focuses on real scenarios seen in the wild.
What are Behaviors?
Behaviors are a new data layer available in Microsoft 365 Defender, they represent an abstraction above the raw data level to offer a deeper understanding of events. Like alerts, they are attached to the MITRE attack categories and techniques. Security teams can consume them by creating queries or custom detections using the Behaviors tables in advanced hunting.
Organizations will benefit from Behaviors in the following ways:
Focus on scenario-based alerts, such as “Suspicious inbox manipulation rule” that detects specific patterns of inbox rules created by adversaries.
Use anomaly detection data that doesn’t have security ramifications as part of your investigation and custom detections.
Enrich the context of related incidents, anomalies will be correlated to existing incidents when they are relevant, for example when an impossible travel behavior is detected before a “Risky user created global admin” XDR detection.
Impossible Travel alert will be trigger based on ‘Impossible Travel’ behavior correlated with other risky indicators, such AAD IP signals, highly suspicious pattern of activities and anomalies in the user’s behavior.
Infrequent country activity
Infrequent country activity alert will be triggered based on ‘Infrequent country’ behavior correlated with other risky indicators, such AAD IP signals, highly suspicious pattern of activities and anomalies in the user’s behavior.
Multiple Failed Logins
Multiple Failed Logins alert will be trigger based on ‘Multiple Failed Logins’ behavior and will focus only on successful attempts, followed by highly suspicious pattern of failed attempts correlated with anomalies in the users behavior.
New SaaS app out-of-the-box detections
In addition to Behaviors, we’ve added detections that cover new attack patterns threatening cloud app assets, like token theft detections for Slack, Okta, AWS and Google Workspace, email service abuse and crypto-mining.
These detections have already stopped attacks in their tracks:
Cryptocurrency mining: where an Azure AD Global Admin account was compromised and utilized to cause massive financial loss in the organization. During this incident, the actor created a new account and provided ‘Global Admin’ permissions to it. This account could be later used by the actor as a ‘backdoor’ account and enabled ‘Elevate Access’ option to gain permissions over Azure. It deployed a mass number of computing resources to gain profit. Both the “Risky user created global admin” and “Access elevation by risky user” alerts were disrupted the attack and avoided financial loss.
Email service abuse - another financially motivated campaign that used compromised Global Admin accounts without MFA, resulting in the creation of a malicious OAuth app. The actor’s sign-in was tagged as high risk, which triggered “Azure AD app registration by risky user” alert which was used to recognize the malicious activity and disrupt the actor’s activity.
New detections that combine AzureAD Identity Protection & SaaS app data
Organizations using Azure AD Identity Protection and Defender for Cloud Apps are now protected with a set of risk-based detections. The new detections are based on real attack techniques being used by nation-state threat actors, financially motivated attackers, and other types of cybercriminals.They use the risk score signal in combination with events audited from multiple different data sources to trigger meaningful alerts, and detect known attack patterns in the environment, like cloud resource hijacking, cryptocurrency mining, and email service abuse.
You will seem them appear in the Microsoft 365 Defender alerts queue:
Suspicious Azure activities related to possible cryptocurrency mining
Detect potential crypto-mining activities done in one or more of the tenant’s subscriptions.
New external user account created by risky user
Detect when risky user invited new external account to the tenant.
Azure AD app registration by risky user
Detect potential malicious application set up and admin contested by risky user (usually to maintain persistence in that context).
Risky user created global admin
Detect potential malicious global admin backdoor account that was set up by the attacker.
Access elevation by risky user
Detect potentially compromised global admin that escalates privileges to manage Azure resources.
Risky user added permissions over other mailboxes
Detecting when potentially compromised privileged exchange account adds powerful permissions over other mailboxes in the organization.
Suspicious role assignment by a risky user
Detect when potentially compromised user performed role assignment with suspicious characteristics.
Unusual activities by AAD Connect sync account
Detect unusual activities by AAD Connect sync account.
This might indicate the user is compromised and used for malicious activities.
Being natively integrated with Microsoft 365 Defender, provides a comprehensive investigation experience across all your security workloads. By shifting from built-in anomalies to real-world scenario-based detections, you'll find relief that your SOC is fully equipped to protect against even the most advanced attacks.