Since the general availability of Microsoft Defender Experts for XDR, our extended managed detection and response (MXDR) service, in June 2023, our Defender Experts team has been busy providing around the clock service to our customers and soliciting their feedback on how we can make our service better. As the cyberthreat landscape continues to grow in complexity, the workforce gap has followed, with an increase of 13% from 2022 to roughly four million cybersecurity professionals needed worldwide.[1] Our goal is to address these challenges by becoming an extension of our customers’ SOC team and providing human-led proactive defense to safeguard their digital assets. With the latest enhancements being rolled out in the Defender Experts for XDR service, we continue to help our customers address cybersecurity skills gaps and disrupt evolving cyberthreats to elevate their security posture.
Customize your managed response for your unique environment
The latest Defender Experts for XDR enhancements give customers more power and flexibility with their managed response settings and provide more visibility into the actions taken on their behalf. Our new exclusions capability allows customers to define which devices and users they want to exclude from Defender Experts for XDR scope. Customers can also exclude high value devices (Device value: High in Microsoft Defender for Endpoint) and high value users (user tagged as “Sensitive” on Microsoft Defender for Identity or “Priority account” on Microsoft Defender for Office 365). For those devices and users excluded from the service, the Defender Experts team will continue to provide the necessary remediation guidance that the SOC team can act on to mitigate the cyberthreat and resolve the incident.
Figure 1. This screenshot shows how Defender Experts for XDR customers can define which devices and users to exclude from the remediation actions taken by Defender Experts.
In addition, we’ve improved visibility with an enhanced incident page that provides more granular details on the actions taken on a customer’s behalf by the Defender Experts team as well as detailed investigation summaries.
Figure 2. This screenshot shows the managed response details for a particular incident from the Defender Experts team, including a detailed investigation summary, completed actions, and pending actions assigned to the customer.
Customers now have insights into how the team works to investigate suspicious behavior that may not qualify as an incident, resolving countless incidents that would have otherwise burdened resource-constrained SOC teams, and much more.
Sync Defender Experts incident updates into the tools you use
Defender Experts for XDR now includes API integration for third party SIEM and case management solutions. This integration allows customers to sync their Defender Experts incident updates into the third-party tools they use for their SOC operations.
Figure 3. This screenshot shows an example of how Defender Experts for XDR customers can use our API integration to see an investigation summary from the Defender Experts for XDR service in their ServiceNow® Service Management tool.
Customers can now read investigation summaries, view the actions the Defender Experts team took on their behalf, and execute any required actions from their third-party tools.
Get access to our experts on the go
Microsoft Defender Experts for XDR is introducing an integrated chat experience with a new Teams app to notify customers in the event action is needed to remediate a cyberthreat and extend customers’ access to Defender Experts for questions on incidents and alerts.
Figure 4. This graphic shows a conversation between the Defender Experts team and a customer in the Microsoft Teams desktop and mobile apps.
The new Teams app for Defender Experts for XDR will be integrated into a customer’s channel in Microsoft Teams and will be available on both desktop and mobile versions. The Teams app will notify customers in the event they need to take action and allows them to chat directly with the Defender Experts team.
Jumpstart your SOC with expedited onboarding and enhanced reporting
Our new onboarding and reporting enhancements provide customers with more flexibility and visibility to enrich their overall experience. Customers can now conduct a self-service readiness assessment for their Defender configurations and expedite the onboarding process to get the Defender Experts team working for them quickly. From setting device and user exclusions to setting communication preferences and completing the actions needed to start the service, onboarding is fast and easy.
Figure 5. This screenshot shows a step in the Defender Experts for XDR onboarding process where the customer is informed that their attention is needed to complete all outstanding actions before the service can go live.
In addition, our reporting now includes new actionable insights that show customers their most targeted users and devices. Customers can see how many incidents their most targeted assets were involved in, and drill down to see the corresponding incidents and the managed response actions carried out by Defender Experts. The improved reporting also breaks down incidents based on service source, giving our customers real-time visibility into the volume of incidents detected by individual Microsoft Defender products.
Figure 6. This screenshot shows a section of a Defender Experts report that includes incidents by service source and most impacted assets.
Experience Defender Experts above the fold
A new full-width banner featuring Defender Experts is now featured on the Microsoft Defender home page. The new banner can help our customers understand what incidents require their immediate attention and provide a brief summary of what Defender Experts has resolved for them lately. If you’re a SOC analyst or manager, you can quickly see what Defender Experts has done for you, and then get back to what matters most.
Figure 7. This screenshot shows the Defender Experts home page banner in Microsoft Defender.
See the Defender Experts team in action
In addition to our recent enhancements to the Defender Experts for XDR service, you can also see the team in action at upcoming events. Our Microsoft Ignite hybrid event is happening this week, with an in-person experience in Seattle on November 14-17, 2003, and an online experience on November 15-16, 2023. You can still register for the online experience here and catch many great sessions, including “Jumpstart your SOC with Microsoft Defender Experts for XDR.” You can watch our session here.
Following Ignite, the Microsoft Security Tech Accelerator virtual event will be held on Wednesday, December 6, 2023 on the Microsoft Tech Community web site and will feature demos and technical deep dives. We will be featured in one of the sessions “Defender Experts in-depth: running a modern SOC in the age of LLMs” at 11:30am PST. You can register for our session here and access all of the event sessions on-demand here.
To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, download the datasheet, or watch our explainer video.
________________________________________________
[1] ISC2 Cybersecurity Workforce Study, 2023