Tag Archive: Microsoft Defender XDR

Assigning severity to incidents and other features are now GA

New functionality in Microsoft Defender XDR (previously Microsoft 365 Defender) is being released at a very high pace. For that reason it is important to send feedback: not only about things that do not work as you expected or that produce an error, but also new feature requests.

Some of the new features that reached GA in February are in the incident management space.

Change incident severity

When an incident is generated, its severity is based on the alert with the highest severity. If the severity is wrong, you can change it by selecting Manage incident, which opens the incident pane.

Assign incident to a group

Instead of only being able to assign the incident to a specific individual (who might be on leave), it is now possible to assign it to a group, again by selecting Manage incident, which opens the incident pane.

Go hunt directly from attack story

When selecting an item in the attack story, you get a “Go Hunt” option, which lets you choose between All activities, Related alerts and See all available queries.

When you select a query, the results are shown in the same window, so you do not have to leave the incident view. If you want to continue hunting, you have the option to “Open in advanced hunting”.

Happy Hunting!

Microsoft Defender XDR Deceptions Feature

Last year Microsoft announced a deception capability in Microsoft Defender for Endpoint. The idea is that an adversary accesses a decoy or a lure, which triggers an incident for the response team to act on.

To enable the feature, go to Settings > Endpoints > Advanced features and enable Deception.

To create deception rules:

In Settings > Endpoints > Deception rules

A deception rule can be scoped to devices with a specific tag.

The system automatically generates aliases or hostnames, which can be edited to better fit your organization.

Lures can be autogenerated, or you can use custom lures (file size up to 10 MB).

A lure can be of any file type except PE files (exe and dll).
It is recommended that the lure contains information about the decoys.

Happy Hunting!