diff --git a/ATPDocs/investigate-assets.md b/ATPDocs/investigate-assets.md
index 06d49a3830..7714f01846 100644
--- a/ATPDocs/investigate-assets.md
+++ b/ATPDocs/investigate-assets.md
@@ -45,7 +45,9 @@ Find identity information in the following Microsoft Defender XDR areas:
For example, the following image shows the details on an identity details page:
-:::image type="content" source="media/investigate-assets/identity-details.png" alt-text="Screenshot of an identity details page." lightbox="media/investigate-assets/identity-details.png":::
+![Screenshot of a specific user's page in the Microsoft Defender portal.](media/investigate-assets/image.png)
+
+
### Identity details
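Review bot: the replacement image on the `+![Screenshot ...]` line points at `media/investigate-assets/image.png`, a generic filename that replaces the descriptive `identity-details.png`, and its alt text ("a specific user's page") no longer matches the sentence right above it, which introduces "an identity details page". Suggest a descriptive asset name, alt text that matches the sentence, and only one blank line after the image instead of the two added before `### Identity details`. Switching from `:::image:::` to plain Markdown also drops the `lightbox` attribute, while the same PR adds a new `:::image:::` block in advanced-hunting-defender-use-custom-rules.md, so the two syntaxes should be reconciled.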
@@ -60,6 +62,10 @@ When you investigate a specific identity, you'll see the following details on an
|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline) | The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint.
Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range. |
|[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions) | Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
+> [!NOTE]
+> **Investigation Priority Score** has been deprecated on December 3, 2025. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI.
+
+
For more information, see [Investigate users](/microsoft-365/security/defender/investigate-users) in the Microsoft Defender XDR documentation.
## Investigation steps for suspicious groups
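Review bot: the deprecation date in the added note (`December 3, 2025`) conflicts with the rest of this PR, which files its changes under `## December 2024` in whats-new.md; please confirm the year. `has been deprecated on <date>` should read `was deprecated on <date>`, and a blank line is needed between the last table row (`|[Remediation actions]...`) and `> [!NOTE]` so the note cannot be pulled into the table by the renderer. While touching this spot, the row above it has an unclosed `**Action center.|` bold marker, and the two extra blank lines after the note can go.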
diff --git a/ATPDocs/media/investigate-assets/image.png b/ATPDocs/media/investigate-assets/image.png
new file mode 100644
index 0000000000..fc046a0db6
Binary files /dev/null and b/ATPDocs/media/investigate-assets/image.png differ
diff --git a/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md b/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md
index 4a15f8ff06..546a731c2e 100644
--- a/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md
+++ b/CloudAppSecurityDocs/app-governance-anomaly-detection-alerts.md
@@ -20,6 +20,31 @@ For more information, see [App governance in Microsoft Defender for Cloud Apps](
> - [Access Microsoft Graph activity logs](/graph/microsoft-graph-activity-logs-overview)
> - [Analyze activity logs using Log Analytics](/entra/identity/monitoring-health/howto-analyze-activity-logs-log-analytics)
>
+## General investigation steps
+
+### Finding App Governance Related Alerts
+
+To locate alerts specifically related to App Governance, navigate to the XDR portal Alerts page. In the alerts list, use the "Service/detection sources" field to filter alerts. Set the value of this field to "App Governance" to view all alerts generated by App Governance.
+
+### General Guidelines
+
+Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
+
+- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
+- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
+
+ - Scopes granted access
+ - Unusual behavior
+ - IP address and location
+
+## Security alert classifications
+
+Following proper investigation, all app governance alerts can be classified as one of the following activity types:
+
+- **True positive (TP)**: An alert on a confirmed malicious activity.
+- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
+- **False positive (FP)**: An alert on a non-malicious activity.
+
## MITRE ATT&CK
To make it easier to map the relationship between app governance alerts and the familiar MITRE ATT&CK Matrix, we've categorized the alerts by their corresponding MITRE ATT&CK tactic. This extra reference makes it easier to understand the suspected attacks technique potentially in use when app governance alert is triggered.
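Review bot: in the moved `## General investigation steps` block, the guideline `If you identify a TP, review all the App activities` now appears before `## Security alert classifications` defines TP, B-TP and FP; either keep the classifications section first (the order the file had before this change) or expand the abbreviation on first use. The new subheadings `### Finding App Governance Related Alerts` and `### General Guidelines` are in title case while the other headings in the hunk use sentence case, and a blank line between the closing `>` of the quoted list and the new `## General investigation steps` heading would keep the block structure obvious.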
@@ -38,25 +63,6 @@ This guide provides information about investigating and remediating app governan
- [Exfiltration](#exfiltration-alerts)
- [Impact](#impact-alerts)
-## Security alert classifications
-
-Following proper investigation, all app governance alerts can be classified as one of the following activity types:
-
-- **True positive (TP)**: An alert on a confirmed malicious activity.
-- **Benign true positive (B-TP)**: An alert on suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
-- **False positive (FP)**: An alert on a nonmalicious activity.
-
-## General investigation steps
-
-Use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action.
-
-- Review the app severity level and compare with the rest of the apps in your tenant. This review helps you identify which Apps in your tenant pose the greater risk.
-- If you identify a TP, review all the App activities to gain an understanding of the impact. For example, review the following App information:
-
- - Scopes granted access
- - Unusual behavior
- - IP address and location
-
## Initial access alerts
This section describes alerts indicating that a malicious app may be attempting to maintain their foothold in your organization.
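Review bot: the removed `- **False positive (FP)**` bullet reads `nonmalicious`, while the re-added copy earlier in the file reads `non-malicious`; a move should not silently change spelling, so pick one form deliberately (the pre-existing text used the closed form). Apart from that one word, the deleted block is a verbatim copy of what was inserted above, so this hunk is a pure move and needs no further review.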
diff --git a/defender-xdr/advanced-hunting-defender-use-custom-rules.md b/defender-xdr/advanced-hunting-defender-use-custom-rules.md
index 389e9f1b6f..937c5d3a93 100644
--- a/defender-xdr/advanced-hunting-defender-use-custom-rules.md
+++ b/defender-xdr/advanced-hunting-defender-use-custom-rules.md
@@ -43,8 +43,23 @@ For editable functions, more options are available when you select the vertical
- **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
- **Delete** – deletes the function
+### Use adx() operator for Azure Data Explorer queries (Preview)
+Use the `adx()` operator to query tables stored in Azure Data Explorer. Read [What is Azure Data Explorer?](/azure/data-explorer/data-explorer-overview) for more details.
+
+This feature was previously only available in log analytics in Microsoft Sentinel. Users can now use the operator in advanced hunting in the unified Microsoft Defender portal without needing to manually open a Microsoft Sentinel window.
+
+In the query editor, enter the query in the following format:
+```Kusto
+adx('/').
+```
+
+For example, to get the first 10 rows of data from the `StormEvents` table stored in a certain URI:
+
+:::image type="content" source="/defender-xdr/media/adx-sample.png" alt-text="Screenshot of adx operator in advanced hunting." lightbox="/defender-xdr/media/adx-sample.png":::
+
+
### Use arg() operator for Azure Resource Graph queries
-The *arg()* operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
+The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables are not supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window.
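Review bot: the query template `adx('/').` in the added code block is not a usable format: the URI is a bare `/` and nothing follows the dot, so a reader cannot tell where the cluster URI, database and table go, and the `StormEvents` example that follows exists only as a screenshot. Suggest a placeholder form such as `adx('<cluster URI>/<database>').<table>` and adding the example query as text beside the screenshot so it can be copied. Smaller points: the fence tag `Kusto` would normally be lowercase `kusto`; the image uses an absolute `/defender-xdr/media/adx-sample.png` path while the other screenshots in this PR were switched to relative paths; and `log analytics` should be `Log Analytics`.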
diff --git a/defender-xdr/investigate-users.md b/defender-xdr/investigate-users.md
index 977a41e5cb..2327ba1205 100644
--- a/defender-xdr/investigate-users.md
+++ b/defender-xdr/investigate-users.md
@@ -43,7 +43,8 @@ Wherever user entities appear in these views, select the entity to view the **Us
When you investigate a specific user entity, you see the following tabs on its entity page:
-- [Overview](#overview), including entity details, incidents and alerts visual view, investigation priority, and scored timeline
+- [Overview](#overview), including entity details, incidents and alerts visual view, user account control flags and so on.
+
- [Incidents and alerts](#incidents-and-alerts) tab
- [Observed in organization](#observed-in-organization) tab
- [Timeline](#timeline) tab
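Review bot: the blank line added after the rewritten `- [Overview]` bullet splits the tab list, so Markdown renders it as a loose list or two separate lists rather than one group of four tabs; drop the added blank line. `user account control flags and so on.` is also vaguer than the line it replaces. Since only the investigation priority and scored timeline cards were removed, name what remains, for example `entity details, incidents and alerts visual view, Active Directory account controls, and organization tree`, matching the `###` card headings later in this file.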
@@ -58,26 +59,21 @@ The user page shows the Microsoft Entra organization as well as groups, helping
The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the insider risk severity level (Preview), the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled.
+> [!NOTE]
+> **Investigation Priority Score** has been deprecated on December 3, 2025. As a result, both the Investigation Priority Score breakdown and the Scored activities cards have been removed from the UI.
+
> [!NOTE]
> (Preview) Microsoft Defender XDR users with access to [Microsoft Purview Insider Risk Management](/purview/insider-risk-management-solution-overview) can now see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the **insider risk severity** under Entity details to see the risk insights about the user.
### Visual view of incidents and alerts
This card includes all incidents and alerts associated with the user entity, grouped by severity.
-### Investigation priority
-
-This card includes the user entity's calculated investigation priority score breakdown, and a two-week trend for that score, including the percentile of the score in relation to the tenant.
-
### Active directory account controls
This card surfaces Microsoft Defender for Identity security settings that may need your attention. You can see important flags about the user's account settings, such as if the user can press enter to bypass the password, and if the user has a password that never expires, etc.
For more information, see [User Account Control flags](/windows/win32/adschema/a-useraccountcontrol).
-### Scored activities
-
-This card includes all activities and alerts contributing to the entity's investigation priority score over the last seven days.
-
### Organization tree
This section shows the user entity's place in the organizational hierarchy as reported by Microsoft Defender for Identity.
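Review bot: two `> [!NOTE]` blocks now sit back to back above `### Visual view of incidents and alerts`; consider merging them or placing the deprecation note after the Preview note so the removal is not read as part of the insider-risk feature. The note's wording differs from the one added to ATPDocs/investigate-assets.md in this same PR (`Scored activities cards` here, `scored activity timeline cards` there), both use `has been deprecated on December 3, 2025` where `was deprecated on` is the right tense, and that year does not match the `## December 2024` whats-new entry this PR adds; write the sentence once and reuse it in both files. Removing the `### Investigation priority` and `### Scored activities` sections is consistent with the note.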
@@ -90,7 +86,7 @@ Microsoft Defender for Identity pulls tags out of Active Directory to give you a
|-----|-------------|
| **New** | Indicates that the entity was created less than 30 days ago. |
| **Deleted** | Indicates that the entity was permanently deleted from Active Directory. |
-| **Disabled** | Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object is not currently in use.
When an object is disabled, it can't be used to sign in or perform actions in the domain.|
+| **Disabled** | Indicates that the entity is currently disabled in Active Directory. The *disabled* attribute is an Active Directory flag that's available for user accounts, computer accounts, and other objects to indicate that the object is not currently in use.
When an object is disabled, it can't be used to sign in or perform actions in the domain.|
| **Enabled** | Indicates that the entity is currently enabled in Active Directory, indicating that the entity is currently in use, and can be used to sign in or perform actions in the domain. |
| **Expired** | Indicates that the entity is expired in Active Directory. When a user account is expired, the user is no longer able to log in to the domain or access any network resources. The expired account is essentially treated as if it were disabled, but with an explicit expiration date set.
Any services or applications that the user was authorized to access may also be affected, depending on how they are configured. |
| **Honeytoken** | Indicates that the entity is manually tagged as a honeytoken. |
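Review bot: the `-`/`+` pair for the `| **Disabled** |` row is textually identical, so this hunk is a whitespace-only change (trailing spaces or line endings). If that is intentional it is harmless, but it leaves the real defect in place: the cell text breaks onto a second line (`When an object is disabled, ...|`), which a Markdown table renderer treats as a new row rather than part of the Disabled cell, and the `| **Expired** |` row has the same problem. Join each row into a single line, using `<br>` if a visible break inside the cell is wanted.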
@@ -104,7 +100,7 @@ For more information, see [Defender for Identity entity tags in Microsoft Defend
> [!NOTE]
> The organization tree section and the account tags are available when a Microsoft Defender for Identity license is available.
-:::image type="content" source="/defender/media/investigate-users/user-incident-overview.png" alt-text="Screenshot of a specific user's page in the Microsoft Defender portal" lightbox="/defender/media/investigate-users/user-incident-overview.png":::
+![Screenshot of a specific user's page in the Microsoft Defender portal.](media/investigate-users/image.png)
## Incidents and alerts
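Review bot: the replacement `![Screenshot ...](media/investigate-users/image.png)` discards the descriptive filename `user-incident-overview.png` in favour of `image.png`, which will collide with the next generic screenshot added to this folder and makes the binary diff unreviewable by name; rename the new asset descriptively. The switch from `:::image:::` to plain Markdown also loses the `lightbox` attribute and is inconsistent with the `:::image:::` block this same PR adds in advanced-hunting-defender-use-custom-rules.md, so settle on one syntax.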
@@ -247,10 +243,11 @@ From the Overview page, you can do these additional actions:
- Enable, disable, or suspend the user in Microsoft Entra ID
- Direct user to do certain actions such as require the user to sign in again or force password reset
-- Reset investigation priority score for the user
- View Microsoft Entra account settings, related governance, the user's owned files, or the user's shared files
-:::image type="content" source="/defender/media/investigate-users/user-incident-actions.png" alt-text="Screenshot of the actions for remediation for a user in the Microsoft Defender portal" lightbox="/defender/media/investigate-users/user-incident-actions.png":::
+![Screenshot of the actions for remediation for a user in the Microsoft Defender portal.](media/investigate-users/picture1111.png)
+
+
For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
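Review bot: `picture1111.png` on the added image line is a throwaway name replacing `user-incident-actions.png`; rename it, and remove the two blank lines added after the image (one is enough before `For more information`). Removing the `- Reset investigation priority score for the user` bullet matches the deprecation note earlier in this file, but the new screenshot should be checked to confirm the reset action is also gone from the action list it depicts.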
diff --git a/defender-xdr/media/adx-sample.png b/defender-xdr/media/adx-sample.png
new file mode 100644
index 0000000000..2bd7ef2dd6
Binary files /dev/null and b/defender-xdr/media/adx-sample.png differ
diff --git a/defender-xdr/media/investigate-users/image.png b/defender-xdr/media/investigate-users/image.png
new file mode 100644
index 0000000000..480edf62e0
Binary files /dev/null and b/defender-xdr/media/investigate-users/image.png differ
diff --git a/defender-xdr/media/investigate-users/picture1111.png b/defender-xdr/media/investigate-users/picture1111.png
new file mode 100644
index 0000000000..718deb6f71
Binary files /dev/null and b/defender-xdr/media/investigate-users/picture1111.png differ
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
index 9b648c2d0a..993ebebd54 100644
--- a/defender-xdr/whats-new.md
+++ b/defender-xdr/whats-new.md
@@ -29,6 +29,9 @@ For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## December 2024
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+
## November 2024
- (Preview) **Attack paths** in the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, see [attack paths in the attack story](investigate-incidents.md#attack-paths).
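Review bot: the new `## December 2024` entry documents `adx()` but says nothing about the removal of the Investigation Priority Score, the Scored activities card and the reset action that this same PR makes in investigate-users.md and investigate-assets.md; a change that removes parts of the user page deserves a what's-new line, and adding it here would also force the `December 3, 2025` year in those deprecation notes to be reconciled with this heading. Minor: `log analytics` should be `Log Analytics`, matching the October 2024 entry below.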
@@ -42,7 +45,7 @@ You can also get product updates and important notifications through the [messag
## October 2024
- [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability.
-- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the `arg()` operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
## September 2024