Microsoft Security

Inside Microsoft 365 Defender: Correlating and consolidating attacks into incidents

Cybersecurity incidents are never contained to just one of your organization’s assets. Most attacks involve multiple elements across domains, including email, endpoints, identities, and applications. To rapidly understand and address incidents, your Security Operations Center (SOC) analysts need to be able to see and track all the signals from each domain, correlate and group alerts that are related, prioritize them based on their severity level, and remediate all affected assets to return them and your workforce to a secure state.

Getting a unified view of an attack is a top SOC analyst priority in quickly building the end-to-end picture of attacks and tracking all relevant details necessary for effective remediation. Navigating multiple products and switching between tools introduce friction that slows down investigations, giving attackers more time to inflict damage.

Microsoft 365 Defender (previously Microsoft Threat Protection) addresses this critical SOC need through incidents, which empower SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows. Microsoft 365 Defender harnesses the power of multiple solutions in the Microsoft 365 security portfolio – Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection), Microsoft Defender for Identity (previously Azure Advanced Threat Protection), Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), and Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security) – to deliver cross-domain visibility and coordinated defense.

A complete look at the attack chain to prevent attack sprawl

A typical attack starts with a phishing email that installs malware on an endpoint. The malware then steals the user’s credentials, which the attackers utilize to access resources on other endpoints, on-premises applications, and cloud services. Individual security solutions that focus on only one domain may alert on and remediate a portion of the attack but will likely miss other parts of the attacker operations, putting an organization at risk while creating a false sense of security.

The incidents view in Microsoft 365 Defender solves this challenge by providing a single place to view and investigate an attack across stages, from initial access to impact. Based on individual detection leads, Microsoft 365 Defender uses artificial intelligence (AI) to automatically expand an investigation, like an experienced analyst would, and gather related telemetry and other alerts that belong to the same attack. Microsoft 365 Defender also uses AI to continually analyze the vast amount of available data and, if necessary, suggest more evidence for the analyst to add to the incident. This enables your SOC analysts to focus on what matters, while Microsoft 365 Defender saves them time and helps discover undetected evidence.

Even if you don’t have all the Microsoft 365 security solutions in your organization, Microsoft 365 Defender incidents correlate threat data for the services you have deployed, reducing the clutter and providing one view of the attack, including all relevant alerts, impacted assets and associated risk levels, remediation actions and status.

Screenshot of Microsoft 365 security center showing the overview tab of the Incidents view

Streamlining investigations across domains

Microsoft 365 Defender simplifies the complex task of investigating end-to-end attacks by allowing SOC analysts to pivot and see entities – devices, files, users, emails, and processes – in the right context within a single view.

Microsoft 365 Defender breaks down the silos and combines all alerts and insights automatically across Microsoft 365 services to reveal the full picture, helping ease digital forensics work for SOC analysts. This also enables analysts to gain comprehensive understanding of attacks that they wouldn’t otherwise get from isolated out-of-context alerts.

But Microsoft 365 Defender doesn’t stop there. To help support effective triage processes, Microsoft 365 Defender prioritizes incidents, illustrates the attack chain progression, shows the attack timeline, and generates a comprehensive name for the incident. With just one click, analysts can answer questions like: Does a file observed on one device exist on other devices? Which email messages did a file come from, and was this file also shared through a cloud app?

In addition, SOC analysts can easily search for additional related activities with Go hunt, which automatically creates and runs an advanced hunting query based on information from the incident. SOC analysts can also use attack-specific insights gained during hunting to capture fine-tuned logic and nuances in a custom detection. Custom detections continuously hunt for new activities and pull new findings to the relevant incident automatically, further enriching your view of the attack.
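The pivot questions above (which messages delivered a file, and where else it appears) and the kind of query Go hunt runs can be expressed directly in advanced hunting. The query below is an added example, not output from Go hunt or Microsoft's own code; it assumes the standard AlertInfo, AlertEvidence, EmailEvents, EmailAttachmentInfo and DeviceFileEvents tables, a 30-day window, and a placeholder SHA256 that an analyst would replace with the hash from the incident's evidence.

```kql
// Added example: pivot one file hash from an incident across email,
// endpoint and alert data to see the full spread of a single artifact.
// The hash is a constructed placeholder, not a real indicator.
let FileHash = "PLACEHOLDER_SHA256_FROM_INCIDENT";
let LookbackWindow = 30d;
// 1. Which email messages carried this file as an attachment?
let DeliveringEmails =
    EmailAttachmentInfo
    | where Timestamp > ago(LookbackWindow)
    | where SHA256 == FileHash
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(LookbackWindow)
        | project NetworkMessageId, RecipientEmailAddress,
                  SenderFromAddress, Subject, DeliveryAction
      ) on NetworkMessageId, RecipientEmailAddress
    | project Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, DeliveryAction, FileName;
// 2. On which devices has the same file been written or run?
let AffectedDevices =
    DeviceFileEvents
    | where Timestamp > ago(LookbackWindow)
    | where SHA256 == FileHash
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
                Actions = make_set(ActionType), Paths = make_set(FolderPath)
        by DeviceId, DeviceName, FileName;
// 3. Which alerts, from which Defender service, already reference it?
let RelatedAlerts =
    AlertEvidence
    | where Timestamp > ago(LookbackWindow)
    | where SHA256 == FileHash
    | join kind=inner (
        AlertInfo
        | project AlertId, Title, Severity, ServiceSource
      ) on AlertId
    | distinct AlertId, Title, Severity, ServiceSource;
// One result set, tagged by stage; columns missing in a branch stay empty.
union
    (DeliveringEmails | extend Stage = "email_delivery"),
    (AffectedDevices  | extend Stage = "endpoint_presence"),
    (RelatedAlerts    | extend Stage = "existing_alert")
| order by Stage asc
```

Saving the same logic as a custom detection, with the hash replaced by the conditions learned during hunting, is how new matches get pulled into the relevant incident automatically.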

A clear view of the remediation status

When your organization is under attack, it’s essential to act swiftly but thoughtfully, based on a thorough understanding, at any point in time, of the remediation status of all affected assets and entities. Microsoft 365 Defender incidents play a critical part in remediation by:

When the investigation is complete, Microsoft 365 Defender incidents capture the investigation comments for record-keeping and knowledge-sharing with peers, with easy and in-context information for reference.

Microsoft 365 Defender provides the SOC with a complete picture of attacks in real-time

The incidents view in Microsoft 365 Defender correlates alerts and all affected entities into a cohesive view that enables your SOC to determine the full scope of threats across your Microsoft 365 services. Armed with a complete picture of attacks in real-time, your SOCs are better empowered to defend your organization against threats.

Microsoft 365 Defender delivers coordinated defense by leveraging the power of multiple Microsoft 365 security solutions. Through automation, built-in intelligence, and end-to-end visibility into malicious activities, Microsoft 365 Defender detects, correlates, blocks, remediates, and prevents attacks.

Microsoft 365 Defender harnesses the power of Microsoft 365 security products to deliver unparalleled coordinated defense that detects, correlates, blocks, remediates, and prevents attacks across an organization’s Microsoft 365 environment. Existing Microsoft 365 licenses provide access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost. To start using Microsoft 365 Defender, go to security.microsoft.com.

Learn how Microsoft 365 Defender can help your organization to stop attacks with coordinated defense. Read these blog posts in the Inside Microsoft 365 Defender series:

Idan Pelleg

Microsoft 365 Defender Team

