diff --git a/rules/promotions/m365_defender_alert_external_alerts.toml b/rules/promotions/m365_defender_alert_external_alerts.toml new file mode 100644 index 00000000000..626acd07735 --- /dev/null +++ b/rules/promotions/m365_defender_alert_external_alerts.toml @@ -0,0 +1,134 @@ +[metadata] +creation_date = "2026/06/30" +integration = ["m365_defender"] +maturity = "production" +promotion = true +updated_date = "2026/07/01" + +[rule] +author = ["Elastic"] +description = """ +Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices. Microsoft Defender +emits multiple update events for the same alert over its lifecycle, all sharing a stable alert identifier. This rule +suppresses those update events so that a single, continuous Elastic alert is maintained per Defender alert rather than a +new alert per update. Enabling this rule allows you to immediately begin investigating Microsoft Defender XDR alerts in +the app. +""" +from = "now-2m" +index = ["logs-m365_defender.alert-*"] +interval = "1m" +language = "kuery" +license = "Elastic License v2" +max_signals = 1000 +name = "Microsoft Defender XDR Alert External Alerts" +note = """## Triage and analysis + +### Investigating Microsoft Defender XDR Alert External Alerts + +Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. The alert data stream (`logs-m365_defender.alert-*`) carries pre-correlated alerts already triaged by Defender. This rule promotes each Defender alert into an Elastic detection alert so analysts can investigate without leaving the app. + +Microsoft Defender emits several update events for the same alert as its status, classification, and evidence evolve. Every update shares the same stable Defender alert identifier (`m365_defender.alert.id`, which the integration also copies into `event.id`). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates. + +If you also collect Microsoft Defender alerts through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`) rather than the native integration data stream, the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule. + +### Possible investigation steps + +- Review `m365_defender.alert.title`, `m365_defender.alert.category`, and `m365_defender.alert.threat_display_name` to understand what Defender detected. +- Pivot to the Defender portal using `m365_defender.alert.incident_web_url.original` for the full evidence graph, process tree, and remediation status. +- Examine the evidence fields under `m365_defender.alert.evidence.*` (host, file, process, user account, URL, sender) to scope the impacted entities. +- Check `m365_defender.alert.incident_id` to correlate the alert with its parent Defender incident and any sibling alerts. +- Review `m365_defender.alert.status` and `m365_defender.alert.classification` to see whether Defender has already resolved or classified the alert. + +### False positive analysis + +- Defender alerts are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding. +- Alerts involving known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception. +- Use `m365_defender.alert.classification` and `m365_defender.alert.determination` to filter out activity Defender itself has marked as a false positive. + +### Response and remediation + +- Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed. +- Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the alert. +- Investigate how the threat entered the environment and close any exploited gaps. +- Reset credentials for compromised accounts or escalate to incident response. +- Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate. +""" +references = ["https://docs.elastic.co/en/integrations/m365_defender"] +risk_score = 47 +rule_id = "c2a0e42b-ac3d-468f-82a5-0082066e1b59" +rule_name_override = "m365_defender.alert.title" +setup = """## Setup + +### Microsoft Defender XDR Alert Integration +This rule is designed to capture alert events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts. + +To capture Microsoft Defender XDR alerts, install and configure the Microsoft Defender XDR integration to ingest alert events into the `logs-m365_defender.alert-*` index pattern. + +### Alert suppression and the Defender update lifecycle + +Microsoft Defender writes multiple update events per alert during its lifecycle, all sharing the same stable identifier (`m365_defender.alert.id`, copied to `event.id`). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics: + +- Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled. +- Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert. +- The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender alert lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates. + +### Avoiding duplicate alerts + +To avoid double-counting, enable either this alert-level rule or the Microsoft Defender XDR Incident External Alerts rule (incident-level), not both: a Defender incident's child alerts appear in both data streams. Choose incident-level for the least noise (one Elastic alert per Defender incident) or alert-level for finer-grained, per-alert triage. + +### Additional notes + +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" +severity = "medium" +tags = [ + "Data Source: Microsoft Defender XDR", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Promotion: External Alerts", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.kind: alert and data_stream.dataset: m365_defender.alert +''' + + +[[rule.risk_score_mapping]] +field = "event.risk_score" +operator = "equals" +value = "" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "low" +value = "21" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "medium" +value = "47" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "high" +value = "73" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "critical" +value = "99" + +[rule.alert_suppression] +group_by = ["m365_defender.alert.id", "m365_defender.alert.tenant_id"] +missing_fields_strategy = "doNotSuppress" + +[rule.alert_suppression.duration] +unit = "h" +value = 24 + diff --git a/rules/promotions/m365_defender_incident_external_alerts.toml b/rules/promotions/m365_defender_incident_external_alerts.toml new file mode 100644 index 00000000000..7d61be3361f --- /dev/null +++ b/rules/promotions/m365_defender_incident_external_alerts.toml @@ -0,0 +1,134 @@ +[metadata] +creation_date = "2026/06/30" +integration = ["m365_defender"] +maturity = "production" +promotion = true +updated_date = "2026/07/01" + +[rule] +author = ["Elastic"] +description = """ +Generates a detection alert for each Microsoft Defender XDR incident written to the configured indices. Microsoft +Defender emits multiple update events for the same incident as its member alerts and status evolve, all sharing a stable +incident identifier. This rule suppresses those update events so that a single, continuous Elastic alert is maintained +per Defender incident rather than a new alert per update. Enabling this rule allows you to immediately begin +investigating Microsoft Defender XDR incidents in the app. +""" +from = "now-2m" +index = ["logs-m365_defender.incident-*"] +interval = "1m" +language = "kuery" +license = "Elastic License v2" +max_signals = 1000 +name = "Microsoft Defender XDR Incident External Alerts" +note = """## Triage and analysis + +### Investigating Microsoft Defender XDR Incident External Alerts + +Microsoft Defender XDR correlates related alerts across endpoints, identities, email, and applications into a single incident, providing the full attack story in one place. The incident data stream (`logs-m365_defender.incident-*`) carries these pre-correlated incidents. This rule promotes each Defender incident into an Elastic detection alert so analysts can investigate the correlated story without leaving the app. + +Microsoft Defender emits several update events for the same incident as member alerts are added and status, classification, and evidence evolve. Every update shares the same stable Defender incident identifier (`m365_defender.incident.id`, which the integration also copies into `event.id`). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates. + +The member alerts that make up an incident may also arrive through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`) rather than the native integration data stream. In that case the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule. + +### Possible investigation steps + +- Review `m365_defender.incident.display_name`, `m365_defender.incident.severity`, and `m365_defender.incident.tags` to understand the scope and priority of the incident. +- Pivot to the Defender portal using `m365_defender.incident.web_url.original` for the correlated attack story, evidence graph, and recommended actions. +- Examine the member alert fields under `m365_defender.incident.alert.*` (titles, MITRE techniques, detection sources, evidence) to scope the impacted entities and behaviors. +- Review `m365_defender.incident.status`, `m365_defender.incident.classification`, and `m365_defender.incident.determination` to see whether Defender has already resolved or classified the incident. +- Check `m365_defender.incident.redirect_incident_id` to confirm the incident has not been merged into another incident. + +### False positive analysis + +- Defender incidents are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding. +- Incidents driven entirely by known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception. +- Use `m365_defender.incident.classification` and `m365_defender.incident.determination` to filter out activity Defender itself has marked as a false positive. + +### Response and remediation + +- Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed across the incident's member alerts. +- Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the incident. +- Investigate how the threat entered the environment and close any exploited gaps. +- Reset credentials for compromised accounts or escalate to incident response. +- Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate. +""" +references = ["https://docs.elastic.co/en/integrations/m365_defender"] +risk_score = 47 +rule_id = "3c99579e-6491-4562-87f4-4d10f0a822b4" +rule_name_override = "m365_defender.incident.display_name" +setup = """## Setup + +### Microsoft Defender XDR Incident Integration +This rule is designed to capture incident events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts. + +To capture Microsoft Defender XDR incidents, install and configure the Microsoft Defender XDR integration to ingest incident events into the `logs-m365_defender.incident-*` index pattern. + +### Alert suppression and the Defender update lifecycle + +Microsoft Defender writes multiple update events per incident during its lifecycle, all sharing the same stable identifier (`m365_defender.incident.id`, copied to `event.id`). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics: + +- Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled. +- Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert. +- The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender incident lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates. + +### Avoiding duplicate alerts + +To avoid double-counting, enable either this incident-level rule or the Microsoft Defender XDR Alert External Alerts rule (alert-level), not both: a Defender incident's child alerts appear in both data streams. Incident-level (this rule) produces the least noise (one Elastic alert per Defender incident) and is the recommended default; alert-level provides finer-grained, per-alert triage. + +### Additional notes + +For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). +""" +severity = "medium" +tags = [ + "Data Source: Microsoft Defender XDR", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Promotion: External Alerts", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.kind: alert and data_stream.dataset: m365_defender.incident +''' + + +[[rule.risk_score_mapping]] +field = "event.risk_score" +operator = "equals" +value = "" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "low" +value = "21" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "medium" +value = "47" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "high" +value = "73" + +[[rule.severity_mapping]] +field = "event.severity" +operator = "equals" +severity = "critical" +value = "99" + +[rule.alert_suppression] +group_by = ["m365_defender.incident.id", "m365_defender.incident.tenant_id"] +missing_fields_strategy = "doNotSuppress" + +[rule.alert_suppression.duration] +unit = "h" +value = 24 + diff --git a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml index d37cb9930cb..4e137fc421b 100644 --- a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml +++ b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/04/07" +updated_date = "2026/06/30" [rule] author = ["Elastic"] @@ -11,28 +11,35 @@ building_block_type = "default" description = """ Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender -Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and -identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry -collection to support comprehensive threat detection. +Experts for XDR via M365 Unified Audit Logs (UAL). These cross-platform alerts indicate detected threats across +endpoints, cloud applications, and identity systems. This building block rule generates security events for correlation, +threat hunting, and telemetry collection to support comprehensive threat detection. """ from = "now-9m" index = ["logs-o365.audit-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Defender Alerts Signal" +name = "M365 Defender Alerts Signal (UAL)" +note = """## Triage and analysis + +This rule identifies Microsoft Defender alerts forwarded through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`). For alerts and incidents ingested directly from the Microsoft Defender XDR integration data streams (`logs-m365_defender.alert-*` and `logs-m365_defender.incident-*`), enable the corresponding promotion rules instead: + +- Microsoft Defender XDR Alert External Alerts (rule_id: c2a0e42b-ac3d-468f-82a5-0082066e1b59) +- Microsoft Defender XDR Incident External Alerts (rule_id: 3c99579e-6491-4562-87f4-4d10f0a822b4) +""" references = [ "https://learn.microsoft.com/en-us/defender-endpoint/", "https://learn.microsoft.com/en-us/defender-cloud-apps/", "https://learn.microsoft.com/en-us/defender-for-identity/", "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32", ] -risk_score = 21 +risk_score = 47 rule_id = "054853f3-2ce0-41f3-a6eb-4a4867f39cdc" setup = """### Additional notes For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). """ -severity = "low" +severity = "medium" tags = [ "Domain: Cloud", "Domain: SaaS", @@ -78,3 +85,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +