Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 134 additions & 0 deletions rules/promotions/m365_defender_alert_external_alerts.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
[metadata]
creation_date = "2026/06/30"
integration = ["m365_defender"]
maturity = "production"
promotion = true
updated_date = "2026/07/01"
Comment on lines +2 to +6

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices. Microsoft Defender
emits multiple update events for the same alert over its lifecycle, all sharing a stable alert identifier. This rule
suppresses those update events so that a single, continuous Elastic alert is maintained per Defender alert rather than a
new alert per update. Enabling this rule allows you to immediately begin investigating Microsoft Defender XDR alerts in
the app.
"""
from = "now-2m"
index = ["logs-m365_defender.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Microsoft Defender XDR Alert External Alerts"
note = """## Triage and analysis

### Investigating Microsoft Defender XDR Alert External Alerts

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. The alert data stream (`logs-m365_defender.alert-*`) carries pre-correlated alerts already triaged by Defender. This rule promotes each Defender alert into an Elastic detection alert so analysts can investigate without leaving the app.

Microsoft Defender emits several update events for the same alert as its status, classification, and evidence evolve. Every update shares the same stable Defender alert identifier (`m365_defender.alert.id`, which the integration also copies into `event.id`). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates.

If you also collect Microsoft Defender alerts through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`) rather than the native integration data stream, the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule.

### Possible investigation steps

- Review `m365_defender.alert.title`, `m365_defender.alert.category`, and `m365_defender.alert.threat_display_name` to understand what Defender detected.
- Pivot to the Defender portal using `m365_defender.alert.incident_web_url.original` for the full evidence graph, process tree, and remediation status.
- Examine the evidence fields under `m365_defender.alert.evidence.*` (host, file, process, user account, URL, sender) to scope the impacted entities.
- Check `m365_defender.alert.incident_id` to correlate the alert with its parent Defender incident and any sibling alerts.
- Review `m365_defender.alert.status` and `m365_defender.alert.classification` to see whether Defender has already resolved or classified the alert.

### False positive analysis

- Defender alerts are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding.
- Alerts involving known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception.
- Use `m365_defender.alert.classification` and `m365_defender.alert.determination` to filter out activity Defender itself has marked as a false positive.

### Response and remediation

- Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed.
- Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the alert.
- Investigate how the threat entered the environment and close any exploited gaps.
- Reset credentials for compromised accounts or escalate to incident response.
- Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate.
"""
references = ["https://docs.elastic.co/en/integrations/m365_defender"]
risk_score = 47
rule_id = "c2a0e42b-ac3d-468f-82a5-0082066e1b59"
rule_name_override = "m365_defender.alert.title"
setup = """## Setup

### Microsoft Defender XDR Alert Integration
This rule is designed to capture alert events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts.

To capture Microsoft Defender XDR alerts, install and configure the Microsoft Defender XDR integration to ingest alert events into the `logs-m365_defender.alert-*` index pattern.

### Alert suppression and the Defender update lifecycle

Microsoft Defender writes multiple update events per alert during its lifecycle, all sharing the same stable identifier (`m365_defender.alert.id`, copied to `event.id`). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics:

- Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled.
- Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert.
- The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender alert lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates.

### Avoiding duplicate alerts

To avoid double-counting, enable either this alert-level rule or the Microsoft Defender XDR Incident External Alerts rule (incident-level), not both: a Defender incident's child alerts appear in both data streams. Choose incident-level for the least noise (one Elastic alert per Defender incident) or alert-level for finer-grained, per-alert triage.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
"Data Source: Microsoft Defender XDR",
"Use Case: Threat Detection",
"Resources: Investigation Guide",
"Promotion: External Alerts",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: m365_defender.alert
'''


[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"

[rule.alert_suppression]
group_by = ["m365_defender.alert.id", "m365_defender.alert.tenant_id"]
missing_fields_strategy = "doNotSuppress"

[rule.alert_suppression.duration]
unit = "h"
value = 24

134 changes: 134 additions & 0 deletions rules/promotions/m365_defender_incident_external_alerts.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
[metadata]
creation_date = "2026/06/30"
integration = ["m365_defender"]
maturity = "production"
promotion = true
updated_date = "2026/07/01"
Comment on lines +2 to +6

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Microsoft Defender XDR incident written to the configured indices. Microsoft
Defender emits multiple update events for the same incident as its member alerts and status evolve, all sharing a stable
incident identifier. This rule suppresses those update events so that a single, continuous Elastic alert is maintained
per Defender incident rather than a new alert per update. Enabling this rule allows you to immediately begin
investigating Microsoft Defender XDR incidents in the app.
"""
from = "now-2m"
index = ["logs-m365_defender.incident-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Microsoft Defender XDR Incident External Alerts"
note = """## Triage and analysis

### Investigating Microsoft Defender XDR Incident External Alerts

Microsoft Defender XDR correlates related alerts across endpoints, identities, email, and applications into a single incident, providing the full attack story in one place. The incident data stream (`logs-m365_defender.incident-*`) carries these pre-correlated incidents. This rule promotes each Defender incident into an Elastic detection alert so analysts can investigate the correlated story without leaving the app.

Microsoft Defender emits several update events for the same incident as member alerts are added and status, classification, and evidence evolve. Every update shares the same stable Defender incident identifier (`m365_defender.incident.id`, which the integration also copies into `event.id`). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates.

The member alerts that make up an incident may also arrive through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`) rather than the native integration data stream. In that case the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule.

### Possible investigation steps

- Review `m365_defender.incident.display_name`, `m365_defender.incident.severity`, and `m365_defender.incident.tags` to understand the scope and priority of the incident.
- Pivot to the Defender portal using `m365_defender.incident.web_url.original` for the correlated attack story, evidence graph, and recommended actions.
- Examine the member alert fields under `m365_defender.incident.alert.*` (titles, MITRE techniques, detection sources, evidence) to scope the impacted entities and behaviors.
- Review `m365_defender.incident.status`, `m365_defender.incident.classification`, and `m365_defender.incident.determination` to see whether Defender has already resolved or classified the incident.
- Check `m365_defender.incident.redirect_incident_id` to confirm the incident has not been merged into another incident.

### False positive analysis

- Defender incidents are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding.
- Incidents driven entirely by known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception.
- Use `m365_defender.incident.classification` and `m365_defender.incident.determination` to filter out activity Defender itself has marked as a false positive.

### Response and remediation

- Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed across the incident's member alerts.
- Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the incident.
- Investigate how the threat entered the environment and close any exploited gaps.
- Reset credentials for compromised accounts or escalate to incident response.
- Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate.
"""
references = ["https://docs.elastic.co/en/integrations/m365_defender"]
risk_score = 47
rule_id = "3c99579e-6491-4562-87f4-4d10f0a822b4"
rule_name_override = "m365_defender.incident.display_name"
setup = """## Setup

### Microsoft Defender XDR Incident Integration
This rule is designed to capture incident events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts.

To capture Microsoft Defender XDR incidents, install and configure the Microsoft Defender XDR integration to ingest incident events into the `logs-m365_defender.incident-*` index pattern.

### Alert suppression and the Defender update lifecycle

Microsoft Defender writes multiple update events per incident during its lifecycle, all sharing the same stable identifier (`m365_defender.incident.id`, copied to `event.id`). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics:

- Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled.
- Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert.
- The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender incident lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates.

### Avoiding duplicate alerts

To avoid double-counting, enable either this incident-level rule or the Microsoft Defender XDR Alert External Alerts rule (alert-level), not both: a Defender incident's child alerts appear in both data streams. Incident-level (this rule) produces the least noise (one Elastic alert per Defender incident) and is the recommended default; alert-level provides finer-grained, per-alert triage.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
"Data Source: Microsoft Defender XDR",
"Use Case: Threat Detection",
"Resources: Investigation Guide",
"Promotion: External Alerts",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: m365_defender.incident
'''


[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"

[rule.alert_suppression]
group_by = ["m365_defender.incident.id", "m365_defender.incident.tenant_id"]
missing_fields_strategy = "doNotSuppress"

[rule.alert_suppression.duration]
unit = "h"
value = 24

Original file line number Diff line number Diff line change
Expand Up @@ -3,36 +3,43 @@ bypass_bbr_timing = true
creation_date = "2026/02/20"
integration = ["o365"]
maturity = "production"
updated_date = "2026/04/07"
updated_date = "2026/06/30"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft
Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender
Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and
identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry
collection to support comprehensive threat detection.
Experts for XDR via M365 Unified Audit Logs (UAL). These cross-platform alerts indicate detected threats across
endpoints, cloud applications, and identity systems. This building block rule generates security events for correlation,
threat hunting, and telemetry collection to support comprehensive threat detection.
"""
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Defender Alerts Signal"
name = "M365 Defender Alerts Signal (UAL)"
note = """## Triage and analysis

This rule identifies Microsoft Defender alerts forwarded through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`). For alerts and incidents ingested directly from the Microsoft Defender XDR integration data streams (`logs-m365_defender.alert-*` and `logs-m365_defender.incident-*`), enable the corresponding promotion rules instead:

- Microsoft Defender XDR Alert External Alerts (rule_id: c2a0e42b-ac3d-468f-82a5-0082066e1b59)
- Microsoft Defender XDR Incident External Alerts (rule_id: 3c99579e-6491-4562-87f4-4d10f0a822b4)
"""
references = [
"https://learn.microsoft.com/en-us/defender-endpoint/",
"https://learn.microsoft.com/en-us/defender-cloud-apps/",
"https://learn.microsoft.com/en-us/defender-for-identity/",
"https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
]
risk_score = 21
risk_score = 47
rule_id = "054853f3-2ce0-41f3-a6eb-4a4867f39cdc"
setup = """### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: SaaS",
Expand Down Expand Up @@ -78,3 +85,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Loading