Reviewing XDR Stories for Microsoft Defender for Endpoint Alerts

This article discusses integrating data from Microsoft Defender for Endpoint to generate stories that you can review in the Cato Stories Workbench.

Overview of Endpoint Alert Stories

Using the Microsoft API, you can integrate alert data from Microsoft Defender for Endpoint to generate stories for endpoint devices. The endpoint stories help you get a more complete picture of potential threats in your network.

The Cato Endpoint Alerts engine creates a story by correlating data from Defender Alerts that occurred on the same device within a 24-hour period. Endpoint Alert stories include all relevant evidence for the Alert detected by Defender. The Stories Workbench shows the endpoint stories together with the other story types, and you can sort and filter the stories to focus on the Endpoint Alert stories.

To integrate Defender for Endpoint alert data with Cato XDR, you need to first set up API connectors for Microsoft 365 and for Defender for Endpoint. After creating the connectors, the Endpoint Alert engine retrieves and analyzes the alert data from Defender for Endpoint.

High Level Overview of Integrating Endpoint Alert Stories

This is a high level description of the workflow for integrating and reviewing Defender for Endpoint stories in the Stories Workbench:

  1. Create the Microsoft 365 parent connector.

  2. Create the Defender for Endpoint connector.

  3. Review the Endpoint Alert stories in the Stories Workbench.

Known Limitations

  • The settings in the Story Actions panel are not configurable for Endpoint Alert stories. All fields related to the actions appear as N/A. For more about the Story Actions panel, see below.

Overview of the Microsoft Connectors

To configure Cato's Microsoft Defender connector to fetch alert data, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the Defender connector. The parent app only has permissions to manage the Microsoft connectors. After configuring the Microsoft 365 connector, you can configure a Defender connector to retrieve the alert data.

If you want to import alert data from different sub-organizations within your organization, create a separate Microsoft 365 connector for each relevant Azure tenant, and then configure a Defender connector for each tenant.

Prerequisites

  • A Microsoft 365 E3 license or higher is required

  • The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's Defender connector

Required Permissions for the Microsoft Defender Connector

To let the Defender connector retrieve the alert data from your Microsoft 365 account, the connector gives Cato the following permissions and actions with Microsoft 365:

  • Connect to the Microsoft APIs and read all Defender for Endpoint data for an organization

  • Sign in and read user profile

Configuring the Microsoft Connectors

Configure a parent Microsoft 365 connector and then define a Defender connector for the Microsoft 365 account.

If your organization already configured a Microsoft 365 parent connector for another feature, such as a Saas Security API policy for Microsoft apps, or for importing MIP labels to your DLP policy, you only need to configure a Defender connector.

Configuring the Microsoft 365 Connector

Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the relevant Azure tenant. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

Endpoint_Connectors.png

To configure the Microsoft 365 parent endpoint connector:

  1. From the navigation menu, select Security > Connectors, and select the Connectors Settings tab.

  2. Click New. The New Connector panel opens.

  3. From the SaaS Application drop-down menu, select the Microsoft 365 app.

    MIP_New_Connector_MS365.png
  4. Enter a unique Connector Name.

  5. Click Authorize and Save.

    A new browser tab opens to the Microsoft 365 app.

  6. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

      MIP_Labels_Parent_Connector_Permissions.png
    4. The screen shows that you have successfully applied the permissions for the app.

      Success_Connector_Permissions.png

      You can close the browser tab and return to the Cato Management Application.

  7. The Microsoft 365 SaaS application is added to the Connectors Settings page.

    Endpoint_Connectors_-_MS_365.png

    It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.

Configuring the Microsoft Defender for Endpoint Connector

Use the Cato Management Application to create the Microsoft Defender for Endpoint SaaS application connector for the Azure tenant with the alert data you want to use. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

Note

Note: When you create an API connector for a Microsoft 365 app, the connector creates an authentication certificate that is valid for 3 months, and renews the certificate 7 days before expiration.

To configure the Microsoft Defender connector:

  1. From the navigation menu, select Security > Connectors, and select the Connectors Settings tab.

  2. Click New. The New Connector panel opens.

  3. From the Saas Application drop-down menu, select the Microsoft Defender app.

    Defender_Connector.png
  4. From the Connector Tenant drop-down menu, select the parent Microsoft 365 connector for the tenant with the alert data you want to use.

  5. Enter a unique Connector Name for the Defender connector.

  6. Click Save.

  7. After the connector is successfully created, click Authorize.

    MIP_Labels_SuccessCreate_Authorize.png

    A new browser tab opens to the Microsoft 365 app.

  8. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

      Defender_connector_permissions.png
    4. The screen shows that you have successfully applied the permissions for the app.

      Success_Connector_Permissions.png

      You can close the browser tab and return to the Cato Management Application.

  9. The Microsoft Defender SaaS application is added to the Connectors Settings page.

    Endpoint_Connectors.png

    It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.

Understanding the Connector Status

The Status column on the Connectors Settings page shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and it is working correctly

  • Pending user consent - Permissions have not been granted to let Cato access the Microsoft 365 app. To resolve this issue, refresh the browser. If Status changes to Connected, the issue is resolved, if Status doesn't change, delete and recreate the connector.

  • Error - There is a connectivity, permissions, or other issue with the Microsoft connector. Delete and recreate the connector.

Showing the Stories Workbench Page

Detection_Response_Workbench_Endpoint.png

The Stories Workbench page shows a summary of the stories for the potential threats in your account.

To show the Stories Workbench page:

  • From the navigation menu, click Monitoring > Stories Workbench.

For information about the columns in the Stories Workbench see Understanding the Stories Columns

Showing the Endpoint Alert Stories

You can group and filter the stories according to the Endpoint Alert story type to quickly find stories for endpoint devices. For more about grouping and filtering stories, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.

Drilling-Down and Analyzing Endpoint Alert Stories

You can click on a story in the Stories Workbench to drill-down and investigate the details in a different page. This page contains a number of widgets that help you evaluate the potential threat identified in the story.

When you drill-down to investigate an Endpoint Alert story, you can review all the Defender Alerts that the story is based on, and examine in detail the pieces of evidence that relate to each Alert. The Evidences include processes, files, and registry values, and can be reviewed in two different ways:

  • A chronological process tree presented in the context of a specific Alert - This helps you understand the sequence of events that looked suspicious and generated the Alert

    Note

    Note: It is occasionally possible that the process tree for a story is unavailable due to Microsoft Defender API connectivity issues,

  • The Evidences table - Provides an overview of the Evidences from all the Endpoint Alert stories. This helps to assess more broadly the prevalence of specific malicious or suspicious activities on the endpoint device

Understanding the Endpoint Alert Story Drill-Down Widgets

Detection___Response_Endpoint_callouts.png

These are the story drill-down widgets:

Name

Description

Story summary (top row)

The Overview shows a summary of basic information about the story, including:

  • Indication for the detected attack

  • The Detection & Response engine that created the story

  • Severity of the threat as determined by analyst

  • Verdict for the threat as determined by analyst

  • Attack type (for example, Browser Extension, Native Application, Scanner, Web App)

  • Detailed classification of the threat as determined by analyst (for example, Port Scan, Newly Registered Domain, SMB Scan)

  • Number of compromised devices

  • Number of signals (traffic flows) associated with the attack

  • Duration of the story since it was created

  • Story status

Use the Actions drop-down menu and select Manage Story change story settings such as Analyst Verdict, Analyst Severity, Status, and Classification.

The Related Stories tab provides context for the story you're investigating by letting you quickly review stories with the same source and stories with similar characteristics involving different sources on your network.

Story timeline (second row)

Shows a timeline of the story, such as changes made to the story verdict and severity, and when new Alerts are added to the story

Details

Basic information for analyzing the story, including:

  • Criticality - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values are from 1 (least critical) to 10 (most critical))

  • Created At - Time of the first traffic flow for the story

  • Updated At - Time of the latest story update, such as a new alert or changed verdict

Device

Name and operating system for the endpoint device associated with the story

User

Shows the user name and domain name for the user logged into the endpoint device

Alerts

Shows details for the Alerts related to the story.

  • Expand an Alert to show a chronological process tree for the Evidences related to the Alert, including processes, files, and registry values

  • Click an item in the process tree to drill-down further and show granular data about the Evidence

These are the columns in the Alerts table:

  • An Alert Name that describes the suspicious activity

  • Criticality - Overall risk score for the Alert as calculated by Cato's machine learning risk analysis algorithm (values are from 1 - 10)

  • MITRE Techniques - MITRE ATT&CK® techniques identified for the threat

    For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

  • Status - Shows whether the Alert is New or was already Resolved

  • First Activity Date - Date of initial suspicious activity detected for the Alert

  • Last Activity Date - Date of most recent suspicious activity detected for the Alert

  • Threat Name - Name of malware detected. For example: Trojan:Win32/Startpage

  • Description & Recommended Actions - Click View for a brief Alert description and recommended steps for investigating and mitigating the threat

  • Target - The URL involved in the Alert

  • Destination IP - The remote IP address involved in the story

Evidences

Aggregates details for all the Processes, Files, and Registry values identified in the evidence for the various story Alerts.

Some of the columns in the Evidences table are shared by all the types of Evidences, and some are specific per type.

These are the columns that appear for all types of Evidences:

  • Verdict - Verdict generated by Defender for the piece of evidence (Malicious, Suspicious, or No threats found)

  • Remediation Status - Shows whether the threat was remediated

  • Created - Date and time when the event was recorded

These are the specific columns for each type of Evidence:

  • Processes:

    • Process Name - Name of the executable file for the process

    • Process ID - Windows-assigned ID number for the process

    • Process Command Line - Arguments that were passed to the process in Windows. This can reveal important context about the execution of a suspicious process

    • File Path - Location on the endpoint device of the executable file for the process

  • Files:

    • File Path - Location of the file on the endpoint device

    • File Name - Name of the file including extension

    • File Size - Size of the file in bytes, kilobytes, or megabytes

  • Registry:

    • Registry key Name

    • Registry Value Type - Format of the data stored in the registry value

    • Registry Value - The value of the registry entry

Was this article helpful?

1 out of 1 found this helpful

0 comments

Add your comment