Reviewing XDR Stories for Microsoft Entra ID Protection Alerts

This article discusses how you can use the Stories Workbench to review XDR stories for sign-in anomalies detected in Microsoft Entra ID Protection alerts.

Overview

Microsoft Entra ID Protection helps organizations detect identity-based risks for their Entra ID tenant, such as anomalous sign-ins that may indicate malicious activity. Using the Microsoft API, you can integrate alert data from Microsoft Entra ID Protection to generate Cato XDR stories. This lets analysts view risky sign-ins in the broader context of an XDR investigation. The Cato Entra Identity Alert engine creates a story by correlating Entra ID Protection alerts for the same user that occurred within a 24-hour period. The Stories Workbench shows the Entra Identity Alert stories together with the other story types, and you can sort and filter the stories to focus on the Entra Identity Alert stories.
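The grouping rule described above, as an added worked example (this is not Cato's code, and the field names and sample alerts are constructed, not the Cato or Microsoft schema): alerts are processed in time order and, per user, an alert joins the open story if it falls within 24 hours of that story's first signal; otherwise it opens a new story. Anchoring the 24-hour window at the first signal is an assumption about how the engine bounds the period, and the summary fields mirror the Details widget (First Signal, Updated At, Associated Signals).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts shaped loosely like Entra ID Protection risk
# detections. Field names and values are illustrative assumptions, not the
# Cato or Microsoft schema.
SAMPLE_ALERTS = [
    {"user": "alice@example.com", "name": "Unfamiliar sign-in properties",
     "time": "2024-05-01T08:05:00Z", "ip": "203.0.113.10", "country": "DE"},
    {"user": "alice@example.com", "name": "Atypical travel",
     "time": "2024-05-01T09:40:00Z", "ip": "198.51.100.7", "country": "BR"},
    {"user": "bob@example.com", "name": "Password spray",
     "time": "2024-05-01T10:00:00Z", "ip": "192.0.2.44", "country": "US"},
    {"user": "alice@example.com", "name": "Anonymous IP address",
     "time": "2024-05-02T07:59:00Z", "ip": "198.51.100.9", "country": "NL"},
    # More than 24h after alice's first signal: should open a second story.
    {"user": "alice@example.com", "name": "Malicious IP address",
     "time": "2024-05-02T08:30:00Z", "ip": "198.51.100.12", "country": "RU"},
]

WINDOW = timedelta(hours=24)   # assumed: window anchored at the story's first signal


@dataclass
class Story:
    user: str
    first_signal: datetime
    alerts: list = field(default_factory=list)

    @property
    def updated_at(self) -> datetime:
        return max(a["time"] for a in self.alerts)


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(alerts, window: timedelta = WINDOW) -> list:
    """Group alerts into per-user stories; each story spans at most `window`
    from its first signal. Alerts are processed in time order so that
    out-of-order input still lands in the right story."""
    stories = []
    open_story = {}   # user -> the story currently accepting that user's alerts
    for raw in sorted(alerts, key=lambda a: parse_time(a["time"])):
        alert = dict(raw, time=parse_time(raw["time"]))
        story = open_story.get(alert["user"])
        if story is None or alert["time"] - story.first_signal >= window:
            story = Story(user=alert["user"], first_signal=alert["time"])
            stories.append(story)
            open_story[alert["user"]] = story
        story.alerts.append(alert)
    return stories


def summarize(stories) -> list:
    """Flatten stories into the fields shown in the story Details widget."""
    return [
        {
            "user": s.user,
            "first_signal": s.first_signal.isoformat(),
            "updated_at": s.updated_at.isoformat(),
            "signals": len(s.alerts),
            "alert_names": sorted({a["name"] for a in s.alerts}),
        }
        for s in stories
    ]


if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE_ALERTS)):
        print(row)
```

With the sample data, alice's first three alerts (08:05 and 09:40 on May 1, 07:59 on May 2) fall inside one 24-hour window and form a single story with three signals; the 08:30 alert on May 2 is 24h25m after the first signal and opens a second story, and bob's single alert forms a third.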

You can also enrich Entra Identity Alert stories by integrating sign-in event data from Microsoft Entra ID. This provides context of the user's usual sign-in behavior which can be compared with the anomalous alert data provided by Entra ID Protection.

Prerequisites

Entra Identity Alert stories require the Microsoft Entra ID Protection connector. The sign-in event widgets in the story drill-down additionally require the Microsoft Entra ID connector.

Notes:

  • If you configure only the Microsoft Entra ID Protection connector, Entra Identity Alert stories are generated, but the Sign-In Events and Sign-In Events on the User widgets show no data.

  • If you configure only the Microsoft Entra ID connector, no Entra Identity Alert stories are generated.

Showing the Stories Workbench Page

[Image: Stories Workbench page]

The Stories Workbench page shows a summary of the stories for the potential threats in your account.

To show the Stories Workbench page:

  • From the navigation menu, click Monitoring > Stories Workbench.

For information about the columns in the Stories Workbench, see Understanding the Stories Columns.

Showing the Entra Identity Alert Stories

You can group and filter the stories according to the Entra Identity Alert story type to quickly find stories for sign-in anomalies. For more about grouping and filtering stories, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.

Drilling-Down and Analyzing Entra Identity Alert Stories

You can click a story in the Stories Workbench to drill down and investigate its details on a separate page. This page contains a number of widgets that help you evaluate the potential threat identified in the story.

When you drill-down to investigate an Entra Identity Alert story, you can review all the Entra ID Protection alerts that the story is based on, and examine the data that relates to each alert.

To add context to the alerts, you can also review the user's sign-in events from the day of the alert and the preceding 2 days (requires the Microsoft Entra ID connector; see Prerequisites above).
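The comparison an analyst makes with the Sign-In Events widgets, as an added worked example that is not Cato's code: take the user's sign-ins from the day of the alert plus the preceding 2 calendar days (UTC), build a baseline from the successful sign-ins that did not come from the alert's IP address, and report which attributes (source IP, country, OS type, user agent) of the sign-ins from the alert's IP never appear in that baseline. The sample sign-in events, the alert record, and the field names are constructed assumptions, not the Entra ID sign-in log or Cato schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events for one user. Field names are
# illustrative assumptions, not the Entra ID sign-in log or Cato schema.
SIGN_INS = [
    {"time": "2024-04-28T09:00:00Z", "ip": "192.0.2.10", "country": "DE",
     "os": "Windows", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "result": "Succeeded"},                       # 3 days back: outside the window
    {"time": "2024-04-29T08:50:00Z", "ip": "192.0.2.10", "country": "DE",
     "os": "Windows", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "result": "Succeeded"},
    {"time": "2024-04-30T18:12:00Z", "ip": "192.0.2.11", "country": "DE",
     "os": "macOS", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
     "result": "Succeeded"},
    {"time": "2024-05-01T03:20:00Z", "ip": "198.51.100.7", "country": "BR",
     "os": "Linux", "ua": "python-requests/2.31", "result": "Failed"},
    {"time": "2024-05-01T09:40:00Z", "ip": "198.51.100.7", "country": "BR",
     "os": "Linux", "ua": "python-requests/2.31", "result": "Succeeded"},
]

# The Entra ID Protection alert under investigation (constructed).
ALERT = {"time": "2024-05-01T09:40:00Z", "ip": "198.51.100.7", "country": "BR"}

ATTRS = ("ip", "country", "os", "ua")


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def context_window(alert_time: datetime, days_before: int = 2):
    """UTC day of the alert plus the preceding `days_before` calendar days,
    returned as a half-open [start, end) interval."""
    day = alert_time.astimezone(timezone.utc).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return day - timedelta(days=days_before), day + timedelta(days=1)


def compare_to_baseline(events, alert) -> dict:
    """Split the user's in-window sign-ins into a baseline (successful sign-ins
    from addresses other than the alert's) and the suspect sign-ins (from the
    alert's IP), then report suspect attribute values absent from the baseline."""
    start, end = context_window(parse_time(alert["time"]))
    baseline = {k: set() for k in ATTRS}
    suspect = {k: set() for k in ATTRS}
    in_window = baseline_n = failed_from_alert_ip = 0
    for e in events:
        if not (start <= parse_time(e["time"]) < end):
            continue
        in_window += 1
        if e["ip"] == alert["ip"]:
            # The suspect source must never be allowed to define "usual",
            # so its sign-ins (successful or not) stay out of the baseline.
            if e["result"] != "Succeeded":
                failed_from_alert_ip += 1
            for k in ATTRS:
                suspect[k].add(e[k])
        elif e["result"] == "Succeeded":
            baseline_n += 1
            for k in ATTRS:
                baseline[k].add(e[k])
    return {
        "window": (start.isoformat(), end.isoformat()),
        "events_in_window": in_window,
        # 0 here means "no comparison possible", not "everything is novel".
        "baseline_events": baseline_n,
        "failed_from_alert_ip": failed_from_alert_ip,
        "novel": {k: sorted(suspect[k] - baseline[k]) for k in ATTRS},
    }


if __name__ == "__main__":
    r = compare_to_baseline(SIGN_INS, ALERT)
    print(f"{r['events_in_window']} events in window, {r['baseline_events']} in baseline, "
          f"{r['failed_from_alert_ip']} failed attempts from the alert IP")
    for attr, values in r["novel"].items():
        if values:
            print(f"  not seen in baseline ({attr}): {values}")
```

Two points the code makes explicit that the widgets leave to the analyst: sign-ins from the alert's own IP are excluded from the baseline so an attacker who has already succeeded once does not look "usual", and an empty baseline (a user with no other successful sign-ins in the 3-day window) is reported as such rather than as every attribute being novel. The user agent and OS values come from the client and are trivially spoofed, so a match against the baseline is weak evidence of legitimacy, while a mismatch remains a useful lead.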

Understanding the Entra Identity Alert Story Drill-Down Widgets

[Image: Entra Identity Alert story drill-down page with numbered callouts for each widget]

These are the story drill-down widgets:

1. Story summary

A summary of basic information about the story, including:

  • Attack Detected - Indication of whether an attack was detected

  • The Detection & Response Producer (engine) that generated the story

  • Conclusions about the story that can be defined by an analyst, including:

    • Analyst Severity - Severity of the threat

    • Analyst Verdict for the threat

    • Attack Type

    • Detailed Classification of the threat

  • Associated Signals - Number of signals (traffic flows or alerts) associated with the attack

  • Duration of the story since it was created

  • Story status

Story settings such as Analyst Verdict, Analyst Severity, Status, Type, and Classification are managed with the Manage Story option under the Actions button.

2. Story timeline

Shows a timeline of the story, such as changes made to the story verdict and severity, and when new alerts are added to the story.

3. Details

Basic information for analyzing the story, including:

  • A Description of the sign-in anomaly

  • First Signal - Time of the first signal (alert) associated with the anomaly

  • Created At - Time the story was generated

  • Updated At - Time of the latest story update, such as a new alert

  • Criticality - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values are from 1 (least critical) to 10 (most critical))

  • MITRE Tags - MITRE ATT&CK® techniques identified for the threat.

    For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

    • Click a MITRE ATT&CK® technique to read its description on the MITRE ATT&CK® website

4. Source

The user name and email address associated with the sign-ins in the alert

5. Sign-In Events

(This widget requires the Microsoft Entra ID connector)

Charts with breakdowns of data from sign-in events for the user from the day of the alert plus the preceding 2 days. Use the dropdown to choose the data type shown on the charts. These are the options:

  • Source IP - The IP address of the source detected in the sign-in event

  • Sign-In Location - The geolocation where the sign-in was performed from

  • Client Classification - The type of client used for the sign-in (for example, the browser name and version)

  • User Agent - The user agent used in the sign-in, as sent in the HTTP User-Agent header. The value is supplied by the client and is trivially spoofed, so treat it as context rather than as evidence of who the client is. These are examples of user agent values:

    • Chrome/90.0.4430.212

    • Safari/537.36

    • Mozilla/5.0 (Windows NT 10.0; Win64; x64)

  • OS Type - The type of operating system on the device used for the sign-in (for example, Windows, macOS)

  • OS Version - The version number of the operating system on the device used for the sign-in

6. Alerts

Shows details for the alerts related to the story.

These are the columns in the Alerts table:

  • An Alert Name that describes the type of sign-in anomaly

    Alert Names include: Atypical travel, Anomalous token, Suspicious browser, Unfamiliar sign-in properties, Malicious IP address, Password spray, Impossible travel, New country, Activity from anonymous IP address, Anonymous IP address.

    For more information about the Entra ID Protection alert types, see the Microsoft documentation.

  • Criticality - Overall risk score for the alert as calculated by Cato's machine learning risk analysis algorithm (values are from 1 (least critical) to 10 (most critical))

  • IP Address - The IP address of the source in the alert

  • MITRE Techniques - MITRE ATT&CK® techniques identified for the threat

    For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

  • Status - Shows the remediation status for the alert

  • Alert Time - Time the alert was generated

  • Country - The geolocation where the sign-in in the alert was performed from

7. Sign-In Events on the User

(This widget requires the Microsoft Entra ID connector)

Shows data from the user's sign-in events from the day of the alert and the preceding 2 days.

These are the columns in the table:

  • Time of the sign-in event

  • User Name for the sign-in

  • Source IP - The IP address of the source detected in the sign-in event

  • Sign-In Location - The geolocation where the sign-in was performed from

  • Action - Result of the sign-in attempt (values: Failed, Succeeded, Access denied)

  • Failure Reason - Explanation for sign-in results of Failed or Access denied

  • Application - The application the user attempted to sign in to

  • Client Classification - The type of client used for the sign-in (for example, the browser name and version)

  • OS Type - The type of operating system on the device used for the sign-in (for example, Windows, macOS)

  • OS Version - The version number of the operating system on the device used for the sign-in

  • User Agent - The user agent used in the sign-in, as sent in the HTTP User-Agent header (client-supplied, so easily spoofed). These are examples of user agent values:

    • Chrome/90.0.4430.212

    • Safari/537.36

    • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
