Microsoft Defender ATP Alert Aggregation and Correlation
This analytic aggregates and summarizes alerts from Microsoft Defender ATP, enriching them with MITRE ATT&CK context and risk scoring for improved correlation and risk-based alerting.
This analytic focuses on enhancing alert data originating from Microsoft Defender ATP. Instead of detecting entirely new activity, it leverages existing alerts to provide a more comprehensive picture of potential threats. The Splunk search aggregates and summarizes alerts, extracting key information like source, file names, severity levels, process command lines, IP addresses, registry keys, signatures, descriptions, unique IDs, and timestamps. The primary goal is to enable security teams to correlate Microsoft Defender ATP alerts with other data sources, contributing to a risk-based alerting strategy within Splunk Enterprise Security. A key aspect is dynamically mapping MITRE ATT&CK techniques associated with the alerts and dynamically setting risk scores based on the alert's severity as determined by Microsoft Defender ATP. The analytic also filters out any alerts where the verdict is "clean" to reduce noise.
Attack Chain
Since this analytic consumes existing alerts, the attack chain represents a generic endpoint compromise scenario that would trigger Defender ATP alerts.
- Initial Access: A user clicks a malicious link in a phishing email (T1566.001), leading to malware execution.
- Execution: The malicious attachment executes a PowerShell script (T1059.001) to download further payloads.
- Persistence: The PowerShell script creates a scheduled task (T1053.005) to ensure the malware runs after reboot.
- Defense Evasion: The malware attempts to disable Windows Defender Antivirus (T1562.001) using PowerShell commands.
- Command and Control: The malware establishes a connection to a remote C2 server (T1071.001) to receive instructions.
- Lateral Movement: The malware uses SMB (T1021.002) to spread to other machines on the network.
- Exfiltration: Sensitive data is compressed and exfiltrated (T1041) to an external server controlled by the attacker.
- Impact: Data is encrypted or deleted, resulting in a ransomware attack or data breach (T1485).
Impact
Successful exploitation can lead to data breaches, ransomware attacks, and significant business disruption. The impact depends heavily on the nature of the initial compromise and the attacker's objectives. While the number of victims is unknown, organizations relying solely on default Microsoft Defender ATP configurations without correlation and enrichment are at higher risk. The affected sectors are broad, as endpoint compromise is a common attack vector across all industries. Failure to detect and respond to these alerts promptly can result in significant financial losses, reputational damage, and legal liabilities.
Recommendation
- Deploy the provided Splunk search to your Splunk environment and tune the
ms_defender_atp_alerts_filtermacro to filter out known false positives in your environment. - Configure the Splunk Add-on for Microsoft Security to ingest alerts from Microsoft Defender ATP using the
ms:defender:atp:alertssourcetype, as detailed in the "how_to_implement" section. - Implement the Sigma rule
Detect Suspicious Defender ATP Alerts by Severityto prioritize high and critical alerts for immediate investigation. - Investigate any alerts where the risk score, dynamically calculated from the alert severity, exceeds a threshold appropriate for your organization.
Detection coverage 2
Detect Suspicious Defender ATP Alerts by Severity
highDetects alerts from Microsoft Defender ATP with high or critical severity, indicating potentially significant security incidents.
Detect Defender ATP Alerts with Network Connections
mediumDetects alerts from Microsoft Defender ATP which involve network connections, potentially indicating command and control or data exfiltration.
Detection queries are available on the platform. Get full rules →