{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-defender-atp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender ATP"],"_cs_severities":["medium"],"_cs_tags":["endpoint","alert-correlation","risk-based-alerting"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic focuses on enhancing alert data originating from Microsoft Defender ATP. Instead of detecting entirely new activity, it leverages existing alerts to provide a more comprehensive picture of potential threats. The Splunk search aggregates and summarizes alerts, extracting key information like source, file names, severity levels, process command lines, IP addresses, registry keys, signatures, descriptions, unique IDs, and timestamps. The primary goal is to enable security teams to correlate Microsoft Defender ATP alerts with other data sources, contributing to a risk-based alerting strategy within Splunk Enterprise Security. A key aspect is dynamically mapping MITRE ATT\u0026amp;CK techniques associated with the alerts and dynamically setting risk scores based on the alert's severity as determined by Microsoft Defender ATP. The analytic also filters out any alerts where the verdict is \u0026quot;clean\u0026quot; to reduce noise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince this analytic consumes existing alerts, the attack chain represents a generic endpoint compromise scenario that would trigger Defender ATP alerts.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A user clicks a malicious link in a phishing email (T1566.001), leading to malware execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The malicious attachment executes a PowerShell script (T1059.001) to download further payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The PowerShell script creates a scheduled task (T1053.005) to ensure the malware runs after reboot.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The malware attempts to disable Windows Defender Antivirus (T1562.001) using PowerShell commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The malware establishes a connection to a remote C2 server (T1071.001) to receive instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The malware uses SMB (T1021.002) to spread to other machines on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Sensitive data is compressed and exfiltrated (T1041) to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Data is encrypted or deleted, resulting in a ransomware attack or data breach (T1485).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data breaches, ransomware attacks, and significant business disruption. The impact depends heavily on the nature of the initial compromise and the attacker's objectives. While the number of victims is unknown, organizations relying solely on default Microsoft Defender ATP configurations without correlation and enrichment are at higher risk. The affected sectors are broad, as endpoint compromise is a common attack vector across all industries. Failure to detect and respond to these alerts promptly can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Splunk search to your Splunk environment and tune the \u003ccode\u003ems_defender_atp_alerts_filter\u003c/code\u003e macro to filter out known false positives in your environment.\u003c/li\u003e\n\u003cli\u003eConfigure the Splunk Add-on for Microsoft Security to ingest alerts from Microsoft Defender ATP using the \u003ccode\u003ems:defender:atp:alerts\u003c/code\u003e sourcetype, as detailed in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Defender ATP Alerts by Severity\u003c/code\u003e to prioritize high and critical alerts for immediate investigation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts where the risk score, dynamically calculated from the alert severity, exceeds a threshold appropriate for your organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-defender-atp-alerts/","summary":"This analytic aggregates and summarizes alerts from Microsoft Defender ATP, enriching them with MITRE ATT\u0026CK context and risk scoring for improved correlation and risk-based alerting.","title":"Microsoft Defender ATP Alert Aggregation and Correlation","url":"https://feed.craftedsignal.io/briefs/2024-01-02-defender-atp-alerts/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Defender ATP","version":"https://jsonfeed.org/version/1.1"}