Defender XDR


Microsoft Defender XDR and Microsoft Sentinel are now in one portal and dashboard for SOC teams.
One dashboard to manage defenses. A single portal for threat investigation, detection, and response. A single command center built on a common data model that helps you manage your SOC and work faster. One place to investigate all incidents, making incident triage more straightforward, investigation more seamless, and insights more holistic. One place to search and hunt for threats across all data.
Real stories of incident investigations and threat hunting with Microsoft Sentinel and Defender XDR will be presented.

Run an attack simulation in Unified Security Operations with Microsoft Sentinel and Defender XDR – the walkthrough wraps up the attack simulation with incident analysis, automated investigation, and incident resolution.
🔥Fileless PowerShell attack with process injection and SMB recon, with automatic attack disruption in Defender XDR:
I simulated an attack with an isolated and onboarded VM, VM1-UrosWinSrv2022:
– Starts with a PowerShell script; the attacker is attempting to move laterally in the network.
– Simulated attack code is injected into an automatically spawned Notepad instance, which then attempts to communicate with an external IP address (simulating the C2 server).
– Reconnaissance is attempted against the domain controller over SMB.
– A new incident for the simulated attack appears in the incident queue.
– The following alerts are raised:
✔️Alert1 by MDE: Suspicious process injection observed
✔️Alert2: Unexpected behavior observed by a process run with no command-line arguments
✔️Alert3: User and IP address reconnaissance (SMB)
✔️Alert4: In Defender for Endpoint, the following alert is visible: “Command and Control behavior was blocked”.
Review the device timeline with Microsoft Defender for Endpoint:
– Enumeration over the SMB protocol lets attackers obtain recent user logon information, which helps them move laterally through the network to reach a specific sensitive account.
– In this detection, an alert is triggered when SMB session enumeration runs against WS -WinSrv, with automatic attack disruption in Microsoft Defender XDR.
– Automated investigation and remediation are triggered by Microsoft Defender for Identity and Microsoft Defender for Endpoint.
– Select the alert that triggered an investigation to open the Investigation details page, which shows:
– Alert(s) that triggered the automated investigation.
– Impacted users and devices. If indicators are found on additional devices, those devices are listed as well.
– List of evidence: the entities found and analyzed, such as files, processes, services, drivers, and network addresses.
– Threats found: known threats discovered during the investigation.
After the investigation is complete and the threat is confirmed to be remediated, resolve the incident.
– From the Incident page, select Manage incident. Set the status to Resolve incident, select True alert for the classification, and select Security testing for the determination.
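As an added example (not from the original post, and not Microsoft's own detection logic), here is an advanced hunting query in KQL that surfaces the simulation's key artifacts from the device timeline: a Notepad instance spawned by PowerShell with no command-line arguments that then talks to a public IP address. The device name VM1-UrosWinSrv2022 is taken from the post; the 7-day lookback and the 1-hour correlation window are assumptions.

```kql
// Added example: hunt for the simulated Notepad injection and C2 beacon.
// Assumptions: 7-day lookback, 1-hour window between Notepad start and the beacon.
let lookback = 7d;
let beaconWindow = 1h;
// Step 1: Notepad instances started by PowerShell with no command-line arguments
// (matches the "process run with no command-line arguments" alert in the post).
let suspiciousNotepad =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName startswith "VM1-UrosWinSrv2022"   // device name from the post
    | where FileName =~ "notepad.exe"
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
    // command line is only the image path, optionally quoted, with nothing after it
    | where ProcessCommandLine matches regex @'(?i)^"?[^"]*notepad\.exe"?\s*$'
    | project DeviceId, DeviceName, NotepadStart = Timestamp, ProcessId,
              ParentCommandLine = InitiatingProcessCommandLine;
// Step 2: outbound connections to public IPs made by those Notepad instances,
// correlated on device and process id and limited to the beacon window.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "notepad.exe"
| where RemoteIPType == "Public"
| join kind=inner suspiciousNotepad
    on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| where Timestamp between (NotepadStart .. (NotepadStart + beaconWindow))
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl,
          NotepadStart, ParentCommandLine
| order by Timestamp asc
```

A row returned here corresponds to the injected Notepad process contacting the simulated C2 address; an empty result on the same device after attack disruption shows the outbound connection was blocked before it reached the network.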

Unifying Defender XDR, Sentinel and Security Copilot workshop

Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Security Copilot are available as a unified experience: all your alerts, incidents, playbooks, and policies in one place, with more AI, more automation, and an unparalleled view of emerging threats enriching it all. One dashboard to manage defenses. A single portal for threat investigation, detection, and response. Simplified with help from Security Copilot, which translates natural language to KQL and generates the queries for you.
During my presentation and hands-on lab, I demonstrated the capabilities of Defender XDR, Microsoft Sentinel, and Security Copilot in a real attack scenario with AI-powered automation. These tools automatically disrupted the lateral movement of infected devices and suspended compromised accounts in real time.
During this session, I spoke about how Security Copilot aids in incident forensic investigations, threat hunting, and vulnerability management reports, with practical use cases.