This dashboard provides a comprehensive overview of security alerts detected by Microsoft Defender XDR. It offers insights into alert severity, classification, and trends, helping security teams quickly identify and prioritize potential threats across the organization’s digital environment.
| Widget Name | Description |
|---|---|
| Total Alerts | The total number of unique triggered alerts, counted by detection_id. |
| Alerts by Severity | The number of alerts per severity. Possible values for severity are ‘unknown’, ‘informational’, ‘low’, ‘medium’, ‘high’, and ‘unknownFutureValue’. |
| Alerts by Severity over Time | Displays the alerts on a time trend, split by severity. Possible values for severity are ‘unknown’, ‘informational’, ‘low’, ‘medium’, ‘high’, and ‘unknownFutureValue’. |
| Alerts by Classification | Displays the classification assigned to each alert by the analyst, representing whether it is a true threat. Possible values for classification are ‘unknown’, ‘falsePositive’, ‘truePositive’, ‘informationalExpectedActivity’, and ‘unknownFutureValue’. |
| Alerts by Determination | Displays the result of the investigation: whether the alert represents a true attack and, if so, the nature of the attack. Possible values for determination are ‘unknown’, ‘apt’, ‘malware’, ‘securityPersonnel’, ‘securityTesting’, ‘unwantedSoftware’, ‘other’, ‘multiStagedAttack’, ‘compromisedUser’, ‘phishing’, ‘maliciousUserActivity’, ‘clean’, ‘insufficientData’, ‘confirmedUserActivity’, ‘lineOfBusinessApplication’, and ‘unknownFutureValue’. |
| Alerts by Category | Displays an overview of the MITRE ATT&CK tactics corresponding to the alerts. |
| Top 10 Users in Multiple High Severity Alerts | Displays the ten users associated with the most high severity alerts. Repeated high severity alerts on one account may indicate that the account is compromised or a possible insider threat. |
| True Positive Alerts | Displays an overview of the alerts classified as true positive, i.e. those that indicate malicious activity. It lists the time the log was generated, alert title, alert ID, determination assigned by the analyst, alert severity (risk_level), user involved, user_id, source_address, service source that created the alert, alert status, and the assignee. |
| Alerts by Detection Source | Displays the detection technology or sensor that identified the notable component or activity. Possible values for detection source are ‘unknown’, ‘microsoftDefenderForEndpoint’, ‘antivirus’, ‘smartScreen’, ‘customTi’, ‘microsoftDefenderForOffice365’, ‘automatedInvestigation’, ‘microsoftThreatExperts’, ‘customDetection’, ‘microsoftDefenderForIdentity’, ‘cloudAppSecurity’, ‘microsoft365Defender’, ‘azureAdIdentityProtection’, ‘manual’, ‘microsoftDataLossPrevention’, ‘appGovernancePolicy’, ‘appGovernanceDetection’, and ‘unknownFutureValue’. |
| Multiple Users with Same High Severity Alert | Displays high severity alerts that involve more than one user, along with the users associated with each alert. |
| Alerts by Service Source | Displays the service or product that created the alert. Possible values for event_source are ‘unknown’, ‘microsoftDefenderForEndpoint’, ‘microsoftDefenderForIdentity’, ‘microsoftDefenderForCloudApps’, ‘microsoftDefenderForOffice365’, ‘microsoft365Defender’, ‘azureAdIdentityProtection’, ‘microsoftAppGovernance’, ‘dataLossPrevention’, ‘unknownFutureValue’, ‘microsoftDefenderForCloud’, and ‘microsoftSentinel’. |
| High Severity Alerts Overview | Displays an overview of the high severity alerts: the time the log was generated, alert title, detection ID, username, user ID, classification and determination set by the analyst, threat and threat family associated with the alert, verdict (the decision reached by automated investigation), and alert status. Possible values for the verdict are ‘unknown’, ‘suspicious’, ‘malicious’, ‘noThreatsFound’, and ‘unknownFutureValue’. |
| Recent Alerts Overview | Displays the 30 most recent alerts in a table: the time the alert was created, alert title, detection_id, user_id of the user involved, severity, classification, status, threat associated with the alert, and threat family (threat_type). A limit of 30 is applied; it can be adjusted as required. |
| Alerts by Geolocation | Displays the geolocation from which the activity that raised the alert originated. |
| Remarks on Alerts by Analyst | Displays the comments added by analysts on triggered alerts. |
This dashboard, focused on security incidents, aggregates related alerts and provides a higher-level view of ongoing security issues. It helps track incident severity, classification, and status, enabling efficient incident response and management.
| Widget Name | Description |
|---|---|
| Total Incidents | Displays the total number of incidents. |
| Incidents by Severity | Displays the number of incidents per severity. Possible values for severity are ‘unknown’, ‘informational’, ‘low’, ‘medium’, ‘high’, and ‘unknownFutureValue’. |
| Incident Severity over Time | Displays the severity of incidents on a time trend; higher severity indicates a larger potential impact. Possible values for severity are ‘unknown’ (severity not known), ‘informational’, ‘low’, ‘medium’, ‘high’, and ‘unknownFutureValue’. |
| Recent Incidents Overview | Displays an overview of the most recent incidents: the last updated time of the incident (log_ts), unique identifier of the incident (incident_id), incident title, incident severity (risk_level), classification, determination, and status. |
| Incidents by Classification | Displays the classification of incidents, indicating whether each represents a true threat. Possible values for classification are ‘unknown’, ‘falsePositive’, ‘truePositive’, ‘informationalExpectedActivity’, and ‘unknownFutureValue’. |
| Incidents by Determination | Displays the result of the investigation, indicating whether the incident represents a true attack and, if so, its nature. Possible values for determination are ‘unknown’, ‘apt’, ‘malware’, ‘securityPersonnel’, ‘securityTesting’, ‘unwantedSoftware’, ‘other’, ‘multiStagedAttack’, ‘compromisedUser’, ‘phishing’, ‘maliciousUserActivity’, ‘clean’, ‘insufficientData’, ‘confirmedUserActivity’, ‘lineOfBusinessApplication’, and ‘unknownFutureValue’. |
| Status of Incidents | Displays the status of the incidents. Possible values are ‘active’, ‘resolved’, ‘inProgress’, ‘redirected’, ‘awaitingAction’, and ‘unknownFutureValue’. |
| Associated Alerts | Displays the alerts related to each incident: incident ID, incident name, incident severity, alert ID (detection ID), and the severity of each related alert. For this widget to work, the ‘$expand=alerts’ query parameter must be used in the endpoint configuration of the log_source; without it the incident records contain no alert data. |
| Remarks by Analyst | Displays the comments added by analysts on individual incidents: the unique identifier of the incident, incident title, incident severity, the comment, the analyst who added it, and the assignee of the incident. |
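The Associated Alerts widget depends on the nested `alerts` collection that Microsoft Graph only returns when the request carries `$expand=alerts`. The following added example (not Logpoint's code or the dashboard's own query) flattens constructed incident records into the widget's row shape and flags incidents collected without the expansion, which is the usual reason the widget stays empty. The incident and alert records are constructed here to match the Graph security incident resource; the endpoint URL is Graph's, everything else is sample data.

```python
"""Build "Associated Alerts" rows from Microsoft Graph security/incidents
records. Added example on constructed data, not Logpoint's code. Assumed, not
from the page: records follow the Graph security incident resource, in which
the `alerts` navigation property is present only when the request used
`$expand=alerts`; without it the key is simply absent from each incident."""

# Endpoint the log_source must be configured with for the widget to populate.
INCIDENTS_WITH_ALERTS = "https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts"

# Constructed sample: incident 4001 was fetched with $expand=alerts, incident
# 4002 without it (no `alerts` key at all), so 4002 can never appear in the widget.
SAMPLE_INCIDENTS = [
    {"id": "4001", "displayName": "Multi-stage incident involving ws-02",
     "severity": "high", "status": "active",
     "alerts": [
         {"id": "da4", "title": "Suspicious file dropped", "severity": "high"},
         {"id": "da3", "title": "Anomalous sign-in", "severity": "medium"},
     ]},
    {"id": "4002", "displayName": "Risky sign-in from anonymous IP",
     "severity": "medium", "status": "inProgress"},
]


def associated_alert_rows(incidents):
    """One widget row per (incident, alert) pair: incident id, name and
    severity plus the related alert's detection id, title and severity."""
    rows = []
    for incident in incidents:
        for alert in incident.get("alerts", []):
            rows.append({
                "incident_id": incident["id"],
                "incident": incident["displayName"],
                "incident_severity": incident["severity"],
                "detection_id": alert["id"],
                "alert": alert["title"],
                "alert_severity": alert["severity"],
            })
    return rows


def incidents_fetched_without_expand(incidents):
    """Ids of incidents whose record lacks the `alerts` key, i.e. collected
    from an endpoint configured without $expand=alerts. A present but empty
    list is different: that incident genuinely has no alerts yet."""
    return [inc["id"] for inc in incidents if "alerts" not in inc]
```

Run `incidents_fetched_without_expand()` over a recent batch when the widget is empty: a non-empty result points at the log_source endpoint configuration rather than at the data.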
This dashboard concentrates on identity-related risks detected by Microsoft Entra ID Protection. It offers visibility into user risk levels, risky sign-ins, and overall identity threat landscape, helping to safeguard user accounts and prevent unauthorized access.
| Widget Name | Description |
|---|---|
| Detected Risks | Displays the total number of detected risks. |
| Risk by Level | Displays the distribution of risk detections by risk level, i.e. the count of detections per level. Possible values for riskLevel are ‘low’, ‘medium’, ‘high’, ‘hidden’, ‘none’, and ‘unknownFutureValue’. A value of ‘hidden’ means Microsoft does not expose the level for that detection to the tenant (an Entra ID P2 licence is required to see risk detail). |
| Risk Level over Time | Displays the risk levels of detected threats on a time trend, showing how the volume at each level changes over the selected period. |
| Top 10 Risky Users | Displays the ten users associated with the most, or the most severe, risk detections. |
| Risk by Activity | Categorizes risks by the type of activity that triggered the detection, such as a sign-in or user activity. |
| Risk by Detection Timing Type | Categorizes risks by when they were detected relative to the associated activity: real-time, near real-time, or offline. |
| User Sign-in Risk Detail | Displays detailed information about sign-in risks associated with specific users, including the risk factors and threat indicators involved. |
| Risk by Event Type | Categorizes risks by the specific risk event type that triggered the detection, such as impossible travel or anonymous IP address usage. |
| Risky Users Overview | Summarizes users considered risky based on the number or severity of their detections, helping to identify compromised accounts or potential insider threats. |
| Risk Overview | Displays an overall summary of detected risks, including trends and patterns. |
| Risk by State | Categorizes risks by their current state, such as active, resolved, or dismissed, giving a view of how risks are being handled over time. |
| Risk by Geolocation | Displays the geographical locations from which the detected risks originated, helping to spot regional patterns. |
1. Go to Settings >> Knowledge Base from the navigation bar and click Dashboards.
2. Select VENDOR DASHBOARD from the drop-down.
3. Click the Add icon under Actions for the required dashboard.
4. Click Choose Repos.
5. Select the repo configured to store the Microsoft Graph logs and click Done.
6. Select the dashboard and click Ok.
You can find the Microsoft Graph dashboard under Dashboards.
This search template focuses on identity protection events and risks detected by Microsoft Entra ID. It allows users to filter and analyze identity-related security data based on specific parameters such as activity type, risk level, status, user information, and correlation ID. This template helps security teams investigate and respond to potential identity-based threats, unusual sign-in activities, and user risks across the organization.
1. Go to Settings >> Knowledge Base from the navigation bar and click Search Templates.
2. Select VENDOR SEARCH TEMPLATES from the drop-down and click LP_Entra ID Identity Protection.
3. In Update Parameters, enter the required parameter(s). If you do not have a specific value for a parameter, use * to list all values.
   3.1 Select Activity.
   3.2 Select Risk Level.
   3.3 Select Status.
   3.4 Select User.
   3.5 Select User ID.
   3.6 Select Correlation ID.
   3.7 If you want to change the time range, select Override widget time range and select or configure the time range.
   3.8 Select Repos.
   3.9 Click Update.
4. After updating, you can see the search results in the widgets.
This search template analyzes security events and alerts detected by Microsoft Defender XDR in depth. It enables users to search and filter security data based on risk level, classification, determination, event source, status, and user ID. This template aids security analysts in investigating specific security incidents, tracking threats’ progression, and understanding the context of alerts across the Microsoft Defender XDR ecosystem.
1. Go to Settings >> Knowledge Base from the navigation bar and click Search Templates.
2. Select VENDOR SEARCH TEMPLATES from the drop-down and click LP_Defender XDR Security.
3. In Update Parameters, enter the required parameter(s). If you do not have a specific value for a parameter, use * to list all values.
   3.1 Select Risk Level.
   3.2 Select Classification.
   3.3 Select Determination.
   3.4 Select Event Source.
   3.5 Select Status.
   3.6 Select User ID.
   3.7 If you want to change the time range, select Override widget time range and select or configure the time range.
   3.8 Select Repos.
   3.9 Click Update.
4. After updating, you can see the search results in the widgets.
Trigger Condition: This alert is triggered whenever Microsoft Entra ID Protection reports a risk detection whose risk state is ‘atRisk’ or ‘confirmedCompromised’.
ATT&CK Category: Initial Access
ATT&CK Tag: Cloud Accounts
ATT&CK ID: T1078 (Valid Accounts; Cloud Accounts is the sub-technique T1078.004)
Minimum Log Source Requirement: MicrosoftGraph
Query:
norm_id="MicrosoftGraph" api_endpoint="identityProtection/riskDetections" status IN ["atRisk", "confirmedCompromised"]
Trigger Condition: This alert is triggered whenever more than five distinct Microsoft Defender XDR alerts involve the same user within a short period of time. The query itself carries no time bound; the window is the search time range the alert rule runs over. The user is taken from the first userAccount entry in the alert’s evidence.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: MicrosoftGraph
Query:
norm_id="MicrosoftGraph" api_endpoint="security/alerts_v2" | process json_parser(evidence,".[].userAccount.displayName | [0]") as user | process json_parser(evidence,".[].userAccount.azureAdUserId | [0]") as user_id | filter user=* | chart distinct_count(detection_id) as cnt by user_id, user | filter cnt > 5
Trigger Condition: This alert is triggered whenever a single host appears in more than five distinct Microsoft Defender XDR alerts within a short period of time. As with the user rule, the window is the search time range configured on the alert rule. The host is taken from the last deviceDnsName entry in the alert’s evidence.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: MicrosoftGraph
Query:
norm_id="MicrosoftGraph" api_endpoint="security/alerts_v2" | process json_parser(evidence, ".[].deviceDnsName | [-1]") as host | filter host=* | chart distinct_count(detection_id) as cnt by host | filter cnt > 5
Trigger Condition: This alert is triggered whenever a high severity Microsoft Defender alert is created.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: MicrosoftGraph
Query:
norm_id="MicrosoftGraph" api_endpoint="security/alerts_v2" risk_level=high | process json_parser(evidence, ".[].deviceDnsName | [-1]") as host | process json_parser(evidence, ".[].osPlatform | [0]") as os | process json_parser(evidence, ".[].userAccount.userPrincipalName") as user_principal_name | process eval("upn=mvjoin(user_principal_name,',')") | process json_parser(evidence, ".[].fileDetails.sha1 | [0]") as hash_sha1 | process json_parser(evidence, ".[].fileDetails.fileName") as fileName | process eval("file=mvjoin(fileName,', ')")
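The three rules above all pull their entities out of the alert's `evidence` array and then either count distinct alerts per entity or join the extracted fields. The following added example (not Logpoint's code, and not a translation of its query language) reproduces that logic in Python over constructed `security/alerts_v2`-shaped records so the behaviour can be checked offline. It goes one step beyond the page's queries by making the time window explicit, which the queries leave to the alert rule's search range. Assumed, not stated on the page: records follow the Microsoft Graph security alert resource, whose evidence entries are typed (userEvidence, deviceEvidence, fileEvidence); the object IDs, hostnames, hash and timestamps are all constructed.

```python
"""Correlation and enrichment logic behind the three Defender XDR alert rules
above (alerts per user, alerts per host, high severity enrichment) run over
constructed security/alerts_v2-shaped records. Added example, not Logpoint code.
Assumed, not from the page: records follow the Microsoft Graph security alert
resource, whose `evidence` list holds typed entries such as userEvidence
(userAccount.*), deviceEvidence (deviceDnsName, osPlatform) and fileEvidence
(fileDetails.*). Window length and threshold are parameters of this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def _alert(aid, ts, severity, upn, oid, host, sha1=None, fname=None):
    """Build one constructed alerts_v2-shaped record with typed evidence."""
    evidence = [
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"userPrincipalName": upn, "azureAdUserId": oid}},
        {"@odata.type": "#microsoft.graph.security.deviceEvidence",
         "deviceDnsName": host, "osPlatform": "Windows11"},
    ]
    if sha1:  # only some alerts carry file evidence
        evidence.append({"@odata.type": "#microsoft.graph.security.fileEvidence",
                         "fileDetails": {"sha1": sha1, "fileName": fname}})
    return {"id": aid, "createdDateTime": ts, "severity": severity, "evidence": evidence}


ALICE = "11111111-1111-1111-1111-111111111111"   # constructed Entra object IDs
CAROL = "22222222-2222-2222-2222-222222222222"
SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # placeholder hash, not a real sample

# Constructed sample: alice raises 6 distinct alerts in 30 minutes across two hosts
# (da6 is ingested twice, as a re-polled alert would be); carol raises 6 alerts on
# one host spaced 30 minutes apart, so at most three share any 60-minute window.
SAMPLE_ALERTS = [
    _alert("da1", "2024-05-01T10:00:00Z", "medium", "alice@contoso.example", ALICE, "ws-01"),
    _alert("da2", "2024-05-01T10:05:00Z", "low", "alice@contoso.example", ALICE, "ws-01"),
    _alert("da3", "2024-05-01T10:10:00Z", "medium", "alice@contoso.example", ALICE, "ws-02"),
    _alert("da4", "2024-05-01T10:15:00Z", "high", "alice@contoso.example", ALICE, "ws-02",
           SHA1, "update.exe"),
    _alert("da5", "2024-05-01T10:20:00Z", "medium", "alice@contoso.example", ALICE, "ws-01"),
    _alert("da6", "2024-05-01T10:30:00Z", "low", "alice@contoso.example", ALICE, "ws-02"),
    _alert("da6", "2024-05-01T10:30:00Z", "low", "alice@contoso.example", ALICE, "ws-02"),
] + [
    _alert(f"dc{i}", f"2024-05-01T{8 + i // 2:02d}:{30 * (i % 2):02d}:00Z", "medium",
           "carol@contoso.example", CAROL, "srv-02")
    for i in range(6)
]


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evidence_values(alert, path):
    """All values at a dotted path across the evidence list (like jq's .[].a.b),
    skipping entries of other evidence types where the path does not exist."""
    found = []
    for entry in alert.get("evidence", []):
        node = entry
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        if node is not None:
            found.append(node)
    return found


def correlate(alerts, key_path, window_minutes=60, threshold=5):
    """Distinct alert ids per entity inside a sliding window (the page's
    distinct_count(detection_id) by entity, with an explicit window).
    Returns {entity: peak_distinct_count} for entities above the threshold."""
    per_entity = defaultdict(list)
    for alert in alerts:
        values = evidence_values(alert, key_path)
        if values:  # the page's queries take the first matching entry
            per_entity[values[0]].append((parse_ts(alert["createdDateTime"]), alert["id"]))
    window, hits = timedelta(minutes=window_minutes), {}
    for entity, events in per_entity.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({aid for _, aid in events[lo:hi + 1]}))
        if peak > threshold:
            hits[entity] = peak
    return hits


def enrich_high_severity(alert):
    """Fields the high severity rule extracts: last host, first OS, joined UPNs,
    first SHA1 and joined file names. Returns None for non-high alerts."""
    if alert.get("severity") != "high":
        return None
    hosts = evidence_values(alert, "deviceDnsName")
    oses = evidence_values(alert, "osPlatform")
    sha1s = evidence_values(alert, "fileDetails.sha1")
    return {"host": hosts[-1] if hosts else None,
            "os": oses[0] if oses else None,
            "upn": ",".join(evidence_values(alert, "userAccount.userPrincipalName")),
            "hash_sha1": sha1s[0] if sha1s else None,
            "file": ", ".join(evidence_values(alert, "fileDetails.fileName"))}
```

With the sample data, `correlate(SAMPLE_ALERTS, "userAccount.azureAdUserId")` fires for alice only, the re-ingested da6 record counting once; `correlate(SAMPLE_ALERTS, "deviceDnsName")` fires for nothing at a 60-minute window but flags srv-02 once the window is widened to three hours, which is the tuning decision the page's rules delegate to the alert rule's search range.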
Trigger Condition: This alert is triggered whenever potentially unwanted software is detected by Microsoft Defender.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: MicrosoftGraph
Query:
norm_id IN ["MicrosoftDefenderATP", "MicrosoftGraph"] attack_category="UnwantedSoftware"
The Entra ID Audit Activity Monitoring report offers a detailed analysis of user authentication, risk events, and directory activities. It’s designed to help administrators and security teams understand and respond to various identity-related events and potential security issues. Key components of the report include Unusual Login Activity, Failed User Authentication, User Risk Information, Risky Sign-ins, User Sign-in Details, Top Users with Multiple High-Risk Sign-ins, and Directory Audits.
1. Go to Report >> Report Template >> VENDOR REPORT TEMPLATES.
2. Click Add under Actions.
3. Click Run this Report under Actions.
4. Select Repos, Time Zone, Time Range, and Export Type, and enter the Email address.
5. Enter a Password if you want the report to be password protected.
6. Click Submit.
You can analyze the data using a report’s graphs, time trends, lists, and text. Report data summarizes incidents during a specific period, such as the past 24 hours or the past five minutes. While generating a report, you can customize the calendar period according to your needs. For more information on how to schedule reports, go to Scheduling.