Investigate behaviors with advanced hunting (Preview)

While some anomaly detections focus primarily on detecting problematic security scenarios, others can help identify and investigate anomalous user behavior that doesn't necessarily indicate a compromise. In such cases, Microsoft Defender for Cloud Apps uses a separate data type, called behaviors.

This article describes how to investigate Defender for Cloud Apps behaviors with Microsoft Defender XDR advanced hunting.


What is a behavior?

Behaviors are attached to MITRE ATT&CK categories and techniques, and provide a deeper understanding of an event than the raw event data provides. Behavior data lies between raw event data and the alerts generated by an event.

While behaviors might be related to security scenarios, they're not necessarily a sign of malicious activity or a security incident. Each behavior is based on one or more raw events, and provides contextual insights into what occurred at a specific time, using information that Defender for Cloud Apps has learned or identified.

Supported detections

Behaviors currently support low-fidelity Defender for Cloud Apps detections that may not meet the standard for alerts but are still useful in providing context during an investigation. Currently supported detections include:

Alert name | Policy name | ActionType (Hunting)
Activity from infrequent country | Activity from infrequent country/region | ActivityFromInfrequentCountry
Impossible travel activity | Impossible travel | ImpossibleTravelActivity
Mass delete | Unusual file deletion activity (by user) | MassDelete
Mass download | Unusual file download (by user) | MassDownload
Mass share | Unusual file share activity (by user) | MassShare
Multiple delete VM activities | Multiple delete VM activities | MultipleDeleteVmActivities
Multiple failed login attempts | Multiple failed sign-in attempts | MultipleFailedLoginAttempts
Multiple Power BI report sharing activities | Multiple Power BI report sharing activities | MultiplePowerBiReportSharingActivities
Multiple VM creation activities | Multiple VM creation activities | MultipleVmCreationActivities
Suspicious administrative activity | Unusual administrative activity (by user) | SuspiciousAdministrativeActivity
Suspicious impersonated activity | Unusual impersonated activity (by user) | SuspiciousImpersonatedActivity
Suspicious OAuth app file download activities | Suspicious OAuth app file download activities | SuspiciousOauthAppFileDownloadActivities
Suspicious Power BI report sharing | Suspicious Power BI report sharing | SuspiciousPowerBiReportSharing
Unusual addition of credentials to an OAuth app | Unusual addition of credentials to an OAuth app | UnusualAdditionOfCredentialsToAnOauthApp

Defender for Cloud Apps' transition from alerts to behaviors

To enhance the quality of alerts generated by Defender for Cloud Apps, and lower the number of false positives, Defender for Cloud Apps is currently transitioning security content from alerts to behaviors.

This process aims to remove low-quality policy-based detections from alerts, while continuing to cover security scenarios with out-of-the-box detections. In parallel, Defender for Cloud Apps sends behaviors to aid you in your investigations.

The transition process from alerts to behaviors includes the following phases:

  1. (Complete) Defender for Cloud Apps sends behaviors in parallel to alerts.

  2. (Currently in Preview) Policies that generate behaviors are now disabled by default, and don't send alerts.

  3. Move to a cloud-managed detection model, removing customer-facing policies completely. This phase is planned to provide both custom detections and selected alerts generated by internal policies for high-fidelity, security-focused scenarios.

The transition to behaviors also includes enhancements for supported behavior types and adjustments for policy-generated alerts for optimal accuracy.

Note

The scheduling of the last phase is undetermined. Customers will be notified of any changes through notifications in the Message Center.

For more information, see our TechCommunity blog.

Using behaviors in Microsoft Defender XDR advanced hunting

Behaviors are available in the Microsoft Defender XDR Advanced hunting page. Use them by querying the behavior tables and by creating custom detection rules that include behavior data.

The behaviors schema in the Advanced hunting page is similar to the alerts schema, and includes the following tables:

Table name | Description
BehaviorInfo | Record per behavior with its metadata, including behavior title, MITRE ATT&CK categories, and techniques. (Not available for GCC.)
BehaviorEntities | Information on the entities that were part of the behavior. Can be multiple records per behavior. (Not available for GCC.)

To get complete information on a behavior and its entities, use BehaviorId as the primary key for the join. For example:

BehaviorInfo
| where BehaviorId == "INSERT VALUE"
| join BehaviorEntities on BehaviorId
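The join above returns one row per entity, which gets long for behaviors with many entities. As an added example (not from the original article), the following query collapses the entities of each recent Defender for Cloud Apps behavior into sets, giving one triage row per behavior; it assumes the BehaviorEntities columns used elsewhere in this article (EntityType, RemoteIP, AccountUpn, Application).

```kusto
// Added example, not from the original article: one row per behavior with
// its entities collapsed into sets, so a long list of entity rows is easier to triage.
// Assumes the columns used in this article's projections (EntityType, RemoteIP,
// AccountUpn, Application) are present on BehaviorEntities.
BehaviorInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Cloud App Security"
| join kind=inner (
    BehaviorEntities
    | summarize
        EntityCount = count(),
        Users       = make_set_if(AccountUpn, EntityType == "User"),
        RemoteIPs   = make_set_if(RemoteIP, EntityType == "Ip"),
        Apps        = make_set_if(Application, isnotempty(Application))
      by BehaviorId
) on BehaviorId
| project Timestamp, BehaviorId, ActionType, AttackTechniques, AccountUpn,
          EntityCount, Users, RemoteIPs, Apps
| order by Timestamp desc
```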

Sample scenarios

This section provides sample scenarios for using behavior data in the Microsoft Defender XDR Advanced hunting page, and relevant code samples.

Tip

Create custom detection rules for any detection that you want to continue appearing as an alert, if the alert is no longer generated by default.

Get alerts for mass downloads

Scenario: You want to be alerted when a mass download is performed by a specific user, or by any user in a list of users that are prone to compromise or to internal risk.

To do so, create a custom detection rule based on the following query:

BehaviorEntities
| where ActionType == "MassDownload"
| where EntityType == "User" and AccountName in ("username1", "username2"…)

For more information, see Create and manage custom detection rules in Microsoft Defender XDR.
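Because a single behavior is low-fidelity by design, a custom detection rule often gains precision by requiring two behaviors for the same account in a short window. The following query is an added example (not from the original article) that only surfaces a mass download, share or delete when an ImpossibleTravelActivity behavior for the same account precedes it within 24 hours; the ActionType values are the hunting names from the table in this article, and the 24-hour window is an assumed tuning value.

```kusto
// Added example, not from the original article: raise a low-fidelity behavior
// (MassDownload / MassShare / MassDelete) to a higher-fidelity signal by requiring
// an ImpossibleTravelActivity behavior for the same account in the preceding 24 hours.
// ActionType values are the hunting names from the table in this article;
// the window length is an assumed tuning value.
let lookback = 24h;
let travel = BehaviorInfo
    | where ServiceSource == "Microsoft Cloud App Security"
    | where ActionType == "ImpossibleTravelActivity"
    | project AccountUpn, TravelTime = Timestamp, TravelBehaviorId = BehaviorId;
BehaviorInfo
| where ServiceSource == "Microsoft Cloud App Security"
| where ActionType in ("MassDownload", "MassShare", "MassDelete")
| join kind=inner travel on AccountUpn
// keep only the mass activity that happened after the travel anomaly, within the window
| where Timestamp between (TravelTime .. (TravelTime + lookback))
| project Timestamp, AccountUpn, AccountObjectId, ActionType, BehaviorId,
          TravelTime, TravelBehaviorId
| order by Timestamp desc
```

Each returned row carries both BehaviorId values, so an analyst can pivot to BehaviorEntities for either behavior during triage.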

Query 100 recent behaviors

Scenario: You want to query the 100 most recent behaviors related to the MITRE ATT&CK technique Valid Accounts (T1078).

Use the following query:

BehaviorInfo
| where AttackTechniques has "Valid Accounts (T1078)"
| order by Timestamp desc 
| take 100

Investigate behaviors for a specific user

Scenario: Investigate all behaviors related to a specific user after understanding the user may have been compromised.

Use the following query, where <username> is the user principal name (AccountUpn) of the user you want to investigate:

BehaviorInfo
| where ServiceSource == "Microsoft Cloud App Security"
| where AccountUpn == "<username>"
| join BehaviorEntities on BehaviorId
| project Timestamp, BehaviorId, ActionType, Description, Categories, AttackTechniques, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain, Application

Investigate behaviors for a specific IP address

Scenario: Investigate all behaviors where one of the entities is a suspicious IP address.

Use the following query, where <suspicious IP> is the IP address you want to investigate:

BehaviorEntities
| where EntityType == "Ip"
| where RemoteIP == "<suspicious IP>"
| where ServiceSource == "Microsoft Cloud App Security"
| project Timestamp, BehaviorId, ActionType, Categories, ServiceSource, AccountUpn, AccountObjectId, EntityType, EntityRole, RemoteIP, AccountName, AccountDomain

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.