Microsoft IT Showcase

Windows Defender ATP helps analysts investigate and respond to threats

In the fast-paced world of cybersecurity, adversaries grow more advanced in response to the tactics that we and other
organizations use to thwart their attacks. Protecting corporate information also becomes more complex as services
move to the cloud, employees become more mobile, and new technologies are rapidly introduced.

It is important to have a threat protection solution that can adapt to change as the modern workplace evolves.
Microsoft responded to the complexity and challenges of advanced attacks against the modern workplace with the
release of Windows Defender Advanced Threat Protection (ATP).

Core Services Engineering (CSE, formerly Microsoft IT) uses Windows Defender ATP to detect, investigate, and
respond to modern threats more rapidly and effectively than ever before. As more services are moving to the cloud,
we have made a commitment to enable our mobile workforce to be more productive and secure. Windows Defender
ATP has transformed how our security analysts can respond to security threats—providing more information and
better tools that help us protect users and devices, including those that are outside the control of our corporate
network.

Since deploying Windows Defender ATP, we have seen immediate benefits:

• Intelligent alerting and improved detection. Windows Defender ATP detects behavior that other tools don’t. It
detects system-level behaviors that escape traditional detection and gives access to processes and command-line
contents.
• Speeds up time to detection. Windows Defender ATP alerts and views draw attention to important things in
near-real-time, putting relevant data right in front of our analysts—or just a click away.
• Puts responses in the hands of analysts. Windows Defender ATP provides response actions that can quarantine
and block a file, collect supplemental log data from a machine, isolate a machine, and initiate deep analysis on
executable files.
• Helps us stay current. The Windows Defender ATP product team is constantly developing new behavioral threat
detection, improving existing detection, and improving the console. These capabilities are automatically pushed
to Windows Defender ATP without any action by our analysts.

For more information on how we rapidly deployed Windows Defender ATP in our environment, read Windows
Defender ATP helps detect sophisticated threats.

Windows Defender ATP architecture

Windows Defender ATP consists of three main components: Windows Defender ATP endpoint sensors, the
Windows Defender ATP cloud services backend, and the Windows Defender ATP console in the
Windows Defender Security Center.

As illustrated in Figure 1, the components work together to form a coherent, centralized picture of endpoint security
and response across the company.

Figure 1. Windows Defender ATP high-level architecture

The Windows Defender ATP endpoint sensors are integrated into Windows 10 Anniversary Update and later. There is
two-way communication between the endpoints and security analysts through Windows Defender ATP. The sensors
enable Windows Defender ATP to gather high-fidelity, system-level data and behavioral information from devices. They
also allow analysts to collect sample files for analysis, do deeper forensic log collection on devices, and even isolate
devices if they have been compromised.

The Windows Defender ATP service is built on the power of the Azure cloud—where we and every customer have a
dedicated Windows Defender ATP tenant. The cloud location allows Windows Defender ATP to receive data from its
endpoints even when they are outside of the corporate network. Our Windows Defender ATP data is isolated and
secure in its own tenant, just as customer implementations of Windows Defender ATP are isolated and secure in their
own tenants. Data is only accessible via Azure Active Directory (Azure AD) authentication, and access is fully audited.

Our analysts use the web-based Windows Defender Security Center to access our Windows Defender ATP data and
interact with Windows Defender ATP endpoints to further research or defend against malicious activity. The Windows
Defender ATP console is where our analysis really happens—it provides a dashboard, an Alert queue, Machine view,
File view, User view, and Search—which we use to find data about machines, files, users, URLs, and IPs within the
enterprise. These console views allow our analysts to quickly see the big picture and zoom in on the most critical
alerts and events in our enterprise.

microsoft.com/itshowcase June 2017

Figure 2 illustrates how the Windows Defender ATP dashboard gives analysts a high-level view of alerts as well as the
critical machines at risk within our organization.

Figure 2. The Windows Defender ATP dashboard

Detection at scale
Alerts in Windows Defender ATP give our analysts unparalleled visibility into devices in our environment. At Microsoft,
we have over 250,000 active users and more than 500,000 devices in our tenant; we monitor and respond to alerts at
a massive scale. Between the size of the environment we monitor and the reliability of Windows Defender ATP alerts,
we must be able to process a huge number of events. With traditional security tools, this caused data-overload
problems for both data storage and alert analysis.

With the scalability and power of the Azure cloud driving the service, Windows Defender ATP has proven it’s capable
of handling the large volume of events generated by our endpoints. Additionally, Windows Defender ATP helps make
a heavy volume of alert analysis more manageable. Near real-time intelligence displayed in dashboards and console
views that summarize data help us focus on the most important information surrounding an alert. We can quickly
determine if an alert is real and identify the support tier that should handle the investigation and response. We also
use different threshold techniques to prioritize risks or refine the actionable alerts we see.

Intelligent alerting and improved detection

Moving past event logs and malware signatures, Windows Defender ATP uses intelligent alerting derived from
multiple indicators.

• Indicators of compromise (IOCs). Includes indicators that surface through evidence collected from past
observed attacks and industry-wide knowledge sharing.
• Indicators of attack (IOAs). Includes indicators from heuristics, behavioral rules, machine learning, and anomaly
detection algorithms honed to detect suspicious, attack-related events.
• Internal threat intelligence indicators. Derived from looking at up to six months of historical data.
• Global threat intelligence indicators. Collected through partnerships with threat intelligence organizations.

Windows Defender ATP combines these indicators to provide alerts with maximum relevance to our organization.
Additionally, this indicator set is constantly evolving, as indicator developers integrate newly discovered techniques
and feedback from our analysts.

Using the Windows Defender ATP console

The Windows Defender ATP console, in the Windows Defender Security Center portal, gives our analysts a
consolidated view of Windows security alerts and data at a greater fidelity than ever before. In near real-time, we have
visibility into a system’s process history, suspicious file attributes, and what action initiated a network connection. We
can discover where a suspected malicious file is, figure out where it came from, and check our environment to see
where else it went. We use the console to view suspicious behaviors and drill down on the actions that created a
suspicious process. For each alert, we see how many machines it has been on in our environment and how many
times it has been seen worldwide. All of this happens from our analysts' workstations, with just a few clicks.

Alert view
The Alert view provides an attack narrative overlay on top of collected raw security events. It displays essential
background information on the alert and a process tree that aggregates detections and related events into a single
view. It doesn’t simply tell us that a behavior looks suspicious; it allows us to view the underlying system activity and
see what action was suspicious. From this view alone, we have more information on each alert than we ever had
before, including:

• File information on any file in the process tree, including its signer, multiple versions of the file hash, a third-party
analysis of the hash, IP addresses and hostnames it may have contacted, and the file’s prevalence in our
environment.
• User who logged into the system most recently.
• System name and domain.
• An incident graph showing related activity on the endpoint and possibly other systems.
• A timeline showing the alert or alerts.
• Relevant hostnames or IP addresses.

Often, the Alert view has all the information we need to understand and resolve incidents without having to leave the
alert page. This helps our analysts quickly understand what caused the event and what its impact was, dramatically
reducing the time it takes to resolve cases. If an event is particularly interesting or complex, our analysts easily pivot
to views focusing on other aspects of the suspicious activity. For example, in Figure 3 below, we can see that an
executable has injected into rundll32.exe.

Figure 3. Alert view of a cross-process injection including the detailed process tree

From the Alert view, our analysts can pivot to Machine, File, or User views with a single click. These views provide
detailed contextual information about the alert, allowing the analyst to easily follow suspicious activity and determine
whether it is malicious or benign.

Machine view
The Machine view provides a rich view of data and behaviors as observed on the machine, over time. It shows basic
domain membership, when the system was first and last seen, and an overview of users who have signed into the
system, even remotely. It also lists any alerts associated with that machine, both new and resolved. This allows our
analysts to quickly see any infection history or record of false positives on the system, and provides additional context
to the alert. The machine view is also where our analysts collect an investigation package of system logs from the
machine or isolate the machine completely.

The machine timeline displays raw security events recorded on the machine, in the order in which they occurred. We
expand timeline events to get detailed information about the context of the event. As shown in Figure 4 below, by
expanding the suspicious token modification event, we can quickly see that Winword.exe opened an attachment from an
email, along with the names of the email file and the Word document. A single click provides the likely infection
vector for this malicious activity, as well as providing file names as an additional indicator.

Figure 4. Machine timeline displaying information about Outlook opening a Word document.

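
The process-tree reconstruction that the Alert view and machine timeline perform, as an added illustration that is not part of this document or of Windows Defender ATP: it indexes a handful of constructed, hypothetical sensor events (PIDs, image names and the attachment path are made up) and walks from a cross-process-injection detection back to the Outlook-launched document, the likely infection vector in the scenario of Figures 3 and 4.

```python
"""Rebuild a process tree from endpoint events and trace an injection
detection back to its likely infection vector.
Constructed example, not Windows Defender ATP code: the events are
hypothetical (made-up PIDs, images and paths)."""
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample sensor events, oldest first.
EVENTS = [
    {"t": "09:01:02", "type": "process_create", "pid": 400, "ppid": 1,
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"t": "09:01:10", "type": "process_create", "pid": 512, "ppid": 400,
     "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"t": "09:03:44", "type": "process_create", "pid": 640, "ppid": 512,
     "image": "winword.exe",
     "cmdline": r'winword.exe /n "C:\Users\u\AppData\Local\Temp\Invoice.docx"'},
    {"t": "09:03:51", "type": "process_create", "pid": 700, "ppid": 640,
     "image": "cmd.exe", "cmdline": "cmd.exe /c dropper.exe"},
    {"t": "09:03:52", "type": "process_create", "pid": 722, "ppid": 700,
     "image": "dropper.exe", "cmdline": "dropper.exe"},
    {"t": "09:03:55", "type": "process_create", "pid": 730, "ppid": 400,
     "image": "rundll32.exe", "cmdline": "rundll32.exe"},
    {"t": "09:03:56", "type": "cross_process_injection",
     "source_pid": 722, "target_pid": 730},
]

def build_tree(events):
    """Index process_create events by PID so parents can be looked up."""
    return {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"])
            for e in events if e["type"] == "process_create"}

def ancestry(procs, pid):
    """Image names from the root ancestor down to pid (the tree path)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain[::-1]

def likely_vector(procs, pid):
    """Walk up from pid to the first ancestor spawned by the mail client;
    its command line names the opened attachment. None if not found."""
    while pid in procs:
        parent = procs.get(procs[pid].ppid)
        if parent is not None and parent.image == "outlook.exe":
            return parent.image, procs[pid].cmdline
        pid = procs[pid].ppid
    return None

def narrative(events):
    """One summary per injection detection: injector chain, target, vector."""
    procs = build_tree(events)
    return [{"time": e["t"],
             "injector_chain": ancestry(procs, e["source_pid"]),
             "target": procs[e["target_pid"]].image,
             "vector": likely_vector(procs, e["source_pid"])}
            for e in events if e["type"] == "cross_process_injection"]
```
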
Clicking the “hotspot” to the left of a file name, host name, or IP address in the timeline also opens a side tab with a
summary of the most important points of the selected item—while keeping the context of the item in the timeline. If
an email message arrived on the endpoint using Office 365 ATP, the timeline provides a link directly to Threat
Explorer to view information about the email without losing context.

Search capability within the Machine view timeline is even more powerful than the general Search in
Windows Defender ATP. It allows our analysts to search for specific paths, strings within command lines, and user
accounts, in addition to regular search items. This allows us to quickly jump to a point in the timeline that contains
events of interest. Machine view also supports hunting for suspicious activity.

Machine view also offers our analysts the flexibility to collect forensic data and isolate a machine through a one-click
operation. This saves a great deal of time in responding to security events, since we no longer have to contact the user
or an outside team to take action.

A Windows Defender ATP investigation package gathers specific logs from the system to supplement an
investigation. When the analyst selects this action, the endpoint collects log information in a process that is
transparent to the machine’s user. It puts the data in a compressed package that is stored securely in the cloud. Our
analyst can then download the package from their Windows Defender ATP console.

Isolating the machine is an effective way to stop an attack from spreading and moving laterally to other devices. The
Windows Defender ATP sensor uses the Windows host firewall to disconnect the machine and notify the user that the
machine has been isolated.

File view
Many Windows Defender ATP alerts come from files that are behaving in a suspicious manner that we need to
investigate. Or, we may receive information about suspicious files from an outside source and turn to
Windows Defender ATP to determine if the file is in our environment. For these tasks, we look to the File view.

File view includes a wealth of information based on the file hash, so we can quickly determine if it is legitimate. File
view provides the MD5, SHA1, and SHA256 for the file and shows information about the file’s signer. If
Windows Defender Antivirus already has identified the file as malicious, that information is displayed, as well as a
determination of the file hash’s reputation, provided by a third-party service. We can see the different names used by
the file within our organization, based on the file hash. The view also includes a description about the file’s prevalence
within our organization and worldwide (anonymously) so that we can determine if the file is custom to our
environment or is widespread. Finally, File view provides a timeline view of machines on which Windows Defender
ATP has seen the file hash, so we know which systems to remediate.

As illustrated in Figure 5, we can view information about a suspicious file and use one-click actions to halt the spread
of the file and submit it for analysis.

Figure 5. The File view in the Windows Defender ATP console

We can also respond to attacks from File view using one-click options to:

• Stop and quarantine files. Contains the specific attack across the organization. Stops the malware that is
running, quarantines the file, and removes it from the environment.
• Block files. Blocks specific inbound attack files from any location on the Internet.
• Submit files for deep analysis. If the file is executable, this action detonates the file to harvest indicators, such
as callout IP addresses, files downloaded, or registry keys created or altered. Detonation occurs in a sandbox
secure to our tenant—keeping the data secure.

User view
We can easily pivot from other views to User view to gather more information about specific user accounts. This view
offers at-a-glance insight into what the user’s role is and what sort of activity we would normally expect from that
user. When investigating cases of potentially compromised credentials, pivoting on the associated user account helps
identify any lateral movement between machines with that user account. We find user account information in the
dashboard, alert queue, and in the machine details page.

A user account link takes us to the user account details page. Here, we see:

• Machines the user has signed on to.
• User account details from the Azure AD tenant.
• Alerts related to this user.
• Observed in organization (machines signed on to).

As illustrated in Figure 6, User view displays account details about users signed on to a device, and alerts that are
related to that user account. It enables the investigation of lateral movement and potential cases of credential
compromise.

Figure 6. The User view in the Windows Defender ATP console

If we believe an account is compromised, we can use this view to determine which systems the account was recently
used from. We can form a profile of the account activity before and after the suspected compromise date to better
differentiate between legitimate user activity and malicious activity.

Using Search to look for evidence of attacks

We use the Search bar in the Windows Defender ATP console to look for evidence of attacks, including file names or
hashes, IP addresses or URLs, behaviors, machines, or users. Searching and pivoting is particularly valuable to us when
“hunting” for malicious activity in the network in the absence of an actual alert. We pivot off the results of searches to
quickly scope the impact of a breach and broaden an investigation across our environment. For example, we quickly
determine whether we have seen a specific IP address or file before, or that a set of file hashes has not been seen in
our environment.

Use cases: phishing and ransomware

Windows Defender ATP detects all kinds of threat and breach activity on endpoints, including phishing and
ransomware attacks.

Ransomware
Windows Defender ATP has specific built-in behavioral analytics to detect ransomware. These alerts notify us of
infection even if the malicious files have evaded anti-malware. We may use the Isolate Machine response option if
there is a risk of the malware spreading.

Each alert maps to an infection stage, enabling analysts to determine how far into its operation ransomware may have
gone. Windows Defender ATP has robust indicators and forensic data gathering capabilities that help us determine
the ransomware infection vector. We then use the indicators detected by behavioral alerting in Windows Defender
ATP to block the threat across the entire network.

Phishing
The faster we determine the intent of a phishing attack, the faster we can respond. Windows Defender ATP uses a
series of suspicious behavior alerts to detect phishing attacks on our users. Using the Windows Defender ATP console,
we have all the information we need to determine if the phishing email resulted in a file drop, malicious file download,
or visit to a credential stealing site.

• Credential stealer. Data in the Windows Defender ATP console shows whether the user visited a credential-stealing
site.
• Malicious file. We can use Windows Defender ATP to search for the file or its hash across the network.
• Malicious file download. Windows Defender ATP shows us where the file was downloaded from.

Integration with Office 365 ATP allows us to see where phishing emails came from and who else may have received them.
We then pivot off the site IP or name to determine if other users have visited it and to find new variants. We also do
retrospective analysis of the phishing indicators against up to six months of stored data to detect activity that would
otherwise have gone unnoticed.

Helping us keep up with evolving threats

Windows Defender ATP is a constantly evolving product. It has a dedicated team working to improve detections and
develop new ones based on emerging threats. The team works with malware analysis experts to understand the new
techniques that modern malware is using to try to stay hidden, and to come up with ways to detect that activity on
the endpoint.

We believe that a close interaction between Windows Defender ATP developers and our analysts has helped the
product group deliver a tool that is truly analyst-focused, and constantly improving. The Windows Defender ATP
product group worked extensively with our analysts to differentiate between legitimate, malware-like behaviors that
are benign and actual instances of malicious activity, which helped reduce the false positive rate. They have also
implemented methods of tuning alerts and allowing our analysts to suppress alerts and other events that we identify
as benign, so we are not overwhelmed with unactionable alerts. This tuning helps make Windows Defender ATP
detections better for all Windows Defender ATP tenants, not just Microsoft. They are also actively improving our
console experience.

Conclusion
Windows Defender ATP represents the next generation of security products for the modern company, and has
become our security analysts’ primary and preferred tool for detecting modern threats and analyzing machine data. It
provides better detection, enables data-driven investigations, and helps us rapidly respond. Using Windows
Defender ATP, our analysts can respond to more alerts on more systems in less time.

For more information

Microsoft IT Showcase
microsoft.com/ITShowcase

Windows Defender Advanced Threat Protection (ATP)

Windows: Keep secure: Windows Defender Advanced Threat Protection

Microsoft IT uses Windows Defender to boost malware protection

Using Windows Defender telemetry to help mitigate malware attacks

© 2017 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
