heroui logo

Microsoft Defender XDR Alert External Alerts

Elastic Detection Rules

View Source
Summary
Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices by promoting Defender alerts from the logs-m365_defender.alert-* data stream into Elastic detection alerts. Defender emits multiple update events for the same alert over its lifecycle; this rule groups on the stable Defender alert identifier and suppresses subsequent updates so only a single, continuous Elastic alert exists per Defender alert while it remains open. It ingests alerts via the Microsoft Defender XDR integration and uses event.id (copied from m365_defender.alert.id) together with m365_defender.alert.tenant_id to maintain aggregation across updates. Suppression semantics are configurable (default 24 hours) and are applied forward from creation, only while the alert is open; closing the alert can allow later Defender updates to reopen an Elastic alert. The rule notes interaction with the M365 Defender Alerts Signal (UAL) rule if alerts are also captured through the Unified Audit Log. For triage, analysts can inspect fields like m365_defender.alert.title, m365_defender.alert.category, and m365_defender.alert.threat_display_name, pivot to the Defender portal via m365_defender.alert.incident_web_url.original for full evidence graphs, and review m365_defender.alert.evidence.* to scope affected hosts, files, processes, users, URLs, or senders. Correlation is possible through m365_defender.alert.incident_id, while m365_defender.alert.status and m365_defender.alert.classification indicate current resolution or classification. The rule supports investigation steps, false-positive considerations, and remediation guidance (isolating endpoints, using Defender portal actions, credential resets, and tuning Defender policies or Elastic exceptions).
Categories
  • Endpoint
  • Windows
Data Sources
  • Application Log
Created: 2026-06-30