
Enriching Defender Experts for XDR with third-party network signals

Microsoft Defender Experts lets you incorporate third-party network signals from Palo Alto Networks, Fortinet, and Zscaler for enrichment. By enriching Microsoft Defender incidents with these network signals, our security analysts not only gain a more comprehensive view of an attack's path, which allows for faster and more thorough detection and response, but can also provide you with a more holistic view of the threat in your environment.

This enrichment has the following benefits:

  • Unified threat detection: Correlate data from multiple signal sources to identify complex threats.
  • Enhanced investigation: Gain deeper insights into threats with comprehensive data analysis.
  • Faster response: Automate and streamline response actions across different security platforms.

Important

The coverage is only for network signal use and doesn't include the triage or investigation of incidents and alerts generated by third-party network solutions.

This feature is currently supported in certain regions only. For more information, see the Prerequisites section of this document.

How Defender Experts analysts use third-party network data to monitor customer tenants

The Defender Experts team employs a threat-centric methodology that monitors potential threats across the attack surface and critical assets in the customer's environment. Our investigation and hunting begin with Defender incidents that alert on potential malicious activities spanning identities, email, collaboration tools, software as a service (SaaS), endpoints, servers and virtual machines in the cloud and on-premises, and data. We join these incidents with third-party network signals and Microsoft's unparalleled volume of global threat intelligence data to identify lateral movement, command-and-control (C2) activity, data exfiltration, and adversary-in-the-middle attacks. These network signals allow us to view the end-to-end attack chain comprehensively, expedite investigation and hunting, and provide customers with richer threat summaries and response recommendations.

Example scenario

Scenario: Defender Experts for XDR used third-party network signals to uncover lateral movement and potential data exfiltration attempts.

  1. Detection: Microsoft Defender for Identity generated an Atypical Travel alert for User A, who appeared to sign in from India and Germany within a short time period using different devices and IP addresses. While the activity suggested a potential credential compromise or session hijacking, initial reviews across standard identity and cloud monitoring systems didn't show obvious signs of compromise, unusual access to cloud applications, inbox rule changes, or privilege escalation.
  2. Correlation: With third-party network signal enrichment, Defender Experts were able to see firewall logs from Palo Alto Networks, which revealed attempts to reach unauthorized remote access tools. Meanwhile, Zscaler proxy data highlighted encrypted interactions with a legacy on-premises SharePoint server that wasn’t protected by cloud access security policies.
  3. Investigation: The investigation revealed that the attacker authenticated from a managed iOS device in Germany. They took advantage of token reuse and a misconfigured mobile device management compliance profile, causing the device to be mistakenly trusted, pass posture checks, and bypass Conditional Access. These allowed the attacker to access the internal on-premises SharePoint server. In this scenario, the third-party proxy data and firewall logs provided evidence of lateral movement and potential exfiltration attempts.
  4. Response: Once Defender Experts confirmed malicious access, they initiated a coordinated response across identity, network, and device domains. They revoked active tokens, isolated affected devices, and hardened mobile policy configurations to enforce Conditional Access more strictly.
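The correlation step above, written as a KQL query an analyst could run in a tenant where Sentinel is onboarded to Defender. This is an added example and not code from the Microsoft page; the table and column names are the standard Defender XDR advanced hunting and Sentinel CommonSecurityLog schema, while the alert title filter, the vendor strings, and the lookback and time windows are assumptions to adjust for your environment.

```kql
// Added example (not from the Microsoft page): join a Defender for Identity
// alert with Palo Alto Networks / Zscaler / Fortinet records in CommonSecurityLog.
let lookback = 24h;                       // assumption: how far back to search
// 1. Identity alerts of interest (title filter is an assumption; match your tenant)
let idAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title has "Atypical travel"
    | project AlertId, Severity, AlertTime = Timestamp;
// 2. The account and remote IP evidence attached to those alerts
let evidence =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | join kind=inner idAlerts on AlertId
    | where isnotempty(RemoteIP)
    | project AlertId, Title, Severity, AlertTime, AccountUpn, RemoteIP;
// 3. Third-party network records from the supported vendors
//    (DeviceVendor strings are assumptions; verify what your connectors emit)
let netSignals =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor in ("Palo Alto Networks", "Zscaler", "Fortinet")
    | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
              DestinationPort, DeviceAction, Activity, RequestURL;
// 4. Join on the IP the identity alert saw, keep traffic within +/- 2h of the
//    alert, and surface denied/blocked connections first: firewall denies toward
//    remote-access tooling and proxy hits on internal servers are the pivots
//    the scenario describes.
evidence
| join kind=inner netSignals on $left.RemoteIP == $right.SourceIP
| where TimeGenerated between ((AlertTime - 2h) .. (AlertTime + 2h))
| extend IsBlocked = DeviceAction in~ ("deny", "drop", "block", "blocked")
| summarize Events = count(),
            BlockedEvents = countif(IsBlocked),
            Destinations = make_set(strcat(DestinationIP, ":", DestinationPort), 25),
            Urls = make_set(RequestURL, 25),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by AlertId, Title, Severity, AccountUpn, RemoteIP, DeviceVendor, DeviceProduct
| order by BlockedEvents desc, Events desc
```

An empty result does not clear the alert: the identity evidence may carry only an egress IP that the proxy records under a different source address, so check SourceUserName against AccountUpn as a second join key before concluding there was no network activity.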

Ingesting third-party network signals for enrichment

If you're a Microsoft Defender XDR customer, reach out to your service delivery manager if you're interested in enabling the third-party network signal enrichment.

Prerequisites

To enable third-party network signals enrichment, you must have a Microsoft Sentinel instance onboarded to Microsoft Defender. Learn more about Defender XDR integration with Microsoft Sentinel.

Your Sentinel instance must also have the following settings and configurations:

  • Data ingestion is enabled, and at least one of the following supported network signals is ingested:
    • Palo Alto Networks (PAN-OS firewall)
    • Zscaler (Zscaler Internet Access and Zscaler Private Access)
    • Fortinet Firewall
  • Sentinel built-in data connectors are used to ingest the third-party network signals into the CommonSecurityLog table.
  • Sentinel's General Data Collection & Opt-in setting is turned on. It's on by default on all Sentinel instances; if it has been turned off, go to Microsoft Sentinel > Configuration > Settings > How do we use your data? in the Azure portal to turn it back on.
  • Azure Lighthouse is configured on the tenant to allow Defender Experts analysts to access the customer’s Sentinel instance.
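Before asking your service delivery manager to enable enrichment, it is worth confirming that the supported signals are actually landing in CommonSecurityLog. The query below is an added example, not from the Microsoft page; the vendor strings are assumptions about what the built-in connectors write to DeviceVendor, and the 7-day window and 24-hour staleness threshold are arbitrary choices.

```kql
// Added example (not from the Microsoft page): verify the ingestion prerequisite.
// DeviceVendor values are assumptions; compare against a raw sample from your table.
let supported = dynamic(["Palo Alto Networks", "Zscaler", "Fortinet"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor in (supported)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            LogTypes = make_set(Activity, 20)   // e.g. traffic vs threat records
    by DeviceVendor, DeviceProduct
// A vendor with no records in the last day usually means a broken connector
// or a forwarder that stopped, not an idle network.
| extend Stale = LastSeen < ago(24h)
| order by DeviceVendor asc, Events desc
```

No rows at all means the connector is not writing to CommonSecurityLog, which is the table the enrichment reads; a custom table or a Syslog-only configuration does not satisfy the prerequisite.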

This feature is currently supported in the following regions only:

  • North America, United States: Central US, East US, East US 2, West US, West US 2
  • Europe: North Europe, West Europe
  • Europe, UK: UK South

For more information, read Geographical availability and data residency in Microsoft Sentinel or contact your service delivery manager.

Frequently asked questions

Can I opt in for the third-party network coverage without an existing Defender Experts license?

No, you must have an existing Microsoft Defender XDR license to get third-party network coverage.

What type of third-party data should I choose to be ingested for network signal enrichment?

We recommend the following strategies when choosing which third-party network signals to ingest:

  • Focus on high-value data types: To maximize enrichment value while managing ingestion costs, you can prioritize high-value data types. These include traffic logs, threat logs, web session data, and authentication logs. These data types are frequently used in enrichment and provide the most actionable insights. Configuration or system logs are generally not used for enrichment and can be deprioritized.
  • Scope by product component: Third-party solutions providers often offer multiple products, so it’s important to tailor ingestion to the specific components relevant to your use cases to avoid unnecessary data volume and help control costs. For example, Fortinet customers might choose to ingest only FortiWeb logs if their focus is on web application threats.
  • Phase ingestion gradually: Start with core event types that align with high-priority use cases, then expand as needed. This approach lets you control costs better while still getting meaningful enrichment value.

What are the common enrichment scenarios with third-party data?

The most common enrichment scenarios include the following:

  • Phishing detection
  • C2 or malware tracking
  • Anomalous sign-ins
  • Microsoft Defender for Identity case enrichment
  • NetFlow tracing for lateral movement
  • User-to-IP normalization for behavioral baselining
  • File-based events such as ransomware
  • Component-specific telemetry (for example, FortiWeb, FortiGate, and FortiMail)

Do Defender Experts analysts investigate alerts generated by third-party network products?

The coverage is only for network signal use and doesn't include the triage or investigation of incidents and alerts generated by third-party network solutions.

We initiate investigations with Microsoft Defender XDR and Microsoft Defender for Servers incidents. Upon joining a network signal with these incidents, we conduct thorough investigations of the network alerts or events that are related to the threat. Incorporating these related network signals allows us to present a more comprehensive attack chain to our customers.

What is the pricing for third-party network signal enrichment?

Customers are charged for data ingestion through Microsoft Sentinel. There's no extra charge for enabling network signal enrichment in Defender Experts.
