Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender

Published Monday, November 7, 2022

One of the biggest efficiency drains for security operations center teams (SOC) is the constant switching of context – between different security tools or even between the various views within one solution when they’re looking for different types of information. These disconnected solutions and views cause SOC teams to lose valuable time while trying to manually piece together related signals.

Microsoft 365 Defender on the other hand correlates billions of signals across endpoints, cloud and on-prem identities, email, documents, and cloud apps and groups them into incidents – giving security teams a more effective way to investigate and remediate threats in a unified experience.

Today we’re excited to announce that we made the investigation experience even better with the introduction of attack story view in Microsoft 365 Defender - to help analysts stop breaches faster. In the new incident investigation experience in Microsoft 365 Defender, analysts can now easily navigate between affected assets or drill deep into the details of individual alerts, while always retaining the full context of the incident.

When you select an incident from the incident queue in Microsoft 365 Defender, the new attack story view is now the centerpiece of the investigation experience. It is a visual and interactive view of all affected resources, and it enables security analysts to understand the incident context at any point during their investigation. In addition, analysts can interact with the attack story view to determine next steps or take action from a dropdown with options.

Image 1 shows the new attack story view – it allows you to easily identify that in this case several users, files, an endpoint, an email account, as well as external domains are affected.

Image 1 – New attack story view in Microsoft 365 Defender

Image 2 shows you what interacting with the new incident page looks like and how the views dynamically adjust to your actions. On the left-hand side of image 2 you can see the list of alerts tied to this incident – as analysts select the different alerts, the attack story view automatically adjusts to zoom in on the relevant alert and the incident page adjusts to provide all relevant details tied to this alert.

Image-2 Interactive views on the new incident page

Alternatively, analysts can also engage directly with the graph to review the entity details by clicking on the relevant asset (image 3) and even select the action they want to take to further investigate or start remediation as shown in image 4.

Image 3 – Interact with the attack story view to retrieve device information

Image 4: Select any of the available actions for further investigation or to start remediation

The new attack story view changes the game for SOC teams – gone are the days of never-ending context switching and trying not to lose sight of the overall incident and affected assets. The interactive view will make the investigation and response more intuitive and most importantly - help respond to threats faster and limit the impact of an attack.

For more information, check out these resources: