New file analysis and pivoting capabilities in Microsoft 365 Defender
We’re excited to introduce a new file page that revolutionizes the way security teams can analyze and pivot across devices and cloud applications. This enhancement enables defenders to gain deeper insights into files, their prevalence across the organization, and their impact on security incidents. Let's explore the exciting new file analysis and pivot capabilities in Microsoft 365 Defender.
What’s new?
New interface: The new file page within Microsoft 365 Defender provides a range of information about files, offering insights into their prevalence and impact within your organization. You can now access valuable details, including a trendline showcasing the number of devices where the file has been observed in the past 30 days, a list of file names, cloud applications associated with the file, incidents and alerts involving the file across all Microsoft 365 Defender products, and even worldwide prevalence statistics.
Figure 1: Overview of the new file page within Microsoft 365 Defender
Enhanced pivoting: The "Observed in organization" section of the file page offers an in-depth view of devices and cloud applications where the file has been detected. Unlike the previous limited view, security teams now have a complete picture of file activities on each device. This includes information such as file execution status, first and last seen events on the device, initiating process and time, and file names associated with the device.
File history: By simply clicking on a device or event, defenders can explore the full six months' history of the file on each device and pivot to the first seen event in the device timeline with ease.
Figure 2: View of devices and cloud applications observed in the organization
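The per-device summary (first/last seen, execution status, initiating process, file names) and the 30-day distinct-device prevalence trend described above, recomputed over constructed sample telemetry as an added example; this is not Microsoft's code, and the event fields, device names and hash values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Defender data): one record per
# file event on a device, keyed by the file's SHA256 (shortened here).
EVENTS = [
    # (sha256, device, timestamp, action, initiating_process, file_name)
    ("aa11", "ws-01", "2024-05-01T09:00:00", "FileCreated",    "outlook.exe",  "invoice.exe"),
    ("aa11", "ws-01", "2024-05-01T09:02:00", "ProcessCreated", "explorer.exe", "invoice.exe"),
    ("aa11", "ws-02", "2024-05-03T11:30:00", "FileCreated",    "chrome.exe",   "inv0ice.exe"),
    ("aa11", "ws-03", "2024-03-10T08:00:00", "FileCreated",    "teams.exe",    "invoice.exe"),
    ("bb22", "ws-01", "2024-05-02T10:00:00", "FileCreated",    "msiexec.exe",  "setup.msi"),
]

def observed_in_org(events, sha256):
    """Per-device summary like the 'Observed in organization' view: first and
    last seen, whether the file ever executed, the process that first
    introduced it, and every name the file was seen under on that device."""
    devices = {}
    for h, dev, ts, action, proc, name in sorted(events, key=lambda e: e[2]):
        if h != sha256:
            continue
        d = devices.setdefault(dev, {"first_seen": ts, "last_seen": ts,
                                     "executed": False,
                                     "initiating_process": proc,
                                     "file_names": set()})
        d["last_seen"] = max(d["last_seen"], ts)
        d["executed"] = d["executed"] or action == "ProcessCreated"
        d["file_names"].add(name)
    return devices

def prevalence_trend(events, sha256, now_iso, days=30):
    """Distinct devices on which the file was seen, per day, within the
    trailing `days`-day window ending at `now_iso` (events outside it are
    dropped, like the file page's 30-day trendline)."""
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(days=days)
    per_day = defaultdict(set)
    for h, dev, ts, *_ in events:
        when = datetime.fromisoformat(ts)
        if h == sha256 and start <= when <= now:
            per_day[when.date().isoformat()].add(dev)
    return {day: len(devs) for day, devs in sorted(per_day.items())}

if __name__ == "__main__":
    print(observed_in_org(EVENTS, "aa11"))
    print(prevalence_trend(EVENTS, "aa11", "2024-05-05T00:00:00"))
```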
A new addition to the file page is the "Cloud apps" list, which displays all the cloud applications where the file has been observed, leveraging Microsoft Defender for Cloud Apps policies. This feature enables security professionals to seamlessly pivot to the cloud app page or policy page for further investigation. By expanding the scope beyond devices, defenders can now uncover potential threats originating from cloud applications and take appropriate action.
Figure 3: View of cloud applications observed in the organization
Boosting investigation with additional capabilities and information
To enable defenders to determine file verdicts and assess their potential impact with a single click, we’ve enhanced file capabilities and added the file content feature in this release. The File capabilities feature leverages the expertise of the Microsoft research team to correlate file activities observed during detonation with MITRE ATT&CK techniques, empowering defenders to understand the potential capabilities of a file, even if it hasn't executed anywhere.
Figure 4: View of file capabilities
With File content information, security professionals gain access to detailed information about PE files, including observed execution of MITRE ATT&CK techniques. File content includes Process writes, Process creation, Network activities, File writes, File deletes, Registry reads, Registry writes, Strings, Imports and Exports.
Figure 5: View of file content
The file page also provides seamless access to deep analysis capabilities. By simply clicking on the three dots in the top actions bar, security teams can invoke deep analysis as an action. This initiates a thorough examination of the file, providing insights into its behavior and potential risks. Defenders can monitor the status of the deep analysis submission and view the results directly on the file page and side panel, ensuring a smooth and efficient investigative workflow.
Accessing the new file page
You can access the new file page through the following entry points:
- Global search: Use the global search feature to search for the file by name or SHA256/SHA1. The search results provide a direct link to the file page for detailed information and analysis.
- Incidents and Alerts: When investigating security incidents or analyzing alerts, clicking on a file mentioned in an incident or alert takes you directly to its file page.
- Device timeline: Explore the device timeline to view activities associated with a specific device. Clicking on a file within the timeline redirects you to its file page for a complete history and related incidents.
With these entry points, you can easily access the file page and leverage the enhanced file analysis and pivot capabilities in Microsoft 365 Defender.
Strengthening defenders’ file investigation
Microsoft 365 Defender's new file analysis and pivot capabilities revolutionize the way security teams investigate and respond to file-based threats. With the enhanced file page, defenders can explore detailed information about files, their prevalence, and their impact across devices and cloud applications. The upcoming features, File capabilities and File content information, further empower defenders with comprehensive insights into file behavior and execution. By leveraging these powerful capabilities, organizations can bolster their security posture and proactively mitigate threats. Stay ahead of evolving threats with Microsoft 365 Defender's cutting-edge file analysis and pivot capabilities.
Learn more
Check out the following documentation to start exploring the new file page:
- Try it out today: New file page
- Investigate files
- Take response actions on a file