Loading

Microsoft Defender XDR Alert External Alerts

Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices. Microsoft Defender emits multiple update events for the same alert over its lifecycle, all sharing a stable alert identifier. This rule suppresses those update events so that a single, continuous Elastic alert is maintained per Defender alert rather than a new alert per update. Enabling this rule allows you to immediately begin investigating Microsoft Defender XDR alerts in the app.

Rule type: query
Rule indices:

  • logs-m365_defender.alert-*

Rule Severity: medium
Risk Score: 47
Runs every: 1m
Searches indices from: now-2m
Maximum alerts per execution: 1000
References:

Tags:

  • Data Source: Microsoft Defender XDR
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Promotion: External Alerts

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule is designed to capture alert events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts.

To capture Microsoft Defender XDR alerts, install and configure the Microsoft Defender XDR integration to ingest alert events into the logs-m365_defender.alert-* index pattern.

Microsoft Defender writes multiple update events per alert during its lifecycle, all sharing the same stable identifier (m365_defender.alert.id, copied to event.id). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics:

  • Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled.
  • Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert.
  • The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender alert lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates.

To avoid double-counting, enable either this alert-level rule or the Microsoft Defender XDR Incident External Alerts rule (incident-level), not both: a Defender incident's child alerts appear in both data streams. Choose incident-level for the least noise (one Elastic alert per Defender incident) or alert-level for finer-grained, per-alert triage.

For information on troubleshooting the maximum alerts warning please refer to this guide.

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. The alert data stream (logs-m365_defender.alert-*) carries pre-correlated alerts already triaged by Defender. This rule promotes each Defender alert into an Elastic detection alert so analysts can investigate without leaving the app.

Microsoft Defender emits several update events for the same alert as its status, classification, and evidence evolve. Every update shares the same stable Defender alert identifier (m365_defender.alert.id, which the integration also copies into event.id). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates.

If you also collect Microsoft Defender alerts through the Microsoft 365 Unified Audit Log (logs-o365.audit-*) rather than the native integration data stream, the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule.

  • Review m365_defender.alert.title, m365_defender.alert.category, and m365_defender.alert.threat_display_name to understand what Defender detected.
  • Pivot to the Defender portal using m365_defender.alert.incident_web_url.original for the full evidence graph, process tree, and remediation status.
  • Examine the evidence fields under m365_defender.alert.evidence.* (host, file, process, user account, URL, sender) to scope the impacted entities.
  • Check m365_defender.alert.incident_id to correlate the alert with its parent Defender incident and any sibling alerts.
  • Review m365_defender.alert.status and m365_defender.alert.classification to see whether Defender has already resolved or classified the alert.
  • Defender alerts are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding.
  • Alerts involving known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception.
  • Use m365_defender.alert.classification and m365_defender.alert.determination to filter out activity Defender itself has marked as a false positive.
  • Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed.
  • Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the alert.
  • Investigate how the threat entered the environment and close any exploited gaps.
  • Reset credentials for compromised accounts or escalate to incident response.
  • Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate.
event.kind: alert and data_stream.dataset: m365_defender.alert