Note
This article was originally published on September 11, 2024.
Hunters’ Security Research team has recently conducted a thorough investigation into several existing 3rd party detectors, in an effort to improve their performance and to eliminate redundant noise. As part of this process, the team identified the detectors below and revamped their aggregation and prioritization logic.
🔎 Azure AD Identity Protection Risk Detections
Detector ID: azure_ad_identity_protection_risk_detections
The Azure AD Identity Protection Risk detector is a 3rd party detector, bringing in alerts from Microsoft 365 Defender. To reduce the large number of leads created by this detector, which were overloading the SOC queue, the team adjusted the detector’s global scoring rule.
What changed?
Leads with High and Medium severity will have a higher confidence score.
Leads whose risk_state is remediated, dismissed, or confirmed as safe will have a lower confidence score.
Leads will enter the SOC queue only if their risk_state is atRisk or confirmedCompromised (for all alert severities), or if the alert severity is high or medium and the risk_state is unknown (none or unknownFutureValue).
The detector’s base confidence and SOC queue alert threshold have been adjusted to better fit the alert's use cases:
Default Alerts Confidence Threshold → 6
Base Confidence → 5
These actions will reduce the number of leads from this detector in the SOC queue by 65%.
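To make the revised rule concrete, here is an added example (not Hunters’ code) that models the scoring layer for this detector and checks that it reproduces the queue rule stated above. The base confidence, threshold and risk_state values come from the note; the sizes of the severity and risk_state modifiers are assumptions, since the note only says "higher" and "lower".

```python
from dataclasses import dataclass

# Values stated in the release note
DEFAULT_ALERT_CONFIDENCE_THRESHOLD = 6   # SOC queue threshold
BASE_CONFIDENCE = 5

# risk_state values named in the note (Azure AD Identity Protection vocabulary)
COMPROMISED_STATES = {"atRisk", "confirmedCompromised"}
UNKNOWN_STATES = {"none", "unknownFutureValue"}
RESOLVED_STATES = {"remediated", "dismissed", "confirmedSafe"}

# Modifier sizes are assumptions: the note only says "higher" / "lower".
SEVERITY_MODIFIER = {"high": 2, "medium": 1}
COMPROMISED_MODIFIER = 1   # assumed so atRisk/confirmedCompromised leads queue at any severity
RESOLVED_MODIFIER = -3     # assumed; large enough that no severity can re-queue a resolved lead


@dataclass(frozen=True)
class RiskDetection:
    lead_id: str
    severity: str      # high / medium / low / informational
    risk_state: str


def confidence(d: RiskDetection) -> int:
    """Scoring layer: base confidence plus severity and risk_state modifiers, clamped to 0..10."""
    c = BASE_CONFIDENCE + SEVERITY_MODIFIER.get(d.severity.lower(), 0)
    if d.risk_state in COMPROMISED_STATES:
        c += COMPROMISED_MODIFIER
    elif d.risk_state in RESOLVED_STATES:
        c += RESOLVED_MODIFIER
    return max(0, min(10, c))


def enters_soc_queue(d: RiskDetection) -> bool:
    return confidence(d) >= DEFAULT_ALERT_CONFIDENCE_THRESHOLD


def documented_gate(d: RiskDetection) -> bool:
    """The queue rule exactly as the note states it, used to check the scoring layer."""
    if d.risk_state in COMPROMISED_STATES:
        return True
    return d.risk_state in UNKNOWN_STATES and d.severity.lower() in ("high", "medium")


def scoring_matches_policy(detections) -> bool:
    return all(enters_soc_queue(d) == documented_gate(d) for d in detections)


# Constructed sample leads: every severity combined with every risk_state in the note
SAMPLE_LEADS = [
    RiskDetection(f"lead-{i}", sev, state)
    for i, (sev, state) in enumerate(
        (s, r) for s in ("high", "medium", "low", "informational")
        for r in sorted(COMPROMISED_STATES | UNKNOWN_STATES | RESOLVED_STATES))
]
```

Running scoring_matches_policy(SAMPLE_LEADS) is the useful check: if a modifier is retuned later, it shows immediately whether a severity/risk_state combination silently stops matching the documented queue rule.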
🔎 Microsoft Defender for Office 365 Alerts
Detector ID: microsoft_365_defender_office365_alerts
The Microsoft Defender for Office 365 Alerts detector is a 3rd party detector, bringing in alerts from Microsoft Defender for Office 365. To reduce the large number of leads created by this detector, which were overloading the SOC queue, the team adjusted the detector’s SOC queue threshold and scoring layer.
What changed?
The SOC queue alert threshold was increased to 6, while the base confidence score remained at 5.
Confidence modifiers were added to increase confidence when the alert severity attribute value is Medium or High.
Only Medium and High severity Alerts will enter the SOC queue.
These actions will reduce the number of leads from this detector in the SOC queue by 64%.
🔎 Proofpoint TAP Messages alerts
Detector ID: proofpoint_tap_messages_detection
The Proofpoint TAP Messages alerts detector is a 3rd party detector that aggregates and processes attributes from Proofpoint events for delivered messages that contained a known threat. This detector produced a large number of leads, which were overloading the SOC queue. As a result, the team adjusted the detector’s behavior to provide better visibility to the analyst.
What changed?
The detector will filter out all blocked email message alerts by reading only from the delivered email messages alerts table. This action reduces the overall number of leads by 99% and focuses the analyst on the relevant alerts.
The detector’s base confidence and SOC queue alert threshold were adjusted to better fit the alert's use cases:
Default Alerts Confidence Threshold → 7
Base Confidence → 6
Proofpoint's scoring layer was updated to align with the alert confidence threshold change mentioned above:
Confidence modifiers were added to different cases of threat indicators found in the email alert.
Scoring was fixed to raise confidence and severity levels when the proxy logs show that the URL found in the message was accessed.
The detector’s explainability was improved:
Recommended investigation flow was added to the lead's description.
The detector’s description was improved and now includes the threat type.