Investigating "Defender: Malware Threat" findings

Overview

This guide explains how to investigate “Microsoft Defender: Malware Threat” findings with Report Builder by reviewing the logs from the host where the file was detected, including how to confirm whether Defender actually quarantined the file. The threats behind these findings are logged by Microsoft Defender for Endpoint or Microsoft Defender Antivirus. We recommend scoping Defender’s own actions first, then the behavior of the file itself, and finally the other activity logged on the host in the same timeframe.

Using Report Builder to investigate

Reference: See Using the Report Builder for more information about building reports.

You can use Report Builder to investigate malware threat findings in several ways, including the following:

Reviewing logs to scope actions taken by Defender

Start by creating a report that will allow you to do the following:

  • Verify quarantine status by reviewing the action and message fields in the Defender logs: these tell you what Defender did with the file (detected only, quarantined, removed, or a failed action) and give context for the outcome of the finding.
  • Find Defender’s URL in the link field, which opens the Defender portal page for the threat, where you can see details about the threat itself and the specific actions Defender took.

To review Defender’s malware threat and actions taken, do the following:

  1. Keeping the finding’s detail page open, open Report Builder in a new browser window so you can refer to the finding while reviewing data in a separate window.
  2. In Report Builder, set Time Range to include the timeframe of the finding’s activity.
  3. In Data Sources, select all Microsoft Windows and Blumira Agent data sources, if available. Alternatively, you can click Edit Report then click Select All Data Sources option to expand the dataset.
  4. Add a filter to the report where windows_event_id includes a list of the Microsoft Defender event IDs for the activity in question. Refer to Microsoft Defender event IDs for a complete list of event IDs that you can add to your report filter. In the Defender Antivirus operational log, 1116 records a detection, 1117 an action taken (for example, quarantine), and 1118 and 1119 a failed action; 1006, 1007, and 1008 are the equivalent IDs from the older platform. A detection event alone does not confirm quarantine; look for the action-taken event (1117 or 1007) whose action or message names the quarantine, and treat any 1118, 1119, or 1008 event as a sign the file may still be on disk.
    Example: windows_event_id - IN - (1116, 1117, 1118, 1119, 1006, 1007, 1008)
  5. Add data columns to your report, such as those below, which will provide you with helpful information from your logs about Microsoft Windows actions:
    • action
    • category
    • device_address
    • devname
    • link
    • message
    • object_path
    • severity_name
    • subject_account_name
    • timestamp
    • type
    • user
    • vuln_name
    • windows_log_source
    • windows_event_id
  6. Click Submit.

Reviewing logs to scope the threat file's activity

To further investigate the malware threat in question, look for behavior tied to the threat file itself, such as process starts and command lines that reference it. This helps you quickly determine whether the file executed before Defender acted on it and, if so, what it did.

To review file execution activity, do the following:

  1. Using the report created above as a starting point, delete the existing filters but keep the data sources.
  2. In the finding, locate and copy the file name at the end of the file path displayed in the object_path field in the finding.
  3. Add a filter to the report to narrow the results to logs where the command field contains the file name copied from the object_path field in Step 2.
    Example: command - Contains - file name
  4. (Optional) Repeat Step 3 with filters on process_name and parent_process_name containing the file name, so you also catch the file as a running process and as the parent of anything it spawned.
  5. Add data columns to the report, such as those below, which will provide you with helpful information from your logs for Microsoft Windows actions:
    • action
    • category
    • command
    • device_address
    • devname
    • domain
    • dst_ip
    • dst_port
    • event_type
    • message
    • object_path
    • parent.cmdline
    • parent_process_name
    • process_name
    • subject_account_name
    • subject_account_domain
    • timestamp
    • type
    • user
    • windows_event_id
    • windows_log_source
  6. Click Submit.

Reviewing logs to scope activity on the host

Lastly, investigate the other logs from the host in question. A simple report filtered on devname gathers the relevant logs around the time of the finding. While reviewing the report, look for the following information:

  • Behavior such as additional suspicious processes, commands, or user activity observed on the host that indicates the presence of malicious or suspicious actors.
  • If activity is occurring in NETWORK_CONNECTIONS or DNS_QUERY, shown in the event_type field, to see how and to where this host is communicating.

To review host logs, do the following:

  1. Using the report created above as a starting point, delete the existing filters but keep the data sources and columns.
  2. To narrow the results to a manageable number of logs for review, edit Time Range to a timeframe of a couple of minutes around the finding activity.
  3. In the finding, locate and copy the device’s name in the devname field.
  4. Add a filter to the report where devname equals the device's name you copied above.
    Example: devname - Equal - device name
  5. Click Submit.
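The three passes above (scoping Defender’s actions by event ID, pivoting on the file name from object_path, and pulling the host’s logs in a short window) are easy to get wrong in one direction: treating a 1116 detection as proof of quarantine. The following script is an added example, not Blumira’s or Microsoft’s code, that runs those same passes over normalized log records shaped like the report columns listed on this page. The records are constructed for illustration; it is an assumption that the normalized action or message field of an action-taken event contains the word "quarantine" when the file was quarantined, and the PROCESS_START event_type value is likewise assumed.

```python
"""Triage a Defender malware-threat finding over normalized log records.

Added example (not Blumira's or Microsoft's code). Field names follow the
Report Builder columns on this page; all record values are constructed.
"""
from datetime import datetime, timedelta

# Microsoft Defender Antivirus operational-log event IDs used in the filter above.
DEFENDER_EVENT_IDS = {
    1006: "malware detected (older platform)",
    1007: "action taken (older platform)",
    1008: "action failed (older platform)",
    1116: "malware detected",
    1117: "action taken",
    1118: "action failed",
    1119: "critical error while taking action",
}
ACTION_TAKEN = {1007, 1117}
ACTION_FAILED = {1008, 1118, 1119}

# Constructed sample records (not real telemetry). Timestamps are UTC.
FINDING_PATH = r"C:\Users\alice\Downloads\invoice.exe"
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T14:01:50Z", "devname": "WKS-042", "event_type": "PROCESS_START",
     "process_name": "invoice.exe", "parent_process_name": "explorer.exe",
     "command": '"C:\\Users\\alice\\Downloads\\invoice.exe" /s', "user": "alice"},
    {"timestamp": "2024-05-01T14:01:55Z", "devname": "WKS-042", "event_type": "NETWORK_CONNECTIONS",
     "process_name": "invoice.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"timestamp": "2024-05-01T14:02:10Z", "devname": "WKS-042", "windows_event_id": 1116,
     "action": "Detected", "object_path": FINDING_PATH, "vuln_name": "Trojan:Win32/Sample",
     "message": "Defender Antivirus has detected malware or other potentially unwanted software."},
    {"timestamp": "2024-05-01T14:02:11Z", "devname": "WKS-042", "windows_event_id": 1117,
     "action": "Quarantine", "object_path": FINDING_PATH, "vuln_name": "Trojan:Win32/Sample",
     "message": "Defender Antivirus has taken action to protect this machine. Action: Quarantine"},
    {"timestamp": "2024-05-01T13:40:00Z", "devname": "WKS-042", "event_type": "DNS_QUERY",
     "domain": "updates.example.com", "process_name": "svchost.exe"},  # outside the window
    {"timestamp": "2024-05-01T14:02:30Z", "devname": "SRV-01", "event_type": "DNS_QUERY",
     "domain": "invoice-tracker.example.net", "process_name": "chrome.exe"},  # different host
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def event_id(record):
    """windows_event_id may arrive as int or string; normalize or return None."""
    try:
        return int(record.get("windows_event_id"))
    except (TypeError, ValueError):
        return None


def file_name(object_path):
    """Step 2 of the file-activity pass: the name after the last path separator."""
    return object_path.replace("\\", "/").rsplit("/", 1)[-1]


def defender_outcome(logs, object_path):
    """Pass 1: what Defender itself reports for this file.

    Quarantine is confirmed only by an action-taken event (1117/1007) whose
    action or message names quarantine (assumed field contents); a detection
    event (1116/1006) on its own proves nothing. Any failed-action event wins,
    because the file may then still be on disk.
    """
    target = object_path.lower()
    events = [r for r in logs
              if event_id(r) in DEFENDER_EVENT_IDS
              and str(r.get("object_path", "")).lower() == target]
    ids = {event_id(r) for r in events}
    quarantined = any(
        event_id(r) in ACTION_TAKEN
        and "quarantine" in (str(r.get("action", "")) + " " + str(r.get("message", ""))).lower()
        for r in events)
    if ids & ACTION_FAILED:
        status = "action failed"
    elif quarantined:
        status = "quarantined"
    elif ids & ACTION_TAKEN:
        status = "action taken, not quarantine"
    elif ids:
        status = "detected only"
    else:
        status = "no Defender events"
    return {"status": status, "event_ids": sorted(ids)}


def file_activity(logs, name):
    """Pass 2: process and command logs that mention the file name (Steps 3-4)."""
    needle = name.lower()
    fields = ("command", "process_name", "parent_process_name")
    return [r for r in logs if any(needle in str(r.get(f, "")).lower() for f in fields)]


def host_window(logs, devname, finding_ts, minutes=2):
    """Pass 3: everything the host logged within +/- minutes of the finding."""
    center = parse_ts(finding_ts)
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    rows = [r for r in logs
            if r.get("devname") == devname and lo <= parse_ts(r["timestamp"]) <= hi]
    return sorted(rows, key=lambda r: r["timestamp"])


def triage(logs, finding):
    """Run all three passes for one finding and summarize what to look at next."""
    outcome = defender_outcome(logs, finding["object_path"])
    name = file_name(finding["object_path"])
    window = host_window(logs, finding["devname"], finding["timestamp"])
    net = sorted({r["event_type"] for r in window
                  if r.get("event_type") in ("NETWORK_CONNECTIONS", "DNS_QUERY")})
    return {"status": outcome["status"], "event_ids": outcome["event_ids"], "file_name": name,
            "file_activity": len(file_activity(logs, name)), "host_logs": len(window),
            "network_event_types": net}


if __name__ == "__main__":
    finding = {"devname": "WKS-042", "timestamp": "2024-05-01T14:02:10Z", "object_path": FINDING_PATH}
    for key, value in triage(SAMPLE_LOGS, finding).items():
        print(f"{key}: {value}")
```

On the constructed records the result is "quarantined", but note the ordering that matters: the file started and made a network connection about twenty seconds before Defender acted, which is exactly what the file-activity and host passes exist to surface. If your normalized action field uses different wording for a quarantine, adjust the substring check in defender_outcome rather than relaxing it to accept any 1117 event.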

Adding detection filters

We do not typically recommend adding a detection filter for this activity because it is usually a one-time occurrence for a given file. If exclusions are necessary, configure them in your Defender portal so the exclusion is managed at the source rather than hidden in the SIEM.