Skip to main content Link Menu Expand (external link) Document Search Copy Copied
TechWorkshop L300 XDR SOC Operations

Task 01: Turn on native automations (AIR) with approvals

Security Architecture Team

  1. Go back to your Defender XDR portal tab.

  2. In the leftmost pane, go to System > Settings.

  3. Select Email & collaboration.

  4. In the menu, select MDO automation settings.

  5. Under Message clusters, select the following:

    • Similar files
    • Similar URLs

    Automatically remediates malicious messages in these similarity clusters.

  6. Ensure Remediation action is set to Soft delete.

    2zcdmkm9.jpg

  7. Select Save.

    6ajd96py.jpg

  8. In the leftmost pane, go to System > Settings.

  9. Select Endpoints.

  10. Turn on the following:

    • Live Response
    • Live Response for Servers
    • Live Response unsigned script execution

    eo9qhehu.jpg

  11. Select Save preferences.

  12. In the Endpoints page menu, under Permissions, select Device groups, then observe the results.

Security Engineering and Administration

  1. Open your PowerShell ISE window.

  2. Select File > New.

  3. In the top pane, enter the following script, then replace the value of $SenderUPN with your licensed global admin account.

     <#
 .EXAMPLE
 This sends an HTML test-phish email from sec-eng to the pilot mailbox.
 #>

 # 1) Connect and request Mail.Send scope (interactive)
 Disconnect-MgGraph -ErrorAction SilentlyContinue
 Connect-MgGraph -Scopes "Mail.Send"

 # 2) Script variables - edit these
 $SenderUPN   = "REPLACE WITH YOUR LICENSED GLOBAL ADMIN ACCOUNT"      # account you sign in with
 $PilotUPN    = "user1@@lab.Variable(userDomain)"     # target pilot mailbox
 $Subject     = "PAYROLL UPDATE - ACTION REQUIRED"
 $BodyHtml    = @"
 <p>Hello <b>Pilot User</b>,</p>
 <p>Payroll system requires confirmation of your details. Please <a href='https://example.com/benign-info'>review payroll</a> to avoid delay.</p>
 <p><i>This is a benign test message for SOC training only.</i></p>
 <p>- Security Team</p>
 "@

 # 3) Build message hashtable expected by Send-MgUserMail
 $message = @{
     Subject = $Subject
     Body = @{
         ContentType = "HTML"
         Content     = $BodyHtml
     }
     ToRecipients = @(
         @{ EmailAddress = @{ Address = $PilotUPN } }
     )
 }

 # 4) Send the email (sends from the signed-in user by default)
 Send-MgUserMail -UserId $SenderUPN -Message $message -SaveToSentItems:$true

 Write-Host "Test-phish sent from $SenderUPN to $PilotUPN (subject: $Subject)"

  4. On the top bar, select Run Script.

    jeg0io21.jpg

    If stuck signing in. Try closing and reopening PowerShell ISE.

  5. If prompted, on the Permissions requested dialog, select Consent on behalf of your organization, then select Accept.

    The script seeds and sends a test phishing message from your global admin account to Lab User One.

SOC Analyst

  1. Go back to your Defender XDR portal tab.

  2. In the leftmost pane, go to Investigate & response > Hunting > Advanced hunting.

  3. Run the following query to find the test emails sent by Engineering:

     EmailEvents
 | where Subject contains "PAYROLL"

    bf28nqzv.jpg