Mon, Apr 24, 2023

Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them)


Organizations are increasingly turning to the cloud in their attempt to become more agile and efficient. Many will choose the Microsoft ecosystem and will need to become familiar with threat detection and response offered by this environment, how these technologies can be leveraged to their full potential, and what should be supplemented to avoid unnecessary risk. Gain up-to-date insights into these issues in our eBook, Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them).

The eBook covers:

  • Common security challenges organizations face when moving to a Microsoft cloud environment
  • How to get the most value from solutions such as Microsoft Sentinel and the Microsoft XDR solutions, Microsoft 365 Defender and Microsoft Defender for Cloud
  • Practical steps to help accelerate threat detection and response across your Microsoft estate
  • Insights from a real-life case study

We’ve listed three of the five key Microsoft Threat Detection and Response pitfalls below.

Download the eBook to learn more about all five pitfalls, our recommendations on how to avoid them, and how to optimize the native security tooling and telemetry in Microsoft endpoint and cloud technology.

Pitfall 1: Not Understanding Where to Prioritize with Your E5/Microsoft Defender License

A common challenge for many organizations is a lack of certainty around which Microsoft Defender/E5 products should be prioritized, and which solution they need to onboard first out of Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. Cost effectiveness also needs to be taken into account, given the differences in licensing structures between products and the additional data ingestion and storage charges incurred when too much data is consumed.

Pitfall 2: Buying Microsoft Security Solutions Before Understanding How to Configure Them

Many organizations make the error of committing financially to security solutions before fully understanding the time and insight required to optimize them. Without effective configuration to identify the right telemetry and activity, monitoring can become redundant. The good news is that Microsoft has made it simple to integrate Microsoft Defender and other E5 security solutions into Microsoft Sentinel. The bad news is that, without proper configuration and implementation of these underlying features, you won’t gain value from them.

Pitfall 3: Not Leveraging Response Automation and Native Integrations

Organizations don’t frequently automate response playbooks in on-premises environments because of the negative impact this can have on legacy technology, which also demands specific on-site forensics. However, as the cloud is both highly accessible and fast-moving, response should be highly automated. Companies should leverage native Microsoft tools such as Azure Logic Apps and Power Automate to set up automated cloud responses and build playbooks that are native in Microsoft Sentinel.

Example Playbook

In the example playbook below, an attacker aims to access a virtual machine (VM) and starts scanning the network to get a lay of the land. This triggers an alert, pulling user, device and network information (1). From here, various response actions can be triggered such as tagging the VM as compromised (2) and taking a snapshot of that VM (3). That snapshot can be used to run point-in-time forensics and, in parallel with the automation of packet capture enabled on the VM, conduct root-cause analysis as well as ongoing hunting of the deep network activity (4) that the endpoint continues to exhibit.
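Response actions (2) to (4) above, sketched as Azure CLI calls. This is an added example, not taken from the eBook or from Kroll's playbook; the tag keys, resource names, storage account and incident id are assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```bash
#!/bin/sh
# Added example: playbook steps (2)-(4) as Azure CLI calls.
# Tag keys, resource names and the storage account are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them with az

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# respond_to_vm <resource-group> <vm-name> <storage-account> <incident-id>
respond_to_vm() (
  rg="$1"; vm="$2"; storage="$3"; incident="$4"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"

  # Look up the OS disk to snapshot; dry-run uses a labelled placeholder.
  if [ "$DRY_RUN" = "1" ]; then
    disk_id="<os-disk-id-of-$vm>"
  else
    disk_id="$(az vm show -g "$rg" -n "$vm" \
      --query storageProfile.osDisk.managedDisk.id -o tsv)"
  fi

  # (2) Tag the VM as compromised so analysts and other automation can see it.
  run az vm update -g "$rg" -n "$vm" \
    --set "tags.SecurityStatus=compromised" "tags.Incident=$incident"

  # (3) Snapshot the OS disk for point-in-time forensics.
  #     Data disks are not covered here and need their own snapshots.
  run az snapshot create -g "$rg" -n "ir-$vm-os-$stamp" \
    --source "$disk_id" --tags "Incident=$incident"

  # (4) Start a time-boxed packet capture (seconds) for ongoing network hunting.
  #     Needs Network Watcher in the VM's region and its agent extension on the VM.
  run az network watcher packet-capture create -g "$rg" --vm "$vm" \
    -n "ir-$vm-$stamp" --storage-account "$storage" --time-limit 600
)

# Run directly: ./respond.sh <resource-group> <vm-name> <storage-account> <incident-id>
if [ "$#" -eq 4 ]; then respond_to_vm "$@"; fi
```

In a Microsoft Sentinel playbook the same three calls would be Logic App actions triggered by the alert, with the VM identity taken from the alert's host entity in step (1).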


With the move to the cloud showing no sign of slowing down, it is imperative that organizations fully understand how best to optimize their investments in both Microsoft solutions and MDR services to get the most security value.
Marc Brawner, Global Head of Managed Services, Cyber Risk, Kroll

How to Alleviate the Challenges of Cloud Threat Detection and Response

Effective MDR services can deliver the talent, processes and expertise to ensure your organization gains the greatest value from solutions such as Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud. However, not all Microsoft MDR providers are capable of delivering the caliber of experience and insight required to address the potential pitfalls.

To help avoid the risks, some of the criteria for assessing potential MDR providers include:

  • Microsoft-Certified Security Specialists
    Look for a provider whose services are delivered by security experts certified in Microsoft Security competencies such as AZ-500: Microsoft Azure Security Technologies and SC-200: Microsoft Security Operations Analyst.
  • Microsoft Commercial Marketplace
    Check that your prospective provider is in the Microsoft Commercial Marketplace. This makes it easier for existing Microsoft businesses to select and onboard MDR service providers using their existing enterprise plans.
  • Response Beyond Containment
    While MDR has become an effective approach for addressing the security skills gaps around detection and response, organizations have been disappointed with the “response” provided by most MDR vendors. This is because it often stops at containment, putting the onus on the client to remediate and investigate. Rather than leaving your organization hanging, response should cover the whole incident response lifecycle and enable continuous improvement. This means closing the gap between merely containing the threat and actively removing it across all affected systems, and quickly understanding the root cause so that it doesn’t happen again.

Learn More About The Five Key Pitfalls (and How to Address Them)

The rewards of Microsoft Security tools are significant but without an effective MDR provider on side, the potential risks are too great to ignore. Discover specific steps you can take to avoid the many pitfalls and how to find the right MDR provider for you in our eBook.

