Microsoft Defender XDR - Take action on advanced hunting results

The level below automation and above manual actions per asset

So this is mostly a self-reference post about the action button in Defender XDR that appears when you select rows returned from an advanced hunting query. I’ve used it in the past, but not really thought about it. I did some light digging and, based on this article, it’s most likely related to a preview. Some more digging shows articles talking about this feature as far back as 2022, describing it as a new feature for threat hunting.

The article’s first bulleted list describes this as two features, but it actually lists three categories of actions you can take (and the Defender UI itself appears to offer more, with actions on users also being an option):

  • Take various actions on devices
  • Quarantine files
  • Take various actions on emails
  • Take various actions on users

The way this works is that the returned columns define which actions you can take. An example is the AADSignInEventsBeta table (documented here). Let’s focus on two of the possible actions:

  1. User actions
  2. Device actions

This table exposes the device as AadDeviceId, while there are plenty of user fields; for this example let’s focus on AccountUpn and AccountObjectId. If we run a query that outputs a single row and select it, we are only offered a user action. Why?

Well, because the available actions are determined by the names of the returned columns, so AadDeviceId is not recognised as a device column. If we add a column named DeviceId and set it to the value of AadDeviceId, it works:

AADSignInEventsBeta
| extend DeviceId = AadDeviceId
| take 1

This allows us to perform a device action on the output. Note that the UI only checks the column name, not what the value is: AadDeviceId is the Entra ID device object ID, which is a different identifier from the Defender for Endpoint DeviceId that device actions target, so confirm in the target-selection step that the device resolves as expected (or map it through DeviceInfo, which carries both identifiers). Now over to the user action: projecting only AccountUpn from the results will not offer any action. Why? Again, because the column that enables user actions is AccountObjectId. Returning that column instead, or the entire row, makes it work as normal. Each action type keys on specific column names, and the same data is named differently across tables (all Microsoft-native, so this is something Microsoft could fix), but we can use the extend operator as above to map the right value into the correctly named column and run the action that way.
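Putting the two together, here is an added example query (mine, not from the original post) that hunts risky sign-ins in AADSignInEventsBeta and shapes the output so a selected row offers both device and user actions. Rather than simply renaming AadDeviceId, it joins DeviceInfo to resolve the Entra device object ID to the Defender for Endpoint DeviceId. The time window and the risk filter are illustrative assumptions (RiskLevelDuringSignIn is assumed to be the integer-coded field where 0 means no risk); the column-to-action mapping (DeviceId for device actions, AccountObjectId for user actions) is the one described above.

```kql
// Added example, not code from the original post. Risky-sign-in hunt whose output deliberately
// carries the column names that unlock actions in the advanced hunting results grid:
//   DeviceId        -> device actions (isolate device, run antivirus scan, ...)
//   AccountObjectId -> user actions (mark user as compromised, ...)
// The lookback and the risk threshold are assumptions for illustration, not a tuned detection.
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode == 0                       // successful sign-ins only
| where RiskLevelDuringSignIn > 0            // assumed int coding: 0 = no risk; check the schema
| where isnotempty(AadDeviceId)
// Resolve the Entra device object ID to the Defender for Endpoint DeviceId via DeviceInfo,
// so the device action targets the device Defender knows about rather than a renamed Entra ID.
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(7d)
    | where isnotempty(AadDeviceId)
    | summarize arg_max(Timestamp, DeviceId, DeviceName) by AadDeviceId   // latest record per device
    | project AadDeviceId, DeviceId, MdeDeviceName = DeviceName
  ) on AadDeviceId
// One row per user/device pair so each selected row is a distinct action target.
| summarize LastSeen = max(Timestamp), SignIns = count()
         by AccountUpn, AccountObjectId, DeviceId, MdeDeviceName, AadDeviceId
| project LastSeen, SignIns, AccountUpn, AccountObjectId, DeviceId, MdeDeviceName, AadDeviceId
| order by LastSeen desc
```

Select the rows of interest in the results grid and the Take actions button should offer both the device and the user action sets; the AadDeviceId column is kept alongside DeviceId so you can see which Entra device each Defender DeviceId was resolved from before submitting.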

How does it look in the UI?

Head over to advanced hunting and let’s test it. First, to take action on a device, query a device table such as DeviceProcessEvents:

DeviceProcessEvents
| take 1

This yields one result, but without selecting any rows we don’t get any action buttons.

Run the same query again, but this time select the result row(s). I’m using take 1, but this works on multiple rows returned by a query.

Doing this will surface the “Take Actions” button:

Clicking this allows us to perform some actions, like the list below:

Selecting some of the actions gives a deeper look into what makes them available; I will dive a bit more into this later:

Going next allows us to choose targets:

And going next allows us to review and submit.

Conclusion

Not much to say: a nice feature that I feel isn’t well enough known. It is useful when you want to act quickly on the presence of a specific indicator, for example: if this indicator exists on the system, block and quarantine the file, mark the user as compromised and isolate the device, all from the same result set.
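As an added example (not from the original post) of that indicator scenario, here is a hunt over DeviceProcessEvents for a constructed placeholder SHA1 that shapes the output so a single row selection offers device, file and user actions together. The post confirms the DeviceId and AccountObjectId mappings; that the Quarantine file action keys on the SHA1/SHA256 columns is my reading of the Microsoft documentation and should be confirmed in your tenant’s UI. The hash is a placeholder and the lookback window is arbitrary.

```kql
// Added example, not code from the original post. Hunt for a known-bad file hash and shape the
// output so one row selection in the results grid offers device, file and user actions together.
// Assumed column-to-action mapping (the post confirms the first and third; the SHA1/SHA256 mapping
// for "Quarantine file" is from my reading of the Microsoft docs, so verify it in your tenant):
//   DeviceId        -> device actions (isolate device, run antivirus scan, ...)
//   SHA1            -> quarantine file
//   AccountObjectId -> user actions (mark user as compromised, ...)
let BadHashes = dynamic([
    "0000000000000000000000000000000000000000"   // constructed placeholder SHA1, replace with real IOCs
]);
DeviceProcessEvents
| where Timestamp > ago(30d)                                   // arbitrary lookback
| where SHA1 in~ (BadHashes) or InitiatingProcessSHA1 in~ (BadHashes)
// The hash may belong to the spawned process or to its parent; flag which side matched.
| extend MatchedOnParent = not(SHA1 in~ (BadHashes))
// Normalise so the action-enabling columns always describe the matching file and the
// account that ran it, regardless of which side matched.
| extend SHA1            = iff(MatchedOnParent, InitiatingProcessSHA1, SHA1),
         MatchedFileName = iff(MatchedOnParent, InitiatingProcessFileName, FileName),
         AccountObjectId = iff(MatchedOnParent, InitiatingProcessAccountObjectId, AccountObjectId),
         AccountUpn      = iff(MatchedOnParent, InitiatingProcessAccountUpn, AccountUpn)
// One row per device/file/user so each selected row is a distinct action target.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Executions = count(),
            FileNames = make_set(MatchedFileName, 5)
         by DeviceId, DeviceName, SHA1, AccountObjectId, AccountUpn
| order by LastSeen desc
```

Select every row in the result and Take actions should let you pick the device, file and user actions in one pass; the review step before submitting is where to check that the resolved targets (device names, file names, UPNs) are the ones you expect, since the grid keys purely on column names.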

If anything, this is just a self-reference post for something everyone already knows. C’est la vie.

Tags: Defender XDR, Advanced Hunting