
Commit 8f10b34

updated screenshot
1 parent d413a3a commit 8f10b34


3 files changed

+9
-9
lines changed

601 KB

defender-xdr/reports-xdr.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ The topmost section of the Defender Experts for XDR report provides the percenta
4545
- **Resolved** – The total number of investigated incidents that were closed.
4646
- **Resolved directly** – The number of investigated incidents that we were able to close directly on your behalf.
4747
- **Resolved with your help** – The number of investigated incidents that were resolved because of your action on one or more managed response tasks.
48-
- **Third-party enriched** - The number of incidents that were enriched with third-party network signals. This data is availably when you're enrolled in the [third-party network enrichment](third-party-enrichment-defender-experts.md).
48+
- **Third-party enriched** - The number of incidents that were enriched with third-party network signals. This data is available when you're enrolled in the [third-party network enrichment](third-party-enrichment-defender-experts.md).
4949

5050
The **Average time to resolve incidents** section displays a bar chart of the average time, in minutes, our experts spent investigating and closing incidents in your environment and the average time you spent performing the required managed response actions.
5151

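Review bot: the **Third-party enriched** bullet (line 48, before and after) separates its term from its description with a plain hyphen ("**Third-party enriched** - The number of incidents ...") while the three bullets above it use an en dash ("**Resolved** – The total number ..."); since this line is already being touched for the "availably" fix, switch the separator to the en dash so the list reads consistently.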
defender-xdr/third-party-enrichment-defender-experts.md

Lines changed: 8 additions & 8 deletions
@@ -37,7 +37,7 @@ This enrichment has the following benefits:
3737
>[!IMPORTANT]
3838
>The coverage is only for network signal use and doesn't include the triage or investigation of incidents and alerts generated by third-party network solutions.
3939
>
40-
>This feature is currently supported in certain regions only. For more information, refer to the [Prerequisites](#prerequisites) section of this document.
40+
>This feature is currently supported in certain regions only. For more information, see the [Prerequisites](#prerequisites) section of this document.
4141
4242

4343
## How Defender Experts analysts use third-party network data to monitor customer tenants
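Review bot: the reworded note at line 40 still only says the feature is "supported in certain regions only" and sends the reader to Prerequisites, but the part of that section visible in the later hunk (lines 61-63) covers the Sentinel onboarding requirement rather than regions; confirm that the Prerequisites section actually names the supported regions, or state them directly in this note so the cross-reference does not point at text that may not answer the question.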
@@ -46,19 +46,19 @@ The Defender Experts team employs a threat-centric methodology that monitors pot
4646

4747
## Example scenario
4848

49-
**Scenario:** Multi-stage attack involving initial access and C2 on multiple endpoints
49+
**Scenario:** Defender Experts for XDR used third-party network signals to uncover lateral movement and potential data exfiltration attempts.
5050

51-
1. **Detection:** A suspicious atypical travel alert is generated for user `User A` due to multiple sign-in attempts from geographically distant IP addresses and devices.
52-
2. **Correlation:** Defender Experts correlates the alert with third-party network signals. Zscaler Internet Access (ZIA) proxy logs reveals unusual outbound traffic patterns and failed sign-in attempts from the same IP addresses, indicating possible credential misuse and reconnaissance behavior.
53-
3. **Investigation:** Security analysts trace most of the user's sign-in attempts to IP addresses from a single internet service provider (ISP) in the United States, and from a device that appears compliant under [Conditional Access policy](/entra/identity/conditional-access/overview). However, one attempt is traced from an IP address originating from an ISP in Germany, from a managed iOS device that bypassed the Conditional Access policy enforcement due to a misconfigured mobile device management profile. The said IP address is later observed performing unauthorized mailbox operations such as `MoveToDeletedItems`,` Move`, and `Update`. ZIA logs confirm repeated access to Microsoft 365 domains, followed by anomalous data transfer volumes. This combination of geographic anomalies, mailbox manipulation, and proxy log patterns confirm that a multi-stage attack is in progress.
54-
4. **Response:** Automated response actions are triggered, including revoking session tokens, isolating both devices, blocking the malicious IP addresses, and initiating a full credential reset for the affected user.
51+
1. **Detection:** Microsoft Defender for Identity generated an _Atypical Travel_ alert for `User A`, who appeared to sign in from India and Germany within a short time period using different devices and IP addresses. While the activity suggested a potential credential compromise or session hijacking, initial reviews across standard identity and cloud monitoring systems didn't show obvious signs of compromise, unusual access to cloud applications, inbox rule changes, or privilege escalation.
52+
2. **Correlation:** With third-party network signal enrichment, Defender Experts were able to see firewall logs from Palo Alto Networks, which revealed attempts to reach unauthorized remote access tools. Meanwhile, Zscaler proxy data highlighted encrypted interactions with a legacy on-premises SharePoint server that wasn’t protected by cloud access security policies.
53+
3. **Investigation:** The investigation revealed that the attacker authenticated from a managed iOS device in Germany. They took advantage of token reuse and a misconfigured mobile device management compliance profile, causing the device to be mistakenly trusted, pass posture checks, and bypass [Conditional Access](/entra/identity/conditional-access/overview). These allowed the attacker to access the internal on-premises SharePoint server. In this scenario, the third-party proxy data and firewall logs provided evidence of lateral movement and potential exfiltration attempts.
54+
4. **Response:** Once Defender Experts confirmed malicious access, they initiated a coordinated response across identity, network, and device domains. They revoked active tokens, isolated affected devices, and hardened mobile policy configurations to enforce Conditional Access more strictly.
5555

5656
## Ingesting third-party network signals for enrichment
5757
If you're a Microsoft Defender XDR customer, [reach out to your service delivery manager](communicate-defender-experts-xdr.md#collaborating-with-your-service-delivery-manager) if you're interested in enabling the third-party network signal enrichment.
5858

5959
### Prerequisites
6060

61-
To enable third-party network signals enrichment, you must have a Microsoft Sentinel instance that's onboarded to Microsoft Defender. [Learn more about Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)
61+
To enable third-party network signals enrichment, you must have a Microsoft Sentinel instance onboarded to Microsoft Defender. [Learn more about Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)
6262

6363
Your Sentinel instance must also have the following settings and configurations:
6464

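Review bot: the rewritten **Response** step (new line 54) drops the credential reset that the old line 54 listed ("initiating a full credential reset for the affected user"); since the new **Detection** step describes the activity as "a potential credential compromise or session hijacking", revoking tokens and isolating devices alone leaves the compromised password usable, so add the reset back, for example "They revoked active tokens, reset the user's credentials, isolated affected devices, and hardened mobile policy configurations ...". Separately, verify the product attribution in new line 51: the old text did not name a product for the alert, and _Atypical travel_ is a Microsoft Entra ID Protection risk detection rather than a Microsoft Defender for Identity alert.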
@@ -114,7 +114,7 @@ We initiate investigations with Microsoft Defender XDR and Microsoft Defender fo
114114

115115
**What is the pricing for third-party network signal enrichment**
116116

117-
Customers are charged for data ingestion through Microsoft Sentinel. There is no additional charge for enabling network signal enrichment in Defender Experts.
117+
Customers are charged for data ingestion through Microsoft Sentinel. There's no extra charge for enabling network signal enrichment in Defender Experts.
118118

119119

120120
### See also
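Review bot: the bold FAQ question at line 115 (unchanged context in this hunk) is missing its question mark: "**What is the pricing for third-party network signal enrichment**" should end with "?". The wording change on line 117 is fine; consider linking "data ingestion through Microsoft Sentinel" to the Sentinel pricing page so readers can see what the enrichment will cost per ingested volume.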
