LLM-Based Threat Classifications in Microsoft Defender for Office

Microsoft Defender for Office now integrates LLM-based threat classifications across multiple reporting tools, enhancing threat detection and analysis capabilities.

Key Updates:

✅ Mail Flow Status Report – Improved threat categorization using AI.
✅ Threat Protection Status Report – Enhanced insights into email-based threats.
✅ PowerShell Cmdlet – `Get-MailTrafficATPReport` now supports LLM classifications.

Docs:

You Should Know:

1. Check Mail Flow Threats via PowerShell

Get-MailTrafficATPReport -StartDate "01/01/2024" -EndDate "01/15/2024" | Format-Table 

Output: Displays mail traffic with LLM-classified threats.

2. Export Threat Protection Data

Get-ThreatProtectionStatusReport -Category "Phishing" | Export-CSV -Path "threat_report.csv" 

3. Automate Alerts with Sentinel

// Sentinel KQL query for LLM-classified threats
SecurityIncident
| where Classification == "LLM_Phishing"
| project TimeGenerated, IncidentName, Severity

4. Linux Log Analysis (SIEM Integration)

# Parse Defender logs in Linux
grep "LLM_Classification" /var/log/microsoft/defender.log | awk '{print $1, $4, $7}'

5. Windows Event Log Filtering

# The Defender operational channel is named "Microsoft-Windows-Windows Defender/Operational"
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.Message -match "LLM" }

Open-Source LLM-Based SOC

A complementary open-source SOC framework leveraging LLMs:

🔗 ThinkingSOC GitHub

What Undercode Say:

Microsoft’s integration of LLMs into Defender for Office marks a shift toward AI-driven security analytics. Key takeaways:
– For Analysts: Use `Get-MailTrafficATPReport` for granular insights.
– For Admins: Automate reporting with PowerShell and Sentinel.
– For Linux Users: Defender logs can be parsed via grep/awk.
– For Threat Hunters: Correlate LLM-classified events with SIEM rules.

Pro Commands:

# Monitor real-time Defender logs (Linux)
tail -f /var/log/microsoft/defender.log | grep "LLM_Classification"
# Bulk classify threats via CSV
Import-Csv "threats.csv" | ForEach-Object { Get-MailDetailATPReport -MessageId $_.Id }
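An added example, not code from the post or from Microsoft: once the mail traffic report has been exported to CSV, this script tallies LLM-classified detections per day, computes their share of all detections, and flags days where the LLM-classified count spikes relative to the other days. The column names and the "LLM" detection-technology value are assumptions about the export layout, and the CSV rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample resembling a CSV export of Get-MailTrafficATPReport.
# Column names and the "LLM" value are assumptions, not a documented schema.
SAMPLE_CSV = """Date,EventType,Direction,DetectionTechnology,MessageCount
2024-01-10,Phish,Inbound,LLM,12
2024-01-10,Phish,Inbound,URL reputation,30
2024-01-10,Malware,Inbound,Anti-malware engine,3
2024-01-11,Phish,Inbound,LLM,95
2024-01-11,Spam,Inbound,Advanced filter,200
2024-01-12,Phish,Inbound,LLM,8
"""


def load_report(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def llm_counts_by_day(rows):
    """Sum MessageCount per day for rows whose detection technology is LLM."""
    counts = defaultdict(int)
    for r in rows:
        if r["DetectionTechnology"].strip().upper() == "LLM":
            counts[r["Date"]] += int(r["MessageCount"])
    return dict(counts)


def llm_share_by_day(rows):
    """Fraction of all detected messages per day that were LLM-classified."""
    total = defaultdict(int)
    for r in rows:
        total[r["Date"]] += int(r["MessageCount"])
    llm = llm_counts_by_day(rows)
    return {day: llm.get(day, 0) / total[day] for day in total}


def spike_days(rows, factor=3.0):
    """Days whose LLM-classified count exceeds factor x the median of the other
    days. A jump like this is a hunting lead: a new campaign that only the LLM
    classifier catches, or a misclassification wave worth sampling by hand."""
    counts = llm_counts_by_day(rows)
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * median(others):
            flagged.append(day)
    return sorted(flagged)
```

Feed it the real export by replacing `SAMPLE_CSV` with the file contents, then forward `spike_days` output to the SIEM rule that correlates LLM-classified events.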

Expected Output:

  • AI-classified threats in Defender reports.
  • Automated PowerShell/Sentinel workflows.
  • Open-source LLM-SOC integration options.

References:

Reported By: Markolauren Defenderforoffice – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
