# Microsoft Defender EDR process correlation user guide

### Overview

EDR Process Correlation is Vectra AI's breakthrough capability that automatically identifies which process on an endpoint triggered suspicious network behavior detected by Vectra. This feature eliminates the manual correlation gap between Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) systems.

EDR Process Correlation with Microsoft Defender for Endpoint is generally available in the Respond UX. Vectra plans to add support for this functionality to Quadrant UX deployments in a future release.

#### What is EDR Process Correlation?

When Vectra AI identifies suspicious network behavior, it automatically:

* Queries Microsoft Defender for Endpoint (MDE) telemetry for the specific host
* Analyzes process activity during the detection window via MDE Advanced Hunting
* Identifies the most probable process responsible
* Surfaces complete process context directly within the Vectra detection

**Result: Instant answers instead of 15–30 minutes of manual investigation.**

### What Problem Does This Solve?

#### The Investigation Gap

**Without EDR Process Correlation:**

1. Analyst receives Vectra network detection
2. Identifies affected host
3. Opens Microsoft Defender portal
4. Searches Advanced Hunting around detection timeframe
5. Correlates network timestamps with process activity
6. Validates which process is responsible

**Average time: 15–30 minutes per detection**

**With EDR Process Correlation:**

1. Analyst receives Vectra detection with process already identified
2. Reviews enriched context inline
3. Clicks directly into Microsoft Defender if deeper investigation needed

**Average time: 30–60 seconds**

#### The Missing Link

**Network Detection (NDR)** excels at spotting suspicious behaviors: C2 communication, reconnaissance, lateral movement, data exfiltration.

**Endpoint Detection (EDR)** captures process-level detail: what executed, command lines, parent processes, file hashes.

**The Gap:** Without automatic correlation, analysts must manually bridge these systems.

EDR Process Correlation eliminates this gap entirely.

### Benefits

#### For Security Analysts

* **95% reduction in investigation time** — from 15–30 minutes to 30–60 seconds
* **Immediate context** — see the complete process story without tool switching
* **Instant threat validation** — command line details expose true intent
* **One-click pivots** — jump directly to the full Microsoft Defender forensic timeline

#### For SOC Operations

* Faster Mean Time to Response (MTTR) — accelerate every investigative step
* Reduced alert fatigue — instant context means confident decisions
* Scale investigations — handle more detections with the same team
* No custom correlation logic — eliminates brittle SIEM/SOAR workflows

#### For the Organization

* Reduced attacker dwell time — faster detection to containment
* Better security posture — comprehensive visibility across network and endpoint
* Operational efficiency — maximize existing Microsoft security investments
* Attack surface understanding — complete cross-domain picture from the start

### Prerequisites

#### Required Permissions in Microsoft Defender for Endpoint

Your Azure AD / Microsoft Entra ID application registration must have the following MDE API **application permissions**:

<table><thead><tr><th width="234.73828125">Permission</th><th width="167.93359375">Required For</th><th>Description</th></tr></thead><tbody><tr><td><code>Machine.Read.All</code></td><td>Host context</td><td>Provides MDE device context; links to Defender portal; improves device identification</td></tr><tr><td><code>Machine.Isolate</code></td><td>Device Isolation (response)</td><td>Enables manual or automated response actions; required for Device Isolation feature</td></tr><tr><td><code>AdvancedQuery.Read.All</code></td><td>EDR Process Correlation</td><td>Enables automatic process stitching via Advanced Hunting API; submit and retrieve KQL queries</td></tr></tbody></table>

#### MDE Environment Selection

Select the correct MDE API endpoint based on your Microsoft Defender portal access:

<table><thead><tr><th width="283.30859375">If you log into Defender via…</th><th width="133.65625">Environment</th><th>Select this API URL</th></tr></thead><tbody><tr><td><code>https://security.microsoft.com</code></td><td>Commercial</td><td><code>api.securitycenter.microsoft.com</code></td></tr><tr><td><code>https://security.microsoft.us</code></td><td>US GCC High</td><td><code>api-gcc-high.securitycenter.microsoft.us</code></td></tr><tr><td><code>https://security.apps.mil</code></td><td>US DoD</td><td><code>api-fed.securitycenter.microsoft.us</code></td></tr></tbody></table>

### Configuration

#### Step 1: Register an Application in Microsoft Entra ID

{% hint style="info" %}
If an App Registration already exists for integrating Microsoft Defender Host Context into Vectra, a new App Registration is not required. Select the existing App Registration and extend its permissions as described under Configure API Permissions below.
{% endhint %}

**Navigate to the Azure Portal**

1. Go to `portal.azure.com` → **Microsoft Entra ID** → **App registrations**
2. Click **New registration**

**Create the App Registration**

1. Provide a descriptive name (e.g., `Vectra AI MDE Integration`)
2. Select **Accounts in this organizational directory only**
3. Click **Register**
4. Record the **Application (client) ID** and **Directory (tenant) ID** — you will need these for Vectra

**Configure API Permissions**

1. Go to **API permissions** → **Add a permission**
2. Select **APIs my organization uses** → search for `WindowsDefenderATP`
3. Choose **Application permissions** and add:
   * `Machine.Read.All`
   * `Machine.Isolate`
   * `AdvancedQuery.Read.All`
4. Click **Grant admin consent for [your organization]** and confirm

**Create a Client Secret**

1. Go to **Certificates & secrets** → **New client secret**
2. Set an expiry period and click **Add**

> ⚠️ **CRITICAL:** Record the secret **Value** immediately. This is the only time it will be visible. If lost, you must create a new secret.

#### Step 2: Configure Vectra Integration

1. In Vectra, go to: **Settings → EDR Connections**
2. Edit the **Microsoft Defender for Endpoint** settings area
3. Toggle the integration to **On**
4. Enter connection details:
   * **MDE API URL:** Select the appropriate URL from the dropdown (see table above)
   * **Tenant ID:** Paste your Directory (tenant) ID from Step 1
   * **Application (Client) ID:** Paste the Application ID from Step 1
   * **Client Secret:** Paste the secret Value from Step 1
5. **SSL Certificate Verification:** Check **Enable SSL certificate verification** (recommended)
6. **Proxy Configuration:** If a proxy is configured in Data Sources → Network → Brain Setup → Proxy, check **Use the configured proxy in Services**
7. **Enable Device Isolation (optional):** Check **Device Isolation Enabled** to allow automated or manual containment
8. Click **Save** — Vectra will validate the connection and permissions

#### Step 3: Verify Configuration

After saving, verify that:

* MDE-managed hosts appear with enhanced context in Vectra
* Host details display MDE information (OS, sensor health, last seen)
* Process correlation data appears in new detections
* Links to the Microsoft Defender portal are functional

### How It Works

#### Automatic Process Correlation Workflow

When Vectra AI identifies suspicious network behavior:

1. **Vectra Detects Suspicious Network Behavior** — C2 communication, lateral movement, reconnaissance, data exfiltration, etc.
2. **Automatic MDE Query** — Vectra queries the MDE Advanced Hunting API for the affected host and retrieves process telemetry during the detection window.
3. **Process Analysis & Correlation** — Analyzes `DeviceNetworkEvents` and `DeviceProcessEvents` tables; correlates network connections to responsible processes; identifies the most probable culprit using signal strength.
4. **Context Enrichment** — Process name, command line, SHA256 hash, creation time, parent process, account name, file path, and full process tree context.
5. **Surfaced in Vectra Detection** — Analyst sees complete process context inline; one-click pivot to Microsoft Defender for deeper investigation; pre-built KQL queries for enterprise-wide hunting.

#### Correlation Methodology

Vectra uses IP-based correlation with signal-strength prioritization:

* **Primary correlation:** `LocalIP` from MDE `DeviceNetworkEvents` matches Vectra detection host IP
* **Signal strength:** Unique destination counts identify the most likely culprit process
* **Why IP-based?** More reliable than Device ID mapping, which can become stale due to sensor reinstalls or database lag

> **Example:** If multiple processes are active during the detection window, Vectra prioritizes the process with the strongest network signal matching the suspicious behavior pattern.
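The ranking described above, worked through on constructed telemetry as an added example (this is not Vectra's code, and the exact scoring Vectra applies is not published here): rows shaped like the MDE `DeviceNetworkEvents` table are filtered to the detection host's `LocalIP` and the detection window, optionally narrowed to the destinations the detection flagged, and processes are ranked by unique destination count with total connection count as the tiebreaker. The window size, the `remote_ips` filter and all sample values are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the MDE DeviceNetworkEvents table
# (only the columns this correlation needs). All values are made up.
SAMPLE_NETWORK_EVENTS = [
    {"Timestamp": "2025-11-29T03:47:00Z", "LocalIP": "10.1.2.3", "RemoteIP": "198.51.100.5",
     "InitiatingProcessFileName": "msedge.exe", "InitiatingProcessId": 2210},
    {"Timestamp": "2025-11-29T03:52:10Z", "LocalIP": "10.1.2.3", "RemoteIP": "198.51.100.6",
     "InitiatingProcessFileName": "msedge.exe", "InitiatingProcessId": 2210},
    {"Timestamp": "2025-11-29T03:53:30Z", "LocalIP": "10.1.2.3", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "curl.exe", "InitiatingProcessId": 3005},
    {"Timestamp": "2025-11-29T03:55:00Z", "LocalIP": "10.1.2.3", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "MicrosoftEdgeUpdate.exe", "InitiatingProcessId": 4120},
    {"Timestamp": "2025-11-29T04:00:00Z", "LocalIP": "10.1.2.3", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "MicrosoftEdgeUpdate.exe", "InitiatingProcessId": 4120},
    {"Timestamp": "2025-11-29T04:05:00Z", "LocalIP": "10.1.2.3", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "MicrosoftEdgeUpdate.exe", "InitiatingProcessId": 4120},
    # Same destination, but from another host: must not be attributed to 10.1.2.3.
    {"Timestamp": "2025-11-29T04:01:00Z", "LocalIP": "10.1.2.99", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "svchost.exe", "InitiatingProcessId": 900},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Advanced Hunting returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rank_processes(events, host_ip, detection_time, remote_ips=None, window_minutes=10):
    """Rank processes on host_ip by network signal strength inside the detection window.

    Signal strength is (unique remote destinations, total connections), strongest first.
    When remote_ips is given only connections to those destinations count, so the
    ranking reflects the traffic the detection actually flagged. window_minutes is
    an assumed value; the window Vectra uses is not stated in the guide.
    """
    start = detection_time - timedelta(minutes=window_minutes)
    end = detection_time + timedelta(minutes=window_minutes)
    per_process = {}
    for ev in events:
        if ev["LocalIP"] != host_ip:                      # primary correlation: LocalIP
            continue
        if not start <= parse_ts(ev["Timestamp"]) <= end:  # outside the detection window
            continue
        if remote_ips and ev["RemoteIP"] not in remote_ips:
            continue
        key = (ev["InitiatingProcessFileName"], ev["InitiatingProcessId"])
        entry = per_process.setdefault(
            key, {"name": key[0], "pid": key[1], "destinations": set(), "connections": 0})
        entry["destinations"].add(ev["RemoteIP"])
        entry["connections"] += 1
    return sorted(per_process.values(),
                  key=lambda e: (len(e["destinations"]), e["connections"]), reverse=True)


def probable_process(events, host_ip, detection_time, remote_ips=None):
    """Return the strongest-signal process, or None when nothing on host_ip matches."""
    ranked = rank_processes(events, host_ip, detection_time, remote_ips)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    top = probable_process(SAMPLE_NETWORK_EVENTS, "10.1.2.3",
                           parse_ts("2025-11-29T04:00:00Z"), remote_ips={"203.0.113.10"})
    print(top["name"], top["pid"], top["connections"])  # MicrosoftEdgeUpdate.exe 4120 3
```

A `None` result corresponds to the "Device IP changed" case under Troubleshooting: no row carries the detection host's IP, so nothing can be attributed.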

### Using the Feature

#### Viewing Process Context in Detections

When you open a Vectra detection with EDR Process Correlation, you'll see a dedicated **Microsoft Defender Context** section with:

<table><thead><tr><th width="220.578125">Field</th><th>Description &#x26; Example</th></tr></thead><tbody><tr><td><strong>Probable Process</strong></td><td>Process name (e.g., <code>MicrosoftEdgeUpdate.exe</code>)</td></tr><tr><td><strong>Process Creation Time</strong></td><td>Exact timestamp for timeline correlation (e.g., <code>2025-11-29T03:58:42Z</code>)</td></tr><tr><td><strong>Command Line</strong></td><td>Full command line arguments expose true intent</td></tr><tr><td><strong>SHA256</strong></td><td>File hash for threat intelligence correlation; enables immediate reputation checks</td></tr><tr><td><strong>File Path</strong></td><td>Complete file system location (e.g., <code>C:\ProgramData\Microsoft\EdgeUpdate\</code>)</td></tr><tr><td><strong>Account Name</strong></td><td>Execution context and privilege level (e.g., <code>NT AUTHORITY\SYSTEM</code>)</td></tr><tr><td><strong>Parent Process</strong></td><td>What spawned this process (e.g., <code>services.exe (PID: 668)</code> indicates Windows service registration)</td></tr></tbody></table>

#### Interpreting Process Context

The command line is often the most revealing indicator. Consider this example:

```
Process Name: MicrosoftEdgeUpdate.exe
Command Line: "C:\ProgramData\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
              --connect vault-tech.org:443 --interval 300 --retry infinite

Analysis:
  Masquerading:   Mimics legitimate Microsoft updater
  C2 Beacon:      5-minute check-in intervals to external domain
  Persistence:    Infinite retry attempts
  Privilege:      SYSTEM account = maximum privileges
  Parent:         services.exe = registered as Windows service
```

This transforms *"potentially suspicious network traffic"* into **"confirmed persistent threat requiring immediate containment."**

#### Show More Processes

Click **Show More Processes** to see all process activity during the detection window.

**Use case:** Understand the complete attack progression. Example output:

* `msedge.exe` — Initial access via phishing click
* `curl.exe` — Reconnaissance: validates C2 reachability before committing to persistence
* `certutil.exe` — SSL validation to verify C2 infrastructure
* `MicrosoftEdgeUpdate.exe` — Persistent C2 tunnel with 5-minute beacons

> **Key insight:** The attack progression shows sophisticated operational security rather than opportunistic malware.

#### One-Click Microsoft Defender Pivot

Click **Investigate Device in Microsoft Defender** to:

* Open directly into the full device timeline within the Microsoft Defender portal
* Extend the timeframe to see processes before/after the detection window
* Access complete forensic context including process tree and network events
* No manual device lookups or Device ID searches required

**Use case:** When you need processes from days before the detection, evidence of attacker return with different tools, or a complete timeline for an incident report.

#### Enterprise-Wide Threat Hunting

Click **Run Query in Microsoft Defender** to get a pre-built Advanced Hunting KQL query pre-populated with:

* Device scope (default: current device)
* SHA256 hashes
* Remote IP addresses
* Command line patterns
* Process execution characteristics
* Network connection details from `DeviceNetworkEvents` and `DeviceProcessEvents`

> **Enterprise hunting:** Remove the device filter to search across your entire environment for any endpoints connecting to the same C2 domain, systems running the same malicious hash, or similar command line patterns indicating related campaigns.

### Advanced Capabilities

#### Automated Response Integration

Vectra 360 Response integrates with Microsoft Defender for Endpoint to trigger device isolation directly from the Vectra platform.

**Modes:**

* **Automatic:** Isolation triggered when privilege, threat, and certainty score thresholds are exceeded
* **Manual:** Analyst clicks **Isolate Device** button in the MDE widget

**Benefits:**

* No tool switching required
* No multi-step response playbooks
* Consistent, fast, and reliable response
* Architects get maintainable response flows without brittle custom logic

**Configuration:** Settings → EDR Integrations → Device Isolation

#### Microsoft Sentinel Integration

Vectra AI can stream network metadata and AI-enriched telemetry into Microsoft Sentinel / Defender XDR for unified SIEM analysis.

**Capabilities:**

* Cross-domain analysis: endpoint, identity, cloud, and network
* Leverage Sentinel's KQL query engine for deep investigations
* One-click pivot from Vectra detection into Sentinel
* Consolidated evidence without juggling log systems

**Analyst workflow:**

1. Receive Vectra detection
2. Pivot into Microsoft Sentinel / Defender XDR or Advanced Hunting
3. Run deeper investigations with network + endpoint + identity context
4. Visualize attack patterns across domains

### Troubleshooting

#### No Process Context Appearing

**Symptoms:** Vectra detections don't show Microsoft Defender process context

**Checks:**

* Verify MDE integration is enabled (Settings → EDR Connections)
* Confirm `AdvancedQuery.Read.All` permission is granted in the Entra ID app registration
* Verify admin consent has been granted for all API permissions
* Check that the affected device has an active Microsoft Defender for Endpoint sensor
* Verify network connectivity from Vectra Brain to the MDE API endpoint
* Review Vectra logs for API query errors

**Common causes:**

* API permissions insufficient (missing `AdvancedQuery.Read.All` scope)
* Admin consent not granted
* MDE sensor not installed or in passive mode on affected device
* Network/firewall blocking API communication
* Proxy misconfiguration
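An added check for the permission and consent items above and for Step 3 of the configuration (not part of Vectra's product or this guide): request an app-only token for the MDE API of the selected environment with the Step 1 credentials and confirm that its `roles` claim lists the three application permissions from the Prerequisites table. Application permissions only appear in `roles` after admin consent, so a missing role points at either the permission or the consent step. The API hosts are the ones from the environment table; the identity authority hosts, the `/.default` scope form and the unsigned sample token built for the offline test are assumptions of this example, not values from the guide.

```python
import base64
import json
import urllib.parse
import urllib.request

# API hosts from the MDE Environment Selection table above, paired with the
# identity authority each cloud uses (assumed: commercial vs. US government clouds).
MDE_ENVIRONMENTS = {
    "Commercial":  ("api.securitycenter.microsoft.com",          "login.microsoftonline.com"),
    "US GCC High": ("api-gcc-high.securitycenter.microsoft.us",  "login.microsoftonline.us"),
    "US DoD":      ("api-fed.securitycenter.microsoft.us",       "login.microsoftonline.us"),
}

# The three application permissions this guide requires.
REQUIRED_ROLES = {"Machine.Read.All", "Machine.Isolate", "AdvancedQuery.Read.All"}


def token_scope(environment):
    """OAuth2 scope for an app-only token against the selected MDE API host."""
    api_host, _ = MDE_ENVIRONMENTS[environment]
    return f"https://{api_host}/.default"


def decode_jwt_payload(token):
    """Decode the JWT payload without verifying the signature (the API verifies it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=REQUIRED_ROLES):
    """Return the required application permissions absent from the token's roles claim."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(required - granted)


def request_app_token(tenant_id, client_id, client_secret, environment):
    """Client-credentials grant against the identity platform (needs network access)."""
    _, authority = MDE_ENVIRONMENTS[environment]
    url = f"https://{authority}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": token_scope(environment),
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def build_unsigned_token(roles):
    """Construct an unsigned JWT carrying the given roles, for offline testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'roles': roles})}."


if __name__ == "__main__":
    # Replace the placeholders with the values recorded in Step 1 before running live.
    token = request_app_token("<tenant-id>", "<client-id>", "<client-secret>", "Commercial")
    print("missing roles:", missing_roles(token) or "none")
```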

#### Device Isolation Not Working

**Symptoms:** Cannot isolate device from Vectra interface

**Checks:**

* Verify `Machine.Isolate` permission is granted in the Entra ID app registration
* Confirm **Device Isolation Enabled** is checked in Vectra Settings → EDR Connections
* Check that the MDE sensor is active and reporting on the device
* Verify device status in the Microsoft Defender portal (must not already be isolated)
* Confirm the device is not exempt from isolation policies

#### Stale or Incorrect Process Context

**Symptoms:** Process information seems outdated or doesn't match current state

**Possible causes:**

* Sensor reinstall: Device ID changed, causing mapping lag (EDR Process Correlation uses IP-based correlation to mitigate this)
* Database sync delay: Recent sensor changes not yet reflected in Advanced Hunting
* Device IP changed: Network reconfiguration affects correlation

**Resolution:**

* Wait a few minutes for data synchronization in Advanced Hunting
* Verify current device IP matches the Vectra detection
* Check the Microsoft Defender portal for sensor health status

#### Links to Microsoft Defender Not Working

**Symptoms:** Clicking **Investigate Device in Microsoft Defender** doesn't open the portal

**Checks:**

* Verify you have access to the Microsoft Defender portal
* Confirm the correct MDE API URL is configured in Vectra Settings
* Check browser popup blockers
* Test direct access to `security.microsoft.com`

#### API Rate Limiting or Throttling

**Symptoms:** Process correlation intermittently unavailable

**Resolution:**

* Microsoft Defender for Endpoint API has rate limits on Advanced Hunting queries
* Review Microsoft documentation for current rate limit thresholds
* Contact Microsoft support to review or adjust limits if needed
* Consider query batching or throttling for high detection volumes

### Best Practices

#### Investigation Workflow

1. **Start with process context** — review the probable process and command line inline
2. **Assess threat level** — use command line details to determine true intent
3. **Check attack progression** — click **Show More Processes** to see the full attack chain
4. **Pivot when needed** — use **Investigate Device in Microsoft Defender** for deep forensics
5. **Hunt enterprise-wide** — use **Run Query in Microsoft Defender** to find related activity
6. **Respond decisively** — use Device Isolation when the threat is confirmed

#### Maximizing Value

* Train analysts on interpreting command line context — this is often the most revealing indicator
* Build response playbooks around automatic process correlation data
* Integrate with Microsoft Sentinel or SOAR — use enriched process context in automated workflows
* Regularly review your app registration — ensure permissions and secrets remain current
* Monitor query performance — track API response times and adjust if needed
* Set secret expiry alerts — use Entra ID to notify before client secrets expire

#### Security Considerations

* Protect app credentials — store Client ID and Secret securely (e.g., Azure Key Vault)
* Audit app sign-in logs — review Entra ID logs for the Vectra app registration periodically
* Least privilege — only grant the three required permissions
* Rotate secrets — periodically regenerate client secrets before expiry
* Monitor integration health — alert on integration failures or degraded performance
* Review Conditional Access — ensure policies don't inadvertently block the service principal

### Additional Resources

#### Microsoft Documentation

* [Microsoft Defender for Endpoint API](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/apis-intro)
* [Advanced Hunting Overview](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview)
* [App Registration & Permissions](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp)

#### Vectra Resources

* [Vectra + Microsoft Partnership](https://www.vectra.ai/partners/microsoft)

### Summary

EDR Process Correlation with Microsoft Defender for Endpoint transforms network detections from *"something suspicious happened"* into *"here's exactly what caused it, why it's malicious, and how to stop it."*

**Key takeaways:**

* ✅ **95% time savings** — from 15–30 minutes to 30–60 seconds per detection
* ✅ **Automatic correlation** — no manual tool switching or SIEM logic required
* ✅ **Complete context** — process, command line, hash, parent, privilege level
* ✅ **Instant threat validation** — command line reveals true intent
* ✅ **Enterprise hunting** — pre-built KQL queries for finding related activity
* ✅ **Integrated response** — one-click device isolation without leaving Vectra

By bridging the gap between network visibility and Microsoft Defender endpoint telemetry, EDR Process Correlation gives security teams the speed and context they need to stop attacks before they cause damage.
