v2.2 Release Highlights #496
briandelmsft
announced in
Announcements
Replies: 0 comments
STAT v2.2 includes the release of 2 new modules and an important update to an existing module.
Tip
Refer to the wiki for instructions on updating your deployment
Device Exposure Module (new)
This module uses the Microsoft Defender XDR exposure graph and the host entities of the Sentinel incident to look for potential exposure based on the devices associated with the incident. The module looks at the criticality of each device based on built-in and custom critical asset management rules, and looks for cached credentials such as NTLM hashes and PRTs. Based on those cached credentials, the module then looks at the sensitivity of the users associated with those credentials to indicate the exposure those potentially compromised credentials would have.
User Exposure Module (new)
Similar to the Device Exposure Module, this module starts by looking at the account entities associated with the incident and the critical asset rules associated with them. From the linked accounts, it then looks at which devices those credentials have elevated access to, such as local admin rights, and at the sensitivity of those devices.
Threat Intelligence Module Update
Microsoft has announced changes to the way threat intelligence indicators are stored in Sentinel. The new storage is currently in public preview, with the transition to GA expected to happen July 31. This module update transitions the TI module to use the new tables/schema for threat intelligence data. No action beyond updating to the v2.2 build is needed, but you must update to the v2.2 build for this module to be functional after July 31, 2025.
On-Prem Only Account Entity support
In prior builds of STAT, if an account did not exist in the cloud, it could not be enriched and downstream modules could not consider it for analysis. Now, on-prem only accounts will be enriched as long as they are present in the IdentityInfo table, which is populated by Microsoft Defender for Identity. All relevant modules that could make use of on-prem only accounts, such as Related Alerts, UEBA, Watchlist and others, have also been updated to support this integration.
IP Address Entity Handling improvements
We have made various improvements to the handling of IP address entities throughout STAT. The first notable update is that we drop any loopback IP entities such as ::1 and 127.0.0.1. These entities seem to be present in some XDR incidents and would negatively impact correlations, for example by causing the Related Alerts module to correlate incidents on a loopback address, which is not a useful correlation. We also made a performance improvement to the base module by skipping enrichment on any private IP addresses, such as 10.0.0.0/8 or fd00::/8, since enrichment is not possible for them anyway. These private IPs are still used by STAT for correlations.
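The IP entity handling described above, shown as an added example (this is not STAT's own code): loopback entities are dropped, private addresses are kept for correlation but skipped for enrichment, and only public addresses go to enrichment. The sample entity list is constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of IP entities as they might be attached to an incident.
SAMPLE_IP_ENTITIES = [
    "127.0.0.1",   # IPv4 loopback, often present on XDR incidents but useless for correlation
    "::1",         # IPv6 loopback
    "10.20.30.40", # RFC 1918 private: correlate, but external enrichment is impossible
    "fd00::1234",  # IPv6 unique local (fd00::/8): same treatment as IPv4 private
    "8.8.8.8",     # public address: keep and enrich
    "not-an-ip",   # malformed entity value: neither correlated nor enriched
]


def classify_ip_entity(value: str) -> str:
    """Return one of 'drop', 'correlate_only', 'enrich' or 'invalid' for an IP entity."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return "invalid"
    # Loopback entities are removed entirely so they never drive a correlation.
    if addr.is_loopback:
        return "drop"
    # Private and link-local space covers 10/8, 172.16/12, 192.168/16, fc00::/7, etc.
    if addr.is_private or addr.is_link_local:
        return "correlate_only"
    return "enrich"


def triage_ip_entities(entities: List[str]) -> Dict[str, List[str]]:
    """Split raw IP entity values into the sets each downstream step should receive."""
    buckets: Dict[str, List[str]] = {"correlate": [], "enrich": [], "dropped": []}
    for value in entities:
        verdict = classify_ip_entity(value)
        if verdict == "enrich":
            buckets["enrich"].append(value)
            buckets["correlate"].append(value)  # public IPs are used for both
        elif verdict == "correlate_only":
            buckets["correlate"].append(value)  # no lookup, but still usable for matching
        else:
            buckets["dropped"].append(value)    # loopback and malformed values
    return buckets


if __name__ == "__main__":
    for bucket, values in triage_ip_entities(SAMPLE_IP_ENTITIES).items():
        print(f"{bucket}: {values}")
```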