What a blocked alert in Microsoft Defender or Sentinel can still teach your SOC — and how to turn it into attacker intelligence, enriched workflows, and decisions the team can trust.
Something gets blocked. The alert closes. Everyone moves on.
That’s the moment most SOC teams know the least about what just happened. And it’s becoming a bigger problem.
After roughly a decade of outsourcing, large enterprises are bringing malware and phishing triage back in-house. Security has become a core business risk that demands direct control. Significant XDR investments have created powerful tooling that needs active management. User-reported phishing programs are easy to launch and hard to run well.
The result is visible across most enterprise SOCs: more triage, more indicator chasing, more effort spent making sense of threats that were stopped before anyone fully understood them.
For SOC teams running [Microsoft Defender for Endpoint], [Microsoft Defender for Office 365], and [Microsoft Sentinel], the question isn’t whether the Microsoft stack works. It does. The question is what to do with everything blocked at the perimeter — the alerts that, on closer inspection, would have a lot to teach the team. As a Microsoft Intelligent Security Association (MISA) member, VMRay works directly within that ecosystem, which is where this guide starts.
Watch our webinar recording, or read on for the summary and some of the webinar highlights…
What blocking a threat can leave unseen
Microsoft Defender detects attacks and stops them at scale. That’s what it’s designed for, and it does it well.
But blocking a threat before it executes carries a trade-off: some of what the attacker was trying to do never gets observed.
You know something was stopped. What it would have done next is less clear. What files were waiting to download? What infrastructure was it set up to communicate with? Those answers go missing when the attack ends at the perimeter.
“When Microsoft blocks an attack, you lose visibility into what the attacker was going to do next. VMRay lets the attack run in an evasion-resistant sandbox, so you can see what the attacker was actually trying to do.” — Serge, VMRay Product Team
This is the distinction between broad context and deep context.
Broad context is what XDR sensors capture: where the sample came from, who sent the email, what network connections were made, what the user session looked like. It’s valuable. It’s how teams pivot, generate indicators, and scope incidents.
Deep context answers a different question: what would have happened if we hadn’t stopped it?
A strong XDR program goes broad. The mature ones also go deep. That’s where [evasion-resistant sandboxing] earns its place — by surfacing the behavior that never becomes visible when an attack is stopped too early.
Where VMRay fits into your Microsoft stack
VMRay sits alongside Microsoft Defender and Sentinel. It monitors alerts from Microsoft, extracts the associated file or URL, detonates it in an evasion-resistant sandbox, and feeds the results back into the tools your analysts are already using.
For Microsoft-powered SOC teams, this delivers three practical outcomes.
IOC extraction. Malicious-only indicators are pushed back to Defender for blocking, hunting, and automated response across the network.
Alert enrichment. Verdicts, threat names, and behavioral identifiers are added as comments inside the alert, so analysts can triage faster and with more confidence.
Deep investigation. From any incident, analysts pivot into the full VMRay report: MITRE ATT&CK mapping, process tree, memory dumps, and malware configuration extraction.
For teams looking at the broader integration picture, VMRay also provides a dedicated overview of its Microsoft Security integrations, including Defender for Endpoint, Defender for Office 365, and Sentinel.
What this looks like in practice
A user-reported phishing email. Defender flags it and blocks it.
In the Defender portal, VMRay’s analysis appears as a comment on the alert. The attached file is identified as REMCOS RAT — a backdoor and injector that has been actively abused by threat actors for years. VMRay matched it through YARA rules against the memory dump (only possible with dynamic analysis) and confirmed it through behavioral indicators including process hollowing and execution delays.
From that single alert, the analyst now sees the full chain: the original URL submission, the malware it was dropping, the malicious IP it was communicating with. That IP has already been pushed to Defender’s indicator list automatically, blocking it across the network.
Or take a “task malware prevented” alert from Defender for Endpoint. Without further analysis, the analyst knows something was stopped. With VMRay, the picture sharpens: the sample was VIPKeylogger, a spyware family that exfiltrates credentials via SMTP. The extracted malware configuration shows the SMTP server, the email address, and the encryption key.
For organizations handling high volumes of suspicious emails, the same logic applies to user-reported phishing analysis. The job isn’t deciding whether an email is malicious. It’s capturing the behavior, the infrastructure, and the downstream actions the SOC needs to respond with confidence.
Why IOC quality matters
A standard Word document running inside a sandbox environment generates 449 changes, including 54 entirely benign URLs.
VMRay’s filtering engine separates confirmed malicious indicators from system noise. The output: IOCs reliable enough for direct machine ingestion. Fresh, relevant, and accurate.
That precision matters when indicators feed automated blocking, threat hunting queries, firewall updates, or SOAR playbooks. A noisy feed slows analysts down. A precise one helps them move faster.
The Sentinel integration: threat intelligence where you need it
For organizations using Microsoft Sentinel as their central security operations view, VMRay’s Sentinel integration brings all generated IOCs into Sentinel’s threat intelligence store automatically, regardless of where the original sample came from. Whether a sample was submitted from Defender for Endpoint, Defender for Office, or manually by a threat intel analyst, the resulting indicators flow into Sentinel — ready to trigger automated playbooks, populate firewall block lists, and inform cross-incident correlation.
The integration also supports direct URL enrichment for incidents in Sentinel that don’t originate from Microsoft XDR. That’s relevant for organizations with mixed security stacks or third-party phishing reporting platforms. A Logic App handles the submission. What comes back is a verdict, a threat classification, a link to the full VMRay report, and the behavioral identifiers that explain exactly why the sample was flagged.
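An added example (not part of the VMRay integration or this post) of how a Sentinel analyst can put those indicators to work once they land in the threat intelligence store: the KQL below correlates active IP indicators with Defender for Endpoint network telemetry. The SourceSystem value "VMRay" is an assumed placeholder; check what your tenant actually records for the integration.

```kql
// Added example, not from the integration itself: correlate active IP
// indicators in Sentinel's TI store with endpoint network connections.
// Assumption: the integration labels its indicators with a SourceSystem
// containing "VMRay"; adjust the filter to what your tenant shows.
let lookback = 7d;
let sandbox_ips = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where SourceSystem has "VMRay"                 // placeholder source name
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    // keep only the latest version of each indicator record
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, NetworkIP, ThreatType, ConfidenceScore, Description;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionRequest", "ConnectionSuccess", "ConnectionFailed")
| join kind=inner sandbox_ips on $left.RemoteIP == $right.NetworkIP
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, ThreatType, ConfidenceScore, Description
| order by Timestamp desc
```

A hit here means a host reached infrastructure that a detonation already tied to a specific behaviour, which is the "deep context" the post describes; the same join works against DomainName or Url for the other indicator types.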
The Sentinel integration is available now on GitHub and on Azure Marketplace, free of charge.
For more on how VMRay threat intelligence supports Microsoft Sentinel operations, see the Microsoft Sentinel integration page.
Why this matters for incident response
IR teams often investigate after the fact. Phishing sites go down. C2 servers get pulled offline. By the time an analyst sits down to understand what happened, that infrastructure may no longer be reachable.
VMRay’s analysis runs at the moment of the incident. C2 servers are live. Phishing sites are active. That snapshot is preserved in the report regardless of what happens afterward — so a team investigating days or weeks later can still see what the malware was communicating with, what it was trying to do, and what it would have downloaded.
The practical value isn’t blocking the threat alone. It’s having the context — when the same family comes back in a different form, targeting a different user — to respond faster.
VMRay’s Defender for Endpoint, Defender for Office 365 and Sentinel integrations are available today. Integrating VMRay with any of them lets your team learn from the attacks against your organization by seeing what your blocked alerts can reveal.