Configure for Alerts & Detections

Configure Advanced Features

The Advanced features page under General settings provides on/off switches for many product features. The following settings are alert focused:

  • Live Response
  • Live Response unsigned script execution: Enables using unsigned scripts in Live Response.
  • Custom network indicators: Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists.
  • Share endpoint alerts with Microsoft Compliance Center: Forwards endpoint security alerts and their triage status to the Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.


Configure Alert Notifications

This feature lets you define a group of individuals who are informed immediately and can act on alerts based on their severity. Email notifications can be configured only by users who have the 'Manage security settings' permission; they set which alert severity levels trigger a notification and add or remove recipients of the email notification.

If you are using role-based access control (RBAC), recipients receive notifications only for the device groups configured in the notification rule, and only users assigned the Global administrator role can manage the notification rules that apply to all device groups.

The email notification includes basic information about the alert and a link to the portal where you can investigate further.

Manage Alert Suppression

There might be scenarios where you need to suppress alerts from appearing in the portal. You can do this by creating suppression rules for specific alerts known to be innocuous, such as known tools or processes in your organization.

View existing rules

You can view a list of all suppression rules and manage them in one place, including turning a suppression rule on or off, by completing these actions:
  1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that users in your organization have created is displayed.
  2. Select a rule by selecting the check box beside the rule name.
  3. Select Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless of whether those alerts match the new criteria.

Manage Indicators

Indicator of Compromise (IoC) matching is an essential feature of every endpoint protection solution: it gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). You can create indicators that define the detection, prevention, and exclusion of entities.

Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).

Cloud Detection Engine

Defender for Endpoint's cloud detection engine regularly scans the collected data and tries to match the indicators you set. Whenever there is a match, action is taken according to the IoC settings you specified.

Endpoint Prevention Engine

The same list of indicators is honored by the prevention agent: if Microsoft Defender AV is the primary AV configured, matched indicators are treated according to the indicator settings.

Automated Investigation & Remediation Engine

It behaves the same way: if an indicator is set to "Allow", automated investigation and remediation ignores a "bad" verdict for it; if it is set to "Block", it treats the entity as "bad".

The currently supported actions are Allow, Alert only, and Alert and block. You can create an indicator for files, IP addresses, URLs/domains, and certificates. There is a limit of 15,000 indicators per tenant.

To manage indicators:

  1. In the navigation pane, select Settings > Indicators.
  2. Select the tab of the entity type you'd like to manage.
  3. Update the indicator details and select Save, or select Delete if you'd like to remove the entity from the list.

Manage Custom Detection

Custom detection rules built from advanced hunting queries allow you to proactively monitor various events and system states, including suspected breach activity and misconfigured devices.
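As an added example (not from the original post), here is a KQL advanced hunting query of the kind a custom detection rule can be built from. It flags PowerShell started with an encoded command line, a common sign of suspicious activity; the detection logic itself is an assumption chosen for illustration, and the result includes the Timestamp, ReportId and DeviceId columns that a custom detection rule needs in order to turn each match into an alert.

```kql
// Added example, not from the original post. Candidate query for a custom detection rule.
// Looks for PowerShell launched with -e / -ec / -enc / -EncodedCommand (case-insensitive),
// which hides the actual script text behind base64 in the process command line.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)(^|\s)-e(c|nc|ncodedcommand)?\s"
// Tuning hook: exclude known management tooling before turning the rule on,
// so that innocuous in-house automation does not generate alerts.
| where InitiatingProcessFileName !in~ ("known-admin-tool.exe")   // placeholder name
// Timestamp, ReportId and DeviceId are required so each row can become an alert.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine
```

Run the query in Advanced hunting first to check the match volume, then create the detection rule from it and pick the alert severity and run frequency that fit your environment.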

View existing rules

To view all existing custom detection rules, navigate to Settings > Custom detections. The list shows all rules with the following run information:

  • Last run: When a rule was last run to check for query matches and generate alerts.
  • Last run status: Whether a rule ran successfully.
  • Next run: The next scheduled run.
  • Status: Whether a rule has been turned on or off.
