Configure for Alerts & Detections

By Ashwin Venugopal -

 



Configure Advanced Features

The Advanced features area in the General Settings area provides many an on/off switch for features within the product. The following are the settings that are alert focused: 

Feature

Description

Live Response

Live Response

Live Response unsigned script execution

Enables using unsigned scripts in Live Response.

Custom network indicators

Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists.

Share endpoint alerts with Microsoft Compliance Center

Forwards endpoint security alerts and their triage status to the Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.    


Configure Alert Notifications

This feature enables you to identify a group of the individuals who will immediately be informed and can act on the alerts based on their severity. The email notifications can be configured by only those users who have 'Manage security settings' permissions while easily setting the alert severity levels that triggers the notifications and also add or remove recipients of the email notification. 

If you are using Role-based Access Control (RBAC), the recipients will only receive the notifications based on the device groups that were configured in the notification rule and the users assigned to the Global administrator role only can manage the notification rules that were configured for all the device groups.

The email notification includes basic information about the alert and a link to the portal where you can do the further investigation. 

Manage Alert Suppression

There might be the scenarios where you need to suppress alerts from appearing in the portal you can easily do this by creating the suppression rules for the specific alerts known to be innocuous, like known tools or processes in your organization. 

View existing rules

You can readily view a list of all the suppression rules and manage them in one place while also turning an alert suppression rule on or off by completing these actions:
  1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that the users in your organization have created is displayed.
  2. Select a rule by selecting a check-box beside the rule name.
  3. Select Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless of whether or not these alerts match the new criteria.  

Manage Indicators

Indicator of Compromise (IoCs) matching is an essential feature in every endpoint protection solution which gives SecOps the ability to set a list of detection indicators and for blocking (prevention and response). You can create the indicators that defines the detection, prevention, and exclusion of entities. 

Currently, supported sources are cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).

Cloud Detection Engine

The Defender for Endpoint's cloud detection engine regularly scans the collected data and tries to match the indicators you set and whenever there is a match, action will be taken according to the IoC settings you specified.

Endpoint Prevention Engine

The same list of indicators is honored by the prevention agent i.e. if the Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. 

Automated Investigation & Remediation Engine

It behaves the same i.e. if an indicator is set to "Allow", automated investigation and remediation will ignore a "bad" verdict for it, but if it is set to "Block", then it will treat it as "bad". 

The current supported actions are- Allow, Alert only, and Alert and block whereas you can easily create an indicator for files, IP addresses, URLs/domains, and certificates. There is a limit of 15,000 indicators per tenant.

To manage indicators:

  • In the navigation pane, select Settings > Indicators.
  • Select the tab of the entity type you'd like to manage.
  • Update the indicator details and select Save or select the Delete button if you'd like to remove the entity from the list.  

Manage Custom Detection

Custom detection rules built from advanced hunting queries allows you to proactively monitor various events and system states, including the suspected breach activity and misconfigured devices.

View existing rules

To view all the existing custom detection rules, you can navigate to Settings > Custom detections. The lists all the rules with the following run information:

  • Last run- When a rule was last run to check for query matches and generate alerts.
  • Last run status- Whether a rule ran successfully.
  • Next run- The next scheduled run.
  • Status- Whether a rule has been turned on or off.  






Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more