Mitigate Incidents Using Microsoft 365 Defender (part 2)

By Ashwin Venugopal -

 


To read part 1 please click here


Use the Microsoft Security Center Portal

The Microsoft 365 Security Center is a specialized workplace designed to meet the ends of the security teams which enables you to easily investigate the alerts that affect your network, understand what they mean, and collate evidence associated with the incidents so that you can device an effective remediation plan while also simultaneouslyw bringing together signals from different sources to present a holistic view of your Microsoft 365 environment. The Microsoft 365 Security Center includes:
  • Home- Get an at-a-glance view of the overall security health of your organization.

  • Incidents- See the broader story of an attack by connecting the dots seen on an individual alerts on the entities. You'll know exactly where an attack started, what devices are impacted, who was affected, and where the threat has gone. 

  • Action center- Reduce the volume of the alerts your security team must address manually, allowing your security operations team to focus on the more sophisticated threats and the other high-value initiatives.

  • Reports- Get the detail and information you need to better protect your users, devices, apps, and more.

  • Secure score- This page provides an all-up summary of the different security features as well as capabilities you have enabled and includes recommendations for the areas to improve. 

  • Hunting- Proactively search for the malware, suspicious files, and activities in your Microsoft 365 organization.

  • Classification- Helps protect the data loss by adding labels to classify the documents, email messages, sites, and more. When a label is applied, the content or site is protected based on the settings you choose. 

  • Policies- Set up policies to manage the devices, protect against threats, and receive alerts about various activities in your organization. 

  • Permissions- Manages who in your organization has access to view the content and perform tasks in the Microsoft 365 Security Center. You can also assign the Microsoft 365 permissions in the Azure AD Portal.         

The Microsoft Security Center Portal is the central location to manage the integrated Microsoft security solutions. 

Manage Incidents

An incident is known as a collection of correlated alerts that make up the story of an attack. Microsoft 365 Defender automatically aggregates malicious and suspicious events that are found in different device, user, and the mailbox entities in the network as well as investigate and resolve the individual alerts through automation and artificial intelligence. 

Incidents from the last 30 days are shown in the incident queue and from there the security defenders can see which incident should be prioritized based on the risk level and other factors. Security Defenders can also rename the incidents, assign them to the individual analyst, classify, and add tags to incidents for a better as well as more customized incident management experience.

Prioritize Incidents

Microsoft 365 Defender applies correlation analytics and aggregates all the related alerts as well as investigations from the different products into one incident which can give your security operations analyst the broader attack story, while helping them to better understand and deal with the complex threats across the organization.

The incidents queue shows a collection of flagged incidents from across the devices, users, and mailboxes. By default, the queue in the Microsoft 365 Security Center displays incidents seen in the last 30 days which helps you to make an informed decision regarding the prioritization of the incidents to handle. 

For more clarity at a glance, automatic incident naming generates the incidents names based on the alerts attributes such as the number of the endpoints affected, users affected, detection sources, or categories which allows you to quickly understand the scope of the incident.

Use the Action Center

You can use the Action Center to see the results of the current and past investigations across your organization's devices and mailboxes. All the remediation actions, whether they are pending approval or already approved, are consolidated in the Action Center which readily provides a "single pane of Glass" experience for the tasks, such as:
  • Approving pending remediation actions
  • Viewing an audit log of already approved remediation actions
  • Reviewing completed remediation actions  

 In the Action Center, you'll see two tabs:

  • The Pending tab, which lists investigations that require review and approval by someone in your security operations team to continue. Make sure to review and take action on the pending items you see here.

  • The History tab, which lists past investigations and remediation actions that were taken automatically. You can easily view data for the past day, week, month, or six months. 

Available Actions

As remediation actions are taken, they're listed on the history tab in the Action Center. Such actions includes the following:

  • Collect investigation package
  • Isolate device (this action can be undone)
  • Offboard machine
  • Release code execution
  • Release from quarantine
  • Request sample
  • Restrict code execution (this action can be undone) 
  • Run antivirus scan
  • Stop and quarantine

Action source

The following table describes the possible Action source values:

Action source value

Description

Manual device action

A manual action taken on a device. Examples includes device isolation or file quarantine.

Manual email action

A manual action taken on an email. An example includes soft-deleting email messages or remediating an email message.

Automated device action

An automated action taken on an entity, such as a file or process. Examples of an automated action includes sending a file to quarantine, stopping a process, and removing a registry key.

Automated email action

An automated action taken on an email content, such as an email message, attachment, or URL. Examples of an automated actions includes soft-deleting email messages, blocking URLs, and turning off an external mail forwarding.  

Advanced hunting action

Actions taken on the devices or an email with advanced hunting.

Explorer action

Action taken on an email content with the explorer.

Manual live response action

Action taken on a device with live response. Examples including deleting a file, stopping process, and removing a scheduled task.

Live response action

Action taken on a device with the Microsoft Defender for Endpoint APIs. Examples of the actions includes isolating a device, running an antivirus scan, and getting information about a file.

 


To read part 1 please click here






Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more

Threat Hunting in Microsoft Sentinel (part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Introducing the Microsoft Sentinel Hunting Page Threat hunting is a series activities performed while investigating and as there are no guidelines to perform it, the available tools on the Microsoft Sentinel can be introduced to perform better in your investigations. Firstly, you have to choose the Hunting link in the Microsoft Sentinel navigation menu to get to the Hunting page which is divided into the following sections: The header bar- It is located at the top of the page as usual and contains Refresh as well as timespan drop down menu. The New Query button can help you with creating a new query and the Run all queries button can run all the hunting queries in the background while also updating the hunting query list section with the number of results found.  The summary bar- Here, you can view the total number of queries available to run, the total number of bookmarks, the number of results from running live
Read more