Mitigate Incidents Using Microsoft 365 Defender (part 2)

By Ashwin Venugopal -

 


To read part 1 please click here


Use the Microsoft Security Center Portal

The Microsoft 365 Security Center is a specialized workplace designed to meet the ends of the security teams which enables you to easily investigate the alerts that affect your network, understand what they mean, and collate evidence associated with the incidents so that you can device an effective remediation plan while also simultaneouslyw bringing together signals from different sources to present a holistic view of your Microsoft 365 environment. The Microsoft 365 Security Center includes:
  • Home- Get an at-a-glance view of the overall security health of your organization.

  • Incidents- See the broader story of an attack by connecting the dots seen on an individual alerts on the entities. You'll know exactly where an attack started, what devices are impacted, who was affected, and where the threat has gone. 

  • Action center- Reduce the volume of the alerts your security team must address manually, allowing your security operations team to focus on the more sophisticated threats and the other high-value initiatives.

  • Reports- Get the detail and information you need to better protect your users, devices, apps, and more.

  • Secure score- This page provides an all-up summary of the different security features as well as capabilities you have enabled and includes recommendations for the areas to improve. 

  • Hunting- Proactively search for the malware, suspicious files, and activities in your Microsoft 365 organization.

  • Classification- Helps protect the data loss by adding labels to classify the documents, email messages, sites, and more. When a label is applied, the content or site is protected based on the settings you choose. 

  • Policies- Set up policies to manage the devices, protect against threats, and receive alerts about various activities in your organization. 

  • Permissions- Manages who in your organization has access to view the content and perform tasks in the Microsoft 365 Security Center. You can also assign the Microsoft 365 permissions in the Azure AD Portal.         

The Microsoft Security Center Portal is the central location to manage the integrated Microsoft security solutions. 

Manage Incidents

An incident is known as a collection of correlated alerts that make up the story of an attack. Microsoft 365 Defender automatically aggregates malicious and suspicious events that are found in different device, user, and the mailbox entities in the network as well as investigate and resolve the individual alerts through automation and artificial intelligence. 

Incidents from the last 30 days are shown in the incident queue and from there the security defenders can see which incident should be prioritized based on the risk level and other factors. Security Defenders can also rename the incidents, assign them to the individual analyst, classify, and add tags to incidents for a better as well as more customized incident management experience.

Prioritize Incidents

Microsoft 365 Defender applies correlation analytics and aggregates all the related alerts as well as investigations from the different products into one incident which can give your security operations analyst the broader attack story, while helping them to better understand and deal with the complex threats across the organization.

The incidents queue shows a collection of flagged incidents from across the devices, users, and mailboxes. By default, the queue in the Microsoft 365 Security Center displays incidents seen in the last 30 days which helps you to make an informed decision regarding the prioritization of the incidents to handle. 

For more clarity at a glance, automatic incident naming generates the incidents names based on the alerts attributes such as the number of the endpoints affected, users affected, detection sources, or categories which allows you to quickly understand the scope of the incident.

Use the Action Center

You can use the Action Center to see the results of the current and past investigations across your organization's devices and mailboxes. All the remediation actions, whether they are pending approval or already approved, are consolidated in the Action Center which readily provides a "single pane of Glass" experience for the tasks, such as:
  • Approving pending remediation actions
  • Viewing an audit log of already approved remediation actions
  • Reviewing completed remediation actions  

 In the Action Center, you'll see two tabs:

  • The Pending tab, which lists investigations that require review and approval by someone in your security operations team to continue. Make sure to review and take action on the pending items you see here.

  • The History tab, which lists past investigations and remediation actions that were taken automatically. You can easily view data for the past day, week, month, or six months. 

Available Actions

As remediation actions are taken, they're listed on the history tab in the Action Center. Such actions includes the following:

  • Collect investigation package
  • Isolate device (this action can be undone)
  • Offboard machine
  • Release code execution
  • Release from quarantine
  • Request sample
  • Restrict code execution (this action can be undone) 
  • Run antivirus scan
  • Stop and quarantine

Action source

The following table describes the possible Action source values:

Action source value

Description

Manual device action

A manual action taken on a device. Examples includes device isolation or file quarantine.

Manual email action

A manual action taken on an email. An example includes soft-deleting email messages or remediating an email message.

Automated device action

An automated action taken on an entity, such as a file or process. Examples of an automated action includes sending a file to quarantine, stopping a process, and removing a registry key.

Automated email action

An automated action taken on an email content, such as an email message, attachment, or URL. Examples of an automated actions includes soft-deleting email messages, blocking URLs, and turning off an external mail forwarding.  

Advanced hunting action

Actions taken on the devices or an email with advanced hunting.

Explorer action

Action taken on an email content with the explorer.

Manual live response action

Action taken on a device with live response. Examples including deleting a file, stopping process, and removing a scheduled task.

Live response action

Action taken on a device with the Microsoft Defender for Endpoint APIs. Examples of the actions includes isolating a device, running an antivirus scan, and getting information about a file.

 


To read part 1 please click here






Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more