Remediate Risks with Microsoft Defender for Office 365




Microsoft Defender for Office 365

Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, including features that safeguard your organization from harmful links in real time. Microsoft Defender for Office 365 provides the following benefits:

  • Industry-leading protection: Microsoft Defender for Office 365 leverages 6.5 trillion signals daily from email alone to quickly and accurately detect threats and protect users against sophisticated attacks such as phishing and zero-day malware.

  • Actionable insights: these are presented to security administrators by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential problems.

  • Automated response: most organizations lack the expertise and resources needed for rapid investigation and effective remediation, but Microsoft Defender for Office 365 provides advanced automated response options that security operators can leverage, saving a significant amount of time, money, and resources.

  • Training and awareness: it is critical to train end users to make the right decisions in the event of an attack, and features like the attack simulator help administrators launch realistic threat simulations to train users to be more aware and vigilant. User reporting capabilities also empower users to notify Microsoft of suspicious content.

The following are the primary ways you can use Microsoft Defender for Office 365 for message protection:

  • In the Microsoft Defender for Office 365 filtering-only scenario, it provides cloud-based email protection for your on-premises Exchange Server environment or any other on-premises SMTP email solution.
  • Microsoft Defender for Office 365 can be enabled to protect Exchange Online cloud-hosted mailboxes.
  • In a hybrid deployment, Microsoft Defender for Office 365 can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes, with Exchange Online Protection handling inbound email filtering.

Automate, Investigate, & Remediate (AIR)

AIR provides a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer. It can also save your security operations team time and effort in mitigating threats effectively and efficiently.

AIR in Microsoft Defender for Office 365 includes remediation actions such as the following:

  • Soft delete email messages or clusters 
  • Block URL (time-of-click)
  • Turn off external mail forwarding
  • Turn off delegation 
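One way to find the condition that the "Turn off external mail forwarding" action addresses, as an added Exchange Online PowerShell example that is not Microsoft's code: it assumes the ExchangeOnlineManagement module and an already connected admin session (Connect-ExchangeOnline), and the function name Get-ExternalForwarding is mine.

```powershell
# Added example (not Microsoft's code): audit Exchange Online mailboxes for
# auto-forwarding to external domains, the condition that AIR's
# "Turn off external mail forwarding" action remediates, and optionally clear it.
# Assumes the ExchangeOnlineManagement module and a session opened with
# Connect-ExchangeOnline under an account with Exchange administrator rights.

function Get-ExternalForwarding {
    param([switch]$Remediate)

    # Accepted domains are internal; any other domain counts as external.
    $internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
    $findings = @()

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level SMTP forwarding is stored as "smtp:user@example.net".
        if ($mbx.ForwardingSmtpAddress) {
            $target = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').ToLower()
            if ($internal -notcontains $target.Split('@')[-1]) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'; Target = $target }
                if ($Remediate) {
                    Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null `
                        -DeliverToMailboxAndForward $false
                }
            }
        }
        # Inbox rules can forward or redirect too; recipients render as "Name [SMTP:addr]".
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                if ($t -match 'SMTP:([^\]]+)') {
                    $addr = $Matches[1].ToLower()
                    if ($internal -notcontains $addr.Split('@')[-1]) {
                        $findings += [pscustomobject]@{
                            Mailbox = $mbx.UserPrincipalName; Source = "InboxRule:$($rule.Name)"; Target = $addr }
                        if ($Remediate) { Disable-InboxRule -Identity $rule.Identity -Confirm:$false }
                    }
                }
            }
        }
    }
    return $findings
}

# Report only; add -Remediate to clear the external forwarding that was found.
Get-ExternalForwarding | Format-Table -AutoSize
```

Run it without -Remediate first and review the report, since a legitimate business forward to a partner domain would also be listed.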

Simulate Attacks

Microsoft Defender for Office 365 offers best-of-class threat investigation and response tools that allow your organization's security team to anticipate, understand, and prevent malicious attacks.

  • Threat trackers provide the latest intelligence on prevailing cybersecurity issues. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.

  • Threat explorer (or real-time detections, also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.

  • Attack simulator allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available, including spear phishing, credential harvest, attachment attacks, password spray, and brute-force password attacks.

Threat explorer enables you to delve into the granular data for your organization.

On the Users tab, you can see each instance in which a user in the organization was sent an attachment containing the Nemucod malware threat. The Status column tells you whether the email was caught and blocked before it ever reached the user, or whether it was delivered as spam. If a user has actually received and opened the email, that also appears under Status, enabling you to reach out to the user and take appropriate remediation steps, such as scanning their device.
