Microsoft 365 Defender (part 1)

To read part 2, please click here

Microsoft Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Because signals from these products are correlated, Microsoft 365 Defender can take automatic action to prevent or stop an attack and self-heal affected mailboxes, endpoints, and user identities.

The cross-product features of Microsoft 365 Defender include the following:

  • Cross-product single pane of glass - A central view of all information about detections, impacted assets, automated actions taken, and related evidence, presented in a single queue and a single pane at security.microsoft.com.

  • Combined incidents queue - Helps security professionals concentrate on what is critical by ensuring that the full attack scope, impacted assets, and automated remediation actions are grouped together and surfaced in a timely manner.

  • Automatic response to threats - Critical threat information is shared in real time between Microsoft 365 Defender products to help stop the progression of an attack. For example, if a malicious file is detected on an endpoint protected by Microsoft Defender for Endpoint, it instructs Defender for Office 365 to scan for and remove the file from all e-mail messages. The file is then blocked on sight by the entire Microsoft 365 security suite.

  • Self-healing for compromised devices, user identities, and mailboxes - AI-powered automatic actions and playbooks remediate affected assets back to a secure state. Microsoft 365 Defender uses the automatic remediation capabilities of the suite products to ensure that all impacted assets related to an incident are remediated automatically wherever possible.

  • Cross-product threat hunting - Security teams apply their unique organizational knowledge to look for signs of compromise by writing their own custom queries over the raw data accumulated by the different protection products. Microsoft 365 Defender offers query-based access to 30 days of historic raw signals and alert data across endpoint and Microsoft Defender for Office 365 data.
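The two bullets above (automatic response to a file seen on an endpoint, and cross-product hunting over 30 days of raw signal) come together in a single advanced hunting query. The query below is an added example for this post, not code from Microsoft or the original author. It uses the standard advanced hunting tables (DeviceFileEvents, EmailAttachmentInfo, EmailEvents); the SHA256 value is a constructed placeholder to be replaced with the hash from the endpoint alert under investigation.

```kusto
// Added example (not from the original post): pivot from a file hash seen on a
// managed endpoint to every e-mail message that delivered the same attachment.
// suspiciousSha256 is a constructed placeholder; replace it with the SHA256
// from the Defender for Endpoint alert you are investigating.
let suspiciousSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
let lookback = 30d;   // advanced hunting keeps 30 days of raw signal
// Endpoint side: where and when the file was first seen (Defender for Endpoint)
let endpointSightings =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 == suspiciousSha256
    | summarize FirstSeenOnDevice = min(Timestamp),
                Devices = make_set(DeviceName) by SHA256;
// Mail side: attachments with that hash, joined to the message they arrived in
// (Defender for Office 365), then annotated with the endpoint sightings.
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SHA256 == suspiciousSha256
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              Subject, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
| join kind=leftouter endpointSightings on SHA256
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, FileName, DeliveryAction, DeliveryLocation,
          FirstSeenOnDevice, Devices
| order by Timestamp asc
```

Rows whose DeliveryAction is still "Delivered" are the mailboxes that the automatic cross-product response should have cleaned; if they remain, the message can be selected from this result and remediated from Explorer.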

Microsoft Defender for Office 365

It protects your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

Defender for Office 365 Policies

These are the policies defined for your organization that determine the behavior and security level for predefined threats. Their options are highly flexible: for example, an organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. Policies must also be reviewed on a regular basis, as new threats and challenges emerge daily.
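One way to carry out the regular policy review described above is to ask advanced hunting which policy acted on each detected inbound message and what the delivery outcome was. This is an added example for this post, not code from Microsoft or the original author; it assumes only the standard EmailEvents table and its documented columns.

```kusto
// Added example (not from the original post): 30-day review of which
// Defender for Office 365 policy acted on inbound mail that a detection fired
// on, and whether that mail was blocked, junked, replaced or still delivered.
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where isnotempty(ThreatTypes)          // keep only messages with a detection
// A user-level policy (if any) is applied over the organization-level one.
| extend PolicyApplied = iff(isnotempty(UserLevelPolicy), UserLevelPolicy,
                         iff(isnotempty(OrgLevelPolicy), OrgLevelPolicy, "none"))
| summarize Messages = count(),
            DistinctRecipients = dcount(RecipientEmailAddress),
            StillDelivered = countif(DeliveryAction == "Delivered")
    by PolicyApplied, ThreatTypes, DeliveryAction
| order by StillDelivered desc, Messages desc
```

A high StillDelivered count against a "none" policy points at recipients or domains that no policy covers yet; a high count against a named policy suggests that policy's action for that threat type is set too permissively.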

View Microsoft Defender for Office 365 Reports

An advanced reporting dashboard for monitoring your Defender for Office 365 performance is available at Reports > Dashboard in the Security & Compliance Center. These reports also offer recommendations and alerts about imminent threats, and include the following:

  1. Threat Explorer (or real-time detections)
  2. Threat protection status report
  3. Defender for Office 365 file types report
  4. Defender for Office 365 message disposition report

Use Threat Investigation & Response Capabilities

Microsoft Defender for Office 365 Plan 2 contains awesome threat investigation and response tools that allow any organization's security team to anticipate, understand, and prevent malicious attacks.
  • Threat trackers offer the latest intelligence on prevailing cybersecurity issues; for example, information about the latest malware can be viewed along with countermeasures before it becomes an actual threat to the organization. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.

  • Threat explorer (or real-time detections), also referred to simply as Explorer, is a real-time report that helps you identify and analyze recent threats; Explorer can also be configured to view data for custom periods.

  • Attack simulator helps you run realistic attack scenarios within your organization to detect vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest, attachment attacks, password spray, and brute force password attacks.

Automated Investigation Response (AIR)

As we all know, the sooner you can identify and mitigate threats, the better it is for your organization. AIR is therefore equipped with a set of security playbooks that can be launched automatically, for example when an alert is triggered, or manually, such as from a view in Explorer. This saves your security operations team time and effort in mitigating threats effectively and efficiently.