Introduction
This is John Barbare and I am a Sr. Customer Engineer at Microsoft focusing on all things in the Cybersecurity space. In this blog I will go over the Microsoft 365 Defender Security Portal and go into detail of the incident overview and explain each filter setting to further your investigation. With that said, lets jump into M365 Defender and look at a particular incident and go through multiple settings while exploring each filter option.
Microsoft 365 Defender Incident Overview
Microsoft 365 Defender applies correlation analytics and aggregates all related alerts and investigations from the following M365 Defender Suite into one incident:
- Endpoints with Microsoft Defender for Endpoint
- Email and collaboration with Microsoft Defender for Office 365
- Identities with Microsoft Defender for Identity and Azure AD (ACTIVE DIRECTORY) Identity Protection
- Applications with Microsoft Cloud App security
Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire estate and suite of products. This incident overview gives your SOC (Security Operations Center) team the wider attack story from corelated attacks/alerts and then helps them understand and deal with other threats across the current organization more efficiently. The Incidents queue shows a collection of incidents that were flagged from across devices, users, and mailboxes across your enterprise.
Incident Page
Sign into the Microsoft 365 Defender Security portal at https://security.microsoft.com/ and select the Incidents blade on the far left. In this view it is showing all alerts in the last week and this can be changed to one day, three days, one week, 30 days, or to six months by selecting the date tab. To make sure we see every Incident and also to customize the Incident page, click on the Filters tab to show more options (on the far right).
Using Filters to Customize the Incidents Page
This section will go over every setting in the Incidents filter to better understand each setting and how you can apply it to your environment. This cross-product investigation fits into one unified view, like an email issue becoming an endpoint issue, or identity compromise resulting in cloud app resources utilization.
Status, Severity, Assigned to, Multiple and Service Sources
Status – This filter, one can filter by all alerts, New alerts, In progress, and/or resolved alerts. One can select all to view all alerts or any of the below to customize the alert status view.
Severity – This filter, one can filter alerts by all Severity alerts, High, medium, low, and/or informational. More detailed Severity alert types can be found in Annex A at the bottom of the page.
Assigned to (owner) – This can be switched to assigned to anyone or any analyst or switched to assigned to me (the user currently signed in).
Multiple service sources - Filter to only see incidents that contain alerts from various sources (Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, Microsoft Defender for Office 365).
Service sources - By choosing a specific source, you can focus on incidents that contain at least one alert from that chosen source. These include Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, Microsoft Defender for Office 365. Microsoft 365 Defender has two parts – Custom detection and Microsoft 365 Defender. Microsoft Defender for Endpoint has 10 parts – EDR (Endpoint Detection and Response), Antivirus, SmartScreen, 3rd Party sensors, Custom TI (Threat Intelligence), Microsoft Defender for Office, Automated Investigation, Microsoft Threat Experts, Custom detection, and Microsoft 365 Defender.
Categories - You can specify no filters for alert categories or to filter specific alert categories based on certain types of attacks. Microsoft has redefined the alert categories to align to the enterprise attack tactics in the MITRE ATT&CK matrix.
Alerts include an alert category, which loosely identifies the kill chain stage associated with the alerted activity. For example, an alert like “Suspicious communication to an IP (Internet Protocol) address” will be categorized as “Command and Control”, while “Use of living-off-the-land binary” will be categorized as “Execution”. Using the alert categories, SOC Analysts can:
- Better understand the purpose of an alerted activity and its potential effect
- Assess the risk associated with a device or an incident, and use this risk to prioritize action
- Determine the scope of a breach by observing the categories of the alerts the threat triggered in its way. For example, “Lateral Movement” alerts can indicate multiple devices involved, and “Exfiltration” alerts could indicate data leak.
Data Sensitivity and Device Groups
Data Sensitivity - Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter to see if sensitive data is involved in the incident, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. Only applicable if Microsoft Information Protection is turned on.
Device Groups - Filter by defined device groups. In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags. One can use device groups to limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles. Configure different auto-remediation settings for different sets of devices. Assign specific remediation levels to apply during automated investigations.
In an investigation, filter the Devices list to just specific device groups by using the Group filter.
You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group. For more information, see Manage portal access using role-based access control.
OS (Operating Systems) Platform and Custom Tags
OS Platform - Limit the incident queue view by operating system. You can select all or specific ones that pertain to your environment or investigation.
Custom Tags - You can add custom tags to an incident or to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. You can add tags on devices using the following ways - using the API (Application Programming Interfaces), portal, and setting a registry key value.
Using the API – POST https://api-us.securitycenter.windows.com /api/machines/{machine-id }/tags
Using the portal - Select the device that you want to manage tags on. Select Manage Tags from the row of Response actions. Type to find or create tags. Tags are added to the device view and will also be reflected on the Devices list view. You can then use the Tags filter to see the relevant list of devices.
Using a registry key value - Use the following registry key entry to add a tag on a device:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
Note - The device tag is part of the device information report that is generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report. If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
Alert Classification and Investigation State
Alert Classification – One can filter by all classifications of alerts or a specific type. You can choose not to set a classification or specify whether an alert is a true alert or a false alert. It is important to provide a classification of true positive/false positives. This classification is used to monitor alert quality and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
Investigation state – One can filter by all or individual investigation states during and after the automated investigation process. Investigation details provide you with up-to-date status, and the ability to approve any pending actions. To see what each status represents, see Annex B at the bottom of the page.
Associated Threat - Use this filter to focus on alerts that are related to high profile threats. With more sophisticated adversaries and new threats emerging frequently and prevalently, it is critical to be able to quickly sort by assessing the impact of new threats, your resilience against or exposure to the threats, or by the identify the actions you can take to stop or contain the threats.
The associated threats from expert Microsoft security researchers covering the most relevant threats, including:
- Active threat actors and their campaigns
- Popular and new attack techniques
- Critical vulnerabilities
- Common attack surfaces
- Prevalent malware
Actor Groups
Actors – Microsoft groups nation state actors and their activities by classifying them in a specific “Actors” group. These Actor groups can be selected by all or just several.
These Nation-State activities are correlated with chemical element names, just some of which are shown below with the countries from which the actors operate.
Modifying the Columns and Items per Page
On the Incidents page, you have options to pick which columns you would like to see displayed and how many alerts are seen per page. By selecting the Choose Columns tab on the far right, you can select or unselect which columns to see in the view as seen below. Selecting the items per page tab will drop down the choices of 30, 50, or 100 items per page as seen below.
To make the individual columns show or hide more information, hover your mouse pointer in between two words on the top column to spread the row left or right. The mouse pointer will turn into an arrow pointing left and right and then you can slide the columns either way to see more or less information.
Annex A – Alert Type Severity
High (Red) - Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate an elevated risk because of the severity of damage they can inflict on devices. Some examples are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium (Orange) - Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low (Yellow) - Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool tested by a user in your organization.
Informational (Grey) - Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
Annex B – Investigation Status
The investigation status indicates the progress of the analysis and actions. As the investigation runs, status changes to indicate whether threats were found, and whether actions have been approved.
Running - The investigation process has started and is underway. Malicious artifacts that are found are remediated. This state also occurs when pending actions are approved.
Waiting for device – Investigation paused. The investigation will resume as soon as the device is available.
Pending Action - The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log (https://securitycenter.windows.com/investigations) to see if other items are still pending completion.
Failed - At least one investigation analyzer ran into a problem where it could not complete properly.
NOTE: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log (https://securitycenter.windows.com/investigations) for detailed results.
No Threats Found - The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use advanced hunting.
Threats Found - The automated investigation found issues, but there are no specific remediation actions to resolve those issues.
Partially Remediated - The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending.
Remediated - The investigation finished and all remediation actions were approved (this is noted as fully remediated).
NOTE: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status does not change. Check the investigation log for detailed results.
Terminated By System - The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.
- There are too many actions in the list. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts.
Terminated By User – A user stopped the investigation before it could complete.
Conclusion
Thanks for taking the time to read this blog and I hope you have a better understanding of all the settings and features on the incident page inside Microsoft 365 Defender. With some environments switching to a unified portal to correlate all the alerts from Microsoft Defender for Endpoint,
Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App security it will bring much needed value to any SOC or security team.
The next blog I will focus on investigating an incident in Microsoft 365 Defender and walk you through an alert from the time it shows up in the portal, assigning the incident, and doing a full investigation and closing it out.
Hope to see you in the next blog and always protect your endpoints!
Thanks for reading and have a great Cybersecurity day!
Follow my Microsoft Security Blogs: http://aka.ms/JohnBarbare and also on LinkedIn.
References
Incidents overview in Microsoft 365 Defender - Microsoft 365 security
Microsoft 365 Defender - Microsoft 365 security