Three of the modern security operations center (SOC) challenges are:
Imagine having a virtual analyst on your Tier 1 / Tier 2 SOC team that mimics the ideal steps SecOps would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity. Such a virtual analyst can take on a large share of investigations and threat remediation, significantly reducing the time to respond and freeing up your SOC team for other important strategic .
If this all sounds like science fiction, it’s not!
Such a virtual analyst is part of your Microsoft Defender ATP suite, and its name is Automated Investigation and Remediation (AutoIR).
Let’s see what AutoIR does and how you can configure AutoIR in minutes to get immediate ROI.
What is Microsoft Defender ATP AutoIR?
AutoIR is an integral part of the Microsoft Defender ATP suite, built into Windows 10, version 1709 (RS3) and higher. AutoIR completes the protect-detect-investigate-remediate-close alert cycle automatically, at unlimited scale and at no additional cost. If your organization’s subscription includes Windows 10 E5, then you already have automated investigation and remediation capabilities.
Similar to how a manual SecOps investigation is done, AutoIR investigates alerts and remediates threats in 4 steps:
How to configure AutoIR for automatic threat investigation and remediation, end to end (protect-detect-investigate-remediate-close alert)
Do I have an audit log of all remediation actions?
Of course, you do! All remediation actions performed by AutoIR and Microsoft Defender next-generation protection are listed in the Action center, on the History tab. In addition, SecOps can undo an action if a file is later determined to be legitimate in your organization.
An application can also be added to an allow list by using Microsoft Defender ATP indicators. Once an indicator is in place, that application will not be remediated again by AutoIR. To set up your allow list, see Manage indicators.
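As an added illustration of the allow-list step (this is example code, not code from the post or from Microsoft), the helper below builds and submits an "Allowed" file-hash indicator through the Defender ATP Indicators API. The endpoint URL, field names and accepted values are assumed to match the public API documentation; the function names, the 90-day default expiration and the sample hash are this example's own choices, and the HTTP call is injected so the logic can be exercised offline.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed endpoint of the Defender ATP Indicators API (from public docs, not from the post).
API_URL = "https://api.securitycenter.microsoft.com/api/indicators"
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def build_allow_indicator(sha256, title, description, days_valid=90):
    """Return the request body for an 'Allowed' FileSha256 indicator.

    Rejects malformed hashes and always sets an expiration, so an exception
    granted today does not silently outlive the review that justified it.
    """
    if not SHA256_RE.match(sha256):
        raise ValueError("indicatorValue must be a 64-character SHA-256 hex digest")
    if days_valid < 1:
        raise ValueError("days_valid must be at least 1")
    expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
    return {
        "indicatorValue": sha256.lower(),
        "indicatorType": "FileSha256",
        "action": "Allowed",           # tells AutoIR not to remediate this file again
        "title": title,
        "description": description,    # record why SecOps judged the file legitimate
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "severity": "Informational",
    }


def submit_indicator(body, token, post):
    """Send the indicator with an injected HTTP `post` callable (e.g. requests.post)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    resp = post(API_URL, json=body, headers=headers)
    if resp.status_code not in (200, 201):
        raise RuntimeError(f"indicator submission failed: {resp.status_code} {resp.text}")
    return resp.json()


if __name__ == "__main__":
    # Constructed sample hash; in practice use the hash shown on the Action center History tab.
    sample_hash = "a" * 64
    print(build_allow_indicator(sample_hash, "Line-of-business app", "Verified legitimate by SecOps"))
```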
Congratulations! You now know how to complete AutoIR configuration and get a “virtual analyst” in your SOC.