MDATP and Incident Handling

%3CLINGO-SUB%20id%3D%22lingo-sub-799888%22%20slang%3D%22en-US%22%3EMDATP%20and%20Incident%20Handling%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-799888%22%20slang%3D%22en-US%22%3E%3CP%3EHi!%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20do%20security%20incident%20handling%20based%20on%20incidents%20in%20MDATP.%20But%20we%20find%20it%20troublesome%20that%20a%20incident%20can%20contain%20several%20computers.%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20fact%20that%20alerts%20tied%20to%20the%20same%20computer%20end%20up%20in%20one%20incident%20is%20great%2C%20but%20when%20you%20start%20handing%20these%20cases%20it%20gets%20messy%20real%20fast%20if%20there%20is%2028%20computers%20in%20one%20MDATP%20Incident.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20the%20option%20in%20MDATP%20for%20Incidents%20to%20be%20limited%20to%20one%20machine.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThoughts%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-799888%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eincidents%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMDATP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esuggestion%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-800304%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20and%20Incident%20Handling%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-800304%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F157614%22%20target%3D%22_blank%22%3E%40Maximilian%20Grandahl%20L%C3%A6rum%3C%2FA%3EThat's%20the%20value%20of%20incidents!%20It%20brings%20together%20all%20related%20alerts%20of%20this%20attack.%20If%20you%20only%20want%20to%20see%20alerts%20from%20one%20specific%20machine%2C%20please%20use%20the%20machine%20page%20for%20this%20specific%20machine.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802065%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20and%20Incident%20Handling%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802065%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F63582%22%20target%3D%22_blank%22%3E%40Heike%20Ritter%3C%2FA%3E%26nbsp%3BHmm..%20How%20about%20this%20senario%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20say%20for%20example%20you%20have%20150%20offices%20world%20wide%2C%20and%20you%20get%20a%20Incident%20in%20MDATP%20containing%2020%20computers.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20type%20of%20malware%20requires%20additional%20actions%20to%20be%20taken%20by%20local%20IT%20per%20office.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20now%20dispatch%2020%20tickets%20containing%20the%20recommended%20actions%2C%20one%20for%20each%20office%20per%20computer.%3C%2FP%3E%3CP%3EIf%20the%20ATP%20Incident%20now%20contains%20all%20these%2020%20computers%2C%20referring%20to%20the%20ATP%20Incident%20would%20be%20messy.%20As%20you%20get%20partial%20ATP%20Incident%20completion%20when%20the%20local%20tickets%20gets%20resolved.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20you%20could%20dispatch%20tickets%20based%20on%20alerts%20instead%2C%20but%20then%20again%2C%20you%20could%20have%20several%20alerts%20per%20computer.%20That%20again%20makes%20Incidents%20containing%20one%20machine%20a%20better%20reference.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20curious%20to%20what%20MS%20sees%20as%20best%20practice%20here.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20made%20some%20sense%20and%20that%20I%20managed%20to%20explain%20the%20scenario%20(%E2%8C%90%E2%96%A0_%E2%96%A0)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822093%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20and%20Incident%20Handling%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F157614%22%20target%3D%22_blank%22%3E%40Maximilian%20Grandahl%20L%C3%A6rum%3C%2FA%3EI%20understand%20your%20point%2C%20however%20you%20would%20loose%20the%20benefit%20of%20a%20better%20overview%20of%20an%20incident%20if%20it%20was%20per%20machine%20based.%26nbsp%3B%3C%2FP%3E%3CP%3ESome%2Fmost%20attacks%20would%20quickly%20growth%20to%20include%20multiple%20machines%20since%20the%20attacker%20would%20pivot%20between%20target%20hosts%20and%20response%20coordination%20is%20very%20important%20to%20be%20able%20to%20respond%20to%20the%20attack.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ETherefor%20I%20believe%20it's%20important%20to%20have%20all%20information%2C%20including%20involved%20machines%2C%20tied%20in%20the%20incident%20since%20an%20critical%20incident%20would%20need%20central%20coordination.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20believe%20you%20can%20address%20your%20challenge%20with%20automation%20to%20automatically%20dispatch%20some%20of%20the%20alerts%20to%20the%20local%20IT%20depending%20on%20severity.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi! :cool:

 

We do security incident handling based on incidents in MDATP. But we find it troublesome that a incident can contain several computers. 

The fact that alerts tied to the same computer end up in one incident is great, but when you start handing these cases it gets messy real fast if there is 28 computers in one MDATP Incident. 

 

I would like the option in MDATP for Incidents to be limited to one machine. 

 

Thoughts? 

3 Replies

@Maximilian Grandahl Lærum That's the value of incidents! It brings together all related alerts of this attack. If you only want to see alerts from one specific machine, please use the machine page for this specific machine.

@Heike Ritter Hmm.. How about this senario:

 

So say for example you have 150 offices world wide, and you get a Incident in MDATP containing 20 computers. 

 

The type of malware requires additional actions to be taken by local IT per office. 

 

You now dispatch 20 tickets containing the recommended actions, one for each office per computer.

If the ATP Incident now contains all these 20 computers, referring to the ATP Incident would be messy. As you get partial ATP Incident completion when the local tickets gets resolved. 

 

I guess you could dispatch tickets based on alerts instead, but then again, you could have several alerts per computer. That again makes Incidents containing one machine a better reference. 

 

I'm curious to what MS sees as best practice here. 

 

Hope that made some sense and that I managed to explain the scenario (⌐■_■)

@Maximilian Grandahl LærumI understand your point, however you would loose the benefit of a better overview of an incident if it was per machine based. 

Some/most attacks would quickly growth to include multiple machines since the attacker would pivot between target hosts and response coordination is very important to be able to respond to the attack.


Therefor I believe it's important to have all information, including involved machines, tied in the incident since an critical incident would need central coordination.

 

I believe you can address your challenge with automation to automatically dispatch some of the alerts to the local IT depending on severity.