%3CLINGO-SUB%20id%3D%22lingo-sub-1557341%22%20slang%3D%22en-US%22%3ESee%20how%20consolidated%20incidents%20improve%20SOC%20efficiency%20through%20this%20attack%20sprawl%20simulation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1557341%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fbusiness%2Fthreat-protection%2Fintegrated-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Threat%20Protection%3C%2FA%3E%20continuously%20and%20seamlessly%20scours%20endpoints%2C%20email%20and%20docs%2C%20cloud%20app%2C%20and%20identity%20activities%20for%20suspicious%20signals%20and%20uses%20deep%20correlation%20logic%20to%20automatically%20find%20links%20between%20related%20signals%20across%20domains.%20It%20connects%20related%20existing%20alerts%20and%20generates%20additional%20alerts%20for%20suspicious%20events%20that%20could%20otherwise%20be%20missed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECorrelated%20signals%2C%20alerts%2C%20and%20relevant%20entities%20are%20collected%20and%20consolidated%20into%20a%20single%20comprehensive%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F07%2F09%2Finside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eincident%3C%2FA%3E%20representing%20the%20whole%20attack.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20put%20Microsoft%20Threat%20Protection%E2%80%99s%20incident%20feature%20to%20the%20test%20by%20simulating%20an%20end-to-end%20attack%20chain%20that%20involves%20various%20attacker%20techniques%20across%20multiple%20domains%2C%20including%20spear-phishing%2C%20credential%20theft%2C%20overpass-the-hash%20attack%2C%20lateral%20movement%2C%20and%20other%20techniques%20observed%20in%20actual%20investigations.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F209160iA504B2E24F63E3E4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png%22%20alt%3D%22fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELearn%20how%20automatic%20correlations%20in%20Microsoft%20Threat%20Protection%20detected%20the%20initial%20access%2C%20lateral%20movement%2C%20and%20lateral%20phishing%20stages%20of%20the%20attack%20sprawl%20simulation.%20Read%20our%20latest%20blog%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F07%2F29%2Finside-microsoft-threat-protection-solving-cross-domain-security-incidents-through-the-power-of-correlation-analytics%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSTRONG%3EInside%20Microsoft%20Threat%20Protection%3A%20Solving%20cross-domain%20security%20incidents%20through%20the%20power%20of%20correlation%20analytics.%3C%2FSTRONG%3E%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1557341%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20Threat%20Protection%20uses%20deep%20correlation%20logic%20to%20automatically%20find%20links%20between%20related%20signals%20across%20domains.%20It%20connects%20related%20existing%20alerts%20and%20generates%20additional%20alerts%20for%20suspicious%20events%20that%20could%20otherwise%20be%20missed.%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22inside-MTP-automatic-correlation-tc.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F209161i341071E1359B381D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22inside-MTP-automatic-correlation-tc.png%22%20alt%3D%22inside-MTP-automatic-correlation-tc.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558261%22%20slang%3D%22en-US%22%3ERe%3A%20See%20how%20consolidated%20incidents%20improve%20SOC%20efficiency%20through%20this%20attack%20sprawl%20simulation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558261%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20Sharing%20with%20the%20Community%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Microsoft Threat Protection continuously and seamlessly scours endpoints, email and docs, cloud app, and identity activities for suspicious signals and uses deep correlation logic to automatically find links between related signals across domains. It connects related existing alerts and generates additional alerts for suspicious events that could otherwise be missed.

 

Correlated signals, alerts, and relevant entities are collected and consolidated into a single comprehensive incident representing the whole attack.

 

We put Microsoft Threat Protection’s incident feature to the test by simulating an end-to-end attack chain that involves various attacker techniques across multiple domains, including spear-phishing, credential theft, overpass-the-hash attack, lateral movement, and other techniques observed in actual investigations.

 

fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png

 

Learn how automatic correlations in Microsoft Threat Protection detected the initial access, lateral movement, and lateral phishing stages of the attack sprawl simulation. Read our latest blog: Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of cor...

1 Comment

Thanks for Sharing with the Community :cool: