Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Unified SecOps Investigation for Hybrid Environments
Published Mar 06 2019 06:55 AM 51.8K Views
Microsoft

This post is authored by Yossi Basha, Senior Program Manager, Azure ATP

 

With 81 percent of security breaches caused by compromised user credentials, identity security is paramount for all organizations. Enterprise security operations (SecOps) analysts face an increasing volume and velocity of alerts and incidents across an ever-expanding surface area from on-premises to the cloud.

 

For analysts investigating compromised users, context is key. The ability to understand relationships between events and activities across multiple environments is central.

 

Microsoft has three identity-centric security products offering detection capabilities across on-premise and in the cloud:

  • Azure Advanced Threat Protection (Azure ATP) identifies on-premises attacks
  • Azure Active Directory Identity Protection (Azure AD Identity Protection) detects and proactively prevents user and sign-in risks to identities in the cloud
  • Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications

We are happy to announce that we have brought these together in a unified SecOps experience, which focuses on identity-based alerts and activities for true hybrid identity threat protection.

 

Growing Risk of Hybrid Attacks

 

Because many organizations have hybrid environments, we see attacks that start in the cloud and then pivot to on-premises, meaning SecOps teams need to investigate these attacks from multiple places.

Picture1.png

 

By combining signals from cloud and on-premises sources, Microsoft empowers security analysts by providing unified identity and user information, in a single console, ending the need to toggle between security solutions. This gives your SecOps teams more time and the right information to make better decisions, and actively remediate the real identity threats and risks.

 

Understanding Top User Threats in Your Organization

 

In addition to the aggregated security awesomeness, we have simplified and boosted your ability to investigate with the new Investigation Priority Score, which provides you visibility into users that could pose the greatest risk to your organization should they be compromised.

 

Your SecOps team can immediately understand the real top user threats to your organization by Investigation Priority Score, directly verify their business impact and investigate all related activities – no matter whether they are compromised, exfiltrating data or acting as insider threats.

 

To calculate the Investigation Priority, we assess the investigation urgency of each specific user, using security alerts, abnormal activities, and potential business and asset impact related to each user.  For every Azure Active Directory user, we then build a dynamic Investigation Priority Score, based on intelligence built from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection – which is continually updated based on recent behavior and impact.


Picture2.png

 

The Investigation Priority Score helps in identifying top users to investigate and surfacing those users that we recommend for review based on the user analytics engine.

 

New investigation capabilities

 

The unified portal also brings significant new investigation capabilities for cloud and on-premises information.

 

Picture3.png

 

  • Enabling security analysts to perform threat hunting with greater context over both cloud and on-premises resources.
  • Integrated user pages featuring all the information we know about the user coupled with everything we know about suggested investigation and next steps.
  • Full visibility and management of Azure AD user risk levels - incorporating the ability to confirm compromised user status which changes the Azure AD User Risk level to High, based on Azure AD conditional access policies.
  • Enhanced automation through Microsoft Flow integration for alerts (cloud and on-prem), as well task automation.

 

Get Started Today

 

If you’re one of the many enterprise customers already using Azure ATP, Microsoft Cloud App Security, and/or Azure AD Identity Protection and want to test the new identity threat investigation experience, get started by checking out our comprehensive technical documentation.

 

If you’re just starting your journey, begin a trial of Microsoft Threat Protection to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

 

We would love your feedback! Find us on the Azure ATP Tech Community and send us your questions or feedback on the new experience.

3 Comments
Copper Contributor

We have ATP and MCAS . How do i access the unified Secops portal. Is there a URL. 

 

Thanks

Anand

Microsoft
Hi Anand, Investigation priority is already available for all MCAS customers. The integration of Azure ATP and MCAS is made available on top of MCAS, to connected Azure ATP to MCAS please follow this article: https://docs.microsoft.com/en-us/cloud-app-security/aatp-integration
Copper Contributor

Ti Japim Paqen Botes !

Version history
Last update:
‎May 11 2021 02:02 PM
Updated by: