In two recent articles Greg Cottingham and Jessen Kurien described investigation processes triggered by a security alert. If you haven't already done so, please read “How Azure Security Center helps reveal a Cyberattack” and “How Azure Security Center detects a Bitcoin mining attack.” This post will make a lot more sense if you've read them. In these articles, the authors describe how background information from logs helped to provide a deeper understanding of the attack. Once the attack was understood, an appropriate set of remediation actions could be identified to block the intrusion and prevent similar incidents from recurring.
This kind of investigation process is often difficult for customers to replicate. It requires a lot of expertise to know what to look for. Most companies don’t have security experts like Greg and Jessen on their payrolls, and by all reports they are very expensive to hire! The process is also time-consuming, often needing hours or even days of following hints, crafting and tweaking queries, and interpreting data in order to pinpoint the attacker’s activity.