Three of the modern security operations center (SOC) challenges are:
The volume of cyber threats is growing while SOC capacity remains the same
Day-to-day work is eating SOC capacity, leaving little or no time for strategic initiatives and projects
The time to respond to incoming threats is high.
Imagine having a virtual analyst in your Tier 1 / Tier 2 SOC team that mimics the ideal steps SecOps would take to investigate and remediate threats. The virtual analyst could work 24x7, with unlimited capacity. Such an analyst can take on a significant share of investigations and threat remediation, substantially reducing the time to respond and freeing up your SOC team for other important strategic initiatives.
If this all sounds like science fiction, it’s not!
Such a virtual analyst is part of your Microsoft Defender ATP suite, and its name is Automated Investigation and Remediation (AutoIR).
Let’s see what AutoIR does and how you can configure AutoIR in minutes to get immediate ROI.
Similar to how a manual SecOps investigation is done, AutoIR investigates alerts and remediates threats in four steps:
1. Analyze all alerts on a potentially compromised device, and determine whether they are related and should be consolidated into a single investigation.
2. For each alert on an impacted device, collect all the evidence that triggered the alert, and collect additional evidence based on rules such as similarity, prevalence, create/execution-time similarity, and so on.
3. Analyze each piece of evidence by leveraging the Microsoft Security Graph infrastructure, with its built-in sandbox, various detection engines, threat intelligence, reputation data, machine-learning algorithms, and custom indicators, which together produce a concrete verdict for each piece of evidence: Clean, Malicious, or Suspicious.
4. Remediate and close out:
For each evidence type (file, process, service, driver, registry key, persistence method), apply the appropriate remediation action.
Update each alert's investigation summary.
Resolve each alert.
Pivot to additional devices: identify whether other devices were impacted, and repeat the steps above for each impacted device.
How to configure AutoIR for automatic threat investigation and remediation, end to end (protect-detect-investigate-remediate-close alert)
In Microsoft Defender Security Center, go to Settings > Advanced features and turn on Automated Investigation and Automatically resolve alerts, as shown in the following image:
In the Permissions section, select Machine groups.
Select + Add machine group, and create at least one machine group. In the Automation level list, select Full – remediate threats automatically. Note that Full means AutoIR remediates without waiting for approval; if you want to watch the verdicts first, put a pilot group on one of the Semi levels (remediation then waits for approval in the Action center) before moving it to Full. Also check the automation level of the Ungrouped machines (default) group, because devices that match none of your groups fall into it.
Do I have an audit log of all remediation actions?
Of course you do! All remediation actions performed by AutoIR and by Microsoft Defender next-generation protection are listed in the Action center, on the History tab. In addition, SecOps can undo an action if a file turns out to be legitimate in your organization.
An application can also be added to an allow list by using Microsoft Defender ATP indicators; once allow-listed, it will not be remediated again by AutoIR. To set up your allow list, see Manage indicators.
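The audit and allow-list steps above, done programmatically, as an added Python example that is not code from the original post or from Microsoft. It assumes an Azure AD application registered for the Microsoft Defender ATP API with the Alert.Read.All and Ti.ReadWrite application permissions; the helper names (get_token, defender_api, summarize_investigations, build_allow_indicator) and the SAMPLE_INVESTIGATIONS records are the example's own, and the records are constructed to resemble /api/investigations output rather than being real data. The Action center History tab itself is a portal view; the investigations API is used here as the programmatic equivalent.

```python
"""Added example (not from the original post or Microsoft): after enabling
AutoIR full automation, (1) audit what it did and (2) allow-list a false
positive. get_token()/defender_api() call the public Defender ATP REST API and
are not exercised offline; SAMPLE_INVESTIGATIONS is constructed, not real."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.securitycenter.microsoft.com"

# Investigation states that still need a human: automation waited for
# approval (semi automation) or could not finish the job.
NEEDS_HUMAN = {"PendingApproval", "PartiallyRemediated", "Failed", "PartiallyInvestigated"}

# Constructed sample shaped like /api/investigations records (field names
# follow the documented schema; ids, hosts and times are made up).
SAMPLE_INVESTIGATIONS = [
    {"id": 101, "state": "SuccessfullyRemediated", "computerDnsName": "ws01.contoso.local",
     "triggeringAlertId": "alert-a1", "startTime": "2020-03-01T10:00:00Z"},
    {"id": 102, "state": "Benign", "computerDnsName": "ws02.contoso.local",
     "triggeringAlertId": "alert-a2", "startTime": "2020-03-01T10:05:00Z"},
    {"id": 103, "state": "PendingApproval", "computerDnsName": "srv01.contoso.local",
     "triggeringAlertId": "alert-a3", "startTime": "2020-03-01T10:07:00Z"},
    {"id": 104, "state": "Failed", "computerDnsName": "ws03.contoso.local",
     "triggeringAlertId": "alert-a4", "startTime": "2020-03-01T10:09:00Z"},
    {"id": 105, "state": "SuccessfullyRemediated", "computerDnsName": "ws01.contoso.local",
     "triggeringAlertId": "alert-a5", "startTime": "2020-03-01T10:30:00Z"},
]


def summarize_investigations(records):
    """Count investigations per state and list the ones a human must look at.
    Returns {"by_state": {state: count}, "needs_human": [(id, host, state), ...]}."""
    by_state = Counter(r["state"] for r in records)
    needs_human = [(r["id"], r["computerDnsName"], r["state"])
                   for r in records if r["state"] in NEEDS_HUMAN]
    return {"by_state": dict(by_state), "needs_human": needs_human}


# Hex-digest length -> Defender indicator type.
_HASH_TYPES = {64: "FileSha256", 40: "FileSha1", 32: "FileMd5"}


def build_allow_indicator(file_hash, title, description, days=30, now=None):
    """Build the JSON body for POST /api/indicators that allow-lists a file.
    action="Allowed" stops AutoIR / next-generation protection from remediating
    it again; expirationTime keeps the exception from living forever.
    'now' (datetime, UTC) is injectable so callers can pin the expiry."""
    h = file_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in _HASH_TYPES:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {file_hash!r}")
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"indicatorValue": h, "indicatorType": _HASH_TYPES[len(h)],
            "action": "Allowed", "title": title, "description": description,
            "expirationTime": expires}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the Defender ATP API (assumed app registration)."""
    data = urllib.parse.urlencode({"resource": API_BASE, "client_id": client_id,
                                   "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def defender_api(token, method, path, params=None, body=None):
    """Minimal JSON call; list endpoints return the records under "value", e.g.
    defender_api(tok, "GET", "/api/investigations", {"$filter": "state eq 'PendingApproval'"})
    defender_api(tok, "POST", "/api/indicators", body=build_allow_indicator(...))"""
    url = API_BASE + path + ("?" + urllib.parse.urlencode(params) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    summary = summarize_investigations(SAMPLE_INVESTIGATIONS)
    print("per state:", summary["by_state"])
    for inv_id, host, state in summary["needs_human"]:
        print(f"investigation {inv_id} on {host}: {state}")
    print(json.dumps(build_allow_indicator("a" * 64, "Internal tool", "Approved by SecOps"), indent=2))
```

Run it with no arguments to see the summary over the constructed sample; for a live tenant, call get_token with your tenant and app credentials, pass the token to defender_api, and feed the "value" list of /api/investigations into summarize_investigations. The allow indicator is given an expiry on purpose: an allow entry that never expires is an exception nobody revisits.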
Congratulations! You now know how to complete AutoIR configuration and get a “virtual analyst” in your SOC.