Describe the Capabilities and Benefits of Microsoft Management and Automation Products – Describe the Threat Protection Solutions of Microsoft 365


Describe the Capabilities and Benefits of Microsoft Management and Automation Products

Modern, internet-connected organizations are under constant threat – too many, in fact, to be able to process them effectively with security operations staff. People are good at focusing on a few activities but can quickly become overwhelmed by the speed at which threats may be manifested.

Organizations need to expand to using automation tools to help detect anomalous patterns and threats across their entire environment and scale their efforts. Microsoft offers two such products: Microsoft Sentinel and Microsoft 365 Lighthouse.

Microsoft Sentinel

Microsoft 365 Defender products can connect with Microsoft Sentinel. By doing so, all Microsoft 365 Defender incidents and alerts are sent to Sentinel so that security admins can have all the data in one place. Microsoft Sentinel is a cloud-native SIEM and SOAR product. A SIEM works by gathering and analyzing all relevant data points, detecting any activities that deviate from the norm, and acting depending on policy configuration. SOAR is more of a set of services that work together to provide a platform for an organization’s security operations center (SOC) by providing orchestration and response automation during an incident.
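To make the SIEM description concrete, the following added example (written for this page; it is not Sentinel's detection engine or any Microsoft code) models the three steps named above: it gathers events from two constructed feeds with different formats (JSON-lines sign-in records and syslog-style VPN lines), normalizes them into one shape, and applies two policy rules against a constructed per-user baseline. The user names, IP addresses (from the RFC 5737 documentation ranges), countries, and the failure threshold are all sample values chosen for the illustration.

```python
"""Small model of what a SIEM does: gather, normalize, detect, alert.
Added illustration for this page, not Microsoft Sentinel's detection logic.
All log lines, users, IPs and the baseline below are constructed sample data.
"""
import json
import re
from collections import Counter

# Source 1 (constructed): sign-in records in a JSON-lines shape.
SIGNIN_JSONL = """
{"user": "mary.smith@contoso.example", "ip": "198.51.100.10", "country": "US", "result": "success"}
{"user": "mary.smith@contoso.example", "ip": "203.0.113.40", "country": "RO", "result": "success"}
{"user": "bob.jones@contoso.example", "ip": "198.51.100.11", "country": "US", "result": "failure"}
{"user": "bob.jones@contoso.example", "ip": "198.51.100.11", "country": "US", "result": "failure"}
{"user": "bob.jones@contoso.example", "ip": "198.51.100.11", "country": "US", "result": "failure"}
{"user": "bob.jones@contoso.example", "ip": "198.51.100.11", "country": "US", "result": "success"}
"""

# Source 2 (constructed): syslog-style lines from a VPN appliance.
VPN_SYSLOG = """
Mar 10 09:01:02 vpn1 sshd: user=carol.w@contoso.example src=203.0.113.41 country=RO status=accepted
Mar 10 09:01:09 vpn1 sshd: user=mary.smith@contoso.example src=203.0.113.40 country=RO status=accepted
"""

# Baseline (constructed): countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "mary.smith@contoso.example": {"US"},
    "bob.jones@contoso.example": {"US", "CA"},
    "carol.w@contoso.example": {"RO"},
}
FAILED_LOGIN_THRESHOLD = 3  # policy: this many failures followed by a success

VPN_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<ip>\S+) country=(?P<country>\S+) status=(?P<status>\S+)"
)


def parse_signins(text):
    """Normalize JSON-lines sign-in records into the common event shape."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({"source": "signin", "user": rec["user"], "ip": rec["ip"],
                       "country": rec["country"], "result": rec["result"]})
    return events


def parse_vpn(text):
    """Normalize syslog-style VPN lines into the same event shape."""
    events = []
    for line in text.strip().splitlines():
        m = VPN_RE.search(line)
        if not m:
            continue  # unparsable line: skip it rather than stop the pipeline
        events.append({"source": "vpn", "user": m["user"], "ip": m["ip"],
                       "country": m["country"],
                       "result": "success" if m["status"] == "accepted" else "failure"})
    return events


def detect(events, baseline, threshold=FAILED_LOGIN_THRESHOLD):
    """Apply two policy rules to normalized events and return alerts."""
    alerts = []
    # Rule 1: a successful sign-in from a country outside the user's baseline.
    # One alert per (user, country), whichever source reports it first.
    seen = set()
    for e in events:
        if e["result"] != "success":
            continue
        key = (e["user"], e["country"])
        if e["country"] not in baseline.get(e["user"], set()) and key not in seen:
            seen.add(key)
            alerts.append({"rule": "unfamiliar-country", "user": e["user"],
                           "severity": "medium",
                           "detail": f"{e['country']} via {e['source']} from {e['ip']}"})
    # Rule 2: repeated failures followed by a success from the same IP.
    failures = Counter()
    for e in events:
        if e["source"] != "signin":
            continue
        k = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[k] += 1
        elif failures[k] >= threshold:
            alerts.append({"rule": "failures-then-success", "user": e["user"],
                           "severity": "high",
                           "detail": f"{failures[k]} failures then success from {e['ip']}"})
            failures[k] = 0
    return alerts


def run_pipeline():
    """Gather both feeds, normalize, and run detection over the combined stream."""
    events = parse_signins(SIGNIN_JSONL) + parse_vpn(VPN_SYSLOG)
    return detect(events, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running it yields two alerts: a medium one for the sign-in from an unfamiliar country (reported once even though both feeds saw it) and a high one for the failures-then-success pattern. The "act according to policy" step is what the automation rules and playbooks later in this section take over.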

SIEM versus SOAR

SIEM and SOAR technology are important to understand. For more examples and an in-depth explanation, please see https://www.microsoft.com/en-us/security/business/security-101/what-is-soar.

MDE, MDO, MDI, and MDA can be integrated with Microsoft Sentinel. It is important to remember that a huge benefit of this integration is the bi-directional synchronization between the two tools. Microsoft 365 Defender has its own portal (security.microsoft.com) where each of the services has its own place to manage investigations, incidents, and alerts. Microsoft Sentinel (portal.azure.com) has its own portal within Azure. By providing bi-directional synchronization, a security analyst can address an incident in the Sentinel portal by, for example, updating a status. The Microsoft 365 Defender portal will sync those changes immediately so both places will display the same information.

Third-party SIEM

While the objective of this section is the integration with Microsoft Sentinel, other non-Microsoft SIEM products can also connect with Microsoft 365 Defender to accomplish a similar goal.

Sentinel is a SIEM solution for Microsoft 365 Defender alerts and incidents. As the threat landscape expands, it becomes essential for SOC and security analysts to have a dedicated platform for efficiently handling orchestration, automation, and incident response. Sentinel offers this platform by enabling the creation and execution of automation rules and playbooks.

SOC teams often grapple with the challenge of being overwhelmed by a high volume of incidents, leaving limited time for proactive threat hunting and resulting in unaddressed incidents. To address this challenge, automation rules are at your disposal, providing a means to streamline incident management. By defining a trigger, condition, and corresponding action, administrators can configure automation rules in Sentinel to manage specific incidents in a predefined manner.

For instance, suppose a fresh incident has been processed within Microsoft 365 Defender, specifically related to an Exchange Online mailbox with activity detected from a specific IP address range. In such a scenario, the incident would automatically be assigned to a specific security analyst. To break it down further, the trigger occurs when a new incident is processed through Microsoft 365 Defender, the condition(s) are met if it involves a specified Exchange Online mailbox and falls within the x.x.x.x to y.y.y.y IP address range, and the ensuing action involves assigning the incident to security analyst Mary Smith as the owner.

Automation rules

There can be many ways to leverage Sentinel’s automation rules. For a deeper understanding and a tutorial on how to create these rules, please see https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules.

Part of an automation rule’s action can be to start a playbook. A playbook, powered by Azure’s Logic Apps, is a collection of steps that can be taken to address specific alerts and incidents directly.

Logic Apps

Logic Apps is the engine that drives the low-code Power Platform app Power Automate. It is a service that helps create automated workflows with little to no code. Logic Apps exists in Azure with connectors to first- and third-party services, billed on a consumption or standard basis.

The use of playbooks is, for example, if there is a compromised identity, the Logic App workflow can be triggered to lock out the user and alert the SOC team so they can further investigate. Logic Apps can be triggered manually or automatically, depending on which works best for the SOC team.

Playbooks

Learn more about playbooks here: https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
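The automation-rule walkthrough (trigger, conditions, action assigning Mary Smith) and the playbook paragraph (lock out the user, alert the SOC) describe one chain of automation. The following added example models that chain end to end in plain Python; it is written for this page and is not Sentinel's automation-rule engine or an Azure Logic Apps workflow. The incident shape, the watched mailbox name, the IP range (203.0.113.0/24 from the documentation space, standing in for "x.x.x.x to y.y.y.y"), and the playbook steps are constructed for the illustration; the playbook records what it would do rather than calling any directory or mail API, so it runs offline.

```python
"""Model of a Sentinel-style automation rule that runs a playbook.
Added illustration for this page, not Microsoft's engine or a Logic App.
Mailbox, IP range, analyst name and playbook steps are constructed values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Incident:
    incident_id: str
    provider: str                 # e.g. "Microsoft 365 Defender"
    status: str                   # "New", "Active" or "Closed"
    mailbox: Optional[str]        # Exchange Online mailbox entity, if any
    source_ip: Optional[str]      # IP entity, if any
    owner: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # record of what automation did


# Constructed stand-ins for the "specified mailbox" and the x.x.x.x-y.y.y.y range.
WATCHED_MAILBOXES = {"finance@contoso.example"}
WATCHED_RANGE = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3, constructed
ANALYST = "Mary Smith"


def trigger(incident: Incident) -> bool:
    """Trigger: a new incident processed through Microsoft 365 Defender."""
    return incident.status == "New" and incident.provider == "Microsoft 365 Defender"


def conditions(incident: Incident) -> bool:
    """Conditions: watched mailbox AND source IP inside the watched range."""
    if incident.mailbox not in WATCHED_MAILBOXES or incident.source_ip is None:
        return False
    try:
        ip = ipaddress.ip_address(incident.source_ip)
    except ValueError:
        return False  # malformed IP entity: the rule does not match, and does not crash
    return ip in WATCHED_RANGE


def playbook_contain_identity(incident: Incident, user: str) -> List[str]:
    """Playbook (Logic App stand-in): lock out the user, then notify the SOC.
    Steps are recorded in the incident audit instead of being executed."""
    steps = [
        f"disable-account {user}",
        f"notify-soc incident={incident.incident_id} user={user}",
    ]
    incident.audit.extend(steps)
    return steps


def actions(incident: Incident) -> None:
    """Actions: assign the owner, move to Active, then start the playbook."""
    incident.owner = ANALYST
    incident.status = "Active"
    incident.audit.append(f"assign-owner {ANALYST}")
    playbook_contain_identity(incident, incident.mailbox)


def run_automation_rule(incident: Incident) -> bool:
    """Evaluate the rule against one incident; returns True if it fired."""
    if not (trigger(incident) and conditions(incident)):
        return False
    actions(incident)
    return True


if __name__ == "__main__":
    # Constructed incidents: one matches, one is outside the range, one has a bad IP.
    samples = [
        Incident("INC-1", "Microsoft 365 Defender", "New", "finance@contoso.example", "203.0.113.7"),
        Incident("INC-2", "Microsoft 365 Defender", "New", "finance@contoso.example", "198.51.100.7"),
        Incident("INC-3", "Microsoft 365 Defender", "New", "finance@contoso.example", "not-an-ip"),
    ]
    for inc in samples:
        fired = run_automation_rule(inc)
        print(inc.incident_id, "fired" if fired else "skipped", inc.owner, inc.audit)
```

Keeping trigger, conditions and actions as separate functions mirrors how the rule is defined in Sentinel and makes each part testable on its own; the audit list is the piece an analyst would want when checking, after the fact, what automation did to an incident before they looked at it.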

Sentinel works with Microsoft 365 Defender by streaming alerts and incidents into the portal. Bi-directional synchronization helps the SOC team stay updated on all incident statuses and, with Sentinel’s SOAR capabilities, automation can be tuned to help prioritize and streamline incident response.
