Monitoring incidents in real time with Microsoft 365 Security Center
03/08/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in monitoring and managing real-time security incidents using the Microsoft 365 Defender portal (formerly known as Microsoft 365 Security Center). This portal unifies the visibility and incident response capabilities of multiple Microsoft security solutions, such as Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, providing a centralized platform for security operations [1].
Introduction
In an ever-evolving cyber threat environment, the ability to detect, investigate and respond to security incidents quickly and efficiently is crucial to minimizing the impact of an attack. The Microsoft 365 Defender portal acts as a command and control center, correlating security alerts from different Microsoft products into cohesive incidents. This allows SecOps (Security Operations) teams to gain a holistic view of an attack, understand its kill chain, and take corrective action more effectively [2].
This how-to guide will cover how to navigate the Microsoft 365 Defender portal, monitor the incident queue, investigate correlated alerts, and manage the lifecycle of an incident. Step-by-step instructions, interface usage examples, and validation methods will be provided so that the reader can optimize their security operations and improve incident response capabilities in their Microsoft 365 environment.
Why Microsoft 365 Defender portal for incident monitoring?
- Unified Visibility: Aggregates security alerts from multiple Defender products (Endpoint, Office 365, Identity, Cloud Apps) into a single dashboard.
- Automatic Correlation: Automatically correlates related alerts across incidents, providing richer context about an attack.
- Comprehensive Investigation: Provides in-depth investigation tools including timeline of events, attack graphs, and detailed information about affected entities.
- Coordinated Response: Allows security teams to respond to incidents centrally, with automated and manual actions.
- Automation of Response (SOAR): Integrates with SOAR capabilities to automate incident response tasks, reducing mean time to response (MTTR).
Prerequisites
To monitor incidents in real time with the Microsoft 365 Defender portal, you'll need the following items:
- Licensing: Appropriate licenses for Microsoft 365 Defender products (e.g. Microsoft 365 E5 Security, Microsoft 365 E5) that include access to the portal and detection capabilities [3].
- Administrative Access: An account with Security Administrator, Security Operator, or Security Reader permissions in the Microsoft 365 Defender portal (https://security.microsoft.com).
- Active Defender Products: At least one of the Defender products (Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps) must be active and configured to generate alerts.
- Connected Data Sources: Security data must be ingested and monitored by the respective Defender products.
Step by Step: Monitoring and Managing Incidents
Let's explore the Microsoft 365 Defender portal interface and key functionalities for incident monitoring and management.
1. Accessing the Microsoft 365 Defender Portal
- Open your browser and navigate to https://security.microsoft.com.
- Log in with an account that has the necessary permissions.
2. Navigating the Incident Queue
The incident queue is the central point for SecOps teams. This is where related alerts are grouped together to provide a contextualized view of an attack.
- In the left navigation pane, select Incidents & Alerts > Incidents.
- The incident queue will display a list of all detected incidents, with information such as severity, status, affected entities, and last activity.
3. Analyzing a Specific Incident
When you click on an incident, you will have access to a detailed view that includes all correlated alerts, affected devices, users, and files.
- In the incident queue, click the Name of an incident to open its details page.
- The incident details page is made up of several tabs:
- Overview: Provides a summary of the incident, including severity, status, classification, affected users and devices.
- Alerts: Lists all alerts that were correlated to this incident. You can click on each alert to see its specific details.
- Devices: Shows all devices involved in the incident.
- Users: Lists affected or involved users.
- Mailboxes: Shows affected mailboxes (if there are Defender for Office 365 alerts).
- Investigations: Displays the automated investigations that were initiated in response to the incident.
- Evidence and response: Presents the collected evidence (files, IPs, URLs) and the recommended or taken response actions.
- Graph: A visual representation of the attack chain, showing the relationship between alerts, entities, and events.
4. Managing the Incident Lifecycle
Incident management involves assignment, classification and resolution.
- Assign Incident: On the incident details page, in the Overview section, you can assign the incident to a specific analyst. Click Assign to and select a user.
- Change Status: Change the Status of the incident as the investigation progresses (e.g. New, In Progress, Resolved).
- Classify Incident: When resolving an incident, you must classify it for learning and reporting purposes. Click on Classification and select True Positive (if it is a real threat), False Positive (if it is an incorrect alert), or Expected activity (if it is legitimate activity that triggered the alert). Then add a comment to document the resolution.
- Add Comments: Use the Comments and History section to record investigation steps, findings, and actions taken.
5. Performing Response Actions
Based on the investigation, you can take response actions directly from the portal.
- In the Devices or Users tab within the incident, select an affected entity (e.g. a device).
- Available actions include:
- Isolate device: Disconnects the device from the network to contain the threat.
- Restrict application execution: Prevents unauthorized applications from running.
- Run Antivirus Scan: Starts a full scan of the device.
- Collect investigation package: Collects logs and forensic data from the device.
- Disable user: Disables the user account in Azure AD.
- Reset user password: Forces the user password to be reset.
Validation and Testing
To validate incident monitoring, it's important to simulate an attack scenario and verify that the Microsoft 365 Defender portal correctly detects and correlates it.
1. Simulate an Attack (Example: EICAR Test)
Use the EICAR (European Institute for Computer Antivirus Research) file to simulate a malware detection (as described in Article 1 - Defender for Endpoint).
- On a device onboarded with Defender for Endpoint, try to download or create an EICAR file (https://www.eicar.org/download/eicar.com.txt).
- Defender for Endpoint should detect and block the file.
- In the Microsoft 365 Defender portal, go to Incidents and alerts > Alerts.
- You should see an alert related to EICAR detection.
- Verify whether this alert has been correlated to an existing incident or whether a new incident has been created.
2. Check Response Time and Correlation
Observe the time it takes for an alert to be generated and correlated to an incident after the simulation. This helps you understand the effectiveness of real-time monitoring.
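The validation steps above (alert-to-incident correlation time, and the lifecycle rules from section 4: resolved incidents must be classified, incidents should be assigned) can also be checked offline over exported incident records. This is an added example, not code from the article or from Microsoft; it assumes records shaped like the Microsoft Graph security incidents API (id, severity, status, classification, assignedTo, createdDateTime, alerts), and the sample records are constructed.

```python
"""Offline checks over incident records shaped like the Microsoft Graph security
incidents API (an assumption; the article uses only the portal UI). Sample data is constructed."""
from datetime import datetime, timezone

# Constructed sample: two incidents with their correlated alerts (API-shaped).
SAMPLE_INCIDENTS = [
    {"id": "1001", "displayName": "Malware detected on 2 devices",
     "severity": "medium", "status": "resolved", "classification": "unknown",
     "assignedTo": "analyst@contoso.example",
     "createdDateTime": "2024-03-08T10:00:20Z",
     "alerts": [{"id": "a1", "title": "EICAR test file detected",
                 "createdDateTime": "2024-03-08T10:00:05Z"},
                {"id": "a2", "title": "Suspicious process launched",
                 "createdDateTime": "2024-03-08T10:03:00Z"}]},
    {"id": "1002", "displayName": "Phishing email delivered",
     "severity": "high", "status": "active", "classification": "unknown",
     "assignedTo": None, "createdDateTime": "2024-03-08T11:31:10Z",
     "alerts": [{"id": "a3", "title": "Email reported by user as phish",
                 "createdDateTime": "2024-03-08T11:29:40Z"}]},
]

def _ts(value):
    """Parse the UTC 'Z' timestamps the API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def correlation_delay_seconds(incident):
    """Seconds between the earliest correlated alert and incident creation:
    the 'response time and correlation' measurement from the validation step."""
    first_alert = min(_ts(a["createdDateTime"]) for a in incident["alerts"])
    return (_ts(incident["createdDateTime"]) - first_alert).total_seconds()

def lifecycle_findings(incidents, max_delay_seconds=300):
    """Flag lifecycle gaps an analyst must fix: resolved incidents left
    unclassified, unassigned high-severity incidents, slow correlation."""
    findings = []
    for inc in incidents:
        if inc["status"] == "resolved" and inc["classification"] == "unknown":
            findings.append((inc["id"], "resolved without classification"))
        if inc["severity"] == "high" and not inc.get("assignedTo"):
            findings.append((inc["id"], "high severity but unassigned"))
        if correlation_delay_seconds(inc) > max_delay_seconds:
            findings.append((inc["id"], "correlation slower than threshold"))
    return findings

if __name__ == "__main__":
    for incident_id, problem in lifecycle_findings(SAMPLE_INCIDENTS):
        print("FINDING", incident_id, problem)
```

Lower max_delay_seconds to match the correlation time you measured in the simulation so that slower-than-expected grouping shows up as a finding.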
Security Tips and Best Practices
- Integrate All Sources: Connect as many Defender data sources and products as possible to the Microsoft 365 Defender portal for the most complete view and best incident correlation.
- Define Roles and Responsibilities: Clearly establish who is responsible for monitoring, investigating and responding to incidents.
- Automate Simple Responses: Use automation tools (playbooks) to automatically respond to low-severity alert types or to collect additional information on high-severity alerts.
- Stay Up to Date: Stay up to date with new features and capabilities in Microsoft 365 Defender as the platform is constantly being improved.
- Ongoing Training: Invest in training your SecOps team so they are familiar with the latest tools and attack tactics.
- Simulation Exercises: Conduct incident simulation exercises regularly to test the effectiveness of your processes and tools.
Common Troubleshooting
- Alerts do not appear in the portal: Verify that relevant Defender products are active and configured correctly. Make sure your data connectors are working and sending logs. Check the detection rule settings on individual Defender products.
- Uncorrelated alerts across incidents: Microsoft 365 Defender correlates automatically. If related alerts are not being grouped together, there may be a delay in log ingestion or the contextual information (user, device, IP) may not be sufficient for automatic correlation. Check audit logs and ingestion time.
- Portal performance issues: Clear your browser cache, try using a different browser, or check your network connectivity. In cases of large data volumes, the interface may take a while to load.
- Response actions fail: Check the permissions of the account trying to perform the action. Make sure the target device or user is online and accessible by Defender services.
Conclusion
The Microsoft 365 Defender portal is an indispensable tool for any organization seeking an effective proactive and reactive security strategy. By centralizing incident monitoring, correlating alerts from multiple sources, and providing comprehensive investigation and response capabilities, it empowers SecOps teams to protect their environments in real time. Implementing and effectively using this platform not only improves threat visibility, but also significantly reduces response time, strengthening the organization's cyber resilience against the most sophisticated attacks.
References:
[1] Microsoft Learn. Microsoft 365 Defender Portal. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide
[2] Microsoft Learn. Overview of incidents in Microsoft 365 Defender. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
[3] Microsoft Learn. Microsoft 365 Defender licensing requirements. Available at: https://learn.microsoft.com/pt-br/microsoft-365/security/defender/requirements?view=o365-worldwide