In my last blog, the second of the Defender portal series, I covered Security Operations Centre (SOC) optimisation. In part three, Jon Shectman, Principal Program Manager for Security at Microsoft, and I will dive into the details of incidents, alerts, and correlation.
Understanding security alerts: The foundation of protection
Alerts are the primary indicators of potential security threats in your environment. Generated based on specific detection rules and policies, they signal anomalies or suspicious activities. In the Defender ecosystem, alerts act as the first clues, offering glimpses of potential problems but not the full narrative.
To manage alerts effectively, it’s crucial to filter out noise and focus on high-quality signals. This involves fine-tuning alerts to ensure they are relevant and actionable, aligning with your organisation’s specific risk profile. By setting the right thresholds and conditions, you can minimise false positives and improve alert accuracy, ensuring that only significant threats are escalated for further investigation.
Incidents: The comprehensive view
While alerts are individual signals, incidents provide the broader context. In Defender, an incident is a collection of related alerts that together form a detailed picture of a potential security threat. Think of incidents as mosaics, where each alert is a tile contributing to the overall image. Alerts suggest that a potential “bad event” has occurred, while incidents consolidate these alerts to present a coherent story.
The transition from alerts to incidents involves aggregation and correlation, areas where Defender excels using intelligent algorithms. These algorithms connect alerts based on factors like timing, affected entities, and attack vectors, resulting in a cohesive incident timeline that offers context and clarity, enabling security teams to grasp the full scope and impact of a threat.
The importance of correlation
Correlation is the key that links alerts and incidents, transforming disparate data points into insightful information. In Defender, correlation unites related alerts into cohesive incidents, using machine learning and advanced analytics to identify patterns indicative of coordinated attacks. Defender’s ability to aggregate alerts efficiently surpasses manual methods, streamlining the correlation process.
While Defender automates most correlation tasks, there may be times when manual intervention is necessary, such as unlinking an alert from one incident and associating it with another. Although these instances are rare, understanding manual correlation processes is beneficial for handling them.
Enhanced security with Sentinel and Defender
Integrating Microsoft Sentinel into the Defender portal boosts your organisation’s security capabilities. The portal provides access to incident data from Sentinel and alert data from Defender, enabling comprehensive analysis using Kusto Query Language (KQL) queries that draw on both datasets. This integration offers a holistic view of your security landscape, exceeding what either platform could achieve independently.
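To make the correlation described above concrete, here is a KQL query added for this post (it is not from the Defender portal documentation or a built-in query). It reads incidents from Sentinel’s SecurityIncident table, expands the AlertIds that Defender correlated into each incident, and joins them to the matching SecurityAlert rows so that every open incident shows its alerts, the products that raised them, and the hosts and accounts named in the alert entities. It assumes the Sentinel workspace is onboarded to the unified Defender portal and that a 7-day lookback is acceptable; both are assumptions to adjust.

```kql
// Added example, not part of the original post: incidents (Sentinel) enriched with their
// correlated alerts. Assumes the workspace is onboarded to the unified Defender portal.
let lookback = 7d;   // assumption: adjust to your retention and triage cadence
// Latest state of each incident that is not closed. AlertIds holds the SystemAlertId
// values of the alerts Defender grouped into it.
let open_incidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | where Status != "Closed"
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, IncidentTitle = Title, IncidentSeverity = Severity, Status, AlertId;
// Latest copy of each alert, keeping the entity list Defender attached to it.
let alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertId = SystemAlertId, AlertName, AlertSeverity, ProductName, Tactics,
              AlertTime = TimeGenerated, Entities;
open_incidents
| join kind=inner alerts on AlertId
// Entities is a JSON array; expand it so host and account names can be collected per incident.
// Alerts that carry no entities drop out at this step.
| mv-expand Entity = todynamic(Entities)
| summarize AlertCount = dcount(AlertId),
            FirstAlert = min(AlertTime), LastAlert = max(AlertTime),
            Alerts = make_set(AlertName),
            Sources = make_set(ProductName),
            Tactics = make_set(Tactics),
            Hosts = make_set_if(tostring(Entity.HostName), tostring(Entity.Type) == "host"),
            Accounts = make_set_if(tostring(Entity.Name), tostring(Entity.Type) == "account")
  by IncidentNumber, IncidentTitle, IncidentSeverity, Status
| order by AlertCount desc, FirstAlert asc
```

Run it from Advanced Hunting in the Defender portal. Incidents with the most alerts come first, which is a quick way to spot multi-stage activity; the Hosts and Accounts columns are the same assets the incident’s Assets tab lists, so the query is a useful cross-check when you are deciding whether an alert belongs in the incident Defender placed it in.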
Navigating the incident lifecycle
Once incidents are formed, Defender offers a structured framework for investigation and response. Security analysts can delve into incidents to uncover root causes and assess potential damage. This investigation phase is supported by rich contextual information, including incident timelines, affected assets, and potential remediation steps.
The lifecycle of an incident involves continuous monitoring and adaptation. As new alerts are generated, they are automatically correlated with existing incidents or used to form new ones. This dynamic approach ensures security teams have an up-to-date view of the threat landscape, enabling proactive threat mitigation.
Exploring the Attack Story
Let’s take a closer look at an incident, starting with the Attack Story. This narrative describes how an attack unfolded, detailing the sequence of events and tactics used by the attacker. It provides a comprehensive view of the attack lifecycle, helping security teams understand the methods and techniques involved. This insight is crucial for developing effective defence strategies and enhancing future detection capabilities. With multi-stage attacks, the graphical interface can be incredibly helpful for visualising and understanding the attack.
Alerts
Adjacent to the Attack Story is the Alerts tab, which serves as the foundation for incidents. These alerts are notifications triggered when potentially malicious activities are detected, based on detection rules such as Analytics rules in Sentinel and Custom detection rules in Defender. They can vary in severity and offer the initial signs of a threat, prompting further investigation. And in Advanced Hunting, alerts are correlated to form a more complete picture of an incident.
Assets
The Assets tab refers to the network resources within an organisation that may be, or have been, targeted by threats. This includes devices, users, and applications. Understanding assets is crucial for contextualising incidents and assessing the potential impact of threats. Which device was compromised? What IP was involved? Which user was targeted? By comprehending the assets, security and IT teams can better prioritise monitoring efforts and improve their security posture. (And remember, regular communication with your IT colleagues is essential.)
Investigations
The Investigations process involves scrutinising alerts and related data to ascertain the nature and scope of a potential security incident. This includes analysing logs, events, and other evidence to determine how the attack unfolded, and which assets were affected. Advanced Hunting plays a significant role here, enabling security analysts to create detailed queries that reveal hidden threats.
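As an added example of the Advanced Hunting pivot described above (this query is written for this post and is not a built-in Defender query), the following starts from an incident’s alerts, takes the devices that appear as evidence in Defender’s AlertEvidence table, and summarises process launches on those devices in the hour around the alerts. The alert ids are placeholders to copy from the incident’s Alerts tab, and the one-hour window is an assumption; it also assumes Defender for Endpoint data is present in Advanced Hunting.

```kql
// Added example, not part of the original post: pivot from an incident's alert evidence to
// process activity on the affected devices. Replace the placeholder ids with real AlertId values.
let alert_ids = dynamic(["<ALERT_ID_1>", "<ALERT_ID_2>"]);   // placeholders from the Alerts tab
let window = 1h;                                             // assumption: widen for slow attacks
// Devices named as evidence in those alerts, with the span of time the alerts cover.
let impacted_devices =
    AlertEvidence
    | where AlertId in (alert_ids) and EntityType == "Machine" and isnotempty(DeviceId)
    | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName;
// Process launches on those devices in the window around the alerts, grouped by parent/child
// pair and sorted rarest first, because one-off launches are the ones worth reading closely.
DeviceProcessEvents
| join kind=inner impacted_devices on DeviceId
| where Timestamp between ((FirstSeen - window) .. (LastSeen + window))
| summarize Launches = count(),
            Devices = dcount(DeviceId),
            Accounts = make_set(AccountName),
            ExampleCommandLine = take_any(ProcessCommandLine),
            FirstLaunch = min(Timestamp)
  by DeviceName, InitiatingProcessFileName, FileName
| order by Launches asc, FirstLaunch asc
```

Read the output from the top: a parent/child pair that launched once on one device, from an account the Assets tab already flagged, is exactly the kind of lead the Attack Story may not yet show. Anything you confirm here can be added to the incident as evidence, and the query itself can be turned into a Custom detection rule once you know which pattern you want to catch next time.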
Evidence and Response
In the context of Advanced Hunting and Incidents, Evidence and Response pertain to the data and artifacts collected during an investigation that aid in understanding an incident. This encompasses log entries, network traffic data, file hashes, and other pertinent information. Evidence is crucial for confirming the presence of a threat and assessing its impact. Essentially, it’s the paper trail gathered by SOC analysts.
Summary
The Summary tab provides a high-level overview of the incident, detailing its scope, severity, and affected assets. It highlights key alerts, detection sources, and the timeline of malicious activity. This information assists security teams in quickly evaluating the threat and prioritising response actions. Use this tab to grasp the incident’s context and initiate investigation or remediation steps.
If you have any questions or would like to talk about anything related to the Microsoft Defender portal or Microsoft Sentinel, please get in touch.