Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents

Cybersecurity incidents are never contained to just one of your organization’s assets. Most attacks involve multiple elements across domains, including email, endpoints, identities, and applications. To rapidly understand and address incidents, your Security Operations Center (SOC) analysts need to be able to see and track all the signals from each domain, correlate and group alerts that are related, prioritize them based on their severity level, and remediate all affected assets to return them and your workforce to a secure state.

Getting a unified view of an attack is a top SOC analyst priority in quickly building the end-to-end picture of attacks and tracking all relevant details necessary for effective remediation. Navigating multiple products and switching between tools introduce friction that slows down investigations, giving attackers more time to inflict damage.

Microsoft Threat Protection (MTP) addresses this critical SOC need through incidents, which empower SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows. MTP harnesses the power of multiple solutions in the Microsoft 365 security portfolio – Office 365 Advanced Threat Protection (ATP), Azure ATP, Microsoft Defender ATP, and Microsoft Cloud App Security – to deliver cross-domain visibility and coordinated defense.

A complete look at the attack chain to prevent attack sprawl

A typical attack starts with a phishing email that installs malware on an endpoint. The malware then steals the user’s credentials, which the attackers utilize to access resources on other endpoints, on-premises applications, and cloud services. Individual security solutions that focus on only one domain may alert on and remediate a portion of the attack but will likely miss other parts of the attacker operations, putting an organization at risk while creating a false sense of security.

The incidents view in Microsoft Threat Protection solves this challenge by providing a single place to view and investigate an attack across stages, from initial access to impact. Based on individual detection leads, MTP uses artificial intelligence (AI) to automatically expand an investigation, like an experienced analyst would, and gather related telemetry and other alerts that belong to the same attack. MTP also uses AI to continually analyze the vast amount of available data and, if necessary, suggest more evidence for the analyst to add to the incident. This enables your SOC analysts to focus on what matters, while MTP saves them time and helps discover undetected evidence.

Even if you don’t have all the Microsoft 365 security solutions in your organization, MTP incidents correlate threat data for the services you have deployed, reducing the clutter and providing one view of the attack, including all relevant alerts, impacted assets and associated risk levels, remediation actions and status.

Screenshot of Microsoft 365 security center showing the overview tab of the Incidents view

Streamlining investigations across domains

Microsoft Threat Protection simplifies the complex task of investigating end-to-end attacks by allowing SOC analysts to pivot and see entities – devices, files, users, emails, and processes – in the right context within a single view.

MTP breaks down the silos and combines all alerts and insights automatically across Microsoft 365 services to reveal the full picture, helping ease digital forensics work for SOC analysts. This also enables analysts to gain comprehensive understanding of attacks that they wouldn’t otherwise get from isolated out-of-context alerts.

But MTP doesn’t stop there. To help support effective triage processes, MTP prioritizes incidents, illustrates the attack chain progression, shows the attack timeline, and generates a comprehensive name for the incident. With just one click, analysts can answer questions like: Does a file observed on one device exist on other devices? Which email messages did a file come from, and was this file also shared through a cloud app?

In addition, SOC analysts can easily search for additional related activities with Go hunt, which automatically creates and runs an advanced hunting query based on information from the incident. SOC analysts can also use attack-specific insights gained during hunting to capture fine-tuned logic and nuances in a custom detection. Custom detections continuously hunt for new activities and pull new findings to the relevant incident automatically, further enriching your view of the attack.

A clear view of the remediation status

When your organization is under attack, it’s essential to act swiftly but thoughtfully through a thorough understanding at any point in time of the remediation status of all affected assets and entities. MTP incidents play a critical part in remediation by:

  • Removing some of the burden off the analysts’ shoulders by launching automated investigation and response (AIR) self-healing playbooks that conduct in-depth asset-based investigation and work to find and remediate all malicious evidence (attack tools, malware), persistence methods (Oauth apps, ASEP in devices), exfiltration activities (email FWD rules, SPO shares),
  • Orchestrating cross-asset and cross-domain playbook invocations, tracking attacker activity across the environment
  • Providing a comprehensive view of the remediation status based on actions taken by AIR, in addition to manual actions by the analyst

When the investigation is complete, MTP incidents capture the investigation comments for record-keeping and knowledge-sharing with peers, with easy and in-context information for reference.

Microsoft Threat Protection provides the SOC with a complete picture of attacks in real-time

The incidents view in Microsoft Threat Protection correlates alerts and all affected entities into a cohesive view that enables your SOC to determine the full scope of threats across your Microsoft 365 services. Armed with a complete picture of attacks in real-time, your SOCs are better empowered to defend your organization against threats.

MTP delivers coordinated defense by leveraging the power of multiple Microsoft 365 security solutions. Through automation, built-in intelligence, and end-to-end visibility into malicious activities, MTP detects, correlates, blocks, remediates, and prevents attacks.

Existing Microsoft 365 licenses provide access to Microsoft Threat Protection features in Microsoft 365 security center without additional cost or deployment. Learn how Microsoft Threat Protection can help your organization to stop attacks with coordinated defense.

To learn more about coordinated defense, read these blog posts in the Inside Microsoft Threat Protection series:

Idan Pelleg

Microsoft Threat Protection Team