{"id":35977,"date":"2020-07-09T16:00:27","date_gmt":"2020-07-09T16:00:27","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91530"},"modified":"2020-07-09T16:00:27","modified_gmt":"2020-07-09T16:00:27","slug":"inside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/inside-microsoft-threat-protection-correlating-and-consolidating-attacks-into-incidents\/","title":{"rendered":"Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents"},"content":{"rendered":"

Cybersecurity incidents are never contained to just one of your organization\u2019s assets. Most attacks involve multiple elements across domains, including email, endpoints, identities, and applications. To rapidly understand and address incidents, your Security Operations Center (SOC) analysts need to be able to see and track all the signals from each domain, correlate and group alerts that are related, prioritize them based on their severity level, and remediate all affected assets to return them and your workforce to a secure state.<\/p>\n

Getting a unified view of an attack is a top SOC analyst priority in quickly building the end-to-end picture of attacks and tracking all relevant details necessary for effective remediation. Navigating multiple products and switching between tools introduce friction that slows down investigations<\/a>, giving attackers more time to inflict damage.<\/p>\n

Microsoft Threat Protection (MTP)<\/a> addresses this critical SOC need through incidents<\/a>, which empower SOC analysts by automatically fusing attack evidence and providing a consolidated view of an attack chain and affected assets, as well as a single-click remediation with easy-to-read analyst workflows. MTP harnesses the power of multiple solutions in the Microsoft 365 security portfolio \u2013 Office 365 Advanced Threat Protection (ATP), Azure ATP, Microsoft Defender ATP, and Microsoft Cloud App Security \u2013 to deliver cross-domain visibility and coordinated defense.<\/p>\n

A complete look at the attack chain to prevent attack sprawl<\/h2>\n

A typical attack starts with a phishing email that installs malware on an endpoint. The malware then steals the user\u2019s credentials, which the attackers utilize to access resources on other endpoints, on-premises applications, and cloud services. Individual security solutions that focus on only one domain may alert on and remediate a portion of the attack but will likely miss other parts of the attacker operations, putting an organization at risk while creating a false sense of security.<\/p>\n

The incidents view in Microsoft Threat Protection solves this challenge by providing a single place to view and investigate an attack across stages, from initial access to impact. Based on individual detection leads, MTP uses artificial intelligence (AI) to automatically expand an investigation, like an experienced analyst would, and gather related telemetry and other alerts that belong to the same attack. MTP also uses AI to continually analyze the vast amount of available data and, if necessary, suggest more evidence for the analyst to add to the incident. This enables your SOC analysts to focus on what matters, while MTP saves them time and helps discover undetected evidence.<\/p>\n

Even if you don\u2019t have all the Microsoft 365 security solutions in your organization, MTP incidents correlate threat data for the services you have deployed, reducing the clutter and providing one view of the attack, including all relevant alerts, impacted assets and associated risk levels, remediation actions and status.<\/p>\n

\"Screenshot<\/p>\n

Streamlining investigations across domains<\/h2>\n

Microsoft Threat Protection simplifies the complex task of investigating end-to-end attacks by allowing SOC analysts to pivot and see entities \u2013 devices, files, users, emails, and processes \u2013 in the right context within a single view.<\/p>\n

MTP breaks down the silos and combines all alerts and insights automatically across Microsoft 365 services to reveal the full picture, helping ease digital forensics work for SOC analysts. This also enables analysts to gain comprehensive understanding of attacks that they wouldn\u2019t otherwise get from isolated out-of-context alerts.<\/p>\n

But MTP doesn\u2019t stop there. To help support effective triage processes, MTP prioritizes incidents, illustrates the attack chain progression, shows the attack timeline, and generates a comprehensive name for the incident. With just one click, analysts can answer questions like: Does a file observed on one device exist on other devices? Which email messages did a file come from, and was this file also shared through a cloud app?<\/p>\n

In addition, SOC analysts can easily search for additional related activities with Go hunt<\/a>, which automatically creates and runs an advanced hunting query<\/a> based on information from the incident. SOC analysts can also use attack-specific insights gained during hunting to capture fine-tuned logic and nuances in a custom detection<\/a>. Custom detections continuously hunt for new activities and pull new findings to the relevant incident automatically, further enriching your view of the attack.<\/p>\n

A clear view of the remediation status<\/h2>\n

When your organization is under attack, it\u2019s essential to act swiftly but thoughtfully through a thorough understanding at any point in time of the remediation status of all affected assets and entities. MTP incidents play a critical part in remediation by:<\/p>\n