Welcome to the first part of my SC-200 study guide. In this section I will go through the following content:
- Investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
- Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
Table of Contents
What benefits you get from Defender for Office 365?
- Advanced Threat Protection: Detects and blocks known and unknown threats before they reach users.
- Email Spam Filtering: Filters spam and unwanted messages from user’s inbox.
- Safe Attachments: Scans email attachments for malware.
- URL Inspection: Blocks malicious URLs in emails and provides warnings to users.
- Phishing Protection: Detects and blocks phishing attacks, including spear-phishing and business email compromise (BEC) attacks.
- Real-time protection: Protects users from threats in real-time, providing up-to-date protection against the latest threats.
- Integration with Microsoft 365: Seamless integration with other Microsoft 365 services, such as Exchange Online, SharePoint Online, and OneDrive for Business.
How to try out Defender?
As an existing Microsoft 365 customer, the Trials and Evaluation pages in the Microsoft 365 Defender portal at https://security.microsoft.com allow you to try the features of Microsoft Defender for Office 365 Plan 2 before you buy.
Before you try Defender for Office 365 Plan 2, there are some key questions that you need to ask yourself:
- Do I want to passively observe what Defender for Office 365 Plan 2 can do for me (audit), or do I want Defender for Office 365 Plan 2 to take direct action on issues that it finds (block)?
- Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me?
- How long do I have before I need to make the decision to keep Defender for Office 365 Plan 2?
See more on Audit and Blocks mode here
Automated investigation and response (AIR) in Microsoft Defender for Office 365
Microsoft Defender for Office 365 includes AIR capabilities if your policies and alerts are configured. Set up or configure the following protection settings as directed in Protect against threats:
- Audit logging (should be turned on)
- Anti-malware protection
- Anti-phishing protection
- Anti-spam protection
- Safe Links and Safe Attachments
In addition, make sure to review your organization’s alert policies, especially the default policies in the Threat management category.
Attack simulator
With Attack simulator you can create your own Payloads (Currently only for Email) and it can be used to generate content inside the tenant that you can then analyze to learn how the products work.
When you choose email, you can select the techniques to be used
See more on Attack simulation here.
Investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
Preliminary steps
First you should enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
How attachments are detected?
When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and a file is identified as malicious, it is locked via direct integration with the file stores.
People cannot open, copy, move, or share the blocked file, even though it is still listed in the document library and in web, mobile, or desktop applications. They can, however, delete the blocked file.
How they are processed?
Defender for Office 365 does not scan all files in SharePoint Online, OneDrive for Business, or Microsoft Teams. This is on purpose. Asynchronous file scanning is performed. To identify malicious files, the process employs sharing and guest activity events, as well as smart heuristics and threat signals.
Check that your SharePoint sites are set up to use the Modern experience. Defender for Office 365 protection is available whether the Modern or Classic view is used; however, visual indicators that a file has been blocked are only available in the Modern experience.
How to enable Safe attachments
Access the safe attachments configuration page in the security center at https://security.microsoft.com/safeattachmentv2 Select Global settings
Ensure Defender for Office 365 is turned on for SharePoint, OneDrive, and Microsoft Teams.
And Safe links
Go to the Safe links configuration page in the security center at https://security.microsoft.com/safelinksv2
Open existing policy or create a new one an select “When users click links in Microsoft Teams, Ensure Safe Links checks a list of known, malicious links”
Teams admin center
Login to the Teams admin center at: https://admin.teams.microsoft.com/
On the left-hand navigation, expand Teams and then choose Teams settings.
Under the Email integration heading, choose to allow or disallow users to send emails to a channel email address by toggling Users can send emails to a channel email address.
Threat policies
You will find all Threat policies under https://security.microsoft.com/threatpolicy
How to investigate?
Files identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams will appear in Microsoft Defender for Office 365 and Explorer reports (and real-time detections).
When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, it is quarantined and accessible only to administrators.
Alerts
From Alerts page you can see the severity, category and source of the possible threats.
When you open the Alert, you can classify it or assign to someone else
Or you can link it to an existing incident or create a new one
And it will generate an incident
Threat trackers
Threat Trackers are informative widgets and views that provide you with intelligence on different cybersecurity issues that might impact your company. For example, you can view information about trending malware campaigns using Threat Trackers.
Trackers are just a few of the many great features you get with Microsoft Defender for Office 365 Plan 2. Threat Trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.
Trackers, Threat analytics and explorer
Explorer and Trackers work together to help you investigate and track security risks and threats, whether you’re reviewing email, content, or Office activities (coming soon). Trackers provide information to protect your users by highlighting new, notable, and frequently searched issues, ensuring your business is better protected as it migrates to the cloud.
With Threat analytics you can see threats and are any of them found in your environment.
And to respond and remediate?
There is automatic or manual remediation steps that you can take.
Manual steps
- Manual file quarantine
- Manual email action, such as soft-deleting email messages
- Manual user action, such as disable user or reset user password
- Advanced hunting action on users or email
- Explorer action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email
- Live response action with Microsoft Defender for Endpoint APIs to get information about a file
You can see the Incidents and under the following menu
And the alerts
There can be also human triggered alerts. In example if Analyst is tagging content as suspicious
You will get notified from it and can approve or reject the remediation.
Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
Preliminary steps
In the Teams part I went through Teams, SPO policy enablement, in this part I want to mention Preset security policies.
From here you can enable Standard or Strict protection quite easily.
And you should also see there recommendations out before proceeding.
Safe links
In the last I went through Safe attachments, so now it’s time for Safe links.
The Microsoft Defender for Office 365 Safe Links feature guards against malicious URLs in messages or Office documents. Every time they click on a link, they are protected because malicious links are dynamically blocked while good links can be accessed.
Safe Links for URLs is available in the following apps:
- Microsoft 365 apps for enterprise on Windows or Mac
- Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web)
- Word, Excel, PowerPoint, and Visio on Windows, as well as Office apps on iOS and Android devices
- Microsoft Teams channels and chats
Safe links are client and location agnostic, which means that the end user’s location and device have no effect on the behavior of wrapped links. Safe links can also be configured to support links in Office 2016 clients when the user is signed in with their Office 365 credentials.
How to investigate?
What can you see with grouping objects:
- Where the assault began.
- What tactics were used.
- How deeply your tenant has been affected by the attack.
- Scope of the attack, including the number of impacted users, devices, and mailboxes.
- All information connected to the attack.
You can also export incidents to CSV. The maximum number of records you can export is 10,000.
Message trace
For Exchange you can also use message trace to see more on the traffic and what was filtered and why. You access the trace from https://admin.exchange.microsoft.com/#/messagetrace
And to respond and remediate?
Remedial actions that are currently supported by Microsoft 365 Defender are listed in the table below.
| Email remediation actions | Users (accounts) |
|---|---|
| – Block URL (time-of-click) – Soft delete email messages or clusters – Quarantine email – Quarantine an email attachment – Turn off external mail forwarding | – Disable user – Reset user password – Confirm user as compromised |
Advanced delivery
Did you know that there is also a possibility to add SecOps mailbox to collect the “good and the bad” One of the use cases for this could be.
False positives under review: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via admin submissions to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, it’s highly recommended that these allowances are temporary.
Automated investigation and response
AIR is a mutual automated feature for all the solutions, Teams, SharePoint, OneDrive and Exchange
Remediation actions
Every piece of evidence is given a verdict at the end of an automatic investigation. Remedial measures are chosen based on the decision.
| Verdict | Affected entities | Outcomes |
|---|---|---|
| Compromised | Users | Remediation actions are taken automatically |
| Malicious | Email content (URLs or attachments) | Recommended remediation actions are pending approval |
| Suspicious | Devices or email content | Recommended remediation actions are pending approval |
| No threats found | Devices or email content | No remediation actions are needed |
Which built-in alert policies trigger automated investigations?
| Alert | Severity | How the alert is generated |
|---|---|---|
| A potentially malicious URL click was detected | High | This alert is generated when any of the following occurs:A user protected by Safe Links in your organization clicks a malicious linkVerdict changes for URLs are identified by Microsoft Defender for Office 365Users override Safe Links warning pages (based on your organization’s Safe Links policy.For more information on events that trigger this alert, see Set up Safe Links policies. |
| An email message is reported by a user as malware or phish | Informational | This alert is generated when users in your organization report messages as phishing email using the Microsoft Report Message or Report Phishing add-ins. |
| Email messages containing malicious file removed after delivery | Informational | This alert is generated when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP). |
| Email messages containing malware are removed after delivery | Informational | This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP). |
| Email messages containing malicious URL removed after delivery | Informational | This alert is generated when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP). |
| Email messages containing phish URLs are removed after delivery | Informational | This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using ZAP. |
| Suspicious email sending patterns are detected | Medium | This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user.Although it’s rare, an alert generated by this policy may be an anomaly. However, it’s a good idea to check whether the user account is compromised. |
| A user is restricted from sending email | High | This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an email account is compromised.For more information about restricted users, see Remove blocked users from the Restricted Users portal in Microsoft 365. |
| Admin triggered manual investigation of email | Informational | This alert is generated when an admin triggers the manual investigation of an email from Threat Explorer. This alert notifies your organization that the investigation was started. |
| Admin triggered user compromise investigation | Medium | This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started. |
Required permissions
| ask | Role(s) required |
|---|---|
| Set up AIR features | One of the following roles: Global Administrator or Security Administrator |
| Start an automated investigation or Approve or reject recommended actions | One of the following roles: Global Administrator, Security Administrator, Security Operator, Security Reader and Search and Purge (this role is assigned only in the Microsoft 365 Defender portal. |
Required licenses
Microsoft Defender for Office 365 Plan 2 licenses should be assigned to:
- Security administrators (including global administrators)
- Your organization’s security operations team (including security readers and those with the Search and Purge role)
- End users
False positive reporting
Any threat prevention solution occasionally experiences false positives or false negatives. If Microsoft 365 Defender’s automated investigation and response tools overlooked something or made a mistake in their detection.
| Item missed or wrongly detected | Service | What to do |
|---|---|---|
| – Email message – Email attachment – URL in an email message – URL in an Office file | Microsoft Defender for Office 365 | Submit suspected spam, phish, URLs, and files to Microsoft for scanning |
Lab-environment
Microsoft has made lab for you to use with your studies, reading written text is different than doing with your own hands.
Ensure that the computer you will be using for the demos has the new Microsoft Edge browser installed.
Case study
| Module | Lab |
|---|---|
| Learning Path 1 – Mitigate threats using Microsoft 365 Defender | Exercise 1 – Explore Microsoft 365 Defender |
Environments
The labs for this course require both a Microsoft 365 E5 licensed tenant as well as an Azure subscription.
Azure
- You need active Azure subscription, you can also get a trial here https://azure.microsoft.com/en-us/free/
- If you are still a student from here https://azure.microsoft.com/en-us/free/students/ and who is eligible for this offer https://learn.microsoft.com/en-us/azure/education-hub/azure-dev-tools-teaching/program-faq#who-is-eligible-for-azure-for-students-
M365
- If you are a partner and you need an time-based test tenant with licensing, you can use Customer Digital Experiences from https://demos.microsoft.com see more information here about the program and portal https://learn.microsoft.com/en-us/partner-center/mpn-demos
- If you are a developer, you can use this https://developer.microsoft.com/en-us/microsoft-365/dev-program
What you will get from the Sandbox?
Closure
In the first part we discover the different aspects of investigation and remediation. Some things to remember for the test.
- What are the benefits of Defender for Office 365?
- Licensing and permissions required
- Why and how to enable Safe attachments and Links?
- Attack simulator functionality
- How to make your Tenant secure and what are Preset security policies? https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
- Different places to search for possible threats, Explorer, Threat Analytics and alerts.
- Which built-in alert policies trigger automated investigations?
- What will be in the automated remediation process and what will be manual actions to take.
- How to report false positives or negatives to Microsoft
Hopefully you found this useful, then to the next one with the following topics:
- Investigate and respond to alerts generated from Data Loss Prevention policies
- Investigate and respond to alerts generated from insider risk policies
And trying to include these in the same section, let’s see.
- Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
- Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
RSS - Posts