Section 2 – Mitigate threats using Microsoft 365 Defender – Mitigate threats to the productivity environment by using Microsoft 365 Defender

Welcome to the second section of my SC-200 study guide. In this section I will go through the following content:

  • Investigate and respond to alerts generated from Data Loss Prevention policies
  • Investigate and respond to alerts generated from insider risk policies

I didn’t have time (space) to include the following:

  • Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
  • Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats

I will cover them in the next section, not to worry.

Licensing for Purview

If you’re not an E5 customer, you can still test out all the premium features of Microsoft Purview for free by using the 90-day Purview solutions trial.

What do you get with the trial?

  • Audit (Premium) – Track and investigate more high-value, critical activities and retain audit logs for longer.
  • Communication Compliance – Capture, triage, and take action on sensitive or inappropriate communications.
  • Compliance Manager – Manage your compliance requirements with greater ease and convenience.
  • Data Lifecycle Management – Use adaptive scopes to automate your retention policy coverage.
  • Data Loss Prevention (DLP) – Control sharing and use of sensitive info on devices, apps, and services.
  • eDiscovery (Premium) – Preserve, collect, and review content for litigation and internal investigations.
  • Information Protection – Automatically identify, classify, and protect sensitive info wherever it travels.
  • Insider Risk Management – Quickly identify, investigate, and take immediate action on insider risks.
  • Records Management – Manage the classification, retention, and disposition of records in your org.

See more from the following article.

Investigate and respond to alerts generated from Data Loss Prevention policies

To generate alerts you need one of the following licensing models.

Licensing

  • Single-event alert configuration: Organizations that have an E1, F1, or G1 subscription or an E3 or G3 subscription can create alert policies only where an alert is triggered every time an activity occurs.
  • Aggregated alert configuration: To configure aggregate alert policies based on a threshold, you must have either of the following configurations:
    • An A5 subscription
    • An E5 or G5 subscription
    • An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
      • Office 365 Advanced Threat Protection Plan 2
      • Microsoft 365 E5 Compliance
      • Microsoft 365 eDiscovery and Audit add-on license

Permissions

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Security Administrator
  • Security Operator
  • Security Reader

To access the DLP alert management dashboard, you need the Manage alerts role and either of the following roles:

  • DLP Compliance Management
  • View-Only DLP Compliance Management

How to use the guided setup?

If not already set up, the easiest way is to use the guided setup at https://admin.microsoft.com/adminportal/home#/modernonboarding/mipsetupguide for the process.

What does the guide do?

In this guide, you’ll complete the following information protection and DLP tasks:

  1. Verify your license and roles.
  2. Prepare your environment.
  3. Set up information protection labels.
  4. Set up DLP policies.
  5. Set up advanced configurations, like migrating policies, increasing and testing accuracy, protecting services, and expanding actions such as setting alerts, blocking features, and using encryption.
  6. Manage alerts and incidents.

And if you don’t have the needed licensing, it will guide you through the needed steps.

Get your trial and keep on going.

Once done, you can create DLP policies.

How to create policies with Alerts?

Open the DLP policies page at https://compliance.microsoft.com/datalossprevention?viewid=policies and create a new policy.

Let’s try with the GDPR policy.

Choosing only Email as the location.

Once you go forward, you can create a new rule and add alerts to it. We will select High severity and send the alert to admins.

You can also add thresholds or send an alert every time the rule is triggered, and also notify via email message when it happens.

And now we have a new rule that will send an alert every single time and add the manager as CC when sending to gmail.com.

You can audit, enable, or leave the policies off, but in this case we don’t care about mistakes made.

And it will tell you that you should enable Teams as a location, but we don’t need it for now.

Sensitivity labels as enforcer

You can also define DLP policies to be enforced on labeled content. When you assign labels, they will trigger DLP enforcement, for example when the content is shared outside of your tenant.
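The same policy that the screenshots above build click by click can be created from Security & Compliance PowerShell. The script below is an added example and not from the original post or from Microsoft: it creates an email-only policy, one rule that alerts on every match and CCs the manager when mail goes to gmail.com, and a second rule for labeled content leaving the tenant. The admin and manager addresses, the policy and rule names and the label name "Confidential" are placeholders; the sensitive information type names are built-in Purview types.

```powershell
# Added example, not the post's own procedure. Assumes the ExchangeOnlineManagement
# module is installed, the account holds one of the role groups listed under
# "Permissions", and the placeholder addresses/label are replaced with your own.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin UPN

# 1. Policy scoped to Exchange only (the "Choosing only Email" step).
#    Start in test mode with notifications ("audit") so a mistake cannot block real mail;
#    switch to -Mode Enable once the rule behaves as expected.
New-DlpCompliancePolicy -Name "GDPR - Email only (demo)" `
    -Comment "Alerts on EU personal data sent to external consumer mailboxes" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. Rule: match EU personal data, alert on every match, tag the alert High severity,
#    send the alert notification to the admins, and CC the manager (placeholder address).
New-DlpComplianceRule -Name "GDPR - mail to gmail.com" `
    -Policy "GDPR - Email only (demo)" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "EU Debit Card Number"; minCount = "1" },
        @{ Name = "EU Passport Number";   minCount = "1" }
    ) `
    -RecipientDomainIs "gmail.com" `
    -AddRecipients @{ CopyTo = "manager@contoso.example" } `
    -GenerateAlert "SiteAdmin" `
    -ReportSeverityLevel High

# 3. Labels as enforcer: alert when mail carrying the "Confidential" sensitivity label
#    (assumed label name) is sent to anyone outside the organization.
New-DlpComplianceRule -Name "Labeled content leaving the tenant" `
    -Policy "GDPR - Email only (demo)" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(
            @{ operator = "Or"; name = "labels"
               labels = @( @{ name = "Confidential"; type = "Sensitivity" } ) }
        )
    } `
    -AccessScope NotInOrganization `
    -GenerateAlert "SiteAdmin" `
    -ReportSeverityLevel High

# Check what was created and which rules raise alerts.
Get-DlpComplianceRule -Policy "GDPR - Email only (demo)" |
    Format-Table Name, GenerateAlert, ReportSeverityLevel, RecipientDomainIs
```

Aggregated (threshold-based) alerting and the email notification settings are the ones you configured in the rule wizard above; the script leaves them at the single-event default, which is the behaviour the walkthrough ends up with.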

Trying it out

Let’s log in as a user and send some super secret secrets to a gmail.com recipient.

Discovering those Alerts

In a second, the DLP alert will kick in and show inside the compliance portal that there is a match.

And also inside the Defender for Office 365 alerts page. AlexW, you got busted.

And his manager was also informed as CC; he is really exposed!

Compliance portal

Details of the alert will show this.

And inside the event you will see the following.

Event details (Property name – Description – Applicable event types)

Event details
  • Id – Unique ID associated with the event – All events
  • Location – Workload where the event was detected – All events
  • Time of activity – Time of the user activity that caused the DLP violation – All events

Impacted entities
  • User – User who caused the DLP violation – All events
  • Hostname – Host name of the machine where the DLP violation was detected – Devices events
  • IP address – IP address of the machine – Devices events
  • File path – Absolute path of the file involved in the violation – SharePoint, OneDrive, and Devices events
  • Email recipients – Recipients of the email that violated the DLP policy – Exchange events
  • Email subject – Subject of the email that violated the DLP policy – Exchange events
  • Email attachments – Names of the attachments in the email that violated the DLP policy – Exchange events
  • Site owner – Name of the site owner – SharePoint and OneDrive events
  • Site URL – Full URL of the SharePoint or OneDrive site – SharePoint and OneDrive events
  • File created – Time of file creation – SharePoint and OneDrive events
  • File last modified – Time of the last modification of the file – SharePoint and OneDrive events
  • File size – Size of the file – SharePoint and OneDrive events
  • File owner – Owner of the file – SharePoint and OneDrive events

Policy details
  • DLP policy matched – Name of the DLP policy that was matched – All events
  • Rule matched – Name of the DLP rule in the DLP policy that was matched – All events
  • Sensitive info types detected – Sensitive information types that were detected as a part of the DLP policy – All events
  • Actions taken – Actions taken as a part of the matched DLP policy – All events
  • User overrode policy – Whether the user overrode the policy through the policy tip – All events
  • Override justification text – Justification provided to override the policy tip – All events

Continuing with the portal

And when you click on the event, you will see even more about what happened, and that the manager was informed as CC as planned.

You can download the message, see the classifiers, or even the raw metadata of the email.

Defender for Office 365 portal

You can see the following inside Defender. DlpAgent is shown as the source that triggered the alert, and you will see the location it was triggered from.

Also the category and possible techniques, if any were used. In this case it was only an email.

And again (like in the first section) you can assign it to an existing incident or create a new one.

And you can also open the user information page.

On the user page you can see all the triggered alerts and the timeline.

You can either confirm that the user is compromised or take different actions. I will get back to this menu in the following sections, no worries.

Incidents

You will see incidents under the Defender portal.

You can assign them to a team member.

And you can also classify them.

That’s it; on to insider risks.

Investigate and respond to alerts generated from insider risk policies

Licensing

Microsoft Purview Insider Risk Management enables you to identify, investigate, and respond to potentially harmful or unintentional activities in your organization, which reduces internal risk.

Insider risk management is available in the following subscriptions:

  • Microsoft 365 E5/A5/F5/G5 subscription (paid or trial version)
  • Microsoft 365 E3/A3/F3/G3 subscription + the Microsoft 365 E5/A5/F5/G5 Compliance add-on
  • Microsoft 365 E3/A3/F3/G3 subscription + the Microsoft 365 E5/A5/F5/G5 Insider Risk Management add-on
  • Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on

Permissions

If you don’t have permissions in place, you will have to enable them first. Here is a list of the permissions.

And here is a detailed permissions list.

Add users to the Insider Risk Management role group

Complete the following steps to add users to this role group:

  1. Sign in to the Microsoft Purview compliance portal using credentials for an admin account in your Microsoft 365 organization.
  2. Select Permissions in the left nav, and select Roles under the Microsoft Purview solutions list.
  3. Select the Insider Risk Management role group, then select Edit.
  4. Select the Choose users tab, then select the checkbox for all users you want to add to the role group.
  5. Choose Select, then Next.
  6. Select Save to add the users to the role group. Select Done to complete the steps.

Enable audit logging

You need to enable audit logging if it is not already enabled.
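Both prerequisites above (the role group membership and audit logging) can be checked and fixed from PowerShell, which is handy when you repeat the setup in a test tenant. This is an added example, not from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, an admin account, and that the placeholder UPNs are replaced. The role group is addressed by its display name as shown in the portal steps, which is my assumption about the identity it resolves to.

```powershell
# Added example, not the post's own procedure. Placeholder UPNs must be replaced.
Import-Module ExchangeOnlineManagement

# Unified audit log ingestion is an Exchange Online organization setting.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging enabled; events show up after a delay."
} else {
    Write-Host "Unified audit logging was already enabled."
}

# Sanity check that audit events are actually flowing: DLP matches from the last day
# (these are the events insider risk policies correlate with the attached DLP policy).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ComplianceDLPExchange -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations

# Role group membership lives in Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName admin@contoso.example       # placeholder
$roleGroup = "Insider Risk Management"   # display name from the portal; assumed to resolve
Add-RoleGroupMember -Identity $roleGroup -Member analyst@contoso.example   # placeholder
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, PrimarySmtpAddress
```

If the audit search returns nothing right after enabling ingestion, that is expected; the first events can take hours to appear, so run the check again later rather than assuming the policy is broken.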

If you don’t assign the correct permissions, you won’t see all the menus.

When you assign the correct permissions, you will see more.

If you want to give permissions to users when testing the features without separation of their duties, you can use this group to give all the permissions at once.

How to set up insider risk policies?

You have these policies at your disposal; note the prerequisites.

And you can prioritize content if needed.

I will choose file extensions for my test, with the following limitations:

  • Each extension can’t exceed 20 characters
  • These characters aren’t supported: / \ : * ? < > |
  • Preceding the extension name with a period is optional. For example, you can enter ‘.exe’ or ‘exe’.

And alerts will be triggered every time.

And I will attach the DLP policy that we used in the previous section.

You could also turn on indicators for exfiltration activities.

But if you don’t enable indicators, you won’t get any alerts from insider risk policies, only from the DLP policy.

When users perform activities related to indicators, policies collect signals and trigger alerts. Insider risk management collects signals and creates alerts using various types of events and indicators.

I will add "Sending email with attachments outside" as an indicator, with a threshold from 1 to 3.

And the final solution will look like this.

Adaptive protection (preview)

Adaptive Protection is still in preview, so there could be changes to it.

Adaptive Protection uses the machine learning models of insider risk management to establish and analyze risk levels, and then dynamically assigns suitable DLP rules to users depending on those risk levels. With this new capability, static DLP rules become user-context-based and adaptive, ensuring that only high-risk users are subject to the most restrictive policy, such as blocking data sharing, while low-risk users can continue to work productively.

With Adaptive protection you can have the following benefits:

  • Context-aware detection. Helps identify the most critical risks with ML-driven analysis of both content and user activities.
  • Dynamic controls. Helps enforce effective controls on high-risk users while others maintain productivity.
  • Automated mitigation. Helps to minimize the impact of potential data security incidents and reduce admin overhead.

If you press Quick setup, it can take up to 72 hours for the insider risk settings to be applied.

You can define insider risk policy and alert levels for different users.

And you can create your own DLP policies or use the automatically generated ones.

And finally enable the protection.

See more here

And a short introduction video

Alerts

You can see the alerts under the Insider risk page or in the Defender for Office 365 portal.

When you open the alerts page, you will see the policy that triggered the alert and its status.

When you open the alert, you will see all the activities it contains, and you can create a case out of it.

Digging a little bit deeper, you will see the separate activities.

Under user activity you can see the timeline and details of the activities.

And you can also see the user timeline and triggered events under the users menu.

And if we examine the events more closely, we can see what the user actions were.

And the email details.

On the SharePoint Online (SPO) side we can see that the user has deleted files, and it triggered another event.

You can also export the alerts with the Management Activity API.

See more on the Management Activity APIs
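Here is what such an export looks like in practice, as an added example that is not part of the original post or of Microsoft's documentation: a script that pulls DLP events from the Office 365 Management Activity API with an app registration (client credentials) and writes the fields an analyst triages on to CSV. It assumes an app registration that has been granted the ActivityFeed.Read application permission with admin consent, and the tenant ID, client ID and secret placeholders must be filled in (the secret is read from an environment variable on purpose). The field names used in the final select (Operation, Workload, PolicyDetails) follow the API's DLP event schema.

```powershell
# Added example, not the post's own procedure. Placeholders below must be replaced.
$TenantId     = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
$ClientId     = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) ID
$ClientSecret = $env:MGMT_API_SECRET                     # keep the secret out of the script
$ContentType  = "DLP.All"                                # other content types: Audit.General, Audit.Exchange, ...

# 1. Client-credentials token for the Management Activity API resource.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://manage.office.com/.default"
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }
$base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# 2. A subscription for the content type must exist before content can be listed.
$subs = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/subscriptions/list"
if (-not ($subs | Where-Object { $_.contentType -eq $ContentType -and $_.status -eq "enabled" })) {
    Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$base/subscriptions/start?contentType=$ContentType" | Out-Null
}

# 3. List the content blobs for the last 24 hours (a single query may span at most 24 h).
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$fmt   = "yyyy-MM-ddTHH:mm"
$blobs = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$base/subscriptions/content?contentType=$ContentType&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"

# 4. Each blob is a JSON array of events; fetch them all and keep the DLP rule matches.
$events = foreach ($blob in $blobs) {
    Invoke-RestMethod -Method Get -Headers $headers -Uri $blob.contentUri
}
$events |
    Where-Object { $_.Operation -eq "DlpRuleMatch" } |
    Select-Object CreationTime, Workload, UserId, Operation,
        @{ n = "Policy"; e = { ($_.PolicyDetails | ForEach-Object { $_.PolicyName }) -join "," } } |
    Export-Csv -Path ".\dlp-events.csv" -NoTypeInformation
```

For a tenant with a lot of activity the content listing is paged; the API signals the next page through a NextPageUri response header, so a production collector should loop on that header instead of taking the first page only, as this example does for brevity.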

Creating a case

Once you have verified the alerts, you can create a case out of them.

When the case is created, you will have the following actions at your disposal.

You can escalate it for investigation; the investigation will be handled by eDiscovery admins.

You can see the alerts from DLP under the Defender for Office 365 portal, but nothing concerning insider risks, as those are handled under the compliance portal.

Scanning for risks

You can initiate an AI-based scan for risks inside your tenant; you just have to wait. Insider risk features aren’t the quickest: the scan, for example, could easily take a couple of days.

Retention

Cases and alerts also have retention times, after which old alerts and content are removed.

Item – Retention/Limit
  • Alerts with Needs review status – 120 days from alert creation, then automatically deleted
  • Active cases (and associated artifacts) – Indefinite retention, never expire
  • Resolved cases (and associated artifacts) – 120 days from case resolution, then automatically deleted
  • Maximum number of active cases – 100
  • User activities reports – 120 days from activity detection, then automatically deleted

Forensics evidence (preview)

Security teams must have visual context during forensic investigations to gain a deeper understanding of potentially problematic security-related user activities. Forensic evidence enables customizable visual activity capturing across devices, with customizable event triggers and built-in user privacy protection controls, to help your organization better mitigate, understand, and react to potential data risks like unauthorized exfiltration of sensitive data.

Closure

In this section we discovered the different aspects of investigation and remediation. Some things to remember for the test:

DLP

  • What licensing and permissions are needed for Purview?
  • How to create policies with Alerts?
  • How to use Sensitivity labels as enforcer?
  • What are the details for the events?
  • How you see the DLP alerts inside Defender for Office 365 portal and what are the actions and classifications you can assign for them?

Insider risks

  • What permissions are needed for Insider risks?
  • Prerequisites like licensing and Audit logs
  • How can you attach DLP policies to insider risk policies?
  • How to investigate alerts and create cases from them? How to discover the activities under alerts?

Hopefully you found this useful; on to the next one, with the following topics:

  • Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
  • Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats

Author: Harri Jaakkonen
