Section 8.2 – Mitigate threats using Microsoft Defender for Cloud – Configure and respond to alerts and incidents in Microsoft Defender for Cloud

This is the second part of the 8th section of my study guide, and today we are looking at recommendations and the alerts and incidents Defender for Cloud creates from them.

Again, my apologies to all who had to wait, as I cut this section into two separate posts. Let's carry on!

Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations

Remediation is the process of fixing a security weakness or reducing the chance that an incident repeats. Microsoft Defender for Cloud helps organizations respond to discovered security risks through its recommendations. In this post we'll go through how to use Defender for Cloud recommendations to handle alerts and incidents.

And you can access the recommendations here https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/5

Remediating based on the recommendation

For example, if you select one of the recommendations, you can see the remediation steps it proposes. Validate that they are appropriate for your environment before applying the recommended actions.

Where a recommendation offers a Fix button you can use its quick fix logic; otherwise follow the manual remediation steps the recommendation describes.

You can also enforce the recommendation directly on your resources with Azure Policy, so that non-compliant resources are flagged (or denied) at deployment time.

Disabling a recommendation

You can also disable a recommendation if you want to. This is done from Environment settings -> Settings -> Security policy, where you select the policy behind the recommendation.

Each policy has three possible effects:

  • Audit evaluates the compliance state of resources according to the recommendation logic.
  • Disabled prevents the recommendation from running.
  • Deny prevents deployment of non-compliant resources based on the recommendation logic.

In this case you want to choose Disabled.

That's it; the recommendation will no longer be displayed in the Recommendations list. Keep in mind that disabling only hides the finding and does not fix the underlying issue, so document why it was disabled.

Linking alerts to incidents


Defender for Cloud links alerts and contextual signals into incidents.

Correlation analyzes alerts by examining signals across resources, combining security expertise with AI to spot new threat patterns as they emerge.

Defender for Cloud can also rule out behavior that looks like an attack step but isn't, using the data gathered for each stage of the attack.

Manage security alerts and incidents

What is an alert?

  • Security alerts are produced by the advanced detections that enabling Defender plans for particular resource types makes possible.
    Each alert contains details of the affected resources, the problem detected, and remediation steps.
  • Defender for Cloud classifies and prioritizes alerts by severity.
    Alerts remain visible in the portal for 90 days, even if the affected resource was deleted in that time, because the alert may indicate a breach that should be investigated further within your organization.
  • Alerts can be exported in CSV format.
    They can also be streamed directly to an ITSM, Security Orchestration, Automation and Response (SOAR) or Security Information and Event Management (SIEM) tool such as Microsoft Sentinel.
    To formalize security domain knowledge, Defender for Cloud uses the MITRE ATT&CK matrix to tag alerts with their observed intent.
  • Individual alerts offer valuable clues about a completed or ongoing attack.

What is an Incident?

Incidents are created automatically from alerts and contextual signals, using the correlation described above.

Here are the incident alert types as listed on Learn:

  • Security incident with shared process detected (severity: High): The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host}.
  • Security incident detected on multiple resources (severity: Medium): The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host}.
  • Security incident detected from same source (severity: High): The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host}.
  • Security incident detected on multiple machines (severity: Medium): The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host}.

The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a “kill chain”.

Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix. The tactics, the ATT&CK versions they appear in, and their descriptions:

  • PreAttack: PreAttack could be either an attempt to access a certain resource regardless of malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point.
  • Initial Access (ATT&CK V7, V9): Initial Access is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. Threat actors will often be able to control the resource after this stage.
  • Persistence (ATT&CK V7, V9): Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access.
  • Privilege Escalation (ATT&CK V7, V9): Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.
  • Defense Evasion (ATT&CK V7, V9): Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation.
  • Credential Access (ATT&CK V7, V9): Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.
  • Discovery (ATT&CK V7, V9): Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
  • Lateral Movement (ATT&CK V7, V9): Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing more tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote execution of tools, pivoting to more systems, access to specific information or files, access to more credentials, or to cause an effect.
  • Execution (ATT&CK V7, V9): The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.
  • Collection (ATT&CK V7, V9): Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
  • Command and Control (ATT&CK V7, V9): The command and control tactic represents how adversaries communicate with systems under their control within a target network.
  • Exfiltration (ATT&CK V7, V9): Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
  • Impact (ATT&CK V7, V9): Impact events primarily try to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others.
  • An incident is a group of related alerts and associated information that together tell the story of an attack.
  • Incidents give you a unified view of an attack and its related alerts, so you can quickly understand what actions the attacker took and which resources were affected.
  • As threat coverage broadens, so does the need to detect even the smallest breach. Security analysts struggle to prioritize the many alerts and to spot a genuine attack among them. Defender for Cloud helps analysts cope with this alert fatigue by correlating alerts and low-fidelity signals into security incidents.
  • Defender for Cloud may use AI algorithms to analyze the attack sequences reported on each Azure subscription. This is useful because attacks in the cloud can span several tenants. With this approach, attack sequences are identified as prevalent alert patterns rather than as alerts that merely happen to be associated with each other.
  • Analysts often need more information during an investigation to decide what kind of threat they are dealing with and how to mitigate it. For instance, once a network anomaly is detected, it is hard to decide what to do without knowing what else is happening in the network or on the targeted resource. A security incident can therefore also contain artifacts, related events, and other data. What extra information is available for an incident depends on the type of threat detected and how your environment is configured.
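To make the alert and incident concepts above concrete, here is an added Python example that is not part of the original post and not Microsoft's own tooling. It takes a handful of constructed alerts shaped like the properties of a Microsoft.Security/alerts REST resource (the field names alertDisplayName, severity, intent, compromisedEntity, correlationKey and timeGeneratedUtc are my assumption about that shape, and the alert contents are invented), orders them along the kill chain using the tactic list above, groups them into incidents by correlationKey (a deliberate simplification, not Defender for Cloud's correlation engine), checks the 90-day portal visibility window mentioned under alerts, and exports the result to CSV as the export bullet describes.

```python
"""Offline triage of Defender for Cloud style security alerts (added example).

Orders alerts by kill-chain stage, groups them into incidents, checks the
90-day portal visibility window and exports the result as CSV.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Kill-chain order from the tactic table. Defender for Cloud's intent values
# are written without spaces, e.g. "LateralMovement".
KILL_CHAIN = [
    "PreAttack", "InitialAccess", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Execution", "Collection", "CommandAndControl", "Exfiltration", "Impact",
]
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
PORTAL_RETENTION = timedelta(days=90)  # alerts stay visible in the portal for 90 days


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-02T10:15:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample alerts. Field names follow my assumption about the
# "properties" of a Microsoft.Security/alerts REST resource; values are invented.
SAMPLE_ALERTS = [
    {"alertDisplayName": "Process launched from an unusual location",
     "severity": "High", "intent": "Execution",
     "compromisedEntity": "vm-web-01", "correlationKey": "inc-a",
     "timeGeneratedUtc": "2024-03-02T10:40:00Z"},
    {"alertDisplayName": "Multiple failed logons followed by success",
     "severity": "Medium", "intent": "CredentialAccess",
     "compromisedEntity": "vm-web-01", "correlationKey": "inc-a",
     "timeGeneratedUtc": "2024-03-02T10:15:00Z"},
    {"alertDisplayName": "Port scan from an external address",
     "severity": "Low", "intent": "PreAttack",
     "compromisedEntity": "vm-web-01", "correlationKey": "inc-a",
     "timeGeneratedUtc": "2024-03-02T09:50:00Z"},
    {"alertDisplayName": "Unusual bulk download from storage account",
     "severity": "Medium", "intent": "Collection,Exfiltration",
     "compromisedEntity": "stprodlogs", "correlationKey": "",
     "timeGeneratedUtc": "2023-11-20T08:00:00Z"},
]
AS_OF = parse_utc("2024-03-03T00:00:00Z")  # "now" for the sample run


def kill_chain_stage(intent: str) -> int:
    """Earliest kill-chain position for an alert's intent. The intent field may
    name several tactics separated by commas; unknown tactics sort after Impact."""
    stages = [KILL_CHAIN.index(t.strip()) for t in intent.split(",")
              if t.strip() in KILL_CHAIN]
    return min(stages) if stages else len(KILL_CHAIN)


def still_visible(alert: dict, now: datetime) -> bool:
    """True while the alert is inside the 90-day portal window (the affected
    resource may already be deleted; the alert is kept regardless)."""
    return now - parse_utc(alert["timeGeneratedUtc"]) <= PORTAL_RETENTION


def group_incidents(alerts: list) -> dict:
    """Group alerts sharing a correlationKey; alerts without one stand alone.
    Members are ordered by kill-chain stage, then time, so each group reads as
    the attack's progression. (Simplification, not Defender's real correlation.)"""
    groups: dict = {}
    for a in alerts:
        key = a.get("correlationKey") or f"single:{a['alertDisplayName']}"
        groups.setdefault(key, []).append(a)
    for members in groups.values():
        members.sort(key=lambda a: (kill_chain_stage(a["intent"]),
                                    parse_utc(a["timeGeneratedUtc"])))
    return groups


def triage(alerts: list, now: datetime = AS_OF) -> list:
    """Flatten incidents into rows, highest-severity incident first."""
    groups = group_incidents(alerts)
    by_severity = sorted(groups.items(),
                         key=lambda kv: -max(SEVERITY_RANK[a["severity"]] for a in kv[1]))
    rows = []
    for key, members in by_severity:
        for a in members:
            rows.append({
                "incident": key,
                "stage": kill_chain_stage(a["intent"]),
                "intent": a["intent"],
                "severity": a["severity"],
                "alert": a["alertDisplayName"],
                "entity": a["compromisedEntity"],
                "time": a["timeGeneratedUtc"],
                "visible_in_portal": still_visible(a, now),
            })
    return rows


def to_csv(rows: list) -> str:
    """Serialize triage rows as CSV text with one column per row key."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(triage(SAMPLE_ALERTS)))
```

Run it as a script to print the CSV. The stage column is the kill-chain index, so sorting an exported file by incident and stage reproduces the attack progression; in a real pipeline the SAMPLE_ALERTS list would be replaced by alerts pulled from the REST API or from the portal's CSV download.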

Analyze Microsoft Defender for Cloud threat intelligence reports

Defender for Cloud detects threats and raises security alerts with detailed information about the event and recommendations for remediating it. To help incident response teams investigate and remediate, Defender for Cloud also provides threat intelligence reports with details about the detected threat.

Three types of threat intelligence report are available, and which one you get depends on the attack:

  • Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
  • Campaign Report: focuses on details of specific attack campaigns.
  • Threat Summary Report: covers all of the items in the previous two reports.

In the alert details, under Threat intelligence report, you can open the report itself.

You can read more from Learn

Manage user data discovered during an investigation

Customer data can be accessed in the tool by Defender for Cloud users with the Reader, Owner, Contributor, or Account Administrator roles.

You can find your own data in the following places:

  • Through the Azure portal you can examine your personal information. Defender for Cloud stores only security contact details, such as phone numbers and email addresses.
  • Using Defender for Cloud's just-in-time VM access feature, you can review the allowed IP configurations in the Azure portal.
  • Security alerts from Defender for Cloud, including IP addresses and attacker details, in the Azure portal.

You don't need to classify personal data found in Defender for Cloud's security contact feature.

You can export the data by:

  • Copying from the Azure portal
  • Calling the Azure REST API

See more from Learn

Just-in-time data is considered non-identifiable data and is retained for 30 days.

Alert data is considered security data and is retained for two years.

Closure

How to remediate based on a recommendation, and how to disable a recommendation.

What is an alert, and when do alerts become an incident?

Remember the incident types:

  • Security incident with shared process detected (High)
  • Security incident detected on multiple resources (Medium)
  • Security incident detected from same source (High)
  • Security incident detected on multiple machines (Medium)

And that Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix.

Report types for Defender for Cloud TI:

  • Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
  • Campaign Report: focuses on details of specific attack campaigns.
  • Threat Summary Report: covers all of the items in the previous two reports.

Who can access personal data, and how long is each type of data retained?

Link to main post

Author: Harri Jaakkonen
