And this is the second part of the 8th section of my study guide, and today we are looking at recommendations and the alerts and incidents they will create.
Again, my apologies to all who had to wait as I cut it into two different posts. Let's carry on!
Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
Remediation is the process of fixing a security flaw or reducing the chance that the issue recurs. Through its recommendations, Microsoft Defender for Cloud helps organizations respond to the security risks it discovers. In this post we'll go through how Defender for Cloud recommendations are used to handle alerts and incidents.
You can access the recommendations here: https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/5
Remediating based on the recommendation
For example, if you select one of the recommendations, you can see the actions to take. Validate that they are accurate for your environment, then apply the recommended actions.
You can use the Quick fix logic or the manual remediation steps described in the recommendation.
You can also enforce this directly on your resources with Azure Policy.
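The recommendations shown in the portal are backed by security assessments, which can also be listed programmatically. The following is an added example (not code from the original post or from Microsoft) that pulls the subscription's assessments from the Microsoft.Security/assessments REST API, follows paging, keeps only the Unhealthy ones and sorts them by severity so the riskiest findings are remediated first. The HTTP call is injected as a `fetch` callable so the logic runs offline against a constructed response; the `$expand=metadata` parameter and the exact response layout are assumptions based on the public API, and every assessment id, title and resource path in the sample is made up.

```python
"""Prioritise Microsoft Defender for Cloud recommendations from the REST API.

Added example, not code from the original post or from Microsoft.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

Fetch = Callable[[str], dict]


def http_fetch(bearer_token: str) -> Fetch:
    """Real fetcher. The token is assumed to come from e.g.
    `az account get-access-token --query accessToken -o tsv`."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_assessments(subscription_id: str, fetch: Fetch) -> Iterable[dict]:
    """Yield every assessment, following nextLink until the list is exhausted.
    $expand=metadata (assumed) is what returns the severity of each finding."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/assessments"
           f"?api-version={API_VERSION}&$expand=metadata")
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def unhealthy_by_severity(subscription_id: str, fetch: Fetch) -> List[Dict[str, str]]:
    """Unhealthy recommendations, highest severity first, then by title."""
    rows = []
    for item in iter_assessments(subscription_id, fetch):
        props = item.get("properties", {})
        if props.get("status", {}).get("code") != "Unhealthy":
            continue  # Healthy and NotApplicable findings need no remediation
        rows.append({
            "assessment": item.get("name", ""),
            "title": props.get("displayName", ""),
            "resource": props.get("resourceDetails", {}).get("Id", ""),
            "severity": props.get("metadata", {}).get("severity", "Unknown"),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["title"]))
    return rows


# Constructed two-page response for offline use; ids, titles and paths are made up.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
VM = f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines"
FIRST_PAGE = (f"{ARM}/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Security/assessments"
              f"?api-version={API_VERSION}&$expand=metadata")
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"name": "example-assessment-1",
             "properties": {"displayName": "Management ports should be closed on virtual machines",
                            "status": {"code": "Unhealthy"},
                            "resourceDetails": {"Source": "Azure", "Id": f"{VM}/vm-web-01"},
                            "metadata": {"severity": "Medium"}}},
            {"name": "example-assessment-2",
             "properties": {"displayName": "MFA should be enabled on accounts with owner permissions",
                            "status": {"code": "Healthy"},
                            "resourceDetails": {"Source": "Azure", "Id": f"/subscriptions/{SAMPLE_SUB}"},
                            "metadata": {"severity": "High"}}},
        ],
        "nextLink": f"{ARM}/example-page-2",
    },
    f"{ARM}/example-page-2": {
        "value": [
            {"name": "example-assessment-3",
             "properties": {"displayName": "Vulnerability findings on virtual machines should be resolved",
                            "status": {"code": "Unhealthy"},
                            "resourceDetails": {"Source": "Azure", "Id": f"{VM}/vm-db-02"},
                            "metadata": {"severity": "High"}}},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch()."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for row in unhealthy_by_severity(SAMPLE_SUB, sample_fetch):
        print(f"{row['severity']:<7} {row['title']}  ->  {row['resource']}")
```

Swap `sample_fetch` for `http_fetch(token)` to run it against a real subscription; the caller's identity needs read access to Microsoft.Security/assessments, which the Security Reader role provides.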
Disabling a recommendation
You can also disable a recommendation if you want to, from Environment settings -> Settings -> Security policy.
There are three different types:
- Audit evaluates the compliance state of resources according to recommendation logic.
- Disabled prevents the recommendation from running.
- Deny prevents deployment of non-compliant resources based on recommendation logic.
In this case you want to choose Disabled.
That’s it, now this won’t be displayed anymore inside those recommendations.
Linking alerts to incidents
Defender for Cloud links alerts and contextual signals together into incidents.
Correlation analyzes alerts by examining signals across resources, combining security expertise with artificial intelligence to spot new attack patterns as they emerge.
Defender for Cloud can also rule out behavior that looks like an attack step but isn't, using the data gathered for each stage of the attack.
Manage security alerts and incidents
What is an alert?
- Advanced detections, made possible by enabling Defender plans for particular resource types, result in security alerts.
- Each alert contains information about the affected resources, the problem, and the corrective actions to take.
- Defender for Cloud categorizes and ranks alerts according to their severity.
- An alert stays visible in the portal for 90 days, even if the resource it relates to was deleted within that period. This is because the alert may indicate a breach that should be investigated further inside your organization.
- Alerts can be exported in CSV format.
- Alerts can also be streamed directly to an ITSM, Security Orchestration Automated Response (SOAR), or Security Information and Event Management (SIEM) tool such as Microsoft Sentinel.
- To formalize security domain knowledge, Defender for Cloud uses the MITRE ATT&CK matrix to link alerts with their observed intent.
- Individual alerts offer insightful hints regarding a completed or ongoing attack.
What is an Incident?
Incidents are created automatically based on alerts and contextual signals.
Here is the definition from Microsoft Learn of which alerts will trigger incidents:
Alert | Description | Severity |
---|---|---|
Security incident with shared process detected | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | High |
Security incident detected on multiple resources | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host} | Medium |
Security incident detected from same source | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | High |
Security incident detected on multiple machines | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host} | Medium |
The series of steps that describe the progression of a cyberattack from reconnaissance to data exfiltration is often referred to as a “kill chain”.
Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix:
Tactic | ATT&CK Version | Description |
---|---|---|
PreAttack | | PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and identify an entry point. |
Initial Access | V7, V9 | Initial Access is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. Threat actors will often be able to control the resource after this stage. |
Persistence | V7, V9 | Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. Threat actors will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or provide an alternate backdoor for them to regain access. |
Privilege Escalation | V7, V9 | Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. |
Defense Evasion | V7, V9 | Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as (or variations of) techniques in other categories that have the added benefit of subverting a particular defense or mitigation. |
Credential Access | V7, V9 | Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. |
Discovery | V7, V9 | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. |
LateralMovement | V7, V9 | Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing more tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to more systems, access to specific information or files, access to more credentials, or to cause an effect. |
Execution | V7, V9 | The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. |
Collection | V7, V9 | Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
Command and Control | V7, V9 | The command and control tactic represents how adversaries communicate with systems under their control within a target network. |
Exfiltration | V7, V9 | Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
Impact | V7, V9 | Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation, and others. |
- An incident is a group of related alerts and supporting information that together tell the story of an attack.
- Incidents give you a unified view of an attack and all of its related alerts, so you can quickly understand the actions the attacker took and the resources they affected.
- As the breadth of threat coverage grows, so does the need to detect even the smallest breach, and analysts find it hard to prioritize the many alerts and spot a genuine attack. Defender for Cloud helps analysts overcome this alert fatigue by correlating alerts and low-fidelity signals into security incidents.
- Defender for Cloud can apply AI algorithms to analyze the attack sequences reported on each Azure subscription. Because attacks in the cloud may span several tenants, this is useful: attack sequences are recognized as common alert patterns rather than as alerts that merely happen to be connected.
- During an incident investigation, analysts often need more context to decide what kind of threat they face and how to mitigate it. For instance, once a network anomaly is detected, it can be hard to decide on next steps without knowing what else is happening on the network or on the targeted resource. A security incident may therefore also contain artifacts, related events, and other data; which extra information is available depends on the kind of threat detected and how your environment is configured.
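To make the incident table and the kill-chain table above concrete, here is an added example that is not code from the original post and is not Defender for Cloud's own correlation engine. It takes a handful of constructed alert records, groups them the way the two incident kinds suggest (several alerts on the same resource, or one source touching several resources), takes the incident severity from the highest alert severity, and orders each group by the ATT&CK tactic order listed in the post so the "story of the attack" reads from initial access onwards. Field names mirror the Microsoft.Security/alerts schema (alertDisplayName, intent, severity, startTimeUtc, compromisedEntity); `source_ip` is an assumed simplification of the alert's entities list, and the hosts, times and IP address are made up.

```python
"""Group Defender for Cloud alerts into incident candidates along the kill chain.

Added example, not code from the original post and not Defender for Cloud's own
correlation logic; it only illustrates the grouping idea.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Tactic order from the kill-chain table in the post (ATT&CK v9 tactics).
KILL_CHAIN = [
    "PreAttack", "InitialAccess", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Execution", "Collection", "CommandAndControl", "Exfiltration", "Impact",
]
STAGE_RANK = {tactic: i for i, tactic in enumerate(KILL_CHAIN)}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


@dataclass(frozen=True)
class Alert:
    alert_display_name: str
    intent: str                       # alert "intent" field, one of KILL_CHAIN
    severity: str
    start_time_utc: datetime
    compromised_entity: str           # resource the alert fired on
    source_ip: Optional[str] = None   # assumed: attacker IP entity, if present


def max_severity(alerts: List[Alert]) -> str:
    """Incident severity is the highest severity among its member alerts."""
    return min(alerts, key=lambda a: SEVERITY_RANK.get(a.severity, 99)).severity


def kill_chain_story(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Order alerts by kill-chain stage, then by start time, to tell the story."""
    unknown = len(KILL_CHAIN)  # intents not in the table sort last
    ordered = sorted(alerts, key=lambda a: (STAGE_RANK.get(a.intent, unknown), a.start_time_utc))
    return [(a.intent, a.alert_display_name) for a in ordered]


def propose_incidents(alerts: List[Alert], min_alerts: int = 2) -> List[Dict]:
    """Two grouping rules: several alerts on one resource, or one source
    touching several resources. A single isolated alert never becomes an incident."""
    by_entity: Dict[str, List[Alert]] = defaultdict(list)
    by_source: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_entity[a.compromised_entity].append(a)
        if a.source_ip:
            by_source[a.source_ip].append(a)

    incidents = []
    for entity, group in by_entity.items():
        if len(group) >= min_alerts:
            incidents.append({"kind": "same resource", "key": entity,
                              "severity": max_severity(group),
                              "resources": [entity],
                              "story": kill_chain_story(group)})
    for ip, group in by_source.items():
        resources = sorted({a.compromised_entity for a in group})
        if len(resources) >= 2:
            incidents.append({"kind": "same source", "key": ip,
                              "severity": max_severity(group),
                              "resources": resources,
                              "story": kill_chain_story(group)})
    return incidents


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-01-15 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed alerts; host names and the TEST-NET-3 address are made up.
SAMPLE_ALERTS = [
    Alert("Logon from an unusual location", "InitialAccess", "Medium", _t("10:00"), "vm-web-01", "203.0.113.7"),
    Alert("Suspicious process execution", "Execution", "High", _t("10:05"), "vm-web-01"),
    Alert("New local account created", "Persistence", "Medium", _t("10:03"), "vm-web-01"),
    Alert("Logon from an unusual location", "InitialAccess", "Medium", _t("10:20"), "vm-db-02", "203.0.113.7"),
    Alert("Outbound connection to a suspicious host", "CommandAndControl", "Low", _t("11:00"), "vm-app-09"),
]

if __name__ == "__main__":
    for inc in propose_incidents(SAMPLE_ALERTS):
        print(f"[{inc['severity']}] {inc['kind']} ({inc['key']}) on {', '.join(inc['resources'])}")
        for stage, name in inc["story"]:
            print(f"    {stage:<18} {name}")
```

Note that the Persistence alert arrived before the Execution alert by timestamp, yet the story lists it in tactic order; that is the point of mapping alerts to kill-chain intents rather than reading them purely chronologically. The lone Command and Control alert on vm-app-09 is not grouped with anything and stays a single alert, which is the "alert fatigue" case the incident view is meant to cut through.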
Analyze Microsoft Defender for Cloud threat intelligence reports
Defender for Cloud detects threats and sends out security alerts with complete information about the incident and recommendations for fixing it. Defender for Cloud offers threat intelligence reports with details about discovered threats to assist incident response teams in their investigation and threat remediation.
Three different threat reports are available in Defender for Cloud, and the report type can vary depending on the attack. These are the reports:
- Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
- Campaign Report: focuses on details of specific attack campaigns.
- Threat Summary Report: covers all of the items in the previous two reports.
Under Threat intelligence report you can view the report itself.
You can read more on Microsoft Learn.
Manage user data discovered during an investigation
Customer information can be accessed in the tool by Defender for Cloud users with the Reader, Owner, Contributor, or Account Administrator roles.
You can find your own data as follows:
- Through the Azure portal, you can examine your personal information. Only secure contact information, including phone numbers and email addresses, is stored by Defender for Cloud.
- Using the just-in-time VM access capability of Defender for Cloud, you may check authorized IP configurations within the Azure portal.
- Security alerts from Defender for Cloud, including IP addresses and attacker information, in the Azure portal.
You don't need to classify personal data found in Defender for Cloud's security contact feature.
You can export content by:
- Copying from the Azure portal
- Executing the Azure REST API call
See more on Microsoft Learn.
Just-in-time data is considered non-identifiable data and is retained for 30 days.
Alert data is considered security data and is retained for two years.
Closure
How to remediate based on a recommendation, and how to disable a recommendation.
What is an alert, and which of them become an incident?
Remember the incident types:
Alert | Description | Severity |
---|---|---|
Security incident with shared process detected | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | High |
Security incident detected on multiple resources | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that similar attack methods were performed on your cloud resources {Host} | Medium |
Security incident detected from same source | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resource {Host} | High |
Security incident detected on multiple machines | The incident which started on {Start Time (UTC)} and recently detected on {Detected Time (UTC)} indicates that an attacker has {Action taken} your resources {Host} | Medium |
And that Defender for Cloud's supported kill chain intents are based on version 9 of the MITRE ATT&CK matrix.
Report types for Defender for Cloud threat intelligence:
- Activity Group Report: provides deep dives into attackers, their objectives, and tactics.
- Campaign Report: focuses on details of specific attack campaigns.
- Threat Summary Report: covers all of the items in the previous two reports.
Who can access personal data, and how long is each type of data retained?