IBM Security Global Forum


Microsoft Threat Protection. What you need to know

By Cathy Dehart posted Mon April 27, 2020 07:15 AM


Microsoft Threat Protection can automatically block attacks and reduce their persistence to keep them from recurring, prioritize incidents for investigation and response, auto-heal affected assets, and provide cross-domain hunting.

The product doesn't include any new security solutions; that is a deliberate strategy on Microsoft's part. The idea behind Microsoft Threat Protection is to give companies optimal security with minimal complexity.

Companies should operate on the assumption that a breach has already happened and that they have been hit. Furthermore, anything can serve as an attack vector, from phones to laptops to Internet of Things sensors. Microsoft's strategy is to stay one step ahead by correlating the security data it collects.

Microsoft Threat Protection combines multiple security solutions that Microsoft also sells individually, tied together through the Microsoft 365 Security Center, a single dashboard that provides a graphical summary of alerts, top threats, and the devices and accounts that could be at risk. The dashboard also includes Office 365 Secure Score, a tool that shows which Azure services are in use, along with an overall assessment of an organization's security posture. E-mail and phishing protections are also presented in the dashboard.

There are five general categories of security protection covered by the Microsoft Threat Protection stack. The list below, taken from Microsoft's announcement, shows the protection services included in the product:

  • Endpoints: Windows Defender Advanced Threat Protection, Windows 10, Microsoft Intune

  • Identities: Azure Active Directory Information Protection, Azure Advanced Threat Protection, Microsoft Cloud App Security

  • User Data: Exchange Online Protection, Office 365 Advanced Threat Protection, Office 365 Threat Intelligence, Windows Defender Advanced Threat Protection, Microsoft Cloud App Security

  • Infrastructure: Azure Security Center, SQL Server, Linux

  • Cloud Apps: Exchange Online Protection, Office 365 Advanced Threat Protection, Microsoft Cloud App Security

During the Ignite conference, presenters also indicated that Attack Simulator is part of the solution. It's a tool that lets IT pros send simulated phishing e-mails to end users to test their awareness of that avenue of attack.

Microsoft's announcement promised that "customers who leverage all the assistance in Microsoft Threat Protection will have a fully integrated, end-to-end solution, securing their business, across the entire attack surface."

Since no new security products are involved, Microsoft Threat Protection may be something enterprises can buy and use today. It's not clear from Microsoft's announcement whether that's the case, as licensing wasn't described or discussed.

While Microsoft Threat Protection automatically detects and remediates threats, advanced hunting lets you take your response a step further by efficiently inspecting benign-looking events that, in specific contexts, can indicate breach activity. For some months now, SecOps teams at various companies have used Microsoft 365 security center to hunt for evidence on endpoints after receiving suspicious emails. This has been made possible by endpoint data from Microsoft Defender ATP and email data from Office 365 ATP.


Now, we're expanding that coverage to include data from Azure ATP and Microsoft Cloud App Security with the following new schema tables:

IdentityLogonEvents — includes authentication events from Active Directory as well as managed cloud apps and services. Use this to surface unusual logon activity, including repeated attempts and the use of atypical logon methods.

IdentityQueryEvents — includes data about attempts to query identity data in Active Directory using LDAP and other protocols. These events are also monitored by Azure ATP to detect reconnaissance activity, including attempts to discover high-value targets in your network.

AppFileEvents — includes file-related activity in apps managed by Microsoft Cloud App Security. This gives you coverage of attempts to manipulate files that might contain sensitive data or malicious code.

Sample scenarios you can try

With these new data sets, you can hunt for activity that occurs across the attack chain. Check out the example scenarios below to see what you can do with the expanded schema.

LDAP authentication with cleartext credentials

With IdentityLogonEvents, you can identify possible lateral movement by searching for logon attempts using compromised accounts or logons over insecure protocols, such as cleartext authentication over LDAP.

SAMR queries to Active Directory

You can now quickly find reconnaissance activity, such as processes making suspicious SAMR queries against users and admins in your org.

Renaming of .docx files to .doc

With AppFileEvents, you can hunt for attempts to move and stage malicious content using cloud tools. The corresponding query locates attempts to rename a .docx file to .doc, likely to bypass protection tools and allow malicious macros to run.
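The three scenarios above (cleartext LDAP logons, SAMR reconnaissance, and .docx to .doc renames) share one shape: filter a table on a few columns, then group or match. The script below is an added example written for this post, not a query from Microsoft or from the original article, and it is Python rather than the Kusto query language the security center uses. The dict keys mimic column names of IdentityLogonEvents, IdentityQueryEvents and AppFileEvents as the author understands the schema; the ActionType, LogonType and Protocol string values and every record are constructed for illustration, so check them against your tenant's schema reference before porting the logic to a real hunting query.

```python
"""Hunting logic for the three sample scenarios, run over constructed records.

Added example; not code from the original post or from Microsoft. Column
names are assumed to match the advanced-hunting tables; all values and
records below are constructed sample telemetry, not captured data.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# --- Constructed sample telemetry (assumed column names, constructed values) ---
IDENTITY_LOGON_EVENTS = [
    {"Timestamp": "2020-04-20T08:01:00Z", "Protocol": "Kerberos", "LogonType": "Network",
     "AccountName": "alice", "DeviceName": "WS01", "IPAddress": "10.0.0.5"},
    {"Timestamp": "2020-04-20T08:02:00Z", "Protocol": "LDAP", "LogonType": "LDAP cleartext",
     "AccountName": "svc-backup", "DeviceName": "APP02", "IPAddress": "10.0.0.22"},
    {"Timestamp": "2020-04-20T08:03:00Z", "Protocol": "LDAP", "LogonType": "LDAP",
     "AccountName": "bob", "DeviceName": "WS07", "IPAddress": "10.0.0.9"},
]

IDENTITY_QUERY_EVENTS = [
    {"Timestamp": "2020-04-20T09:00:00Z", "ActionType": "SAMR query", "QueryType": "QueryUser",
     "QueryTarget": "administrator", "AccountName": "bob", "DeviceName": "WS07"},
    {"Timestamp": "2020-04-20T09:00:05Z", "ActionType": "SAMR query", "QueryType": "QueryGroup",
     "QueryTarget": "Domain Admins", "AccountName": "bob", "DeviceName": "WS07"},
    {"Timestamp": "2020-04-20T09:10:00Z", "ActionType": "LDAP query", "QueryType": "QueryGroup",
     "QueryTarget": "Domain Admins", "AccountName": "svc-monitor", "DeviceName": "MON01"},
    {"Timestamp": "2020-04-20T09:20:00Z", "ActionType": "SAMR query", "QueryType": "QueryUser",
     "QueryTarget": "alice", "AccountName": "helpdesk", "DeviceName": "HD03"},
]

APP_FILE_EVENTS = [
    {"Timestamp": "2020-04-20T10:00:00Z", "ActionType": "FileRenamed", "Application": "OneDrive",
     "PreviousFileName": "Invoice_Q1.docx", "FileName": "Invoice_Q1.doc", "AccountDisplayName": "carol"},
    {"Timestamp": "2020-04-20T10:01:00Z", "ActionType": "FileRenamed", "Application": "OneDrive",
     "PreviousFileName": "notes.docx", "FileName": "notes-final.docx", "AccountDisplayName": "dave"},
    {"Timestamp": "2020-04-20T10:02:00Z", "ActionType": "FileUploaded", "Application": "SharePoint",
     "PreviousFileName": "", "FileName": "report.doc", "AccountDisplayName": "erin"},
    {"Timestamp": "2020-04-20T10:03:00Z", "ActionType": "FileRenamed", "Application": "SharePoint",
     "PreviousFileName": "Budget.DOCX", "FileName": "Budget.DOC", "AccountDisplayName": "carol"},
]


def ldap_cleartext_logons(rows):
    """Scenario 1: LDAP logons whose bind carried the password in the clear."""
    return [r for r in rows
            if r.get("Protocol", "").upper() == "LDAP"
            and "cleartext" in r.get("LogonType", "").lower()]


# Privileged principals whose enumeration over SAMR is worth a closer look.
SENSITIVE_TARGETS = {"administrator", "domain admins", "enterprise admins"}


def suspicious_samr_queries(rows, sensitive=SENSITIVE_TARGETS):
    """Scenario 2: SAMR queries that enumerate privileged users or groups.

    Grouped by (DeviceName, AccountName) so a host that walks several
    sensitive targets produces one finding listing all of them.
    """
    hits = defaultdict(set)
    for r in rows:
        if r.get("ActionType") != "SAMR query":
            continue
        if r.get("QueryTarget", "").lower() in sensitive:
            hits[(r["DeviceName"], r["AccountName"])].add(r["QueryTarget"])
    return {key: sorted(targets) for key, targets in hits.items()}


def docx_to_doc_renames(rows):
    """Scenario 3: .docx renamed to .doc in managed cloud apps.

    Only rename events count (uploads with an empty PreviousFileName are
    skipped), and the extension match is case-insensitive.
    """
    findings = []
    for r in rows:
        if r.get("ActionType") != "FileRenamed":
            continue
        old_ext = PurePosixPath(r.get("PreviousFileName", "")).suffix.lower()
        new_ext = PurePosixPath(r.get("FileName", "")).suffix.lower()
        if old_ext == ".docx" and new_ext == ".doc":
            findings.append(r)
    return findings


def run_hunts():
    """Run all three hunts, the way a scheduled custom detection rule would."""
    return {
        "LdapCleartextAuthentication": ldap_cleartext_logons(IDENTITY_LOGON_EVENTS),
        "SamrReconnaissance": suspicious_samr_queries(IDENTITY_QUERY_EVENTS),
        "DocxRenamedToDoc": docx_to_doc_renames(APP_FILE_EVENTS),
    }


if __name__ == "__main__":
    for name, findings in run_hunts().items():
        print(f"{name}: {len(findings)} finding(s)")
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("   ", item)
```

Two details carry over to a real query: the SAMR hunt groups by source device and account rather than returning every row, which keeps a single enumerating host from flooding the results, and the rename hunt checks the previous and new extensions case-insensitively and ignores non-rename actions, so an uploaded .doc or a .docx renamed to another .docx does not fire.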

Customize detections and take automatic response actions

Many of you might have already benefited from custom detection alerts driven by advanced hunting queries in Microsoft Defender ATP.

Using advanced hunting queries, you can now automate your hunts so that you can effortlessly surface new signals and raise alerts for new findings. Make sure you configure your custom detection rules to take immediate response actions for you.
