From 793e142c5ab1591d0e7201b690585bfe7e65286a Mon Sep 17 00:00:00 2001 From: Ronen-Refaeli <119348463+Ronen-Refaeli@users.noreply.github.com> Date: Sun, 5 Jan 2025 14:17:47 +0200 Subject: [PATCH 1/7] Update investigate-anomaly-alerts.md Waiting for office hours to discuss this. --- .../investigate-anomaly-alerts.md | 54 ++++--------------- 1 file changed, 11 insertions(+), 43 deletions(-) diff --git a/CloudAppSecurityDocs/investigate-anomaly-alerts.md b/CloudAppSecurityDocs/investigate-anomaly-alerts.md index 8c2f66ae40..ecd1f7bf62 100644 --- a/CloudAppSecurityDocs/investigate-anomaly-alerts.md +++ b/CloudAppSecurityDocs/investigate-anomaly-alerts.md @@ -40,7 +40,6 @@ Following proper investigation, all Defender for Cloud Apps alerts can be classi You should use the following general guidelines when investigating any type of alert to gain a clearer understanding of the potential threat before applying the recommended action. -- Review the user's [investigation priority score](tutorial-ueba.md#understand-the-investigation-priority-score) and compare with the rest of the organization. This will help you identify which users in your organization pose the greatest risk. - If you identify a **TP**, review all the user's activities to gain an understanding of the impact. - Review all user activity for other indicators of compromise and explore the source and scope of impact. For example, review the following user device information and compare with known device information: - Operating system and version 
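Review bot: the bullet removed in the `@@ -40,7 +40,6 @@` hunk is the only general-guidance step that uses the investigation priority score, but what the later hunks retire is the **Investigation priority score increase** alert; the score itself, and the `tutorial-ueba.md#understand-the-investigation-priority-score` section this bullet links to, stay in the repo (patch 7 still carries "Select the investigation priority score for an alert or an activity to view the evidence" as unchanged context). If the score remains available, keep this bullet; if it is also going away, tutorial-ueba.md needs the matching removal in this series. The commit message ("Waiting for office hours to discuss this.") suggests this is exactly the open question, so please settle it before merge.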
@@ -712,7 +711,17 @@ Establishing a new user's activity pattern requires an initial learning period o 1. Review the deletion activities and create a list of deleted files. If needed, recover the deleted files. 1. Optionally, create a playbook using Power Automate to contact users and their managers to verify the activity. -### Investigation priority score increase (preview) +### Investigation priority score increase (legacy) + +> [!IMPORTANT] +> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. As such, the legacy procedure presented in this article is provided for informational purposes only. +> +> If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information: +> +>[Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk) +> +>[Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies) +> Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants. 
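Review bot: renaming the heading from `(preview)` to `(legacy)` in the `@@ -712,7 +711,17 @@` hunk changes its anchor to `#investigation-priority-score-increase-legacy`, so every inbound link to `#investigation-priority-score-increase-preview` (patch 7 shows one in tutorial-ueba.md) has to be updated or removed in the same PR. Within the added callout: the two link lines are written `>[Investigate ...` and `>[Microsoft ...` without the space after `>` the other lines use; the link texts are pasted browser titles ("... - Microsoft Entra ID Protection | Microsoft Learn"), where "Investigate risk" and "Risk-based access policies" would read better; the absolute `https://learn.microsoft.com/en-us/...` URLs should be repo-relative (patch 4 does this later, so squash it here); and the bare trailing `>` line before the blank line can be dropped.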
@@ -740,47 +749,6 @@ Establishing a new user's activity pattern requires an initial learning period o 1. Review all user activity and alerts for additional indicators of compromise. -#### Deprecation timeline - -We're gradually retiring the **Investigation priority score increase** alert from Microsoft Defender for Cloud Apps by August 2024. - -After careful analysis and consideration, we decided to deprecate it due to the high rate of false positives associated with this alert, which we found wasn't contributing effectively to the overall security of your organization. - -Our research indicated that this feature wasn't adding significant value and wasn't aligned with our strategic focus on delivering high-quality, reliable security solutions. - -We're committed to continuously improving our services and ensuring that they meet your needs and expectations. - -For those who wish to continue using this alert, we suggest using the following advanced hunting query instead as a suggested template. Modify the query based on your needs. 
- -```kql -let time_back = 1d; -let last_seen_threshold = 30; -// the number of days which the resource is considered to be in use by the user lately, and therefore not indicates anomaly resource usage -// anomaly score based on LastSeenForUser column in CloudAppEvents table -let last_seen_scores = -CloudAppEvents -| where Timestamp > ago(time_back) -| where isnotempty(LastSeenForUser) -| mv-expand LastSeenForUser -| extend resource = tostring(bag_keys(LastSeenForUser)[0]) -| extend last_seen = LastSeenForUser[resource] -| where last_seen < 0 or last_seen > last_seen_threshold -// score is calculated as the number of resources which were never seen before or breaching the chosen threshold -| summarize last_seen_score = dcount(resource) by ReportId, AccountId; -// anomaly score based on UncommonForUser column in CloudAppEvents table -let uncommonality_scores = -CloudAppEvents -| where Timestamp > ago(time_back) -| where isnotempty(UncommonForUser) -| extend uncommonality_score = array_length(UncommonForUser) -// score is calculated as the number of uncommon resources on the event -| project uncommonality_score, ReportId, AccountId; -last_seen_scores | join kind=innerunique uncommonality_scores on ReportId and AccountId -| project-away ReportId1, AccountId1 -| extend anomaly_score = last_seen_score + uncommonality_score -// joined scores -``` - ## See also > [!div class="nextstepaction"] From 22300918ca404349c01813c08a4682dbc611e057 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:17:00 +0200 Subject: [PATCH 2/7] adding what's new for unified soc opts --- unified-secops-platform/whats-new.md | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/unified-secops-platform/whats-new.md b/unified-secops-platform/whats-new.md index 9707c2c410..ea36c7669c 100644 --- a/unified-secops-platform/whats-new.md +++ b/unified-secops-platform/whats-new.md 
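Review bot: in patch 1's `@@ -740,47 +749,6 @@` hunk, deleting the `#### Deprecation timeline` heading removes the anchor that tutorial-ueba.md links to as `investigate-anomaly-alerts.md#deprecation-timeline` (visible as a removed line in patch 7), so patches 1 and 7 must land together or the intermediate state ships a broken link. The deleted `kql` block was also the only documented substitute for the retired alert, and the Entra ID Protection pages the new callout points to cover identity risk rather than the `LastSeenForUser`/`UncommonForUser` anomaly scoring over `CloudAppEvents` that the query implemented; either keep the query under the new `(legacy)` heading or say plainly in the callout that no equivalent hunting template is offered.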
@@ -20,6 +20,36 @@ ms.topic: concept-article This article lists recent features added into Microsoft's unified SecOps platform within the Microsoft Defender portal, and new features in related services that provide an enhanced user experience in the platform. +## January 2024 + +[SOC optimization updates for unified coverage management](#soc-optimization-updates-for-unified-coverage-management) + +### SOC optimization updates for unified coverage management + +In workspaces enabled for unified security operations, SOC optimziations now support both SIEM and XDR data, with detection coverage from across Microsoft Defender services. + +In the Defender portal, the **SOC optimizations** and **MITRE ATT&CK** pages also now provide extra functionality for threat-based coverage optimiations to help you understand the impact of the recommendations on your environment and help you prioritize which to implement first. + +Enhancements on the SOC optimizations **Overview** page include: + +- A **High**, **Medium**, or **Low** score for your current detection coverage. This sort of scoring can help you decide which recommendations to prioritize at a glance. +- An indication of the number of active Microsoft Defender products (services) out of all available products. This helps you understand whether there's a whole product that you're missing in your environment. + +Optimizations on an optimization details side pane, shown when you drill down to a specific optimization, include: + +- Detailed coverage analysis, including the number of user-defined detections, response actions, and products you have active +- Detailed spider charts that show your coverage across different threat categories, for both user-defined and out-of-the-box detections. +- An option to jump to the specific threat scenario in the **MITRE ATT&CK** page instead of viewing MITRE ATT&CK coverage only in the side pane. 
+- An option to **View full threat scenario** to drill down to even further details about the security products and detections available to provide security coverage in your environment. + +Enhancements for **MITRE ATT&CK** functionality include: + +- A new toggle to view coverage by threat scenario. If you've jumped to the **MITRE ATT&CK** page from either a recommendation details side pane or from the **View full threat scenario** page, the **MITRE ATT&CK** page is pre-filtered for your threat scenario. + +- The technique details pane, shown on the side when you select a specific MITRE ATT&CK technique, now shows the number of active detections out of all available detections for that technique. + +For more information, see [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?toc=%2Funified-secops-platform%2Ftoc.json&bc=%2Funified-secops-platform%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal) and [Understand security coverage by the MITRE ATT&CK framework](/azure/sentinel/mitre-coverage). + ## December 2024 - [New SOC optimization recommendations based on similar organizations (Preview)](#new-soc-optimization-recommendations-based-on-similar-organizations-preview) From cbec2e1fbedbd536ef531eb6b430e204fe9d39df Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:18:52 +0200 Subject: [PATCH 3/7] fixing toc --- unified-secops-platform/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unified-secops-platform/TOC.yml b/unified-secops-platform/TOC.yml index fb27a36e5b..5d0d496911 100644 --- a/unified-secops-platform/TOC.yml +++ b/unified-secops-platform/TOC.yml 
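Review bot: the heading added in the `@@ -20,6 +20,36 @@` hunk reads `## January 2024`, but it sits above `## December 2024` in a commit dated January 2025, so it should be `## January 2025`. Typos in the first two paragraphs: "optimziations" and "optimiations". The MITRE ATT&CK list has a blank line between its two bullets, which renders as two separate lists; remove it. "Optimizations on an optimization details side pane" should read "Enhancements on the optimization details side pane", matching the preceding "Enhancements on the SOC optimizations **Overview** page include:". The "For more information" link encodes its query string as `%2Funified-secops-platform%2Ftoc.json` while the TOC entry in patch 3 uses plain `/` for the same target; pick one form. The first bullet list also mixes items ending with and without a period.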
@@ -70,7 +70,7 @@ - name: Automated investigation and response in Microsoft Defender XDR href: /defender-xdr/m365d-autoir?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json - name: Optimize your security operations - href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json + href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal - name: Manage your unified SOC items: - name: Manage multiple tenants From 8184faaedd76d8877da2f0dbb9ee611cb8e19f0b Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 9 Jan 2025 12:21:24 +0200 Subject: [PATCH 4/7] Apply suggestions from code review --- CloudAppSecurityDocs/investigate-anomaly-alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CloudAppSecurityDocs/investigate-anomaly-alerts.md b/CloudAppSecurityDocs/investigate-anomaly-alerts.md index ecd1f7bf62..0e51f252ff 100644 --- a/CloudAppSecurityDocs/investigate-anomaly-alerts.md +++ b/CloudAppSecurityDocs/investigate-anomaly-alerts.md 
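Review bot: the `&tabs=defender-portal` parameter added in the `@@ -70,7 +70,7 @@` hunk only takes effect if the target article `/azure/sentinel/soc-optimization/soc-optimization-access` actually declares a tab with that id; an unknown tab id is silently ignored and the page opens on its default tab, so please verify against the Sentinel source. The value matches the link text and parameter used in the whats-new entry in patch 2, which keeps the two consistent.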
@@ -718,9 +718,9 @@ Establishing a new user's activity pattern requires an initial learning period o > > If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information: > ->[Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk) +>[Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk) > ->[Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies) +>[Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies) > Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants. From ace2e9f420bc73bc364902c7e77bc8f8dce397d5 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 9 Jan 2025 12:21:58 +0200 Subject: [PATCH 5/7] Apply suggestions from code review --- CloudAppSecurityDocs/investigate-anomaly-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CloudAppSecurityDocs/investigate-anomaly-alerts.md b/CloudAppSecurityDocs/investigate-anomaly-alerts.md index 0e51f252ff..ccf961e3e3 100644 --- a/CloudAppSecurityDocs/investigate-anomaly-alerts.md +++ b/CloudAppSecurityDocs/investigate-anomaly-alerts.md 
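Review bot: the `@@ -718,9 +718,9 @@` hunk fixes the URLs to repo-relative paths but leaves the same two lines as `>[Investigate ...` and `>[Microsoft ...`; add the space after `>` while touching them, and shorten the pasted browser-title link texts to the topic names. Since this only corrects patch 1's own addition, squash it into patch 1 before merge.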
@@ -714,7 +714,7 @@ Establishing a new user's activity pattern requires an initial learning period o ### Investigation priority score increase (legacy) > [!IMPORTANT] -> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. As such, the legacy procedure presented in this article is provided for informational purposes only. +> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. > > If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information: > From 1e18c8006e76385c03f61a8403ad52c778dade63 Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 9 Jan 2025 12:24:32 +0200 Subject: [PATCH 6/7] Update investigation priority score section --- .../investigate-anomaly-alerts.md | 35 ++----------------- 1 file changed, 3 insertions(+), 32 deletions(-) diff --git a/CloudAppSecurityDocs/investigate-anomaly-alerts.md b/CloudAppSecurityDocs/investigate-anomaly-alerts.md index ccf961e3e3..03da017d87 100644 --- a/CloudAppSecurityDocs/investigate-anomaly-alerts.md +++ b/CloudAppSecurityDocs/investigate-anomaly-alerts.md 
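Review bot: dropping "As such, the legacy procedure presented in this article is provided for informational purposes only." in the `@@ -714,7 +714,7 @@` hunk leaves the callout with no statement about the TP/B-TP/FP procedure that still follows it at this point in the series; the sentence only becomes redundant once patch 6 deletes that procedure. Squash patches 5 and 6 (both are "Apply suggestions from code review" follow-ups to patch 1) so no intermediate commit reads inconsistently.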
@@ -713,41 +713,12 @@ Establishing a new user's activity pattern requires an initial learning period o ### Investigation priority score increase (legacy) -> [!IMPORTANT] -> Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. -> -> If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information: -> ->[Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk) -> ->[Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies) -> - -Anomalous activities and activities that triggered alerts are given scores based on severity, user impact, and behavioral analysis of the user. The analysis is done based on other users in the tenants. - -When there's a significant and anomalous increase in the investigation priority score of a certain user, the alert will be triggered. - -This alert enables detecting potential breaches that are characterized by activities that don't necessarily trigger specific alerts but accumulate to a suspicious behavior for the user. - -**Learning period** - -Establishing a new user's activity pattern requires an initial learning period of seven days, during which alerts aren't triggered for any score increase. +Starting November 2024, **Investigate risky users** support for Microsoft Defender for Cloud Apps is retired. If this feature was used in your organization and is needed, we recommend using the Entra risk score feature. Please use the following resources for additional information: -**TP**, **B-TP**, or **FP**? - -1. **TP**: If you're able to confirm that the activities of the user aren't legitimate. 
- - **Recommended action**: Suspend the user, mark the user as compromised, and reset their password. +- [Investigate risk Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/howto-identity-protection-investigate-risk) -1. **B-TP**: If you're able to confirm that user indeed significantly deviated from usual behavior, but there's no potential breach. +- [Microsoft Entra ID Protection risk-based access policies - Microsoft Entra ID Protection | Microsoft Learn](/entra/id-protection/concept-identity-protection-policies) -1. **FP** (Unusual behavior): If you're able to confirm that the user legitimately performed the unusual activities, or more activities than the established baseline. - - **Recommended action**: Dismiss the alert. - -**Understand the scope of the breach** - -1. Review all user activity and alerts for additional indicators of compromise. ## See also From 8c94242851913bbc76f01d2d78e8c79390ed3edc Mon Sep 17 00:00:00 2001 From: Batami Gold <26892178+batamig@users.noreply.github.com> Date: Thu, 9 Jan 2025 12:26:33 +0200 Subject: [PATCH 7/7] Update tutorial-ueba.md --- CloudAppSecurityDocs/tutorial-ueba.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/CloudAppSecurityDocs/tutorial-ueba.md b/CloudAppSecurityDocs/tutorial-ueba.md index 324bcd472c..ab53229756 100644 --- a/CloudAppSecurityDocs/tutorial-ueba.md +++ b/CloudAppSecurityDocs/tutorial-ueba.md 
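Review bot: in patch 6's `@@ -713,41 +713,12 @@` hunk the section keeps the `### Investigation priority score increase (legacy)` heading and its place among the anomaly alerts, but no longer has the **Learning period**, **TP/B-TP/FP** and **Understand the scope of the breach** structure every other alert in this article follows, so a reader scanning alert headings finds a retirement notice instead of triage guidance. Consider moving the two sentences into a short retirement note (or keeping the `[!IMPORTANT]` callout) and dropping the alert-style heading, or at least renaming `(legacy)` to `(retired)` to match the text. "the Entra risk score feature" is not the name of the product the links point to; use "Microsoft Entra ID Protection", as in the link texts. The retained blank context lines also leave two consecutive blank lines before `## See also`.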
@@ -46,12 +46,6 @@ Defender for Cloud Apps uses the following to measure risk: Select the investigation priority score for an alert or an activity to view the evidence that explains how Defender for Cloud Apps scored the activity. -> [!NOTE] -> We're gradually retiring the [**Investigation priority score increase**](investigate-anomaly-alerts.md#investigation-priority-score-increase-preview) alert from Microsoft Defender for Cloud Apps by August 2024. The investigation priority score and the procedure described in this article are not affected by this change. -> -> For more information, see [Investigation priority score increase deprecation timeline](investigate-anomaly-alerts.md#deprecation-timeline). - - ## Phase 1: Connect to the apps you want to protect Connect at least one app to Microsoft Defender for Cloud Apps using the [API connectors](enable-instant-visibility-protection-and-governance-actions-for-your-apps.md). We recommend that you start by connecting [Microsoft 365](./connect-office-365.md).
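Review bot: the `@@ -46,12 +46,6 @@` hunk removes the only sentence telling readers that "The investigation priority score and the procedure described in this article are not affected by this change." Now that patch 1 states **Investigate risky users** support is retired, tutorial-ueba.md should keep a one-line statement that the score itself remains available (if that is still the case), otherwise the two articles appear to contradict each other. Removing the two links to `#investigation-priority-score-increase-preview` and `#deprecation-timeline` is correct given patches 1 and 6, but this hunk must merge with them. The deletion also leaves two consecutive blank lines before `## Phase 1`; drop one.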