Incident Response
Incident Response in the Hybrid Cloud
How can Security Center help?
- Each Security Alert provides information that can be used to better understand the nature of the attack and suggests possible mitigations
- Some alerts also provide links to more information or to other sources of information within Azure
- You can use the information provided for further research and to begin mitigation; you can also search the security-related data that is stored in your Log Analytics workspace.
Investigating Security Issues
- Security Center > Detection > Security Alerts > Click any “Security incident detected” alert
- At the top of the new “Security incident detected” panel, click “Start Investigation” or “Continue Investigation”
- Select an entity that is tagged as a high priority
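The portal steps above, done from PowerShell, as an added example that is not part of the original slides: it lists the “Security incident detected” alerts with the Az.Security module, takes the compromised entity from each, and then searches the security data stored in the workspace for every alert raised on that entity (the same pivot the investigation panel starts from). It assumes the Az.Accounts, Az.Security and Az.OperationalInsights modules are installed and that `$WorkspaceId` is your own workspace's customer ID; the `SecurityAlert` table and the property names on the alert objects are those of Security Center and Az.Security at the time of writing, so check them with `Get-Member` if your module version differs.

```powershell
# Added example, not the original page's code.
# Assumptions: Az.Accounts, Az.Security and Az.OperationalInsights are installed;
# $WorkspaceId is the Log Analytics workspace ID (customer ID GUID) you supply.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [int] $LookbackDays = 7
)

Connect-AzAccount | Out-Null

# 1. Equivalent of Detection > Security Alerts: list the incident alerts in the subscription.
$incidents = Get-AzSecurityAlert |
    Where-Object { $_.AlertDisplayName -like 'Security incident detected*' }

if (-not $incidents) {
    Write-Host "No 'Security incident detected' alerts in the current subscription."
    return
}

foreach ($incident in $incidents) {
    # 2. An incident groups related alerts around one entity; that entity is where the pivot starts.
    $entity = $incident.CompromisedEntity
    Write-Host ("Incident: {0} | severity {1} | entity {2}" -f `
        $incident.AlertDisplayName, $incident.Severity, $entity)

    # The entity name comes from alert data, so escape it before splicing it into KQL
    # (KQL string literals use backslash escapes).
    $safeEntity = $entity -replace "'", "\'"

    # 3. Search the workspace for everything Security Center raised on the same entity:
    #    the alerts that make up the incident plus any it did not correlate.
    $kql = @"
SecurityAlert
| where TimeGenerated > ago(${LookbackDays}d)
| where CompromisedEntity == '$safeEntity'
| project TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps
| order by TimeGenerated desc
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    $result.Results | Format-Table TimeGenerated, AlertName, AlertSeverity -AutoSize
}
```

Run it as `.\Investigate-Incident.ps1 -WorkspaceId <guid>`; the `RemediationSteps` column of each row is the same mitigation text the alert panel shows, and the KQL in `$kql` can be pasted unchanged into Log Search to keep digging.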
Using Security Playbooks
Security Playbooks are Azure Logic Apps workflows that run in response to a Security Center alert.
They can, for example, send the alert details to a chat application such as Slack.
- Security Center > Detection > Security Alerts > Click any “Security incident detected” alert
- At the top of the new “Security incident detected” panel, click “Run Playbook”
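What a Slack playbook does when it runs, written as a PowerShell function so the payload is visible; this is an added example, not a Logic App definition from the original slides or from Microsoft. It assumes a Slack Incoming Webhook URL held in the `SLACK_WEBHOOK_URL` environment variable (in a real playbook the secret lives in the Logic App's Slack connection, not in a script) and an alert object shaped like `Get-AzSecurityAlert` output; the sample alert at the bottom is constructed.

```powershell
# Added example, not the original page's code.
# Assumptions: $env:SLACK_WEBHOOK_URL holds a Slack Incoming Webhook URL you created;
# the alert object carries AlertDisplayName, Severity, CompromisedEntity and Description
# (property names from Az.Security / the Security Center alert schema at time of writing).
function Send-SecurityAlertToSlack {
    param(
        [Parameter(Mandatory)] [string] $WebhookUrl,
        [Parameter(Mandatory)] $Alert   # Get-AzSecurityAlert object or a playbook trigger body
    )

    # Colour the Slack attachment by severity so High alerts stand out in the channel.
    $color = switch ($Alert.Severity) {
        'High'   { 'danger' }
        'Medium' { 'warning' }
        default  { 'good' }
    }

    $payload = @{
        text        = "Azure Security Center alert: $($Alert.AlertDisplayName)"
        attachments = @(
            @{
                color  = $color
                fields = @(
                    @{ title = 'Severity';    value = $Alert.Severity;          short = $true  },
                    @{ title = 'Entity';      value = $Alert.CompromisedEntity; short = $true  },
                    @{ title = 'Description'; value = $Alert.Description;       short = $false }
                )
            }
        )
    }

    # ConvertTo-Json defaults to -Depth 2, which would truncate the nested 'fields' array.
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' `
        -Body ($payload | ConvertTo-Json -Depth 5)
}

# Constructed sample alert, standing in for what the playbook trigger would deliver.
$sample = [pscustomobject]@{
    AlertDisplayName  = 'Security incident detected'
    Severity          = 'High'
    CompromisedEntity = 'web-vm-01'
    Description       = 'Several alerts were correlated on the same resource; start an investigation.'
}

Send-SecurityAlertToSlack -WebhookUrl $env:SLACK_WEBHOOK_URL -Alert $sample
```

The webhook URL is a bearer secret: anyone holding it can post into the channel, so keep it in the Logic App connection or Key Vault and out of source control.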
Using Threat Intelligence
What is Threat Intelligence?
- Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Why use Threat Intelligence?
- By using the threat intelligence option available in Security Center, IT administrators can identify security threats against the environment, for example computers that are communicating with known malicious IP addresses.
- Computers become nodes in a botnet when attackers illicitly install malware that secretly connects the computer to a command-and-control server; threat intelligence flags that traffic. It can also identify potential threats coming from underground communication channels, such as the dark web.
How does Microsoft keep TI updated?
- Teams of security researchers and data scientists
- Monitor threat intelligence
- Share signals and analysis across Microsoft security products and services
- Work on specialized fields, like forensics and web attack detection
- Culminates in new detection algorithms, which are validated and tuned.
- Often results in new security insights or threat intelligence that informs security research
Demo
- Security Center > Detection > Threat Intelligence > Select workspace
- Displays the geo-locations of traffic coming into your environment, so you can see which sources are talking to your machines.