What are the four categories of reporting found in the Microsoft 365 Defender Portal?
This blog post is about reports from Microsoft 365 Security, also known as Microsoft 365 Defender. As a prerequisite, one or, ideally, several Defender products should be set up.
The objective
My initial objective was to obtain a high-level management summary of our Microsoft Defender cloud environment that we would share with the people responsible for IT on a regular basis. It should be effective in its contents but also straightforward. The data should mainly come from Microsoft 365 Defender. Please note that this approach is especially recommended when only the Microsoft Defender suite is in use (not Azure Sentinel SIEM, where more unified reports would be available).

Purpose of a (scheduled) security report
A personalized summary of the current and past security landscape can help you really understand the impact of your security products between the end users and security as a perimeter. It discloses information about your security posture and tells the different parties which strategy to follow now and in the future. It can range from high level to low level, but a management summary is usually required to be self-explanatory and straightforward. The key points of a security report consist of:
But how do you get and summarize all the signals and outputs from your various security systems? Well, you need to know the right places to find reports, use Graph interfaces and sometimes even go to a separate portal.

Part 1: where to find reports
Report types in Microsoft 365 Defender
Of course Microsoft 365 Defender houses a built-in report section:
Threat and vulnerability management (TVM) with Defender for Endpoint
For endpoint security, Defender for Endpoint provides massive insight into threat and vulnerability management (TVM). This mainly focuses on devices and software and the CVEs that affect them.

Other sources
Let's link some more information to product reports. This could also be helpful for finding more relevant data.

Defender for Endpoint
To gather more report types, I would consider Power BI with Microsoft's Defender for Endpoint GitHub repository or this one. Next to that, the portal can give more insight with the device inventory and the information related to each device. Additionally, Microsoft Intune (if in place) has its own reports and analytics section.

Defender for Identity
Scheduled reports can be set up in the Defender for Identity external portal (legacy).
Defender for Office 365
For Defender for Office 365 I can recommend the built-in reports of Microsoft 365 and the reports from the Exchange admin center. One very important thing is missing at the time of writing: reporting on SPF and DKIM results for DMARC. A DMARC policy supports aggregate and forensic reporting addresses, but unfortunately Microsoft does not provide a product for that use case yet. DMARC Analyzer from Mimecast is a suitable solution for email security visibility and governance in terms of authentication.

Defender for Cloud Apps
Cloud discovery from Defender for Cloud Apps is perfect for gathering SaaS collaboration information. Defender for Endpoint integration is the best and easiest way to fill it with data. You also have the option of app connectors or firewall logs, which deliver powerful data.

Azure AD
I have already written a whole blog post about monitoring Azure AD. Summarized: platform logs come with good filter options, and workbooks are even better for reporting.

Conditional Access
The service insights from Azure AD Conditional Access are what I would go for to get MFA and CA reports.

Do not forget: asset management and AD DS
An extra source in addition to the places already mentioned would be an independent asset management for: more device information, and device security and compliance stats such as antivirus software, its status, whether it is running an up-to-date intelligence version, and any irregularities.

Part 2: Structure a management summary
The management summary which I wrote has the following requirements and is structured with its contents like the following:

Requirements
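The DMARC reporting gap noted under Defender for Office 365 above is one place where the summary's numbers have to be produced outside Defender. As an added example (not from the original post or any Microsoft or Mimecast product), the following Python reduces one DMARC aggregate (rua) report to the figures a management summary would carry; the XML is a constructed sample in the RFC 7489 aggregate-report layout, and the domain and IP addresses are documentation placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id>
  </report_metadata>
  <policy_published><domain>contoso.example</domain><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
</feedback>"""

def summarize_dmarc_report(xml_text):
    """Reduce one aggregate report to the figures a management summary needs.

    A message passes DMARC when the receiver's aligned DKIM *or* aligned SPF
    check passed, so a single failing mechanism is not a DMARC failure.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "sources": {},
    }
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = summary["sources"].setdefault(ip, {"total": 0, "failed": 0})
        src["total"] += count
        summary["total"] += count
        if passed:
            summary["passed"] += count
        else:
            src["failed"] += count
    total = summary["total"]
    summary["pass_rate"] = round(100 * summary["passed"] / total, 1) if total else 0.0
    # Sources whose mail failed entirely are the ones worth escalating.
    summary["unauthenticated_sources"] = sorted(
        ip for ip, s in summary["sources"].items() if s["failed"] == s["total"])
    return summary
```

Feeding a month of real reports through this gives the pass rate and the list of sending sources that never authenticate, which is the DMARC line a management summary needs.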
Content list
If you want to dive deeper I can recommend the following sources:
What are the four categories found in the security report in the Microsoft 365 Defender Portal?
The Microsoft 365 Defender portal helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for:
- Incidents & alerts
- Hunting
- Actions & submissions
- Threat analytics
- Secure score
- Learning hub
- Trials

What does Microsoft 365 Defender include?
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Which types of evidence can you review for an incident in Microsoft 365 Defender?
Evidence and Response
Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP addresses, and more.
How many types of Microsoft Defender are there?
Microsoft Defender as a brand sits at the top of the tree. In itself, it's not a product; it's the combination of two security stacks: Microsoft 365 Defender and Azure Defender.