◈ Triage security alerts
◈ Investigate further to determine the root cause and scope of a security incident
◈ Search security data to aid in investigation
Prerequisites
To step through the features covered in this tutorial, you must be on Security Center’s Standard pricing tier. You can try Security Center Standard at no cost for the first 60 days.
Triage security alerts
Security Center provides a unified view of all security alerts. Security alerts are ranked by severity and, when possible, related alerts are combined into a security incident. When triaging alerts and incidents, you should:
◈ Dismiss alerts for which no additional action is required, for example if the alert is a false positive
◈ Act to remediate known attacks, for example blocking network traffic from a malicious IP address
◈ Determine alerts that require further investigation
1. On the Security Center main menu under DETECTION, select Security alerts:
2. In the list of alerts, click on a security incident, which is a collection of alerts, to learn more about this incident. Security incident detected opens.
3. On this screen the security incident description is shown at the top, followed by the list of alerts that are part of this incident. Click the alert that you want to investigate further to obtain more information.
For alerts that can be safely dismissed, you can right click on the alert and select the option Dismiss:
4. If the root cause and scope of the malicious activity are unknown, proceed to the next step to investigate further.
Investigate an alert or incident
1. On the Security alert page, click the Start investigation button (if you already started, the button name changes to Continue investigation).
The investigation map is a graphical representation of the entities that are connected to this security alert or incident. Clicking an entity in the map reveals the entities related to it, and the map expands. The properties of the selected entity are highlighted in the pane on the right side of the page; the information available on each tab varies according to the selected entity. During the investigation process, review all relevant information to better understand the attacker’s movement.
2. If you need more evidence, or must further investigate entities that were found during the investigation, proceed to the next step.
Search data for investigation
You can use search capabilities in Security Center to find more evidence of compromised systems, and more details about the entities that are part of the investigation.
To perform a search, open the Security Center dashboard, click Search in the left navigation pane, select the workspace that contains the entities that you want to search, type the search query, and click the search button.
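As an added example (not part of this tutorial), two queries of the kind you might type into that search box. They assume the selected workspace holds Security Center's SecurityAlert table and the SecurityEvent table populated by the Microsoft Monitoring Agent on the VMs under investigation; the host name and alert time are placeholders to fill in from the investigation map.

```kusto
// Added example, not from the tutorial. Assumes the selected workspace holds
// Security Center's SecurityAlert table and the SecurityEvent table populated
// by the Microsoft Monitoring Agent on the VMs being investigated.

// Query 1: triage view. Group the last 7 days of alerts by name, severity and
// compromised entity, highest severity first, so repeated alerts on one host
// stand out and isolated low-severity alerts can be reviewed for dismissal.
SecurityAlert
| where TimeGenerated > ago(7d)
| extend SeverityRank = case(AlertSeverity == "High", 0,
                             AlertSeverity == "Medium", 1, 2)
| summarize AlertCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by AlertName, AlertSeverity, SeverityRank, CompromisedEntity
| order by SeverityRank asc, AlertCount desc
| project-away SeverityRank

// Query 2: scope an entity found on the investigation map. Placeholders:
// replace the host name and the alert time with values taken from the alert.
let suspectHost = "PLACEHOLDER-HOST";
let alertTime = datetime(2000-01-01T00:00:00Z);
SecurityEvent
| where Computer startswith suspectHost
| where TimeGenerated between ((alertTime - 1h) .. (alertTime + 1h))
// 4624 successful logon, 4625 failed logon, 4688 process creation
| where EventID in (4624, 4625, 4688)
| project TimeGenerated, EventID, Activity, Account, LogonType,
          IpAddress, Process, CommandLine
| order by TimeGenerated asc
```

Run the two queries separately; the second one shows who logged on and what was launched on the host in the hour around the alert, which is the evidence the investigation map alone does not give you.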
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, continue running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue or wish to return to the Free tier:
1. Return to the Security Center main menu and select Security Policy.
2. Select the subscription or policy that you want to return to Free. Security policy opens.
3. Under POLICY COMPONENTS, select Pricing tier.
4. Select Free to change subscription from Standard tier to Free tier.
5. Select Save.
If you wish to disable automatic provisioning:
1. Return to the Security Center main menu and select Security policy.
2. Select the subscription for which you wish to disable automatic provisioning.
3. Under Security policy – Data Collection, select Off under Onboarding to disable automatic provisioning.
4. Select Save.
Note
Disabling automatic provisioning does not remove the Microsoft Monitoring Agent from Azure VMs where the agent has been provisioned. Disabling automatic provisioning limits security monitoring for your resources.