Microsoft 365 Security Products Integration Design - August 2021 © Marius Mocanu, Adrian Grigorof
High Definition available at http://www.managedsentinel.com
Azure Sentinel (SIEM / SOAR)
  - Log Analytics Workspace with the SecurityAlert table (the poster labels it "SecurityAlerts"; the Log Analytics table is named SecurityAlert).
  - Kusto Query Language (KQL) queries: log correlation, enrichment, log retention.
  - Analytics (alert) rules, automation rules and playbooks (SOAR automation).
  - Alerts from the Microsoft 365 Defender products arrive via the M365 Defender data connector (bi-directional incident synchronisation).

Managed Sentinel MDR service (www.managedsentinel.com; https://www.bluevoyant.com)
  - 24x7 Managed Detection and Response, custom alerts, security investigation, third-party risk, threat intelligence, cyber forensics, incident response, vulnerability management.
  - Delivered through Azure Lighthouse (remote management of the customer tenant): SOAR automation, M365 deployment, alert-rule tune-up, health monitoring.
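The "log correlation / enrichment" box above is the point of landing every product's alerts in one SecurityAlert table. The query below is an added example, not part of the original poster or of Managed Sentinel's rule set: it takes account entities out of alerts raised by the M365 Defender products and joins them with medium/high-risk sign-ins from Azure AD Identity Protection (SigninLogs) within a one-hour window. The ProductName strings, the Entities JSON layout (Name/UPNSuffix/Type) and the 60-minute window are assumptions; check ProductName values in your own workspace with `SecurityAlert | distinct ProductName` before relying on the filter.

```kusto
// Added example (not from the poster): correlate M365 Defender alerts with
// risky Azure AD sign-ins for the same account, within one hour.
let lookback = 7d;
// Assumed ProductName values; verify with: SecurityAlert | distinct ProductName
let m365Products = dynamic([
    "Microsoft Defender Advanced Threat Protection",
    "Azure Advanced Threat Protection",
    "Microsoft Cloud App Security",
    "Office 365 Advanced Threat Protection",
    "Microsoft 365 Defender"]);
let m365Alerts = SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName in (m365Products)
// Entities is a JSON string; expand it to one row per entity
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| where isnotempty(tostring(Entity.Name)) and isnotempty(tostring(Entity.UPNSuffix))
| extend AccountUpn = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
| project AlertTime = TimeGenerated, AlertName, AlertSeverity, ProductName, Tactics,
          AccountUpn, SystemAlertId;
let riskySignins = SigninLogs
| where TimeGenerated > ago(lookback)
| where RiskLevelDuringSignIn in ("medium", "high")
| project SigninTime = TimeGenerated, AccountUpn = tolower(UserPrincipalName),
          IPAddress, Location, RiskLevelDuringSignIn, RiskState;
m365Alerts
| join kind=inner riskySignins on AccountUpn
// keep only alert/sign-in pairs that are close in time (assumed 60 minutes)
| where abs(datetime_diff('minute', AlertTime, SigninTime)) <= 60
| summarize Alerts = make_set(AlertName),
            Products = make_set(ProductName),
            Tactics = make_set(Tactics),
            Severities = make_set(AlertSeverity),
            SigninIPs = make_set(IPAddress),
            SigninLocations = make_set(Location),
            SigninRisk = make_set(RiskLevelDuringSignIn),
            RiskState = make_set(RiskState),
            AlertIds = make_set(SystemAlertId)
            by AccountUpn, bin(AlertTime, 1h)
| order by AlertTime desc
```

Run as a scheduled analytics rule, each result row is a candidate incident: one account, the products that flagged it, the MITRE tactics involved and the sign-in context. Entities without a UPNSuffix (for example on-premises-only accounts surfaced by Defender for Identity) are deliberately dropped rather than joined on an ambiguous short name.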
Microsoft Defender for Office 365 (Plan 2)
  - Safe Attachments (SharePoint, OneDrive, Teams, Office clients); Safe Links (links in emails and documents); time-of-click protection (Teams, Outlook); anti-phishing / anti-spam; Office 365 protection for SharePoint, OneDrive and Teams.
  - Threat Explorer, Threat Tracker, Campaign Views, Attack Simulator, Automated Investigation and Response (AIR).
  - Interfaces: Alerts, Alert Policy, REST APIs, Webhooks, Reporting, Event Search, User Tagging, Dashboards.
  - Configuration: Enhanced Filtering, DKIM, Allow/Block Lists, Threat Policies, Policy Templates, Rules.
  - To Azure Sentinel: security alerts via the M365 Defender data connector (bi-directional).

Microsoft Cloud App Security (MCAS)
  - Information Protection, Threat Detection, Cloud Discovery, Conditional Access App Control (real-time app control over Azure AD-federated and third-party SaaS applications, SAML 2.0).
  - UEBA, productivity app discovery, OAuth apps; anomaly detections shown: suspicious inbox manipulation rules, impossible travel.
  - Interfaces: Dashboards, Storage *, Policies, Reports, Governance Actions.
  - Data retention: activity log 180 days; discovery data 90 days; alerts 180 days; governance log 120 days.
  - To Azure Sentinel: security alerts via the M365 Defender data connector (bi-directional); detected events; discovery logs (optional).
  - Poster note: Defender for Identity alerts reach Sentinel only via MCAS.

Microsoft Defender for Identity
  - ATP sensor on Windows Domain Controllers; inputs: AD entities, network traffic, Windows events.
  - Windows events monitored: 4776 (credential validation), 4728, 4729, 4732, 4733, 4756, 4757 (security group membership changes), 7045 (service installed), 8004 (NTLM authentication audit).
  - VPN gateway RADIUS accounting: Cisco ASA, Check Point, F5, Microsoft.
  - Capabilities: advanced threat detection, attack surface reduction, alert investigation, User and Entity Behavior Analytics (UEBA).
  - Interfaces: Storage *, Reports, Notifications, Health.
  - Outputs: activities, alerts, identity metadata.

Microsoft Defender for Endpoint
  - Threat & Vulnerability Management (software inventory, security recommendations), Attack Surface Reduction, Next Generation Protection, Endpoint Detection and Response (EDR), Automated Threat Investigation, Microsoft Threat Experts, Live Response.
  - Supported platforms shown: Windows 7 SP1, Windows 10, Windows Server; macOS 10.13 (High Sierra), 10.14 (Mojave), 10.15 (Catalina); Linux; Android 6.0 and above.
  - Windows event IDs referenced: 5007, 1121, 1122 (Microsoft Defender Antivirus configuration change and attack surface reduction rule block / audit events).
  - Interfaces: Storage *, Reports, Dashboards, Alerts, Rules.
  - Outputs: alerts, incidents, automated investigations (security and health); activities, alerts and host metadata to Azure Sentinel.

Azure AD Identity Protection (minimum Azure AD Premium P2 license)
  - Risk detection, risk investigation, risk remediation.
  - Reports: risky users, risky sign-ins, risk detections.
  - Policies: MFA registration, user risk remediation, sign-in risk remediation.
  - Interfaces: Alerts, Dashboards, Governance Actions.

Microsoft 365 Compliance
  - Data Loss Prevention, Classification, Records Management, Information Governance, Supervision, Service Assurance.

Microsoft Graph Security REST API
  - Data collection and normalization; analytics (machine learning, insights); publish to internal APIs; relationships discovery.
  - Interfaces: REST APIs, Webhooks, Graph Explorer, Security Score.
  - To Azure Sentinel: security alerts; data enrichment via API calls.

Microsoft Intelligence (threat intelligence sources)
  - Sample zoos, dark markets, threat feeds, sinkholes, honeypots, detonation sandboxes, services (IR, intelligence).
  - Feeds threat intelligence to the products and to Azure Sentinel (Threat Intel Feeds).

Azure Security Center / Azure Defender
  - Continuous assessment & recommendations, Azure Secure Score, regulatory compliance, JIT VM access, Adaptive Application Controls (AAC) & network hardening, threat protection, vulnerability scanning, automated remediation, auto provisioning, config checks.
  - Recommendations shown: MFA, access hygiene, identity recommendations, configuration review, network maps, SSL usage.
  - Azure Defender coverage: Azure VMs, Storage, Key Vault, Azure SQL Database, Kubernetes, Container Registry, App Services, Resource Manager, Azure DNS, IoT.
  - Azure resources under config checks: Network Security Groups, Azure Firewall, Event Hubs, App Gateway, Virtual Networks, Azure AD, Azure Cloud Services.
  - Centralized management; 3rd-party cloud connectors (policy management, vulnerability management, EDR, security, compliance).
  - Interfaces: Dashboards, Alerts, Inventory, Workflow Automation, REST APIs, Webhooks.
  - To Azure Sentinel: security alerts, security recommendations, Security Score, regulatory compliance, Azure Security Baseline.

Azure Sentinel inputs and features shown on the connecting edges
  - Data connectors, UEBA, Workbooks, Notebooks, hunting scripts, threat intel feeds, data enrichment, KPI reporting & monitoring.
  - Security alerts from every product above; the MDR service (Managed Sentinel) covers all of them.
  - Office 365 and Azure AD appear as shared data sources for MCAS, Azure AD Identity Protection and Sentinel.

Annotations whose product attribution was lost in extraction
  - "Requires E5 Licenses"; "180 days Data Retention"; "90 days Data Retention (Audit Trail)"; "90 days Data Retention".
  - "Storage *": the footnote the asterisk points to is not present on the page.
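The "Health Monitoring" and "KPI Reporting & Monitoring" items above depend on noticing when one of these alert sources stops delivering to the SecurityAlert table. The query below is an added example, not part of the poster or of any vendor's rule set: it compares each expected product's alert count in the last 24 hours with its daily average over the preceding seven days and labels sources that went silent. The expected ProductName list and the thresholds are assumptions; populate the list from `SecurityAlert | distinct ProductName` in your own workspace.

```kusto
// Added example (not from the poster): detect alert sources that have gone quiet.
let lookback = 8d;
// Assumed ProductName values for the products in this design;
// verify with: SecurityAlert | distinct ProductName
let expected = datatable(ProductName:string) [
    "Microsoft Defender Advanced Threat Protection",
    "Azure Advanced Threat Protection",
    "Microsoft Cloud App Security",
    "Office 365 Advanced Threat Protection",
    "Azure Security Center",
    "Azure Active Directory Identity Protection"
];
let observed = SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize LastAlert = max(TimeGenerated),
            Last24h = countif(TimeGenerated > ago(1d)),
            Prior7d = countif(TimeGenerated <= ago(1d)) by ProductName;
expected
// leftouter keeps products that produced nothing at all in the window
| join kind=leftouter observed on ProductName
| extend DailyBaseline = round(todouble(Prior7d) / 7.0, 1)
| extend Status = case(
    isnull(LastAlert), "never seen in lookback window",
    Last24h == 0 and DailyBaseline >= 1.0, "silent for 24h (was averaging alerts daily)",
    Last24h == 0, "no alerts in 24h (low-volume source)",
    "ok")
| project ProductName, LastAlert, Last24h, DailyBaseline, Status
| order by Status asc, ProductName asc
```

A "never seen" row for a product that is licensed and deployed usually means the data connector itself is broken (expired permissions, a disconnected connector, or a tenant-level change), which no analytics rule on alert content would reveal. Running this on a schedule and surfacing the non-"ok" rows in a workbook gives the MDR team the health view the design calls for.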