Automated investigations is a powerful feature that can help security teams identify where. After watching this video, you will understand how the Automated investigations feature works and how it can be configured to your preferences.
- [Instructor] Now I'd like to show and tell you a bit about Automated Investigation and Response in Microsoft Defender Advanced Threat Protection. So I'll begin by browsing to the Microsoft Defender Security Center, the Defender ATP portal, and to set the stage for automation, I want to go to Settings and check a couple of key items here. So under Advanced Features, I'll enable Automated Investigation, which is enabling that capability, and I'm also going to enable the ability to automatically resolve alerts. So that way, if my automated investigation finds there's no threat or it successfully remediates the issue, it can go ahead and close those alerts for me automatically. Now, we may not be comfortable with a brand new feature enabling full automation right away, but we have some control over that. So I'm going to go to Machine groups and show you how we can control that behavior, so we can get comfortable with a new feature like this automation in remediating issues. So if I hit Add machine group, I can create a new group of machines. I'll show you one that I've already created for my Windows desktops in headquarters, and if I scroll down to the bottom to Members, you'll see that I'm searching based on name. I can do this based on multiple criteria, and then I can preview my results to make sure the machines I expect to be in the group will be there, and this will preview up to 10 machines. And up here near the top, you'll see the Automation level, so I can set semi-automated as my starting point. So I can allow the investigation to happen on an automated basis, and I can save that fully automated remediation for later. I can basically require approval, and once I'm comfortable with the feature and I've seen good behavior, I can flip the switch to full and allow Defender ATP to take control in an incident situation from end to end. And this automated incident feature, the automated investigation and response feature, came from Microsoft's acquisition of a company called Hexadite.
And the core problem here is that in many organizations, they're experiencing more alerts, more items that require investigation, than their human staff can investigate in a day's time, so they wind up with this insurmountable daily gap. And so Defender ATP's automated investigation capability is intended to simply reproduce what a competent security analyst could do, but at much greater scale, and since that acquisition, Microsoft has over many months incorporated the Hexadite features into what we know today as automated investigation. So I'll go to my Alerts queue, where I can examine a past automated investigation. And all the alerts associated with an investigation get wrapped into an incident. There are a number of reasons that alerts can be gathered in an incident, one of which is an automated investigation, so I clicked on a previous investigation here and we can see all the facets of this investigation right here. So here's the graph that shows me what exactly was examined, and I can see that 2,800 entities were analyzed. It would take a human analyst a bit of time to do that. But Microsoft Defender ATP can do that quite quickly, so that's that scale element. I'll just jump over to Alerts. I can see the alerts that triggered this process. I can see the key findings associated with this investigation, so I see here there were quite a few malicious processes and a malicious file, and when we look at the names of these, clearly these were really suspicious, and there were alerts raised for each, and the automated investigation was kicked off. Now, you notice in this case there's a Pending actions history. That's because full automation was not enabled, and the wait for approval went on for three days before Defender finally abandoned that attempt. So this just points out where that automated remediation could come in really handy.
If you're a very large corporation, you might have staff that work through weekends and holidays, after hours, to make sure that those responses happen and that approvals are given where necessary. But if you're a smaller company or short on staff, that automation may be exactly what you need to make sure that that remediation, that cleanup, is taken care of over a long weekend or after hours, when people just don't have time for or eyes on that process. And if you'd like to try out some of these advanced features, including automated investigation and remediation, just click on Help in the Microsoft Defender Security Center, then click Simulations & Tutorials. The Automated Investigation is actually Scenario 4, so you can copy the script that simulates the attack. There's a PDF walkthrough that will take you through what is being performed in terms of actions and what is expected to be triggered in Defender ATP. So whether you're new to Microsoft Defender ATP or you haven't looked at Defender ATP in quite a while, it's definitely worth revisiting, because the features have grown exponentially over the last 12 to 18 months.