Tutorial: Triage, investigate, and respond to security alerts

Microsoft Defender for Cloud continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Defender for Cloud. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.

In this tutorial, you'll learn how to:

  • Triage security alerts
  • Investigate a security alert to determine the root cause
  • Respond to a security alert and mitigate that root cause

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To step through the features covered in this tutorial, you must have Defender for Cloud's enhanced security features enabled. To learn more about Defender for Cloud's pricing, see the pricing page.

The quickstart Get started with Defender for Cloud walks you through the upgrade process.

Triage security alerts

Defender for Cloud provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.

Triage your alerts from the Security alerts page:

Microsoft Defender for Cloud's security alerts list

Use this page to review the active security alerts in your environment to decide which alert to investigate first.

When triaging security alerts, prioritize by alert severity and address the higher-severity alerts first. Learn more about alert severity in How are alerts classified?.

Tip

You can connect Microsoft Defender for Cloud to most popular SIEM solutions including Microsoft Sentinel and consume the alerts from your tool of choice. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.

Investigate a security alert

When you've decided which alert to investigate first:

  1. Select the desired alert.

  2. From the alert overview page, select the resource to investigate first.

  3. Begin your investigation from the left pane, which shows the high-level information about the security alert.

    The left pane of the alert details page highlighting the high-level information.

    This pane shows:

    • Alert severity, status, and activity time
    • Description that explains the precise activity that was detected
    • Affected resources
    • Kill chain intent of the activity on the MITRE ATT&CK matrix

  4. For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.

  5. When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:

    • Contact the resource owner to verify whether the detected activity is a false positive.
    • Investigate the raw logs generated by the attacked resource.
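The two sections above describe a manual workflow: rank alerts by severity, then read the left-pane summary (severity, status, activity time, description, affected resource, kill chain intent) for the one you pick. The following Python script is an added example, not code from the original tutorial or from Microsoft, that applies the same ranking to a list of alert records pulled from the API. The dict shape follows the Microsoft.Security/alerts resource (a top-level name plus properties such as severity, status, intent, compromisedEntity, timeGeneratedUtc and description); the sample alerts themselves are constructed, and the four severity values and their order are an assumption stated in the code.

```python
"""Triage helpers for Defender for Cloud security alerts (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed severity levels, ranked so that higher severity sorts first.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample alerts. The layout mirrors the Microsoft.Security/alerts
# resource; the names, resources, times and descriptions are made up.
SAMPLE_ALERTS = [
    {"name": "a-medium", "properties": {
        "alertDisplayName": "Suspicious authentication activity",
        "severity": "Medium", "status": "Active", "intent": "CredentialAccess",
        "compromisedEntity": "vm-web-01", "timeGeneratedUtc": "2024-01-05T10:15:00Z",
        "description": "Several failed sign-in attempts were followed by a successful one."}},
    {"name": "a-high-old", "properties": {
        "alertDisplayName": "Suspicious process executed",
        "severity": "High", "status": "Active", "intent": "Execution",
        "compromisedEntity": "vm-web-01", "timeGeneratedUtc": "2024-01-05T08:00:00Z",
        "description": "A process matching known malicious tooling was executed."}},
    {"name": "a-high-new", "properties": {
        "alertDisplayName": "Possible data exfiltration",
        "severity": "High", "status": "Active", "intent": "Exfiltration",
        "compromisedEntity": "storage-prod", "timeGeneratedUtc": "2024-01-05T11:30:00Z",
        "description": "An unusually large volume of data was read from the account."}},
    {"name": "a-dismissed", "properties": {
        "alertDisplayName": "Suspicious process executed",
        "severity": "High", "status": "Dismissed", "intent": "Execution",
        "compromisedEntity": "vm-batch-02", "timeGeneratedUtc": "2024-01-04T09:00:00Z",
        "description": "Confirmed with the owner as a scheduled maintenance script."}},
    {"name": "a-low", "properties": {
        "alertDisplayName": "Unusual user agent",
        "severity": "Low", "status": "Active", "intent": "Discovery",
        "compromisedEntity": "app-api", "timeGeneratedUtc": "2024-01-05T09:45:00Z",
        "description": "A rarely seen user agent string accessed the application."}},
    {"name": "a-info", "properties": {
        "alertDisplayName": "New resource created",
        "severity": "Informational", "status": "Active", "intent": "Unknown",
        "compromisedEntity": "rg-prod", "timeGeneratedUtc": "2024-01-05T12:00:00Z",
        "description": "A resource was created by a principal not seen before."}},
]


def parse_utc(timestamp):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(alerts):
    """Return the Active alerts in triage order: highest severity first,
    most recent first within a severity. Unknown severity values sort last
    rather than raising, so an unexpected record never blocks the queue."""
    active = [a for a in alerts if a["properties"].get("status") == "Active"]
    return sorted(
        active,
        key=lambda a: (
            -SEVERITY_RANK.get(a["properties"].get("severity"), -1),
            -parse_utc(a["properties"]["timeGeneratedUtc"]).timestamp(),
        ),
    )


def summarize(alert):
    """Collect the fields the alert details left pane shows at a glance."""
    p = alert["properties"]
    return {
        "name": alert["name"],
        "severity": p.get("severity"),
        "status": p.get("status"),
        "activity_time": p.get("timeGeneratedUtc"),
        "description": p.get("description"),
        "affected_resource": p.get("compromisedEntity"),
        "intent": p.get("intent"),  # kill chain intent (MITRE ATT&CK tactic)
    }


def by_resource(alerts):
    """Group triaged alert names by affected resource, so a resource hit by
    several alerts stands out when deciding what to investigate first."""
    groups = defaultdict(list)
    for a in triage(alerts):
        groups[a["properties"].get("compromisedEntity")].append(a["name"])
    return dict(groups)


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        s = summarize(a)
        print(f"{s['severity']:<14}{s['activity_time']}  {s['affected_resource']:<14}"
              f"{s['intent']:<18}{a['properties']['alertDisplayName']}")
```

Dismissed alerts are excluded from the queue, matching the portal's default list, and the per-resource grouping is what you would look at before choosing which resource to open from the alert overview page.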

Respond to a security alert

After you've investigated a security alert and understood its scope, you can respond to the alert from within Microsoft Defender for Cloud:

  1. Open the Take action tab to see the recommended responses.

    Security alerts take action tab.

  2. Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.

  3. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.

  4. To trigger a logic app with automated response steps, use the Trigger automated response section.

  5. If the detected activity isn’t malicious, you can suppress future alerts of this kind using the Suppress similar alerts section.

  6. When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.

    Setting an alert's status

    The alert is then removed from the main list of alerts. You can use the filter from the alerts list page to view all alerts with Dismissed status.

  7. We encourage you to provide feedback about the alert to Microsoft:

    1. Mark the alert as Useful or Not useful.

    2. Select a reason and add a comment.

      Provide feedback to Microsoft on the usefulness of an alert.

    Tip

    We review your feedback to improve our algorithms and provide better security alerts.

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue to work with subsequent quickstarts and tutorials, keep automatic provisioning and Defender for Cloud's enhanced security features enabled.

If you don't plan to continue, or you want to disable either of these features:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription.

  3. Select Defender plans and select Enhanced security off.

    Enable or disable Defender for Cloud's enhanced security features.

  4. Select Save.

    Note

    After you disable enhanced security features, whether you disable a single plan or all plans at once, data collection may continue for a short period of time.

  5. From Defender for Cloud's menu, open Environment settings.

  6. Select the relevant subscription.

  7. In the Monitoring coverage column of the Defender plan, select Settings.

  8. Disable the relevant extensions.

    Note

    Disabling extensions does not remove the Log Analytics agent from Azure VMs that already have the agent, but it does limit security monitoring for your resources.

Next steps

In this tutorial, you learned about Defender for Cloud features to be used when responding to a security alert. For related material, see: