Tutorial: Triage, investigate, and respond to security alerts
Microsoft Defender for Cloud continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Defender for Cloud. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.
In this tutorial, you will learn how to:
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
You'll need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription.
You must enable Microsoft Defender for Cloud on your Azure subscription.
Triage security alerts
Defender for Cloud provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.
Triage your alerts from the Security alerts page:
Use this page to review the active security alerts in your environment to decide which alert to investigate first.
When triaging security alerts, prioritize them by severity and address the higher-severity alerts first. Learn more about alert severity in How are alerts classified?.
Tip
You can connect Microsoft Defender for Cloud to most popular SIEM solutions including Microsoft Sentinel and consume the alerts from your tool of choice. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.
Investigate a security alert
Once you have selected an alert, you can investigate it.
To investigate a security alert:
1. Select the desired alert.
2. From the alert overview page, select the resource to investigate first.
3. Begin your investigation from the left pane, which shows the high-level information about the security alert.
This pane shows:
- Alert severity, status, and activity time
- Description that explains the precise activity that was detected
- Affected resources
- Kill chain intent of the activity on the MITRE ATT&CK matrix
For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.
When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:
- Contact the resource owner to verify whether the detected activity is a false positive.
- Investigate the raw logs generated by the attacked resource.
Respond to a security alert
After you've investigated a security alert and understood its scope, you can respond to the alert from within Microsoft Defender for Cloud:
1. Open the Take action tab to see the recommended responses.
2. Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.
3. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.
4. To trigger a logic app with automated response steps, use the Trigger automated response section.
5. If the detected activity isn't malicious, you can suppress future alerts of this kind using the Suppress similar alerts section.
When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.
This removes the alert from the main alerts list. You can use the filter from the alerts list page to view all alerts with Dismissed status.
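The triage order the tutorial describes (active alerts only, higher severity first, most recent activity first within a severity) and the grouping by affected resource that guides which resource to investigate first, as an added Python example that is not part of this tutorial or of Defender for Cloud itself. The alert records are constructed inline in a simplified shape of the alert resource's `properties` fields; the field names (`severity`, `status`, `intent`, `compromisedEntity`, `timeGeneratedUtc`) and the severity ranking are assumptions, and `triage_queue` / `alerts_by_resource` are hypothetical helpers.

```python
from datetime import datetime, timezone

# Assumed severity ranking: address higher-severity alerts first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample alerts (names, resources and times are made up) in a
# simplified subset of the Defender for Cloud alert "properties" fields.
SAMPLE_ALERTS = [
    {"name": "a1", "properties": {"alertDisplayName": "Suspicious process executed",
        "severity": "Medium", "status": "Active", "intent": "Execution",
        "compromisedEntity": "vm-web-01", "timeGeneratedUtc": "2024-03-01T10:15:00Z"}},
    {"name": "a2", "properties": {"alertDisplayName": "Traffic from unusual location",
        "severity": "High", "status": "Active", "intent": "InitialAccess",
        "compromisedEntity": "sql-prod", "timeGeneratedUtc": "2024-03-01T09:40:00Z"}},
    {"name": "a3", "properties": {"alertDisplayName": "Port scan detected",
        "severity": "Low", "status": "Dismissed", "intent": "Discovery",
        "compromisedEntity": "vm-web-01", "timeGeneratedUtc": "2024-03-01T11:00:00Z"}},
    {"name": "a4", "properties": {"alertDisplayName": "Possible credential dumping",
        "severity": "High", "status": "Active", "intent": "CredentialAccess",
        "compromisedEntity": "vm-dc-01", "timeGeneratedUtc": "2024-03-01T11:30:00Z"}},
]

def _activity_time(alert):
    """Parse the UTC activity timestamp ("Z" suffix) into an aware datetime."""
    ts = alert["properties"]["timeGeneratedUtc"].replace("Z", "+00:00")
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def triage_queue(alerts, include_dismissed=False):
    """Order alerts for investigation: dismissed alerts are hidden (as on the
    alerts list page) unless requested, then higher severity first, then the
    most recent activity first. Unknown severities sort last."""
    queue = [a for a in alerts
             if include_dismissed or a["properties"]["status"] != "Dismissed"]
    return sorted(queue, key=lambda a: (
        SEVERITY_RANK.get(a["properties"]["severity"], len(SEVERITY_RANK)),
        -_activity_time(a).timestamp()))

def alerts_by_resource(alerts):
    """Group the triage queue by affected resource; because the queue is already
    ordered, the first key is the resource to investigate first."""
    groups = {}
    for a in triage_queue(alerts):
        groups.setdefault(a["properties"]["compromisedEntity"], []).append(a["name"])
    return groups

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        p = a["properties"]
        print(f'{p["severity"]:<8} {p["intent"]:<17} {p["compromisedEntity"]:<10} {p["alertDisplayName"]}')
```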
We encourage you to provide feedback about the alert to Microsoft:
1. Mark the alert as Useful or Not useful.
2. Select a reason and add a comment.
Tip
We review your feedback to improve our algorithms and provide better security alerts.
Clean up resources
There's no need to clean up any resources for this tutorial.
Next steps
In this tutorial, you learned about the Defender for Cloud features to use when responding to a security alert. For related material, see: