Monitor and maintain Microsoft 365 Business Premium and Defender for Business
After you have set up and configured Microsoft 365 Business Premium or the standalone version of Microsoft Defender for Business, your next step is to prepare a plan for maintenance and operations. It's important to keep your systems, devices, user accounts, and security policies up to date to help protect against cyberattacks. You can use this article as a guide to prepare your plan.
As you prepare your plan, you can organize the various tasks into two main categories, as listed in the following table:
Check your threat vulnerability management dashboard
Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard.
2. Take a look at your Organization exposure score. If it's in the acceptable or "High" range, you can move on. If it isn't, select Improve score to see more details and security recommendations to improve this score.
Being aware of your exposure score helps you to:
- Quickly understand and identify high-level takeaways about the state of security in your organization
- Detect and respond to areas that require investigation or action to improve the current state
- Communicate with peers and management about the impact of security efforts
Review pending actions in the Action center
As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Action center.
2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.
3. Select the History tab to view a list of completed actions.
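To make the "monitor regularly" part concrete, here is an added Python example (not code from the article or from Microsoft) that triages a small set of constructed Action center records: it counts pending actions by source, flags any that have waited longer than an approval deadline, and reports how long the oldest has been waiting. The record fields (id, action, source, status, device, created), the reference time and the sample values are assumptions for illustration, not the Action center's export or API schema.

```python
"""Triage helper for Action center records: which pending remediation actions
still need an approve/reject decision, and how long they have been waiting.

Added example, not part of the product or the original article. The record
shape (id, action, source, status, device, created) is constructed for
illustration and is not the Action center's export or API schema.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real tenant data.
SAMPLE_RECORDS = [
    {"id": "a1", "action": "Quarantine a file", "source": "Automated investigation",
     "status": "Pending", "device": "laptop-01", "created": "2024-05-01T08:00:00Z"},
    {"id": "a2", "action": "Isolate device", "source": "Manual response",
     "status": "Pending", "device": "laptop-02", "created": "2024-05-02T09:30:00Z"},
    {"id": "a3", "action": "Kill a process", "source": "Automated investigation",
     "status": "Completed", "device": "laptop-01", "created": "2024-05-01T08:05:00Z"},
    {"id": "a4", "action": "Run antivirus scan", "source": "Manual response",
     "status": "Completed", "device": "laptop-03", "created": "2024-05-02T10:00:00Z"},
    {"id": "a5", "action": "Remove a scheduled task", "source": "Automated investigation",
     "status": "Pending", "device": "laptop-03", "created": "2024-05-02T11:45:00Z"},
]

# Constructed "current time" and approval deadline used by sample_report().
REFERENCE_NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
DEFAULT_MAX_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class ActionRecord:
    id: str
    action: str
    source: str
    status: str
    device: str
    created: datetime  # timezone-aware UTC


def parse_record(raw: dict) -> ActionRecord:
    """Build an ActionRecord; the 'Z' replacement keeps older Python versions happy."""
    created = datetime.fromisoformat(raw["created"].replace("Z", "+00:00"))
    if created.tzinfo is None:  # treat naive timestamps as UTC
        created = created.replace(tzinfo=timezone.utc)
    return ActionRecord(raw["id"], raw["action"], raw["source"],
                        raw["status"], raw["device"], created)


def load_records(raws) -> list[ActionRecord]:
    return [parse_record(r) for r in raws]


def overdue_pending(records, now: datetime, max_age: timedelta) -> list[ActionRecord]:
    """Pending actions that have waited longer than max_age, oldest first."""
    stale = [r for r in records if r.status == "Pending" and now - r.created > max_age]
    return sorted(stale, key=lambda r: r.created)


def pending_by_source(records) -> dict[str, int]:
    """How many pending actions each source (automated investigation, manual response, ...) produced."""
    return dict(Counter(r.source for r in records if r.status == "Pending"))


def triage_report(records, now: datetime, max_age: timedelta) -> dict:
    """One-shot summary a reviewer would want at the top of the Pending tab."""
    pending = [r for r in records if r.status == "Pending"]
    oldest_hours = max((now - r.created).total_seconds() for r in pending) / 3600 if pending else 0.0
    return {
        "pending": len(pending),
        "completed": sum(1 for r in records if r.status == "Completed"),
        "pending_by_source": pending_by_source(records),
        "overdue_ids": [r.id for r in overdue_pending(records, now, max_age)],
        "oldest_pending_hours": oldest_hours,
    }


def sample_report() -> dict:
    """Run the triage over the constructed sample with the constructed reference time."""
    return triage_report(load_records(SAMPLE_RECORDS), REFERENCE_NOW, DEFAULT_MAX_AGE)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The deadline is the knob worth agreeing on with whoever approves actions: a quarantine proposed by an automated investigation that sits unapproved for a day is a day during which the file stays on the device.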
Review devices with threat detections
When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report.
2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you can see that information in this row.
Learn about new incidents or alerts
As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft Defender portal.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts.
2. Select an alert to open its flyout pane, where you can learn more about the alert.
3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.
Run a scan or automated investigation
Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Assets > Devices.
2. Select a device to open its flyout panel, and review the information that is displayed.
   - Select the ellipsis (...) to open the actions menu.
   - Select an action, such as Run antivirus scan or Initiate Automated Investigation.
Monitor and improve your Secure Score
Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can:
- Report on the current state of your organization's security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Secure score.
2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft Secure Score.
Improve your Secure Score for devices
Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard.
2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of security recommendations related to that category is displayed.
3. Select an item on the list to display details related to the recommendation.
4. Select Remediation options.
5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.
6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.
7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.
8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, and your Microsoft Secure Score improves as a result.
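The two Secure Score procedures above boil down to three questions a reviewer asks every cycle: where does the score stand, which way is it moving, and which controls still hold the most unclaimed points. Here is an added Python example (not code from the article or from Microsoft) that answers them over constructed snapshots. The dict fields mirror those exposed by the Microsoft Graph v1.0 secureScore resource (createdDateTime, currentScore, maxScore, controlScores[].controlName/score) and the secureScoreControlProfile resource (id, title, maxScore, deprecated) as the author of this example understands them; every value, including the control names, is made up for illustration.

```python
"""Trend and remaining-gain analysis over Secure Score snapshots.

Added example, not part of the product or the original article. The dict
fields mirror the Microsoft Graph v1.0 secureScore and
secureScoreControlProfile resources as the author of this example understands
them; all values, including control names, are constructed.
"""
from __future__ import annotations

from datetime import datetime

# Constructed snapshots, deliberately not in date order (the helpers sort them).
SNAPSHOTS = [
    {"createdDateTime": "2024-05-01T00:00:00Z", "currentScore": 20.0, "maxScore": 40.0,
     "controlScores": [
         {"controlName": "RequireMFAForAdmins", "score": 10.0, "controlCategory": "Identity"},
         {"controlName": "RegisterMFAForAllUsers", "score": 5.0, "controlCategory": "Identity"},
         {"controlName": "EnableSafeAttachments", "score": 5.0, "controlCategory": "Apps"},
         {"controlName": "LegacyControl", "score": 0.0, "controlCategory": "Data"},
     ]},
    {"createdDateTime": "2024-04-01T00:00:00Z", "currentScore": 5.0, "maxScore": 40.0,
     "controlScores": [
         {"controlName": "RequireMFAForAdmins", "score": 0.0, "controlCategory": "Identity"},
         {"controlName": "RegisterMFAForAllUsers", "score": 0.0, "controlCategory": "Identity"},
         {"controlName": "EnableSafeAttachments", "score": 5.0, "controlCategory": "Apps"},
         {"controlName": "LegacyControl", "score": 0.0, "controlCategory": "Data"},
     ]},
]

# Constructed control profiles: the maximum each control can contribute.
PROFILES = [
    {"id": "RequireMFAForAdmins", "title": "Require MFA for administrative roles",
     "maxScore": 10.0, "deprecated": False},
    {"id": "RegisterMFAForAllUsers", "title": "Ensure all users can complete MFA",
     "maxScore": 20.0, "deprecated": False},
    {"id": "EnableSafeAttachments", "title": "Turn on Safe Attachments",
     "maxScore": 10.0, "deprecated": False},
    {"id": "LegacyControl", "title": "Retired control", "maxScore": 5.0, "deprecated": True},
]


def _when(snapshot) -> datetime:
    return datetime.fromisoformat(snapshot["createdDateTime"].replace("Z", "+00:00"))


def latest(snapshots):
    """The most recent snapshot by createdDateTime."""
    return max(snapshots, key=_when)


def score_percentage(snapshot) -> float:
    """Score as a percentage of the maximum achievable, rounded to one decimal."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def score_trend(snapshots) -> list[tuple[str, float]]:
    """(date, change since the previous snapshot) pairs, oldest first."""
    ordered = sorted(snapshots, key=_when)
    return [
        (_when(cur).date().isoformat(), round(cur["currentScore"] - prev["currentScore"], 1))
        for prev, cur in zip(ordered, ordered[1:])
    ]


def remaining_gain(snapshot, profiles) -> list[tuple[str, float]]:
    """Controls with points still on the table, largest gap first.

    Deprecated controls are skipped: they no longer count toward maxScore,
    so working on them would not move the score.
    """
    max_by_id = {p["id"]: p["maxScore"] for p in profiles if not p["deprecated"]}
    gaps = []
    for control in snapshot["controlScores"]:
        name = control["controlName"]
        if name not in max_by_id:
            continue
        gap = round(max_by_id[name] - control["score"], 1)
        if gap > 0:
            gaps.append((name, gap))
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    current = latest(SNAPSHOTS)
    print(f"Secure Score: {score_percentage(current)}% of maximum")
    print("Trend:", score_trend(SNAPSHOTS))
    print("Largest remaining gains:", remaining_gain(current, PROFILES))
```

Sorting by remaining gap is a starting point for prioritization, not the whole answer: the portal's recommendation details also carry user impact and implementation cost, which a small business will usually weigh against the points.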
Manage false positives/negatives
A false positive is an entity, such as a file or a process, that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to address and reduce these kinds of issues.
Defender for Business includes a vulnerability management dashboard that provides you with an exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture.
Reports are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others.
Sometimes it's necessary to submit entities, such as email messages, URLs, or attachments to Microsoft for further analysis. Reporting items can help reduce the occurrence of false positives/negatives and improve threat detection accuracy.
Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.
The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases.
As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business.
Microsoft 365 Business Premium includes several remediation actions. Some actions are taken automatically, and others await approval by your security team.
1. In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, select Assets > Devices.
2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.
3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.
4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.
Remediation actions for devices
The following table summarizes remediation actions that are available for devices in Microsoft 365 Business Premium and Defender for Business:
Source: Automated investigations
Actions: Quarantine a file; Remove a registry key; Kill a process; Stop a service; Disable a driver; Remove a scheduled task
Source: Manual response actions
Actions: Run antivirus scan; Isolate device; Add an indicator to block or allow a file
Source: Live response
Actions: Collect forensic data; Analyze a file; Run a script; Send a suspicious entity to Microsoft for analysis; Remediate a file; Proactively hunt for threats
General admin tasks
Maintaining your environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Admin tasks are typically performed by global administrators and tenant administrators. Learn more about admin roles.
Important
Microsoft recommends that you use roles with the fewest permissions. Using lower-permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.