Microsoft Defender for Business security operations guide

Article
05/25/2023

If you're new to Defender for Business, or if your business doesn't have a security operations guide in place yet, use this article as a starting point. If you do already have a security operations guide, review it against the recommendations in this article.

You can use this guidance to make decisions about security incident priorities and tasks your security team will perform in the Microsoft Defender portal (https://security.microsoft.com).

Security operations tasks to perform

Daily tasks

Task	Description
Check your threat vulnerability management dashboard	Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard. 2. Take a look at your Organization exposure score. If it's in the acceptable or "High" range, you can move on. If it isn't, select Improve score to see more details and security recommendations to improve this score. Being aware of your exposure score helps you to: - Quickly understand and identify high-level takeaways about the state of security in your organization - Detect and respond to areas that require investigation or action to improve the current state - Communicate with peers and management about the impact of security efforts
Review pending actions in the Action center	As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Action center. 2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions. 3. Select the History tab to view a list of completed actions.
Review devices with threat detections	When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report. 2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you'll see that information in this row.
Learn about new incidents or alerts	As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts. 2. Select an alert to open its flyout pane, where you can learn more about the alert. 3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.
Run a scan or automated investigation	Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Assets > Devices. 2. Select a device to open its flyout panel, and review the information that is displayed. - Select the ellipsis (...) to open the actions menu. - Select an action, such as Run antivirus scan or Initiate Automated Investigation.

Weekly tasks

Task	Description
Monitor and improve your security score	Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can: - Report on the current state of your organization's security posture. - Improve your security posture by providing discoverability, visibility, guidance, and control. - Compare with benchmarks and establish key performance indicators (KPIs). To check your score, follow these steps: 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane choose Secure score. 2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score.
Improve your secure score for devices	Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score. To check your secure score, follow these steps: 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane select Secure score. 2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations. 3.Select an item on the list to display details related to the recommendation. 4. Select Remediation options. 5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created. 6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system. 7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions. 8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving.

Task

Description

Monitor and improve your security score

Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can:
- Report on the current state of your organization's security posture.
- Improve your security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).

To check your score, follow these steps:

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane choose Secure score.

2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score.

Improve your secure score for devices

Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.

To check your secure score, follow these steps:

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane select Secure score.

2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.

3.Select an item on the list to display details related to the recommendation.

4. Select Remediation options.

5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.

6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.

7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.

8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving.

Monthly tasks

Task	Description
Run security reports	Several reports are available in the Microsoft 365 Defender portal. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Reports. 2. Choose a report to review. Each report displays many pertinent categories for that report. 3. Select View details to see deeper information for each category. 4. Select the title of a particular threat to see details specific to it.
Run a simulation tutorial	It's always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps: 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Tutorials.< 2. Read the walk-through for a tutorial you're interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions.
Explore the Learning hub	Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Learning hub. 2. Select an area, such as Microsoft 365 Defender or Endpoints. 3. Select an item to learn more about each concept. Note that some resources in the Learning hub might cover functionality that isn't actually included in Defender for Business. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Defender for Business. Compare security features in Microsoft 365 plans for small and medium-sized businesses.

Tasks to perform as needed

Task	Description
Use the Threat analytics dashboard	Use the threat analytics dashboard to get an overview of the current threat landscape by highlighting reports that are most relevant to your organization. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Threat analytics to display the Threat analytics dashboard. The dashboard summarizes the threats into the following sections: - Latest threats lists the most recently published or updated threat reports, along with the number of active and resolved alerts. - High-impact threats lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first. - Highest exposure lists threats with the highest exposure levels first. The exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities. 3. Select the title of the one you want to investigate, and read the associated report. 4. You can also review the full Analyst report for more details, or select other headings to view the related incidents, impacted assets, and exposure and mitigations.
Remediate an item	Defender for Business includes several remediation actions. Some actions are taken automatically, and others await approval by your security team. 1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices. 2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item. 3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions. 4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.

Task

Description

Use the Threat analytics dashboard

Use the threat analytics dashboard to get an overview of the current threat landscape by highlighting reports that are most relevant to your organization.

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Threat analytics to display the Threat analytics dashboard. The dashboard summarizes the threats into the following sections:
- Latest threats lists the most recently published or updated threat reports, along with the number of active and resolved alerts.
- High-impact threats lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.
- Highest exposure lists threats with the highest exposure levels first. The exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.

3. Select the title of the one you want to investigate, and read the associated report.

4. You can also review the full Analyst report for more details, or select other headings to view the related incidents, impacted assets, and exposure and mitigations.

Remediate an item

Defender for Business includes several remediation actions. Some actions are taken automatically, and others await approval by your security team.

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices.

2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.

3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.

4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.

Remediation actions in Defender for Business

The following table summarizes remediation actions that are available in Defender for Business:

Source	Actions
Automated investigations	Quarantine a file Remove a registry key Kill a process Stop a service Disable a driver Remove a scheduled task
Manual response actions	Run antivirus scan Isolate device Add an indicator to block or allow a file
Live response	Collect forensic data Analyze a file Run a script Send a suspicious entity to Microsoft for analysis Remediate a file Proactively hunt for threats