Investigation, management, and response


Microsoft provides education organizations with two types of resources: proactive planning guides and reactive tools that automate issue detection, management, and response. These tools can help you detect and report incidents more efficiently and effectively.

Flowchart of security incident management phases including preparation, detection and analysis, containment, eradication, and recovery, and post-incident activity.

Check out Defender for Office 365 in action

This interactive guide shows you how Defender for Office 365 fits into your cyber incident response plan by analyzing threats and responding quickly to attacks.

Incident severity assessment

Microsoft Security solutions can help you assess the severity of potential incidents in order to determine next steps. The severity of an incident indicates the impact it can have on your assets: the higher the severity, the bigger the impact, and high-severity incidents typically require the most immediate attention. In Microsoft Defender products, you can filter incident alerts by severity: High, Medium, Low, or Informational. Severity is based on:

  • The specific trigger
  • The confidence level that there was malicious intent behind the activity that led to the alert

Review recommended responses to alerts based on severity level.

  • High: There's a high probability that your resource is compromised. You should investigate it right away. Defender has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft.
  • Medium: This is probably a suspicious activity that might indicate that a resource is compromised. Defender's confidence in the analytic or finding is medium, and the confidence of the malicious intent is medium to high. These would usually be machine learning or anomaly-based detections, for example a sign-in attempt from an unusual location.
  • Low: This might be a benign positive or a blocked attack. Defender isn't confident enough that the intent is malicious, and the activity might be innocent. For example, clearing a log is an action that might happen when an attacker tries to hide their tracks, but in many cases it's a routine operation performed by admins. Defender doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you investigate.
  • Informational: An incident is typically made up of several alerts, some of which might appear on their own to be only informational, but in the context of the other alerts might be worthy of a closer look.

Learn more about how Microsoft Defender for Office 365 combines alerts from various detection sources into incidents to reduce analyst fatigue in this video.
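The severity model above, as an added triage example that is not code from the page or from Microsoft Defender: it ranks constructed sample incidents by their highest-severity alert, attaches the recommended response, and flags Informational alerts for a closer look only when they sit alongside higher-severity alerts. Alert titles, incident IDs and the `triage` function are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Severity model from the page, ranked from most to least urgent, with the
# recommended responses paraphrased from the page's severity table.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
RECOMMENDED_RESPONSE = {
    "High": "Investigate right away: high confidence of malicious intent.",
    "Medium": "Treat as suspicious: medium confidence, often an anomaly detection.",
    "Low": "Possibly benign or a blocked attack: verify before escalating.",
    "Informational": "Review only in the context of the incident's other alerts.",
}

@dataclass
class Alert:
    title: str
    severity: str

@dataclass
class Incident:
    incident_id: str
    alerts: list[Alert] = field(default_factory=list)

def incident_severity(incident: Incident) -> str:
    """An incident inherits the highest severity among its alerts."""
    if not incident.alerts:
        return "Informational"
    return max(incident.alerts, key=lambda a: SEVERITY_RANK[a.severity]).severity

def triage(incidents: list[Incident]) -> list[dict[str, object]]:
    """Order incidents by severity and attach the recommended response.
    Informational alerts are flagged for a closer look only when the incident
    also carries higher-severity alerts, as the page describes."""
    queue = []
    for inc in incidents:
        sev = incident_severity(inc)
        info_in_context = [a.title for a in inc.alerts
                           if a.severity == "Informational" and SEVERITY_RANK[sev] > 0]
        queue.append({"incident_id": inc.incident_id, "severity": sev,
                      "response": RECOMMENDED_RESPONSE[sev],
                      "informational_to_review": info_in_context})
    return sorted(queue, key=lambda q: SEVERITY_RANK[q["severity"]], reverse=True)

# Constructed sample incidents echoing the page's examples (not real telemetry).
SAMPLE = [
    Incident("INC-1", [Alert("Event log cleared", "Low")]),
    Incident("INC-2", [Alert("Mimikatz execution detected", "High"),
                       Alert("New inbox rule created", "Informational")]),
    Incident("INC-3", [Alert("Sign-in from unusual location", "Medium")]),
    Incident("INC-4", [Alert("New inbox rule created", "Informational")]),
]
```

Running `triage(SAMPLE)` places INC-2 first and leaves INC-4, whose only alert is informational, at the bottom with nothing flagged for review.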

Generate incident reports with Microsoft Copilot for Security

A comprehensive and clear incident report is an essential reference for security teams. However, writing a comprehensive report with the important details present can be a time-consuming task as it involves collecting, organizing, and summarizing incident information from multiple sources.

Microsoft Copilot for Security creates an incident report containing this information:

  • Timestamps of the main incident management actions, including:
    • Incident creation and closure
    • The first and last log entries captured in the incident, whether analyst-driven or automated
  • The analysts involved in incident response
  • Incident classification, including analysts' comments on how the incident was evaluated and classified
  • Investigation actions applied by analysts and noted in the incident logs
  • Remediation actions taken, including:
    • Manual actions applied by analysts and noted in the incident logs
    • Automated actions applied by the system, including Microsoft Sentinel playbooks that ran and Microsoft Defender actions applied
  • Follow-up actions, such as recommendations, open issues, or next steps noted by the analysts in the incident logs

Learn how Microsoft Copilot for Security can help you create incident reports faster.

Next steps

  1. Test and verify the effectiveness of cyber incident responses by collaborating with Microsoft in Simuland’s open-source initiative.

  2. Review your institution's proactive plans and reactive tools. Consider these questions:

    • Do your current security tools help you efficiently and effectively investigate and assess alerts?
    • When incidents occur, what is your plan for creating a comprehensive incident report? Is there a way you could make your process more efficient?