Know the differences to optimize investigations.
Microsoft recently began reorganizing its Microsoft 365 Defender security platform to make it easier for cybersecurity analysts to use. With the recent additions to the Microsoft 365 Security menu, there are now four different menus that analysts can go to for investigations involving Defender for Office 365.
In this blog, we will go over what each of these Defender for Office 365 investigation menus does and when an analyst would want to go to each of them during an investigation. Each of these four menus can serve a purpose for as long as it is supported.
Microsoft 365 (M365) Defender Security Incidents
This incidents menu may look very similar to the Microsoft Defender for Endpoint (MDE) incidents menu because it displays the same incidents from MDE. The difference is that this menu also displays Defender for Office 365 alerts alongside the MDE alerts. In the future, Microsoft plans to deprecate the MDE portal and move all of its user interfaces over to the M365 Defender Security menu.
The transition is not complete yet, and features like a centralized AIR (automated investigation and response) menu are still missing from the 365 Security menu. Analysts should use the M365 Defender Security incidents menu when they need to investigate incidents that involve both Defender for Office 365 and MDE. The MDE incidents menu should continue to be used for all other investigations until the transition between the security platforms is complete.
Email & Collaborations Investigations
This is one of the two menus that analysts should use together when investigating incidents that are specific to Defender for Office 365. The investigation view that analysts see after selecting an incident in this menu has information about the evidence involved in the incident that cannot be found in the Office 365 Security & Compliance menu.
365 Security & Compliance Alerts
The Office 365 Security & Compliance View Alerts menu has a combination of Defender for Office 365 and Microsoft Cloud App Security (MCAS) alerts. This menu also has compliance-related information such as tags. Analysts should come to this menu if they are investigating an incident that involves both Defender for Office 365 and MCAS. They should resolve the incident in the respective menu for each platform as well as in this menu, so that everyone will know the incident is resolved regardless of which menu they are looking at.
Threat Management Investigations
This is the second of the two menus that analysts should use together when investigating incidents that are specific to Defender for Office 365. The investigation view that analysts see after selecting an incident in this menu has more detailed information about the entities involved in the incident that cannot be found in the Office 365 Security menu.
We will continue to share best practices and lessons learned from using Defender for Office 365 in customer environments in future posts. Microsoft will continue to update its cloud security menus, so we must keep track of the functions of each investigation menu as they change.
In closing, consider these three questions when using Defender for Office 365 in your organization:
- Do our cybersecurity analysts understand why they are using each of the Defender for O365 menus?
- Is there any guidance we can use to inform analysts about which menus they need to use in different situations?
- Is anyone in our organization keeping track of changes to Microsoft cloud security platforms so that we do not get caught off guard?