“Automated, playbook-based investigations”
Microsoft has rolled out a range of automated incident response tools for security teams in its Office 365 Advanced Threat Protection (APT) product – a feature it first teased in preview in April this year.
With an upgraded API the new tools – which use machine learning to react to a range of triggers – in the email protection service can be integrated into existing security workflow solutions, like SIEMs, Microsoft said.
Automated Incident Response
The tools include automated, playbook-based investigations that are initiated when alerts such as user-reported phishing emails are reported.
These include automatic investigation when a user clicks a malicious link, clicks through a warning page, or malware is detected post-delivery. (Using signature-based detection of content that has been weaponised after delivery).
Users can also manually trigger investigations that follow an automated playbook, Microsoft said; a series of “carefully logged steps to comprehensively investigate an alert and offer… recommended actions.”
The release comes amid the common complaint from over-worked security teams that they are inundated with alerts, both genuine and false-positives, meaning workloads like correlating signals across multiple different systems is increasingly challenging, and alerts hard to prioritise.
The release is the latest from one of the public cloud giants aimed at tackling the flood of alerts security teams deal with and automating away some of the investigation or threat-hunting elements of the role.
Google has also got in on the action, with Backstory, which launched in March 2019, letting companies upload, store, and analyse their internal security telemetry to detect and investigate potential cyber threats, by running Chronicle’s analytics engine over high-volume data such as DNS traffic, netflow, endpoint logs, proxy logs, etc. in Google Cloud.