Commit 94aa2e2

Added apostrophe to hasn't
1 parent eb49ee7 commit 94aa2e2

1 file changed

+1
-1
lines changed

docs/SOCAnalystActionsByAlert.csv

+1-1
@@ -11,7 +11,7 @@ Unusual sequence of failed logons,1. Validate and scope the alert.,2. Check the
1111
Impossible Travel Activity,1. Validate and scope the alert.,2. Check the source of the failed logon attempts for the user. Contact system and account owners to identify unexpected activity.,3. Check the location where the performed failed sign in activities came from. Check whether they originated outside of the users standard login location and how long before a login was noticed from their normal location. Within how many minutes?,"4. Check If the IP addresses are known and safe, add them in the IP address range page to improve the accuracy of the alerts. Otherwise if Malicious, add them to the ThreatIntelligence as Indicators/IOCs.","5. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,2/24/2021
1212
Suspicious Attachment Opened,1. Validate the alert.,2. Inspect the attachment. Review the process that opened it and its behaviors.,3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. Scope the incident. Find related machines, network addresses, and files in the incident graph.","8. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.","9. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,2/24/2021
1313
Password spray attack against Azure AD application,"1. Use Cloud Authentication - In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms allow us to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).","2. If your using AAD, then your covered with Smart Lockout. If your using ADFS, enable Smart Lockout - https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection.",3. Use Attack Simulator to proactively evaluate your security posture and make adjustments - https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-the-public-preview-of-attack-simulator-for-office-365/ba-p/162412.,"4. Work with your Identity Global Admin and Enable MFA. A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below:",4a. Risk-based MFA.,4b. Always-on MFA.,4c. Azure MFA as Primary Auth.,"5. NOTE: We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins. Seriously, go do this right now. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses. Otherwise, use Azure MFA for cloud authentication and ADFS. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.","6. 
Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,2/24/2021
14-
Anonymous IP address,"1. This risk event type indicates sign-ins from an anonymous IP address (e.g. Tor browser, anonymizer VPNs). Such IP addresses are commonly used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent. For more information - https://go.microsoft.com/fwlink/?linkid=2016442",2. Validate that the IP Address is Malicious.,3. Run Playbook Get-IPReputation - This pulls down known malicious info about the IP from VirusTotal.,"4. If no results return, IP is not listed. Validate the login with the User.","5. If results from VT are malicious, run VT Query in Sentinel.","6. Create a Bookmark, assign entities.",7. Attach Bookmark to current Incident.,8. Make notes of what known IOC's are associated with the IP Address.,9. Validate the login with the User if this step hasnt been done already.,"10. After validation, if the login was malicious, have the user reset their password.","11. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,2/24/2021
14+
Anonymous IP address,"1. This risk event type indicates sign-ins from an anonymous IP address (e.g. Tor browser, anonymizer VPNs). Such IP addresses are commonly used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent. For more information - https://go.microsoft.com/fwlink/?linkid=2016442",2. Validate that the IP Address is Malicious.,3. Run Playbook Get-IPReputation - This pulls down known malicious info about the IP from VirusTotal.,"4. If no results return, IP is not listed. Validate the login with the User.","5. If results from VT are malicious, run VT Query in Sentinel.","6. Create a Bookmark, assign entities.",7. Attach Bookmark to current Incident.,8. Make notes of what known IOC's are associated with the IP Address.,"9. Validate the login with the User if this step hasn't been done already.","10. After validation, if the login was malicious, have the user reset their password.","11. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,2/24/2021
1515
Adaptive application control policy violation was audited,1. Review the list of applications that were run.,2. Review the application control policy that is applied to this machine by visiting the Adaptive Application Controls section in the Azure Security Center portal.,"3. Review the list of existing rules in each of the rule collections (publisher/path/hash), and identify the rules that have triggered an audit event for the above applications.","4. If you have identified a rule that should allow the above applications to run, review the users that ran them.","5. In case you wish to allow them and change the application control policy applied to this machine policy group, make sure to add them to the appropriate rules that you have identified in step #3. Otherwise - contact the specific user and escalate this alert for further investigation.","6. If the above applications are not currently allowed by one of the rules that you have identified in step #3, and in case that you wish to allow them, make sure to add a new rule to this machine policy group.",,,,,,,,,,,,,,2/24/2021
1616
Port Scan Detected,"1. Network scans may indicate legitimate activity, for example a new network device or new functionality on a device. Scanning activity may also be malicious.","2. For example the source device performing the scan may be carrying out network reconnaissance in order to test for and leverage potential vulnerabilities. If this succeeds, system configuration data and other critical information retrieved can be sent to attackers.","3. If the source device is an approved scanner, define it as a Scanning Device.","4. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,,2/24/2021
1717
Traffic detected from IP addresses recommended for blocking,1. Click the link: Investigate in Azure Defender.,2. Review the IP addresses and determine if they should be communicating with the virtual machine.,"3. Enforce the hardening rule recommended by Security Center which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly.","4. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,,2/25/2021
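Review bot: the apostrophe fix on line 14 leaves the same class of typo on that line and in the unchanged context of this hunk, so it is worth folding them into the same commit: on line 14 "what known IOC's are associated" is a plural and should read "IOCs"; on line 11 "the users standard login location" should be "user's"; on line 13 "If your using AAD, then your covered" should be "you're" in both places, and "Check If the IP addresses" on line 11 has a stray capital. Separately, the line-13 field that opens `"6. ` appears to continue on the next physical line before `Escalate and contact your incident response team`; an embedded newline inside a quoted cell is valid CSV, but it will surface as a broken step wherever this table is rendered or parsed, so joining that cell onto one line in the same pass would keep the document consistent with the other rows.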

0 commit comments
