Reduce time to response with classification

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Classifying an alert or incident means you tag it, as part of initial triage, as representing either true malicious activity or a false alarm. Classification is a great way to save time when managing your incident and alert queues and can significantly reduce your mean time to resolution (MTTR). This process lets your team know that a potential threat has been investigated and determined to be true or false. It’s them.

The new classification experience provides insights on similar alerts observed in the past, along with tailored recommendations and direct links to follow-up actions, making the alert triage and handling process quick and easy.

How it works

Classifying incidents and alerts is easy!

First, determine whether the alerted activity is indeed malicious or not. Then, open the Manage incident or Manage alert pane, select Classification, and then select the option that best To save time, when the classification is set on an incident, all the alerts in the incident will be classified with the same value. Here is an example.

[Image: OrenSaban_0-1645566200475.png]

Options are divided into three categories:

  • True positive – Alerts that you believe accurately indicate a real threat and for which you want to be alerted going forward.
  • Informational, expected activity – Alerts that are technically accurate but represent normal behavior or simulated threat activity. You generally want to ignore these alerts, but you still expect to receive them for similar activity in the future, in case that activity is then triggered by actual attackers or malware. Use the options in this category to classify alerts for security tests, red team activity, and expected unusual behavior from trusted apps and users.
  • False positive – Alerts that you believe are a false alarm, where the activity alerted on is not malicious. Use the options in this category to classify alerts that mistakenly identified normal events or activities as malicious or suspicious. Unlike alerts for informational, expected activity, which can still be useful for catching real threats, you generally don’t want to see these alerts again.

How classifications save time

Over time, your organization will see alerts that resemble earlier ones, because attack patterns often repeat. When you save your classification, you and your team can track and respond to the alert in an informed manner. It’s an easy way to share knowledge, helping teammates learn how others resolved similar incidents or alerts.

Classifying similar alerts

Microsoft 365 Defender now identifies similar alerts. Once you determine the nature of an alert, you can classify it and other similar alerts at the same time. Select Classify alert in the INSIGHT box as shown here.

[Image: OrenSaban_1-1645566200483.png]

Microsoft 365 Defender displays the list of similar alerts and allows you to classify all of them at once. Here’s an example.

[Image: OrenSaban_2-1645566200491.png]

Saving triage time

If similar alerts were already classified in the past, you can save time by using the classification history to see how those alerts were resolved by you or your teammates. These insights help you triage with more confidence, drawing on knowledge from past similar alerts.
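The three behaviours described above (an incident classification propagating to all of its alerts, classifying an alert together with its similar unclassified alerts, and surfacing how similar alerts were resolved before) are easy to reason about in code. The following Python is an added example for a team building its own triage tooling; it is not part of the original post and not Microsoft 365 Defender code. The similarity key it uses (normalized title, category and detection source), the `TriageBook` class and all alert ids and titles are assumptions constructed for the example; the product's own notion of "similar" is not specified on the page.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Classification(Enum):
    """The three classification categories described in the post."""
    TRUE_POSITIVE = "True positive"
    INFORMATIONAL = "Informational, expected activity"
    FALSE_POSITIVE = "False positive"


@dataclass
class Alert:
    alert_id: str
    title: str
    category: str
    detection_source: str
    classification: Optional[Classification] = None

    def signature(self) -> str:
        # Similarity key (an assumption of this example, not the product's rule):
        # alerts with the same normalized title, category and source are "similar".
        return "|".join(
            (self.title.strip().lower(), self.category.lower(), self.detection_source.lower())
        )


@dataclass
class Incident:
    incident_id: str
    alerts: list[Alert] = field(default_factory=list)
    classification: Optional[Classification] = None


class TriageBook:
    """Hypothetical store of past verdicts that surfaces history for similar alerts."""

    def __init__(self) -> None:
        # signature -> list of (alert_id, classification) recorded so far
        self._history: dict[str, list[tuple[str, Classification]]] = {}

    def classify_alert(self, alert: Alert, label: Classification) -> None:
        alert.classification = label
        self._history.setdefault(alert.signature(), []).append((alert.alert_id, label))

    def classify_incident(self, incident: Incident, label: Classification) -> int:
        """Classifying an incident classifies every alert in it with the same value."""
        incident.classification = label
        for alert in incident.alerts:
            self.classify_alert(alert, label)
        return len(incident.alerts)

    def similar_unclassified(self, alert: Alert, pool: list[Alert]) -> list[Alert]:
        """Open alerts in the queue that look like this one and still need a verdict."""
        sig = alert.signature()
        return [a for a in pool
                if a.alert_id != alert.alert_id and a.classification is None and a.signature() == sig]

    def classify_with_similar(self, alert: Alert, pool: list[Alert], label: Classification) -> list[str]:
        """Classify an alert and every similar unclassified alert at once."""
        targets = [alert] + self.similar_unclassified(alert, pool)
        for a in targets:
            self.classify_alert(a, label)
        return [a.alert_id for a in targets]

    def insight(self, alert: Alert) -> dict[str, int]:
        """How past similar alerts were resolved, as counts per classification."""
        past = self._history.get(alert.signature(), [])
        return dict(Counter(label.value for _, label in past))


def run_demo() -> dict:
    """Constructed sample data: all ids and titles are made up for this example."""
    book = TriageBook()
    # Two earlier alerts that the team already resolved as red-team activity.
    for aid in ("a-100", "a-101"):
        book.classify_alert(Alert(aid, "Suspicious PowerShell command line", "Execution", "EDR"),
                            Classification.INFORMATIONAL)
    # Today's queue: two look-alikes (one with sloppy casing/whitespace) and one unrelated alert.
    queue = Incident("inc-1", alerts=[
        Alert("a-200", "Suspicious PowerShell command line", "Execution", "EDR"),
        Alert("a-201", "suspicious powershell command line ", "Execution", "edr"),
        Alert("a-202", "Unfamiliar sign-in properties", "InitialAccess", "Identity"),
    ])
    new = queue.alerts[0]
    history = book.insight(new)  # what happened to similar alerts before
    classified = book.classify_with_similar(new, queue.alerts, Classification.INFORMATIONAL)
    still_open = [a.alert_id for a in queue.alerts if a.classification is None]
    # A separate incident whose verdict is set once at incident level and propagates to its alerts.
    confirmed = Incident("inc-2", alerts=[
        Alert("a-300", "Credential dumping via LSASS access", "CredentialAccess", "EDR"),
        Alert("a-301", "Lateral movement via remote service", "LateralMovement", "EDR"),
    ])
    propagated = book.classify_incident(confirmed, Classification.TRUE_POSITIVE)
    return {"history": history, "classified": classified, "still_open": still_open,
            "propagated": propagated,
            "inc2_labels": [a.classification.value for a in confirmed.alerts]}
```

Running `run_demo()` shows the analyst's view of the new alert before touching it (two earlier look-alikes were resolved as informational, expected activity), then the bulk verdict covering both look-alikes while the unrelated sign-in alert stays open, and finally the incident-level verdict reaching both alerts in the second incident. The normalization in `signature()` is what keeps "similar" from being defeated by trivial differences in case or whitespace; a real implementation would key on the entities involved as well.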

[Image: OrenSaban_3-1645566200497.png]

After triaging and classifying the alert, use the Recommendations tab for the next steps of investigation, containment, remediation, and prevention, as provided by Microsoft research experts.

[Image: OrenSaban_4-1645566200505.png]

Your classifications help Microsoft create better alerts

Beyond helping your SOC colleagues classify new similar alerts faster, classifications are also used to continuously assess and improve Microsoft’s detection quality.

Microsoft 365 Defender boasts a rich library of detection rules. Our models are constantly evolving to address the ever-changing threat landscape. Your alert classifications help continuously tune this library to provide the highest quality detections and keep organizations safe and .

We hope you try out this new feature and use it to more quickly and effectively manage incidents and alerts in your environment. We would love to hear from you - do you find it useful or have suggestions for improvement? Send us feedback through the Microsoft 365 Defender portal.
