Unified SecOps Investigation for Hybrid Environments

With 81 percent of security breaches caused by compromised user credentials, identity security is paramount for all organizations. Enterprise security operations (SecOps) analysts face an increasing volume and velocity of alerts and incidents across an ever-expanding surface area from on-premises to the cloud.


For analysts investigating compromised users, context is key. The ability to understand relationships between events and activities across multiple environments is central.


Microsoft has three identity-centric security products offering detection capabilities across on-premise and in the cloud:

  • Azure Advanced Threat Protection (Azure ATP) identifies on-premises attacks

  • Azure Active Directory Identity Protection (Azure AD Identity Protection) detects and proactively prevents user and sign-in risks to identities in the cloud

  • Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering not only Microsoft products but also third-party applications

We are happy to announce that we have brought these together in a unified SecOps experience, which focuses on identity-based alerts and activities for true hybrid identity threat protection.


Growing Risk of Hybrid Attacks


Because many organizations have hybrid environments, we see attacks that start in the cloud and then pivot to on-premises, meaning SecOps teams need to investigate these attacks from multiple places.



By combining signals from cloud and on-premises sources, Microsoft empowers security analysts by providing unified identity and user information, in a single console, ending the need to toggle between security solutions. This gives your SecOps teams more time and the right information to make better decisions, and actively remediate the real identity threats and risks.


Understanding Top User Threats in Your Organization


In addition to the aggregated security awesomeness, we have simplified and boosted your ability to investigate with the new Investigation Priority Score, which provides you visibility into users that could pose the greatest risk to your organization should they be compromised.


Your SecOps team can immediately understand the real top user threats to your organization by Investigation Priority Score, directly verify their business impact and investigate all related activities – no matter whether they are compromised, exfiltrating data or acting as insider threats.


To calculate the Investigation Priority, we assess the investigation urgency of each specific user, using security alerts, abnormal activities, and potential business and asset impact related to each user.  For every Azure Active Directory user, we then build a dynamic Investigation Priority Score, based on intelligence built from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection – which is continually updated based on recent behavior and impact.



The Investigation Priority Score helps in identifying top users to investigate and surfacing those users that we recommend for review based on the user analytics engine.


New investigation capabilities


The unified portal also brings significant new investigation capabilities for cloud and on-premises information.




  • Enabling security analysts to perform threat hunting with greater context over both cloud and on-premises resources.

  • Integrated user pages featuring all the information we know about the user coupled with everything we know about suggested investigation and next steps.

  • Full visibility and management of Azure AD user risk levels – incorporating the ability to confirm compromised user status which changes the Azure AD User Risk level to High, based on Azure AD conditional access policies.

  • Enhanced automation through Microsoft Flow integration for alerts (cloud and on-prem), as well task automation.


Participate in the evolution of the Unified SecOps Experience


If you’re one of the many enterprise customers already using Azure ATP, MCAS, or Azure AD Identity Protection (or a combination of these) and want to experience this new functionality, join our expanding preview program.



Get Started Today


If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

Source: EM+S Blog Feed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.