
Unified threat detection with Microsoft Threat Protection

by Simon Angling
February 12, 2020
in Learning Out Loud, Technology

I love the security tools that come with the M365 and O365 E5 plans, but I’ve always felt there were too many separate, and largely unintegrated, tools. For this reason, I was very excited when Azure Sentinel came along as Microsoft’s cloud SIEM, as it can consume and analyse data from all your tools. However, Sentinel comes at an additional cost. It’s very powerful, but often overkill for organisations.

However, today I am excited to write that at the end of January, while I wasn’t looking, Microsoft added Microsoft Threat Protection to the Microsoft 365 Security Center. It now provides a workspace that consolidates information from Office 365 ATP, Microsoft Defender ATP, Azure ATP, and Microsoft Cloud App Security for M365 (but not O365) users.

With this integration, the Microsoft Threat Protection solution can combine the threat signals from each of these products and determine the scope and impact of a threat.

This consolidated view of your security landscape is designed around the concepts of Identity, Endpoints, User Data, Cloud Apps and Infrastructure, rather than focusing on the underlying products that produce the security signals and data.

From the few hours I’ve spent with this tool this morning I can say, for me, it seems to pull all these tools together making monitoring and investigation easier to conduct.

So how does one start?

To use Microsoft Threat Protection, you need one of the following licenses or combination of licenses:

  • Microsoft 365 E5
  • Microsoft 365 E5 Security
  • Office 365 E5, Enterprise Mobility + Security E5, and Windows E5 (in combination)

Within Microsoft Defender Security Center you will find a notice. Just Click to try it out…

Select Turn on Microsoft Threat Protection and take note of the notice on the data storage location.

Select the time zone. All security signals are recorded in UTC; I find it easier to have the times displayed in local time.

Once set up, you will be presented with the Microsoft Threat Protection Home dashboard, which gives you an overview of your entire organisation with a number of blocks that can be rearranged as you desire.

The other screens available are:

Incidents – showing the individual alerts on systems allowing you to track the path of attacks.

Alerts – All the alerts across your Microsoft 365 environment, including alerts from Microsoft Cloud App Security, Office 365 ATP, Azure AD, Azure ATP, and Microsoft Defender ATP.

Action center – Shows all the automated actions taken and in progress.

Reports – View security trends and track the protection status of your identities, data, devices, apps, and infrastructure.

Secure score – This page provides a summary of the different security features and capabilities you’ve enabled and includes recommendations for areas to improve.

Advanced hunting – Query your logs directly using custom queries.

Classification – Create and manage data sensitivity and retention labels.

Policies – Set up policies to manage devices, protect against threats, and receive alerts about various activities in your org.

Permissions – Manage who in your organisation has access to Microsoft 365 security center to view content and perform tasks. You can also assign Microsoft 365 permissions in the Azure AD Portal.
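To show what the unified view buys you in Advanced hunting, here is an added example query (mine, not from the original post or from Microsoft) that lists recent alerts alongside the product that raised them and the devices and accounts involved. It assumes the Microsoft Threat Protection advanced hunting schema tables AlertInfo and AlertEvidence and their ServiceSource, DetectionSource, DeviceName and AccountUpn columns.

```kql
// Constructed example: which product raised each alert, and which devices/accounts it touched.
// Assumes the AlertInfo and AlertEvidence tables of the MTP advanced hunting schema.
AlertInfo
| where Timestamp > ago(7d)
| where Severity in ("High", "Medium")
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(7d)
    | where isnotempty(DeviceName) or isnotempty(AccountUpn)
    // one row per alert, collecting every device and account named as evidence
    | summarize Devices = make_set(DeviceName), Accounts = make_set(AccountUpn) by AlertId
) on AlertId
// ServiceSource tells you whether the signal came from Defender ATP, Office 365 ATP,
// Azure ATP or Cloud App Security; DetectionSource is the engine within that product
| project Timestamp, AlertId, Title, Severity, ServiceSource, DetectionSource, Devices, Accounts
| sort by Timestamp desc
```

Grouping the same result by AccountUpn or DeviceName instead of AlertId is a quick way to see a single user or machine that appears in alerts from more than one product, which is exactly the cross-product correlation the Incidents page is built around.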

I’m presenting this to the security review this morning and hope to have the security team adopt it ASAP.

This post is part of my Learning out Loud series. You can read more about Learning out Loud and how it came about here: https://simonangling.com/learning-out-loud/

Comments 1

  1. Simon Angling says:
    6 years ago

    Just added the licensing requirements to the post. It seems this is not available to O365 but only M365 subscribers.

© 2024 Simon Angling