Incident management and incidents capabilities
In this section, we will learn about the concept of incident management and incident capabilities.
Incidents are a collection of correlated alerts created when a suspicious event is found. Alerts are generated from different device, user, and mailbox entities, and can come from many different domains. Microsoft 365 Defender aggregates these alerts automatically, and it is this grouping of related alerts that forms an incident. The incident provides a comprehensive view and context of an attack.
Incident management
- Managing incidents is critical to ensuring that threats are contained and addressed. In Microsoft 365 Defender, you can manage incidents involving devices, user accounts, and mailboxes by selecting one from the Incidents queue.
- Secondly, incidents are automatically assigned a name based on one of their alerts. You can edit the name of an incident, resolve it, and set its classification and determination.
- Lastly, when an investigation shows that an alert belongs to a different incident, you can move alerts from one incident to another from the Alerts tab.
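As an added example written for this page (not Microsoft 365 Defender's own implementation or data model), the following Python models the alert-to-incident relationship described above: constructed sample alerts are grouped into incidents by shared device, user, and mailbox entities, each incident is auto-named from its first alert, and helper functions resolve an incident with a classification and determination and move an alert between incidents. The Alert and Incident types, the entity key format, and the classification labels are assumptions of the example.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# entities: keys such as "device:ws01", "user:alice", "mailbox:alice@contoso.test" (assumed format)
Alert = namedtuple("Alert", "alert_id title entities")

@dataclass
class Incident:
    incident_id: str
    name: str                   # auto-named from the first alert; editable by an analyst
    alerts: list = field(default_factory=list)
    status: str = "Active"
    classification: str = ""    # e.g. "True positive" (assumed label for this example)
    determination: str = ""     # e.g. "Malware"

def correlate_alerts(alerts):
    """Group alerts sharing at least one entity into incidents; union-find makes the overlap transitive."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        return x if parent[x] == x else find(parent[x])
    for a in alerts:
        ents = list(a.entities)
        for e in ents[1:]:
            parent[find(e)] = find(ents[0])   # union the alert's entities into one set
    groups = defaultdict(list)
    for a in alerts:
        key = next(iter(a.entities), f"alert:{a.alert_id}")  # entity-less alert stands alone
        groups[find(key)].append(a)
    return [Incident(f"INC-{i}", members[0].title, members) for i, members in enumerate(groups.values(), 1)]

def resolve_incident(inc, classification, determination):
    """Close an incident with the analyst's classification and determination."""
    inc.status, inc.classification, inc.determination = "Resolved", classification, determination
    return inc

def move_alert(alert_id, src, dst):
    """Move one alert from src to dst (the Alerts tab action); returns False if it is not in src."""
    for i, a in enumerate(src.alerts):
        if a.alert_id == alert_id:
            dst.alerts.append(src.alerts.pop(i))
            return True
    return False

# Constructed sample alerts: A1 and A2 share user:alice and correlate; A3 stands alone.
SAMPLE_ALERTS = [
    Alert("A1", "Suspicious PowerShell on ws01", frozenset({"device:ws01", "user:alice"})),
    Alert("A2", "Phishing email delivered", frozenset({"mailbox:alice@contoso.test", "user:alice"})),
    Alert("A3", "Malware detected on srv02", frozenset({"device:srv02", "user:bob"})),
]
```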
What is a security incident?
Microsoft defines a security incident in its online services as a breach of security leading to the accidental or unlawful destruction, loss, alteration of, or access to customer data or personal data processed by Microsoft. For example, unauthorized access to Microsoft 365 infrastructure and exfiltration of customer data would constitute a security incident. Compliance events that do not affect the confidentiality, integrity, or availability of services or customer data are not considered security incidents.
How does Microsoft respond to security incidents?
- Firstly, whenever there is a security incident, Microsoft strives to respond quickly and effectively to protect Microsoft services and customer data. Microsoft investigates, contains, and removes security threats quickly and efficiently.
- Secondly, Microsoft cloud services are continuously monitored for signs of compromise. In addition to automated security monitoring and alerting, all employees receive annual training to recognize and report signs of potential security incidents.
- Thirdly, after detecting suspicious activity, service-specific Security Response teams initiate a process of analysis, containment, eradication, and recovery. These teams coordinate analysis of the potential incident to determine its scope, including any impact on customers or customer data. Based on this analysis, service-specific Security Response teams work with impacted service teams to develop a plan to contain the threat and minimize the impact of the incident.
- Lastly, after resolving an incident, service teams implement any lessons learned from the incident to better prevent, detect, and respond to similar incidents in the future. Select security incidents, especially those that are customer-impacting or result in a data breach, undergo a full incident post-mortem.
Notifying customers for security or privacy incidents
Whenever Microsoft becomes aware of a breach of security involving unauthorized loss, disclosure, or modification of customer data, it notifies affected customers within 72 hours, as outlined in the Data Protection Addendum (DPA) of the Online Services Terms (OST). The notification timeline commitment begins when the official security incident declaration occurs. Upon declaring a security incident, the notification process proceeds as expeditiously as possible, without undue delay.
Reference: Microsoft Documentation, Doc 2