{"id":21135,"date":"2022-06-02T07:57:58","date_gmt":"2022-06-02T14:57:58","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=21135"},"modified":"2022-06-03T06:43:23","modified_gmt":"2022-06-03T13:43:23","slug":"defending-federal-systems-with-the-microsoft-sentinel-threat-analysis-response-solution","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/defending-federal-systems-with-the-microsoft-sentinel-threat-analysis-response-solution\/","title":{"rendered":"Defending Federal Systems with the Microsoft Sentinel Threat Analysis &#038; Response Solution"},"content":{"rendered":"<p><em>This blog is jointly authored by <a href=\"https:\/\/www.linkedin.com\/in\/lilidavoudian\/\">Lili Davoudian<\/a>, Senior Product Manager, Cloud &amp; AI Security; <a href=\"https:\/\/www.linkedin.com\/in\/ashwinrp\/\">Ashwin Patil<\/a>, Senior Security Researcher, Microsoft Threat Intelligence Center; and <a href=\"https:\/\/www.linkedin.com\/in\/ron-marsiano-86a8b644\/\">Ron Marsiano<\/a>, Senior Product Manager, Microsoft Sentinel.<\/em><\/p>\n<p>With the growing need for federal agencies to evaluate coverage of respective threat detection capabilities along with the need for adaptive solutions to evaluate and recommend analytics coverage within the MITRE ATT&amp;CK\u00ae framework \u2013 Microsoft now offers a singular place to manage your security coverage with the MITRE ATT&amp;CK\u00ae blade.<\/p>\n<p>Threat hunting programs also require dynamic threat modeling capabilities to understand where threats are maneuvering against workloads. 
Visibility is only half the battle, as incident response and remediation are required to mitigate threats ensuring organizations evolve defenses during each observed incident.<\/p>\n<p>Now, our Microsoft Sentinel: Threat Analysis &amp; Response Solution takes this a step further with two new workbooks designed to support development of threat hunting programs and dynamic threat modeling designed to identify, respond, harden, and remediate against threats.<\/p>\n<p><strong><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analyis-Image-1.gif\"><img decoding=\"async\" class=\"wp-image-21136 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analyis-Image-1-300x119.gif\" alt=\"Image Threat Analyis 8211 Image 1\" width=\"615\" height=\"244\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analyis-Image-1-300x119.gif 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analyis-Image-1-1024x405.gif 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analyis-Image-1-768x304.gif 768w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/a><\/strong><\/p>\n<p><strong>Watch the demo:<\/strong><\/p>\n<p><a href=\"https:\/\/youtu.be\/8Qb8p-WjpXY\"><img decoding=\"async\" class=\"wp-image-21141 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Blog-Featured-Image-300x159.png\" alt=\"Image Threat Analysis Blog Featured Image\" width=\"613\" height=\"325\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Blog-Featured-Image-300x159.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Blog-Featured-Image.png 589w\" sizes=\"(max-width: 
613px) 100vw, 613px\" \/><\/a><\/p>\n<h6 style=\"text-align: center;\"><em><span style=\"font-size: 8pt;\">In this video, we discuss and demo the Microsoft Sentinel: Threat Analysis &amp; Response Solution<\/span><\/em><\/h6>\n<p><strong>Key benefits<\/strong><\/p>\n<ul>\n<li>Proactive threat modeling (red vs. blue)<\/li>\n<li>Quantifiable framework for building threat hunting programs<\/li>\n<li>Monitoring &amp; alerting of security coverage, threat vectors, and blind spots<\/li>\n<li>Response via security orchestration automation and response (SOAR) playbooks<\/li>\n<li>Remediation with cloud security posture management (CSPM)<\/li>\n<li>Compliance alignment to NIST SP 800-53 controls<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2.png\"><img decoding=\"async\" class=\"wp-image-21137 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-300x155.png\" alt=\"Image Threat Analysis 8211 Image 2\" width=\"614\" height=\"317\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-300x155.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-1024x528.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-768x396.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-1536x791.png 1536w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-2-2048x1055.png 2048w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><\/a><\/p>\n<h6 style=\"text-align: center;\"><strong><em><span style=\"font-size: 8pt;\">Microsoft Sentinel: Threat Analysis &amp; Response Solution 
content<\/span><\/em><\/strong><\/h6>\n<p><strong>Solution content:<\/strong><\/p>\n<p><strong>Threat Analysis &amp; Response Workbook<\/strong><\/p>\n<p>Designed by the Microsoft Threat Intelligence Center, this workbook provides the foundation for building threat hunting programs. This workbook features recommended steps for getting started including resources for deploying analytics rules and hunting queries. Data Source Statistics provides an overview of which logs are ingested from respective sources which provides a starting point for determining utility of respective analytics rules. The Microsoft Sentinel GitHub section provides an overview of available analytics by alignment to respective tactics\/techniques. MITRE ATT&amp;CK Navigator Heatmap provides an assessment of coverage by tactic and technique areas which is valuable for evaluating the efficiency of organizational threat hunting programs.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3.png\"><img decoding=\"async\" class=\"wp-image-21138 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-300x158.png\" alt=\"Image Threat Analysis 8211 Image 3\" width=\"613\" height=\"323\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-300x158.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-1024x539.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-768x404.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-1536x809.png 1536w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-3-2048x1078.png 2048w\" sizes=\"(max-width: 
613px) 100vw, 613px\" \/><\/a><\/p>\n<h6 style=\"text-align: center;\"><em><span style=\"font-size: 8pt;\">Threat Analysis &amp; Response Workbook<\/span><\/em><\/h6>\n<p>&nbsp;<\/p>\n<p><strong>Dynamic Threat Analysis &amp; Response Workbook<\/strong><\/p>\n<p>The Dynamic Threat Analysis &amp; Response Workbook dynamically assesses attacks against your on-premises, cloud, and multi-cloud workloads. Attacks are categorized by the MITRE ATT&amp;CK for Cloud Matrix and evaluated against the analytics and incidents observed in Microsoft Sentinel. This provides pivots to evaluate attacks against specific users, assets, attacking IPs, countries, assigned analyst, and detecting product. Each tactic provides a respective control area composed of technique control cards. Technique Control Cards provide details of establishing coverage, evaluation of observed attacks, and defense recommendations aligned to NIST SP 800-53 controls. Observed attacks are addressed via Microsoft Sentinel Incidents for Investigation, Playbooks for Response, the MITRE ATT&amp;CK blade for Coverage, and Microsoft Defender for Cloud for Remediation.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4.png\"><img decoding=\"async\" class=\"wp-image-21139 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-300x101.png\" alt=\"Image Threat Analysis 8211 Image 4\" width=\"615\" height=\"207\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-300x101.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-1024x346.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-768x260.png 768w, 
https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-1536x520.png 1536w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-4-2048x693.png 2048w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/a><\/p>\n<h6 style=\"text-align: center;\"><span style=\"font-size: 8pt;\"><em>Dynamic Threat Modeling &amp; Response Workbook<\/em><\/span><\/h6>\n<p>&nbsp;<\/p>\n<p><strong>Microsoft Sentinel: MITRE ATT&amp;CK blade<\/strong><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/\">MITRE ATT&amp;CK<\/a> is a publicly accessible knowledge base of tactics and techniques commonly used by attackers, built and maintained from real-world observations. Many organizations use the MITRE ATT&amp;CK knowledge base to develop specific threat models and methodologies that are used to verify security status in their environments. Microsoft Sentinel analyzes ingested data, not only to detect threats and help you investigate, but also to visualize the nature and coverage of your organization&#8217;s security status.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5.png\"><img decoding=\"async\" class=\"wp-image-21140 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-300x123.png\" alt=\"Image Threat Analysis 8211 Image 5\" width=\"615\" height=\"252\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-300x123.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-1024x420.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-768x315.png 768w, 
https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-1536x630.png 1536w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2022\/06\/Threat-Analysis-Image-5-2048x839.png 2048w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/a><\/p>\n<h6 style=\"text-align: center;\"><em><span style=\"font-size: 8pt;\">Microsoft Sentinel: MITRE ATT&amp;CK blade<\/span><\/em><\/h6>\n<p><strong>Get started today<\/strong><\/p>\n<p>To get started, go to your Azure or Azure Government portal to access the solution:<\/p>\n<ul>\n<li>Microsoft Sentinel &gt; Content Hub &gt; Search \u201cThreat Analysis &amp; Response\u201d &gt; Install\n<ul>\n<li>Review Workbooks (\u201cDynamic Threat Modeling &amp; Response\u201d &amp; \u201cThreat Response &amp; Analysis\u201d)<\/li>\n<\/ul>\n<\/li>\n<li>Microsoft Sentinel &gt; MITRE ATT&amp;CK\n<ul>\n<li>Review Coverage<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Solutions\/ThreatAnalysis%26Response\">See ReadMe for prerequisites, feature details, and deployment guidance<\/a><\/li>\n<\/ul>\n<p><strong>Learn more about threat hunting with Microsoft Security<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/mitre-coverage\">Understand security coverage by the MITRE ATT&amp;CK\u00ae framework<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-sentinel-blog\/joint-forces-ms-sentinel-and-the-mitre-framework\/ba-p\/3191589\">Joint forces &#8211; MS Sentinel and the MITRE framework<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/06\/29\/mitre-attck-mappings-released-for-built-in-azure-security-controls\/\">MITRE ATT&amp;CK\u00ae mappings released for built-in Azure security controls<\/a><\/li>\n<\/ul>\n<h6><em><span style=\"font-size: 8pt;\">This solution demonstrates best practice guidance, but Microsoft does not guarantee nor 
imply compliance. All requirements, tactics, validations, and controls are governed by respective organizations. This solution provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements.<\/span><\/em><\/h6>\n","protected":false},"excerpt":{"rendered":"<p>This blog is jointly authored by Lili Davoudian, Senior Product Manager, Cloud &amp; AI Security; Ashwin Patil, Senior Security Researcher, Microsoft Threat Intelligence Center; and Ron Marsiano, Senior Product Manager, Microsoft Sentinel. With the growing need for federal agencies to evaluate coverage of respective threat detection capabilities along with the need for adaptive solutions to [&hellip;]<\/p>\n","protected":false},"author":16830,"featured_media":21141,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14,29],"tags":[75,216,315,3460,3465,502],"class_list":["post-21135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learning","category-security","tag-azure","tag-cybersecurity","tag-government","tag-microsoft-sentinel","tag-mitre","tag-security"],"acf":[],"blog_post_summary":"<p>This blog is jointly authored by Lili Davoudian, Senior Product Manager, Cloud &amp; AI Security; Ashwin Patil, Senior Security Researcher, Microsoft Threat Intelligence Center; and Ron Marsiano, Senior Product Manager, Microsoft Sentinel. 
With the growing need for federal agencies to evaluate coverage of respective threat detection capabilities along with the need for adaptive solutions to [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/21135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/16830"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=21135"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/21135\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/21141"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=21135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=21135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=21135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}