Monday 16th November 2020
Automated Investigation and Remediation in Microsoft Defender Security Center
Source: John Maton, Cyber Security Analyst at Satisnet
Defender for Endpoint is a security solution that offers many endpoint detection and response (EDR) capabilities, giving an analyst the ability to investigate complex incidents in detail. However, many of the alerts received involve numerous entities to examine, and these often take up most of an analyst’s time. We cannot tune these alerts out, as they may be just as important as any other alert, but by spending large amounts of time on them there is less time for security analysts to deal with potentially more sophisticated attacks or to make the judgments only a human can make. This is where Automated Investigation and Remediation (AutoIR) comes in. AutoIR functions like an analyst for the more mundane aspects of responding to an alert. It works through the ideal investigation steps, presents a full log of its activity and documents any evidence collected. If there are remediation steps that need to be taken, these can also be taken automatically or presented for manual approval. This allows an analyst to see at a glance what has been done, resolve substantially more alerts, and spend additional time on the most important aspects of the job.
AutoIR sits in a specific space within Defender for Endpoint, and it can be easy to mistake its capabilities. It is not to be viewed as a replacement for the trained eye of a human analyst, but instead as an assistant to accelerate the process. Analysts remain important not only to approve certain actions, which provides responsibility and accountability, but also to give the human perspective on more important or nuanced incidents which are beyond the ability of AutoIR to handle independently.
If you have an E5 license (or equivalent), enabling AutoIR is as simple as going to Settings > General > Advanced features and enabling the following settings:
- Automated Investigation
- Automatically resolve alerts
With AutoIR enabled, by default all devices will be ‘Ungrouped’. By going to Settings > Permissions > Device groups you can create groups for your different devices based on how you want to have remediation done for each. The level of automation can be controlled granularly from ‘Full – remediate threats automatically’ to ‘No automated response’. Between these options are three semi-automated options to a) require approval for any remediation, b) require approval for core folders, or c) require approval for non-temp folders.
From the analysts’ perspective, these semi-automated options will present themselves in the Action Center (Automated investigations > Action Center > Pending).
From here, any pending actions can be accepted or rejected, and there is full transparency for identifying what actions have been taken and who has authorised them.
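To make the device-group automation levels above concrete, here is a small added model (not Microsoft's code or the product's actual rules) of how a remediation action for a file either runs automatically or lands in Action Center > Pending, depending on the group's level and the folder the file sits in. The temp and core folder patterns are illustrative assumptions, not the exact definitions Defender for Endpoint uses.

```python
import re
from enum import Enum


class Level(Enum):
    """Automation levels as named in Settings > Permissions > Device groups."""
    FULL = "Full - remediate threats automatically"
    SEMI_ANY = "Semi - require approval for any remediation"
    SEMI_CORE = "Semi - require approval for core folders remediation"
    SEMI_NON_TEMP = "Semi - require approval for non-temp folders remediation"
    NONE = "No automated response"


# Assumed folder classes for this example (illustrative, not the product's list).
# Temp patterns are checked first so C:\Windows\Temp is 'temp', not 'core'.
TEMP_PATTERNS = [
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"^[a-z]:\\windows\\temp\\",
]
CORE_PATTERNS = [
    r"^[a-z]:\\windows\\",
    r"^[a-z]:\\program files( \(x86\))?\\",
]


def classify(path):
    """Return 'temp', 'core' or 'other' for a Windows file path (case-insensitive)."""
    p = path.lower()
    if any(re.match(t, p) for t in TEMP_PATTERNS):
        return "temp"
    if any(re.match(c, p) for c in CORE_PATTERNS):
        return "core"
    return "other"


def decide(level, path):
    """'auto': remediated without asking; 'pending': waits in Action Center > Pending;
    'none': AutoIR takes no remediation action for this device group."""
    if level is Level.NONE:
        return "none"
    if level is Level.FULL:
        return "auto"
    folder = classify(path)
    if level is Level.SEMI_ANY:
        return "pending"
    if level is Level.SEMI_CORE:
        return "pending" if folder == "core" else "auto"
    if level is Level.SEMI_NON_TEMP:
        return "auto" if folder == "temp" else "pending"
    raise ValueError(f"unknown level: {level}")
```

Running `decide` over the same suspicious path for each group level shows why a file in a user's Temp folder is cleaned up silently under option c) but still queued for approval under option a).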
The automated investigations themselves are similarly transparent to the analyst. They can be found in the tab of the same name. Once here, you will see a list of each investigation which has taken place or is still in progress. Each will have a unique number and information about its status, the alert that triggered it, as well as the entities involved and the timings of the investigation. Ongoing investigations can be stopped by selecting them and clicking ‘Cancel’ in the side pane which appears. You can also open the investigation page from here or by clicking on the investigation.
If you choose to cancel an investigation, you will need to provide a reason for doing so. This provides a record of what an analyst has done in case this needs to be reviewed at a later date.
An analyst will usually want to look at what steps the investigation has taken and what has been found. After opening the investigation page, the investigation details are still displayed in brief, and the investigation graph is presented. The investigation graph is a diagram of the steps taken and an overview of what the investigation discovered. It always begins with the alert that triggered the investigation, or, if the investigation was started manually, this is displayed instead. You can still click here to see the original alert as well. As well as alerts, the investigation graph shows devices, entities, evidence and the result. All of these except the result can be clicked on, taking you to the appropriate tab with the full details. You can also click on the tabs themselves.
Clicking the central node in the diagram, or the ‘Log’ tab provides a more granular breakdown of exactly what the investigation has done and when. Each entry can be drilled down on further, bringing up a side pane with the raw JSON input and output data.
As an analyst, you are most likely concerned with the evidence the investigation has found in the Evidence tab, which could consist of files, IP addresses, processes and so forth. If you want to find these entities within the logs or search for where else they may have been seen, you can click ‘Go hunt’. This will open a new tab in the ‘Advanced hunting’ section of Defender for Endpoint (which is worth covering separately). Another thing you can do is add rules to determine whether the entity should be blocked, allowed or alerted on if encountered again. In the case of a file, the option is ‘Add Allowed/Blocked list rule for this file’. This presents a simple wizard to walk through and ensure the file is always remediated (blocked) or skipped (allowed) as appropriate. If unsure which action should be taken here, you would select ‘Open file page’ first to view details for the file, including its VirusTotal detection ratio and so on.
Finally, you will also come across AutoIR within the alert page of many alerts. Some alert types are unsupported, and this will be indicated if it is the case. The alert page presents a summary of the investigation results in the side pane as shown. To get to the investigation from here you need to click on the ID number.
As alerts make up incidents, you will also find these investigations within incident pages under the ‘Investigations’ tab, where they can be navigated in the same way as has been described.
One additional use of AutoIR which may not have been intended is that a new analyst can learn a lot about the process by examining how an automated investigation has been conducted, since this can be treated as a model investigation.
In conclusion, AutoIR is one of the key parts of Defender for Endpoint which should always be enabled where possible and made use of by analysts. It allows in many cases for appropriate remediation steps to be taken in a timely manner rather than remain in a queue for a long period of time without attention and functions as a useful support to a SOC team without taking away from the value the team itself provides.