跳到主要內容

Prioritize and Respond to Alerts

Implementation Effort: Medium — Prioritizing and responding to alerts requires configuring alert rules, integrating with incident response tools, and training security teams to triage and act on alerts effectively.

User Impact: Low — These actions are performed by security teams and automation systems, with no direct impact on end users unless containment actions are triggered.

Overview

Microsoft Defender for Cloud provides real-time security alerts for services like App Service, Key Vault, and Resource Manager. These alerts are prioritized based on severity and mapped to the MITRE ATT&CK framework to help security teams understand the intent and impact of detected threats.

Alert Prioritization

  • Alerts are automatically classified by severity: High, Medium, or Low.
  • Prioritize High severity alerts first, especially those indicating active exploitation or lateral movement 1.
  • Use filters in the Security alerts blade to focus on recent or critical alerts (e.g., last 24 hours, specific resource types).

Investigation and Response

  1. Access Alerts:

    • Go to Microsoft Defender for Cloud > Security alerts.
    • Filter by service (App Service, Key Vault, Resource Manager) or severity.
  2. Investigate Alerts:

    • Select an alert to view its description, affected resources, and kill chain intent.
    • Use the Alert details tab to examine IPs, processes, and other indicators of compromise 1.
  3. Take Action:

    • Use the Take action tab to:
      • Inspect resource context (activity logs).
      • Apply manual remediation steps.
      • Trigger automated responses via Logic Apps.
      • Suppress false positives if needed 1.
  4. Integrate with SIEM/SOAR:

    • Stream alerts to Microsoft Sentinel or other SIEM/SOAR platforms for centralized monitoring and orchestration 1.

These practices align with the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by ensuring that every alert is investigated and responded to with full context and automation where possible.

Reference