Microsoft 365 Detect

InLigo’s Cybersecurity Framework: Microsoft 365 Identity – DETECT Anomalies and Events

InLigo security guidelines and Microsoft 365 solutions that help strengthen your cybersecurity posture.

Anomalies and Events 

An anomaly is any deviation from the established baseline of communication on a network. Anomalies include malware and cyberattacks as well as faulty data packets and communication changes caused by network problems, capacity bottlenecks, or equipment failures. Anomalies are detected by scanning user activity. Risk is evaluated against over 30 different risk indicators, grouped into the following risk factors:

  • Risky IP address 
  • Login failures 
  • Admin activity 
  • Inactive accounts 
  • Location 
  • Impossible travel 
  • Device and user agent 
  • Activity rate 

InLigo can guide you through best practices for building out a proper anomaly detection policy.


Anomalies and Events

Anomalous activity is detected in a timely manner and the potential impact of events is understood.

InLigo’s Discovery Questions

  1. What is your average response time on threats that are detected?
  2. What kind of reporting do you get on targeted attacks and the methods used?
  3. What are all of your data points for security detection (Microsoft, third-party AV, etc.)?
  4. Do you understand the impacts of a breach?
  5. What alerts do you have in place for high-level threats?
  6. Are these alerts automated to create a ticket in a ticketing system?

Microsoft 365 Solution 

  • Security Center, Microsoft Defender and Data Loss Prevention
  • Enhanced Filtering
  • DMARC/DKIM

Business Case 

You use a third-party AV/AS (anti-virus/anti-spam) provider such as Webroot or Proofpoint and want to bundle in ATP from Microsoft. You want to fully leverage Microsoft's Security Graph and machine learning capabilities on the messages that are relayed to Microsoft 365 through the connector you set up. Configuring enhanced filtering on that connector gives you the skip-listing functionality you need (filtering evaluates the original sender's IP rather than your provider's relay) to improve detection.

Action Items 

  • Review the Threat Management Dashboard in the admin center.
  • Send reports covering email sent/received, malware prevented, Safe Links/Safe Attachments quarantines, impersonation attempts, and spoofed domains.
  • Set up a policy for Defender Safe Links and Safe Attachments.
  • Set up a policy for anti-phishing.
  • If you are using a third-party provider for anti-virus protection such as Webroot or Proofpoint, set up enhanced filtering on the inbound connector.
  • Implement DMARC and DKIM.
  • Configure a DLP policy in the Security Center to protect sensitive data.
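The enhanced filtering step from the business case and action items above, shown in Exchange Online PowerShell as an added example (not InLigo's or Microsoft's own code). The connector name and gateway IP addresses are placeholders; it assumes the ExchangeOnlineManagement module is installed and the connector already identifies your provider by IP or certificate.

```powershell
# Enable Enhanced Filtering for Connectors so Exchange Online Protection evaluates the true
# source IP of relayed mail instead of the third-party gateway's IP.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ConnectorName = "Inbound from Proofpoint"        # placeholder: your inbound connector's name
$GatewayIPs    = @("192.0.2.10", "192.0.2.11")     # placeholder: your provider's egress IPs (documentation range)

# Check: list inbound connectors that still have no skip listing configured.
Get-InboundConnector |
    Where-Object { -not $_.EFSkipLastIP -and -not $_.EFSkipIPs } |
    Select-Object Name, ConnectorType, SenderIPAddresses, EFSkipLastIP, EFSkipIPs

# Option A: skip only the provider's known IPs (preferred when its egress IPs are fixed).
Set-InboundConnector -Identity $ConnectorName -EFSkipIPs $GatewayIPs -EFSkipLastIP $false

# Option B: automatically skip the last hop (use when the provider's IPs change or are unknown).
# Set-InboundConnector -Identity $ConnectorName -EFSkipLastIP $true

# Verify the change took effect before relying on the improved detection.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, EFSkipLastIP, EFSkipIPs, EFUsers
```

Leave EFUsers empty to apply enhanced filtering to all recipients; set it only while piloting with a subset of mailboxes.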