Detection & Analysis in Incident Response

Overview

The Detection & Analysis phase is a critical step in the Incident Response Process, as outlined by NIST 800-171 R2 and CMMC 2.0. This phase ensures that security teams promptly identify, classify, and respond to potential security incidents to minimize damage and prevent escalation.

Objectives:

  • Detect security incidents through Microsoft Sentinel and Microsoft Defender.
  • Classify incidents based on severity, impact, and recoverability.
  • Perform detailed forensic analysis using Microsoft security tools.
  • Enable timely incident reporting and escalation.

Detection & Analysis Action Items

  1. Determine whether an incident has occurred
     1.1 Analyze the precursors and indicators
     1.2 Look for correlating information
     1.3 Perform research (e.g., search engines, knowledge base)
     1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
  2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
  3. Report the incident to the appropriate internal personnel and external organizations

Incident Detection & Classification

Security incidents are detected through various signals, logs, and alerts generated by Microsoft’s security platforms. The key tools in the Microsoft ecosystem used in this phase are Microsoft Sentinel and Microsoft Defender for Endpoint.

Sources of Detection

Microsoft Defender for Endpoint

  • Real-time alerts from endpoint behavior anomalies.
  • AI-based threat detection of malware, ransomware, and suspicious scripts.
  • Automatic investigation and response workflows to identify potential threats.

Microsoft Defender for Cloud Apps

  • Real-time alerts from cloud app data anomalies.
  • Microsoft Purview integration utilizing Data Loss Prevention (DLP) policies to detect suspicious actions on sensitive data.
  • Automatic investigation and response workflows to identify potential threats.

Microsoft Defender for Office 365

  • Real-time alerts from email anomalies.
  • AI-based threat detection of email-based phishing, malicious URLs, malware, ransomware, and suspicious scripts.
  • Automatic investigation and response workflows to identify potential threats.

Microsoft Sentinel (SIEM & SOAR)

  • Aggregates logs and alerts from Microsoft 365 Defender, Entra ID, and other sources.
  • Uses advanced correlation rules and machine learning to detect complex threats.
  • Provides a unified view of threats across the entire environment.

Entra ID Identity Protection

  • Identifies and flags risky sign-ins and compromised accounts.
  • Generates alerts on impossible travel, unusual sign-in locations, and MFA bypass attempts.

Technical Steps for Detection & Analysis

Using Microsoft Sentinel for Incident Analysis

Microsoft Sentinel provides automated detection, log correlation, and threat hunting capabilities. The following steps outline how to leverage Sentinel for incident detection:

Step 1: Accessing Sentinel Logs

  1. Navigate to Microsoft Sentinel via Azure Portal.
  2. Select Log Analytics Workspace associated with Sentinel.
  3. Open Log Analytics and choose General > Logs.
  4. Run Kusto Query Language (KQL) queries to identify anomalies.

    Example KQL Query - Detecting Failed Logins:

    // Entra ID sign-in logs; ResultType holds the sign-in error code ("0" is a success)
    SigninLogs
    | where ResultType == "50125"
    // Count how many times each user/source IP pair produced this result
    | summarize count() by UserPrincipalName, IPAddress

Step 2: Reviewing Security Incidents

  1. In Sentinel, go to Incidents.
  2. Select an incident and review its correlation with other alerts.
  3. Investigate user actions using User and Entity Behavior Analytics (UEBA).

Step 3: Threat Hunting with Microsoft Sentinel

  1. Navigate to Threat Management > Hunting.
  2. Use predefined threat-hunting queries or create custom KQL queries.
  3. Identify compromised credentials, lateral movement, and persistent threats.
  4. If an active threat is detected, escalate to the Containment & Eradication phase.
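The failed-login query above counts single events; the custom hunting query below, an added example rather than one from this guide, goes a step further by correlating a burst of failed sign-ins from one IP with a later successful sign-in from the same IP, the shape a password-spray or brute-force attempt takes once it lands. The one-hour window and the threshold of ten failures are assumptions to tune per environment.

```kql
// Added example (not from the original guide): failed sign-ins from one IP followed
// by a success from that same IP within the lookback window.
// lookback and failure_threshold are assumed values; tune them to the environment.
let lookback = 1h;
let failure_threshold = 10;
// Step 1: source IPs with many failed or interrupted sign-ins
let failed_by_ip = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                  // any non-zero ResultType is not a clean success
    | summarize FailedAttempts = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType, 10)
              by IPAddress
    | where FailedAttempts >= failure_threshold;
// Step 2: successful sign-ins from those IPs that occurred after the failures began
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                      // successful sign-in
| join kind=inner (failed_by_ip) on IPAddress
| where TimeGenerated > FirstFailure
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          Location, FailedAttempts, TargetedUsers, FailureCodes, FirstFailure, LastFailure
| order by FailedAttempts desc
```

Each row is a candidate compromised account for Step 2 (incident review) and, if confirmed, for escalation to Containment & Eradication.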

Using Microsoft Defender for Endpoint for Threat Investigation

Microsoft Defender for Endpoint helps analyze security threats at the endpoint level.

Step 1: Accessing Defender for Endpoint

  1. Navigate to Microsoft Defender portal (GCC / GCC High).
  2. Go to Incidents & Alerts.
  3. Select the incident.

Step 2: Investigating Incidents

  1. Click on an incident to view details.
  2. Review device timeline to track suspicious activity.
  3. Inspect process execution details to determine malicious behavior.

Step 3: Automated Threat Investigation

  1. In the Microsoft Defender incident view, navigate to Automated Investigations.
  2. Review suggested remediation steps.
  3. Approve or dismiss automated remediation actions, if needed.

Step 4: Running Endpoint Queries

Using Advanced Hunting in Defender:

// Network events recorded by Defender for Endpoint
DeviceNetworkEvents
| where RemoteIP == "192.168.1.100"
// Bucket connections per device into hourly bins; grouping by the raw Timestamp
// would yield one row per event and defeat the aggregation
| summarize count() by DeviceName, bin(Timestamp, 1h)
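The query above shows when each device contacted the address; the following Advanced Hunting query, an added example and not part of this guide, pivots from the same sample IP to the initiating process, its path, hash and account, which is the process-execution detail Step 2 asks analysts to inspect. The seven-day window is an assumption.

```kql
// Added example (not from the original guide): which processes, on which devices and
// under which accounts, connected to the suspicious remote IP.
// The IP reuses the guide's sample value; the 7d window is an assumed choice.
let suspicious_ip = "192.168.1.100";
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == suspicious_ip
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemotePorts = make_set(RemotePort, 10),
            Accounts = make_set(InitiatingProcessAccountName, 10),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
          by DeviceName, InitiatingProcessFileName,
             InitiatingProcessFolderPath, InitiatingProcessSHA256
// Processes launched from user-writable locations deserve a closer look
| extend RunsFromUserPath = InitiatingProcessFolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\")
| order by RunsFromUserPath desc, Connections desc
```

The InitiatingProcessSHA256 column gives a value to check against threat intelligence, and the device and process names feed directly into the device timeline review in Step 2.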

Incident Classification Framework

Once an incident is detected, it must be classified based on severity and impact:

Severity Levels:

  High: System-wide impact, data exfiltration, or account compromise.
  Medium: Partial impact, unauthorized access attempts, persistent malware.
  Low: Minimal impact, false positives, or minor policy violations.

Response Actions by Severity:

  Containment
    High Severity: Immediate isolation
    Medium Severity: Monitor & restrict access
    Low Severity: Log & review
  Forensic Analysis
    High Severity: Full investigation
    Medium Severity: Partial analysis
    Low Severity: Limited analysis
  Reporting
    High Severity: Escalate to execs
    Medium Severity: Notify SOC team
    Low Severity: Document internally

Conclusion

The Detection & Analysis phase plays a crucial role in the Incident Response Process by identifying, categorizing, and prioritizing security incidents. By leveraging Microsoft Sentinel and Microsoft Defender for Endpoint, security teams can rapidly analyze threats, detect anomalies, and take decisive action to mitigate cyber risks.

Next Steps:

  • Configure Sentinel detection rules based on organization-specific threats.
  • Automate Microsoft Defender remediation for common threats.
  • Improve threat visibility by integrating Entra ID logs with Sentinel.