
MCSB v2 - Incident Response

Columns: Control ID | Implementation ID | Control Name | Control Type | Core Pillar | Azure Policy | Security Principle | Risk to mitigate | MITRE ATT&CK | Implementation example | Criticality | NIST SP 800-53 Rev.5 | PCI-DSS v4 | CIS Controls v8.1 | NIST CSF v2.0 | ISO 27001:2022 | SOC 2
IR-1: Preparation - update incident response plan and handling process
Control type: Parent
Core pillar: Prepare for incident response
Azure Policy: No Azure Policy available
Security principle: Develop and maintain comprehensive incident response plans specifically tailored for Azure environments, incorporating the shared responsibility model, cloud-native investigation capabilities, and automated response tools. Regularly test response procedures through tabletop exercises and simulations to ensure effectiveness and continuous improvement.
Risk to mitigate: Organizations operating without comprehensive incident response plans face devastating consequences when security incidents occur, leading to prolonged business disruption, regulatory violations, and permanent damage to customer trust.
Without systematic incident response preparation:
- Chaotic crisis response: Lack of procedures, roles, and channels leads to confusion, delays, and ineffective action, extending dwell time and amplifying damage.
- Inadequate cloud-specific procedures: Traditional plans miss the cloud shared responsibility model, investigation tools, and cloud forensics, causing incomplete response and evidence loss.
- Missing stakeholder coordination: Absent communication protocols with cloud service providers, regulators, customers, and internal teams create delays, violations, and reputational harm.
- Untested response capabilities: Organizations discover gaps in tools, skills, and procedures during actual incidents rather than controlled testing environments, leading to failed containment and extended recovery times.
- Regulatory compliance failures: Industries subject to incident notification requirements (HIPAA, PCI-DSS, GDPR, SOX) cannot meet mandatory reporting timelines without doc
MITRE ATT&CK:
- Defense Evasion (TA0005): impair defenses (T1562) exploiting gaps in incident response procedures to operate longer without detection or effective containment.
- Impact (TA0040): data destruction (T1485) causing maximum damage when organizations lack rapid response capabilities for backup restoration and system recovery.
- Collection (TA0009): data staged for exfiltration (T1074) taking advantage of delayed detection and response to complete data theft operations.
Implementation example: A healthcare organization implemented comprehensive Azure incident response preparation to meet HIPAA requirements and protect patient data with documented procedures and trained response teams.
Challenge: Healthcare organization lacked Azure-specific incident response procedures and structured team assignments, creating risk of delayed response during patient data breaches and potential HIPAA violations with unclear escalation paths.
Solution approach:
- Developed Azure-specific incident response plan incorporating HIPAA breach notification requirements and Microsoft collaboration procedures for patient data incidents
- Established incident response team with Azure security specialists certified in Microsoft Sentinel investigation and Azure forensics
- Configured Microsoft Defender for Cloud security contacts with 24/7 notification and automated escalation to legal teams for HIPAA breaches
- Implemented quarterly tabletop exercises using Azure Attack Simulation scenarios for ransomware, data exfiltration, and insider threats
- Created evidence collection procedures for Azure services including VM snapshot automation, Azure Monitor log export, and Microsoft Entra ID audit preservation
- Established Microsoft collaboration workflows for engaging Microsoft Support during Azure platform incidents
Outcome: Achieved comprehensive HIPAA-compliant incident response capability with documented procedures, trained teams, and 24/7 response coverage. Quarterly exercises validated response effectiveness and identified continuous improvement opportunities.
Criticality: Must have
NIST SP 800-53 Rev.5: IR-1, IR-1(1), IR-2, IR-2(1), CP-2, CP-2(1)
PCI-DSS v4: 12.10.1, 12.10.2
CIS Controls v8.1: 17.1, 17.2, 17.3
NIST CSF v2.0: PR.IP-9, PR.IP-10, RS.CO-1
ISO 27001:2022: A.5.24, A.5.25, A.5.26, A.5.27
SOC 2: CC9.1, A1.1
IR-1.1: Develop Azure-specific incident response plans
Control type: Child (of IR-1)
Core pillar: Prepare for incident response
Azure Policy: No Azure Policy available
Security principle: Develop and maintain comprehensive incident response plans specifically tailored for Azure environments, incorporating the shared responsibility model, cloud-native investigation capabilities, and automated response tools. Regularly test response procedures through tabletop exercises and simulations to ensure effectiveness and continuous improvement.
Generic incident response plans fail in cloud environments where shared responsibility models, API-based evidence collection, and service provider collaboration requirements differ fundamentally from traditional datacenter incident handling. Azure-specific response procedures must address cloud-native capabilities like VM snapshots, network flow logs, and resource isolation through automation rather than physical network disconnection. Clear documentation of Microsoft collaboration processes ensures security teams know when and how to engage platform support during incidents requiring vendor assistance, preventing delayed response from uncertainty about escalation procedures.
Establish cloud-aware incident response through Azure-specific planning: Develop comprehensive incident response plans addressing Azure environments, the shared responsibility model, and cloud-native security capabilities. Microsoft Defender for Cloud and Microsoft Sentinel provide integrated incident response capabilities.
Azure incident response plan development:
- Shared responsibility model integration: Clear delineation of responsibilities between Microsoft and customer for different service types (IaaS, PaaS, SaaS) in incident response activities using the Azure shared responsibility model.
- Azure-native investigation capabilities: Leveraging Azure Monitor logs, Microsoft Entra ID audit logs, Microsoft Entra ID sign-in logs, Network Security Group flow logs, and Microsoft Defender for Cloud alerts for comprehensiv
IR-1.2: Establish incident response team structure and training
Control type: Child (of IR-1)
Core pillar: Prepare for incident response
Azure Policy: No Azure Policy available
Security principle: Develop and maintain comprehensive incident response plans specifically tailored for Azure environments, incorporating the shared responsibility model, cloud-native investigation capabilities, and automated response tools. Regularly test response procedures through tabletop exercises and simulations to ensure effectiveness and continuous improvement.
Incident response effectiveness depends critically on team member expertise with Azure-specific investigation techniques, log analysis capabilities, and cloud service architectures that differ from traditional infrastructure skills. Clearly defined roles prevent responsibility gaps and decision-making delays during high-pressure incidents when ambiguity about authority causes response paralysis. Specialized training in cloud-native investigation tools and procedures transforms general security analysts into Azure incident responders capable of rapid evidence collection and containment actions using platform capabilities.
Build Azure incident response capability through specialized team structure: Establish dedicated incident response teams with clearly defined roles, responsibilities, and decision-making authority for Azure environments. Microsoft Security Academy and Microsoft Defender for Cloud training materials provide specialized cloud incident response training.
Azure-focused team structure:
- Cloud security analysts: Specialized in Azure security services, log analysis, and cloud-native investigation techniques
- Azure solution architects: Understanding of Azure service configurations, network topologies, and architectural security implications
- Legal and compliance representatives: Knowledge of cloud-specific regulatory requirements and Microsoft collaboration procedures
- Business continuity coordinators: Expertise in Azure disaster recovery, backup restoration, and service continuity
IR-2: Preparation - setup incident notification
Control type: Parent
Core pillar: Prepare for incident response
Azure Policy:
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Subscriptions should have a contact email address for security issues
Security principle: Establish comprehensive incident notification systems with automated triggering, appropriate stakeholder contact lists, and integration with Microsoft security services to ensure rapid, accurate, and compliant incident communication across all required parties.
Risk to mitigate: Inadequate incident notification systems create critical delays that amplify security incident impact, violate regulatory requirements, and undermine stakeholder trust.
Without proper notification infrastructure:
- Delayed stakeholder awareness: Executives, legal teams, and responders remain unaware, preventing timely decisions and resource allocation.
- Regulatory violations: Missed notification timelines (GDPR 72-hour, HIPAA 60-day, PCI-DSS immediate) trigger fines and sanctions. (References: GDPR Articles 33/34, HIPAA Breach Notification Rule, PCI-DSS.)
- Ineffective cloud provider collaboration: Failure to properly configure cloud security contacts prevents collaboration with cloud provider security response teams during platform-level incidents or when provider assistance is required.
- Customer trust erosion: Delayed or inadequate customer notification during incidents involving personal data or service disruptions damages relationships and creates legal exposure.
- Uncoordinated response efforts: Lack of automated notification triggers and escalation procedures results in fragmented response efforts with multiple teams working without coordination or situational awareness.
- Delayed response coordin
MITRE ATT&CK:
- Command and Control (TA0011): application layer protocol (T1071) maintaining command and control channels longer when delayed stakeholder notification prevents coordinated network-level containment actions.
- Exfiltration (TA0010): exfiltration over C2 channel (T1041) completing data theft during notification and escalation delays before cross-team coordination enables effective blocking.
- Impact (TA0040): data encrypted for impact (T1486) spreading ransomware across multiple systems while delayed notification prevents rapid isolation and backup recovery coordination.
Implementation example: A financial services company implemented comprehensive external and internal incident notification to meet SOX compliance requirements and ensure rapid stakeholder communication during security incidents affecting trading systems and customer data.
Challenge: Financial services company lacked automated stakeholder notification during security incidents affecting trading systems, creating risk of delayed regulatory reporting to SEC/FINRA and potential SOX compliance violations with manual notification processes prone to errors.
Solution approach:
- Configured Microsoft Defender for Cloud security contacts with primary and secondary contacts providing 24/7 coverage across global trading centers
- Implemented Azure Logic Apps workflows for automated external notifications including SEC incident reporting, FINRA breach notification, and customer data breach communication with pre-approved templates
- Created Microsoft Sentinel Playbooks with a stakeholder matrix for internal notifications to legal teams, compliance officers, and executives, plus external notifications to regulators, affected customers, and business partners
- Established regulatory notification templates for SEC Form 8-K filings, state attorney general breach notifications, and PCI-DSS acquirer notification with automated trigger conditions based on incident severity and data exposure
- Configured customer notification workflows with automated email generation for data breach notifications meeting state law requirements with legal review approvals
- Implemented ticket system integration with automated ticket creation for internal response coordination and external stakeholder tracking for regulatory filing deadlines
Outcome: Substantially reduced incident notification time with automated regulatory reporting ensuring SOX compliance. Pre-approved templates and automated workflows eliminated manual errors in stakeholder communication and ensured consistent regulatory filing procedures.
Criticality: Must have
NIST SP 800-53 Rev.5: IR-2, IR-2(1), IR-2(2), IR-4(2), IR-6
PCI-DSS v4: 12.10.1, 12.10.3
CIS Controls v8.1: 17.4, 17.5
NIST CSF v2.0: RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4
ISO 27001:2022: A.5.24, A.5.26, A.5.28
SOC 2: CC9.1, A1.1
IR-2.1: Configure Microsoft security contact information
Control type: Child (of IR-2)
Core pillar: Prepare for incident response
Azure Policy:
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Subscriptions should have a contact email address for security issues
Security principle: Establish comprehensive incident notification systems with automated triggering, appropriate stakeholder contact lists, and integration with Microsoft security services to ensure rapid, accurate, and compliant incident communication across all required parties.
Security incidents requiring Microsoft platform-level intervention fail when outdated or incorrect contact information prevents provider notification, delaying critical response actions only the cloud vendor can perform. Verified 24/7-reachable security contacts enable Microsoft to immediately notify customers of platform vulnerabilities, service disruptions, or detected compromise patterns requiring coordinated response. Multi-channel communication methods and backup contacts ensure incident notifications reach appropriate personnel regardless of primary contact availability, time zone differences, or communication infrastructure failures.
Enable Microsoft collaboration through verified security contacts: Configure security contact information in Microsoft Defender for Cloud and establish comprehensive contact management so Microsoft can reach appropriate personnel during incidents requiring collaboration or platform-level response.
Microsoft Defender for Cloud security contacts:
- Primary security contact: 24/7 reachable security team representative with incident response authority and decision-making capability
- Secondary contact configuration: Backup contacts with geographic distribution for global organizations ensuring coverage across time zones
- Role-based contact assignment: Separate contacts for different incident types including data breaches, platform vulnerabilities, and service disruptions
- Contact verification procedures: Regular testing of contact information through Microso
IR-2.2: Implement automated notification workflows
Control type: Child (of IR-2)
Core pillar: Prepare for incident response
Azure Policy:
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Subscriptions should have a contact email address for security issues
Security principle: Establish comprehensive incident notification systems with automated triggering, appropriate stakeholder contact lists, and integration with Microsoft security services to ensure rapid, accurate, and compliant incident communication across all required parties.
Manual notification processes introduce critical delays during security incidents when minutes matter for containment effectiveness, with human bottlenecks in stakeholder identification and communication preventing rapid response mobilization. Automated workflows eliminate notification latency by instantly routing alerts to appropriate personnel based on incident characteristics, severity, and regulatory requirements without manual determination. Severity-based escalation ensures leadership awareness of critical incidents while filtering routine alerts, maintaining executive attention for genuine business-impacting events rather than flooding leadership with security noise.
Accelerate incident mobilization through notification automation: Implement Azure Logic Apps and Microsoft Sentinel Playbooks to automate incident notification workflows with stakeholder targeting, severity-based escalation, and regulatory compliance triggers.
Automated notification implementation:
- Logic Apps workflow automation: Triggered notification workflows based on security alert severity, affected resource types, and business impact assessment
- Microsoft Sentinel Playbook integration: Automated investigation and notification playbooks with enrichment capabilities and stakeholder determination logic (see Sentinel playbooks).
- Stakeholder matrix configuration: Role-based notification targeting including security teams, legal counsel, executive leadership, and compliance officers
- Severity-based escalation: Automated
IR-3: Detection and analysis - create incidents based on high-quality alerts
Control type: Parent
Core pillar: Detect, analyze, and investigate incidents
Azure Policy:
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected MySQL flexible servers
- Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Azure Defender for open-source relational databases should be enabled
- Azure Defender for servers should be enabled
- Microsoft Defender CSPM should be enabled
- Microsoft Defender for APIs should be enabled
- Microsoft Defender for Containers should be enabled
- Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces
- Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers
- Microsoft Defender for Storage should be enabled
- SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan
Security principle: Implement high-quality alert generation through advanced analytics, threat intelligence integration, and continuous tuning to minimize false positives while ensuring comprehensive coverage of genuine security threats. Establish automated incident creation workflows with appropriate enrichment and escalation procedures.
Risk to mitigate: Poor alert quality creates operational inefficiency that undermines security operations effectiveness, leading to missed threats, analyst burnout, and degraded incident response capabilities.
Without high-quality alert generation:
- Alert fatigue from false positives: Analysts become overwhelmed, leading to decreased attention, missed genuine threats, and delayed response.
- Critical threats buried in noise: High-priority incidents disappear in alert volume, preventing timely detection and response.
- Inefficient resource allocation: Security teams waste time investigating false positives and low-priority alerts instead of focusing on genuine threats requiring immediate attention and skilled analysis.
- Delayed threat detection and response: Poor signal-to-noise ratio extends Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), allowing attackers more time to achieve objectives and cause damage.
- Inadequate threat intelligence integration: Alerts lack contextual information, threat intelligence correlation, and risk scoring, preventing proper prioritization and effective response planning.
- Inconsistent incident creation: Manual or ad-hoc incident creation processes result in missed escalations,
MITRE ATT&CK:
- Defense Evasion (TA0005): masquerading (T1036) blending malicious activities with normal operations to avoid detection by poorly tuned alert systems.
- Persistence (TA0003): valid accounts (T1078) using legitimate credentials to perform malicious activities that may not trigger well-configured alerts for anomalous behavior.
- Collection (TA0009): automated collection (T1119) conducting systematic data collection over extended periods when alert fatigue prevents detection of subtle anomalies.
Implementation example: An organization implemented advanced alerting and automated incident creation to improve threat detection accuracy and ensure rapid response to security incidents, reducing false positive rates while maintaining comprehensive coverage.
Challenge: Organization experienced high false positive rates from security alerts causing alert fatigue and delayed response to genuine threats, with manual incident creation processes creating inconsistent investigation scope and missed security events.
Solution approach:
- Enabled Microsoft Defender for Cloud comprehensive protection including Defender for Servers, Storage, and Key Vault with customized alert thresholds
- Configured Microsoft Sentinel analytics rules with organization-specific threat patterns including unauthorized data access, unusual database queries, and anomalous authentication patterns
- Implemented automated incident creation with intelligent grouping reducing incident volume while ensuring comprehensive investigation scope for related security events
- Deployed entity enrichment automatically correlating user accounts with Microsoft Entra ID groups, privileged access levels, and historical security incidents
- Created automated playbooks for incident investigation including evidence collection, stakeholder notification, and regulatory reporting workflows
- Established SLA monitoring tracking incident response times with automated escalation for delayed responses
Outcome: Substantially reduced false positive rates through alert tuning while maintaining comprehensive threat coverage. Automated incident creation significantly reduced investigation time, with intelligent alert grouping and entity enrichment improving investigation efficiency.
Criticality: Must have
NIST SP 800-53 Rev.5: SI-4, SI-4(1), SI-4(2), SI-4(4), IR-4(1), IR-5
PCI-DSS v4: 5.3.2, 10.6.1, 10.6.2, 11.5.1
CIS Controls v8.1: 8.11, 13.1, 13.2, 17.4
NIST CSF v2.0: DE.CM-1, DE.CM-4, DE.CM-7, DE.AE-1, DE.AE-2
ISO 27001:2022: A.8.16, A.5.24, A.5.26
SOC 2: CC7.2, CC7.3
IR-3.1: Configure Microsoft Defender XDR for unified threat detection
Control type: Child (of IR-3)
Core pillar: Detect, analyze, and investigate incidents
Azure Policy: the same Defender plan policies listed under IR-3 (from "Azure Defender for App Service should be enabled" through "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan")
Security principle: Implement high-quality alert generation through advanced analytics, threat intelligence integration, and continuous tuning to minimize false positives while ensuring comprehensive coverage of genuine security threats. Establish automated incident creation workflows with appropriate enrichment and escalation procedures.
Isolated security signals from individual products generate overwhelming alert volumes without revealing complete attack narratives, forcing analysts to manually correlate disconnected events while adversaries progress through attack chains. Extended detection and response transforms fragmented alerts into unified incidents by correlating signals across endpoints, identities, email, and cloud applications to expose full attack stories that single-product detection cannot identify. Automated investigation and remediation respond to threats at machine speed rather than human-limited analysis pace, containing attacks within minutes instead of hours while analysts investigate complex cases.
Detect coordinated attacks through cross-platform signal correlation: Implement Microsoft Defender XDR (Extended Detection and Response) as the primary unified security platform for comprehensive threat detection across Microsoft 365 workloads including endpoints, identities, email, and cloud applications. Defender XDR automatically correlates alerts from multiple sources into unified incidents for streamlined investigation and response.
Microsoft Defender XDR core capabilities:
- Unified incident management: Automatic correlation of alerts across Microsoft Defender for Endpoint, Identity, Microsoft 365, and Cloud Apps into single incidents with complete attack story visualization
- Automated Investigation and Response (AIR): AI-powered automated investigation examining alerts and taking immediate reme
IR-3.2: Configure Microsoft Defender for Cloud advanced alerting
Control type: Child (of IR-3)
Core pillar: Detect, analyze, and investigate incidents
Azure Policy: the same Defender plan policies listed under IR-3 (from "Azure Defender for App Service should be enabled" through "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan")
Security principle: Implement high-quality alert generation through advanced analytics, threat intelligence integration, and continuous tuning to minimize false positives while ensuring comprehensive coverage of genuine security threats. Establish automated incident creation workflows with appropriate enrichment and escalation procedures.
Defender XDR detects sophisticated attacks, but optimizing alert quality requires configuration tuning to minimize false positives while maintaining comprehensive threat coverage across Azure infrastructure and workloads. Advanced alerting with AI-powered analysis separates genuine threats from benign operational activities, preventing the alert fatigue that causes analysts to miss critical warnings amid noise. Integration with incident management platforms transforms raw alerts into actionable security events with appropriate stakeholder routing and response orchestration.
Optimize Azure infrastructure threat detection through advanced alerting: Implement Microsoft Defender for Cloud with advanced alerting and proper tuning to generate high-quality security alerts for Azure infrastructure and workloads with minimal false positives. Defender for Cloud provides AI-powered threat detection across Azure resources with continuous learning.
Advanced alerting configuration:
- Defender plan enablement: Enable appropriate Defender plans including Defender for Servers, Defender for App Service, Defender for Storage, Defender for Containers, and Defender for Key Vault based on workload types
- Threat intelligence integration: Automatic correlation with Microsoft threat intelligence feeds, global attack signatures, and known malicious indicators for enhanced detection accuracy
- Machine learning behavioral analytics: AI-powered behavioral analysis detecting anomalous activities such as unusual login pat
IR-3.3: Implement automated incident creation and enrichment
Control type: Child (of IR-3)
Core pillar: Detect, analyze, and investigate incidents
Azure Policy: the same Defender plan policies listed under IR-3 (from "Azure Defender for App Service should be enabled" through "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan")
Security principle: Implement high-quality alert generation through advanced analytics, threat intelligence integration, and continuous tuning to minimize false positives while ensuring comprehensive coverage of genuine security threats. Establish automated incident creation workflows with appropriate enrichment and escalation procedures.
Security alerts that are generated but not transformed into managed incidents create disconnected investigation workflows where critical context, stakeholder assignments, and response tracking remain manual processes prone to human error and delays. Automated incident creation consolidates related alerts into unified cases with intelligent enrichment that adds threat intelligence, user context, and asset criticality before analyst review. Classification automation and stakeholder assignment ensure incidents immediately route to appropriate teams based on threat characteristics and business impact rather than waiting for manual triage decisions.
Transform alerts into actionable incidents through automation: Implement Microsoft Sentinel automated incident creation with intelligent enrichment, classification, and stakeholder assignment for consistent management and response effectiveness.
Automated incident creation:
- Analytics rule configuration: Comprehensive analytics rules for converting high-quality alerts into incidents with appropriate severity levels and classification criteria
- Incident grouping logic: Intelligent grouping of related alerts into single incidents to prevent fragmentation and ensure comprehensive investigation scope
- Entity mapping and enrichment: Automatic extraction and mapping of entities (users, hosts, IP addresses, files) with enrichment from threat intelligence and historical data
- Severity scoring and prioritization: Automated severity scoring based on multiple factors
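The following Python script is an added example, not code from MCSB, Microsoft Sentinel or any Microsoft product: it models the IR-3.3 steps above (grouping related alerts into one incident by shared entity within a time window, enriching with user and asset criticality, scoring severity) and then applies the IR-2.2 severity-based stakeholder matrix to decide which roles are notified. The alerts, entity names, privileged-user and critical-asset sets, window length and matrix thresholds are all constructed assumptions.

```python
"""Alert-to-incident pipeline (constructed example, not Sentinel's own logic):
group alerts that share an entity, enrich, score severity, route notifications."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed enrichment context standing in for Entra ID group / CMDB lookups.
PRIVILEGED_USERS = {"admin.jane"}
CRITICAL_HOSTS = {"sql-prod-01"}

# Constructed stakeholder matrix: lowest incident severity each role is notified at.
STAKEHOLDER_MATRIX = {"soc-oncall": "Low", "legal": "High", "ciso": "High"}


@dataclass
class Alert:
    id: str
    time: datetime
    severity: str
    entities: frozenset  # entity keys such as "user:admin.jane", "host:sql-prod-01"


@dataclass
class Incident:
    id: str
    severity: str = "Informational"
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)
    tags: list = field(default_factory=list)

    def last_seen(self):
        return max(a.time for a in self.alerts)


def rank(sev):
    return SEVERITY_ORDER.index(sev)


def group_alerts(alerts, window=timedelta(hours=1)):
    """Fold alerts (oldest first) into incidents: an alert joins the first incident
    that shares an entity and whose latest alert is within `window`; otherwise it
    opens a new incident. Incident severity is the maximum alert severity."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        target = next(
            (inc for inc in incidents
             if inc.entities & alert.entities and alert.time - inc.last_seen() <= window),
            None,
        )
        if target is None:
            target = Incident(id=f"INC-{len(incidents) + 1:03d}")
            incidents.append(target)
        target.alerts.append(alert)
        target.entities |= alert.entities
        if rank(alert.severity) > rank(target.severity):
            target.severity = alert.severity
    return incidents


def enrich(incident):
    """Tag incidents touching privileged users or critical assets and raise
    severity one level (capped at High): asset criticality before analyst review."""
    tags = set()
    for key in incident.entities:
        kind, _, name = key.partition(":")
        if kind == "user" and name in PRIVILEGED_USERS:
            tags.add("privileged-user")
        if kind == "host" and name in CRITICAL_HOSTS:
            tags.add("critical-asset")
    incident.tags = sorted(tags)
    if tags:
        incident.severity = SEVERITY_ORDER[min(rank(incident.severity) + 1, len(SEVERITY_ORDER) - 1)]
    return incident


def notify_targets(incident):
    """Roles whose matrix threshold is met by the incident severity (IR-2.2 escalation)."""
    return sorted(role for role, floor in STAKEHOLDER_MATRIX.items()
                  if rank(incident.severity) >= rank(floor))


def run_pipeline(alerts):
    """Return {incident id: (severity, tags, notified roles)} for a batch of alerts."""
    return {inc.id: (inc.severity, inc.tags, notify_targets(inc))
            for inc in (enrich(i) for i in group_alerts(alerts))}


# Constructed sample alerts (not real telemetry).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0, "Low", frozenset({"user:admin.jane", "ip:203.0.113.5"})),
    Alert("A2", T0 + timedelta(minutes=20), "Medium", frozenset({"user:admin.jane", "host:sql-prod-01"})),
    Alert("A3", T0 + timedelta(minutes=30), "Low", frozenset({"host:web-02"})),
    Alert("A4", T0 + timedelta(hours=3), "Low", frozenset({"user:admin.jane"})),  # outside window: new incident
]

if __name__ == "__main__":
    for inc_id, (sev, tags, roles) in run_pipeline(SAMPLE_ALERTS).items():
        print(inc_id, sev, tags, roles)
```

A1 and A2 share the user and fall within the window, so they become one incident that enrichment lifts to High; A4 shares the user but arrives outside the window and opens a new incident, which only the on-call role is paged for.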
IR-4 Detection and analysis - investigate an incident
Implementation ID: none (parent control)
Control Type: Parent
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy: Network Watcher should be enabled
Security Principle: Implement comprehensive incident investigation capabilities using Azure-native security services, forensic tools, and systematic investigation procedures to ensure complete understanding of attack scope, evidence preservation, and effective containment planning.
Risk to mitigate: Inadequate incident investigation capabilities prevent organizations from understanding attack scope, identifying root causes, and implementing effective containment measures, allowing attackers to maintain persistence and continue malicious activities. Without comprehensive investigation capabilities:
- Incomplete attack scope: Limited visibility into progression, lateral movement, and data access prevents containment and allows hidden footholds.
- Unknown data exposure: Failure to identify accessed, modified, or exfiltrated data creates compliance violations and prevents accurate breach notification.
- Missed attack persistence mechanisms: Inadequate investigation fails to identify backdoors, scheduled tasks, registry modifications, or other persistence mechanisms, allowing attackers to regain access after initial remediation efforts.
- Evidence destruction and tampering: Lack of proper evidence preservation procedures allows critical forensic evidence to be overwritten, modified, or deleted during investigation, compromising legal proceedings and root cause analysis.
- Extended dwell time and damage: Ineffective investigation prolongs attacker presence in the environment, increasing data exposure,
MITRE ATT&CK:
- Defense Evasion (TA0005): indicator removal (T1070) deleting logs and evidence to prevent investigation and analysis of attack methods and scope.
- Defense Evasion (TA0005): file deletion (T1070.004) removing malicious files and artifacts before forensic collection can preserve evidence.
- Defense Evasion (TA0005): hidden files and directories (T1564.001, a Hide Artifacts sub-technique) concealing backdoors and persistence mechanisms from superficial investigation efforts.
- Discovery (TA0007): system information discovery (T1082) gathering system information to understand investigation capabilities and avoid detection mechanisms.
Implementation example: A financial services organization implemented comprehensive incident investigation capabilities to support SEC regulatory requirements and protect against sophisticated financial fraud attacks, ensuring complete forensic evidence collection and analysis capabilities.
Challenge: Financial services organization lacked comprehensive forensic capabilities for investigating sophisticated financial fraud attacks, with manual evidence collection processes creating risk of evidence loss and inability to meet SEC investigation timelines requiring complete attack scope documentation.
Solution approach:
- Deployed Microsoft Defender for Endpoint across all virtual machines with behavior monitoring and script analysis capabilities detecting malicious PowerShell, process injection, and credential theft activities
- Configured Microsoft Sentinel with entity behavior analytics detecting unusual trading patterns, unauthorized system access, and suspicious financial transactions
- Implemented automated VM snapshot procedures triggered by critical security alerts capturing complete system state within 5 minutes for forensic preservation
- Established immutable Azure Storage with legal hold policies ensuring evidence integrity for SEC investigation requirements and litigation support
- Created Microsoft Defender XDR advanced hunting queries for financial fraud patterns including after-hours trading activity, unusual data access patterns, and privileged account misuse across endpoints, identities, and cloud applications
- Deployed Azure Network Watcher with automated packet capture for suspected insider trading incidents providing complete network forensic capabilities
Outcome: Achieved comprehensive forensic investigation capabilities with automated evidence preservation ensuring SEC compliance. Substantially reduced investigation time with advanced hunting queries and entity behavior analytics enabling rapid attack scope identification and complete evidence chain documentation.
Criticality: Must have
NIST SP 800-53 Rev.5: IR-4, IR-4(1), IR-4(4), AU-6, AU-6(1), AU-6(3), AU-7
PCI-DSS v4: 10.6.1, 10.6.2, 10.6.3, 12.10.4, 12.10.5
CIS Controls v8.1: 8.2, 8.5, 8.11, 13.2, 17.4
NIST CSF v2.0: (no mapping listed)
ISO 27001:2022: A.5.24, A.5.25, A.5.28, A.8.16
SOC 2: CC7.2, CC7.4, A1.2
IR-4.1 (child of IR-4) Implement comprehensive log collection and analysis
Control Type: Child
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy: Network Watcher should be enabled
Security Principle: Implement comprehensive incident investigation capabilities using Azure-native security services, forensic tools, and systematic investigation procedures to ensure complete understanding of attack scope, evidence preservation, and effective containment planning.
Implementation example: Incident investigation fails without comprehensive log data capturing authentication events, network traffic, configuration changes, and application activities that reveal attacker methods and infrastructure compromise scope. Centralized log analysis through Azure Monitor and Microsoft Sentinel transforms distributed logging into unified investigation capability, enabling queries across multiple log sources to construct complete attack timelines. Advanced query capabilities and correlation analytics identify patterns invisible in individual log sources, revealing sophisticated attacks that evade single-source detection.
Enable comprehensive forensic investigation through centralized logging: Implement comprehensive log collection across Azure services and workloads with centralized analysis through Azure Monitor, Microsoft Sentinel, and Azure Log Analytics for effective investigation and forensics.
Azure log collection strategy:
- Microsoft Entra ID audit and sign-in logs: Complete authentication and authorization logging with risk analysis, conditional access policy evaluation, and privileged operation tracking
- Azure Activity Logs: Comprehensive control plane operations including resource modifications, policy changes, and administrative activities across all Azure services (Azure Activity log).
- Network Security Group Flow Logs: Network traffic analysis with source/destination mapping, protocol analysis, and connection pattern identification for lateral movement detection (NSG flow log
Caveats: Microsoft Entra keeps sign-in and audit logs in the portal for only 30 days (7 days on the free tier), so route them to the Log Analytics workspace through diagnostic settings before an incident, not after. NSG flow logs are being retired by Microsoft in favor of virtual network flow logs, which record the same flow tuples at the VNet level; enable VNet flow logs in Network Watcher for new deployments so traffic evidence does not stop when the legacy feature is removed.
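The cross-source correlation that IR-4.1 describes is easiest to see on concrete records. The Python below is an added example, not MCSB or Microsoft code: it normalizes constructed SigninLogs, AzureActivity and NSG flow records (field names follow those schemas, the values are invented) into one timeline, pivots from a seed identity to the IPs it used and, one hop further, to the hosts those IPs touched, and flags a sequence that no single table shows: a high-risk sign-in followed within 30 minutes by a role assignment grant and an NSG rule change by the same caller. In production the same join would be a Sentinel KQL query over the real tables.

```python
"""Correlate Entra sign-in, Azure Activity and NSG flow records into one attack
timeline. Added example, not MCSB text: the records below are constructed, the
field names follow the SigninLogs / AzureActivity / NSG flow log schemas, and
the pivot logic illustrates what a Sentinel KQL join across tables would do."""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real tenant).
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-03-02T01:12:03Z", "UserPrincipalName": "ops-admin@contoso.example",
     "IPAddress": "198.51.100.23", "RiskLevelDuringSignIn": "high", "ResultType": "0"},
    {"TimeGenerated": "2025-03-02T09:00:10Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "10.1.0.5", "RiskLevelDuringSignIn": "none", "ResultType": "0"},
]
AZURE_ACTIVITY = [
    {"TimeGenerated": "2025-03-02T01:15:40Z", "Caller": "ops-admin@contoso.example",
     "CallerIpAddress": "198.51.100.23",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write"},
    {"TimeGenerated": "2025-03-02T01:18:02Z", "Caller": "ops-admin@contoso.example",
     "CallerIpAddress": "198.51.100.23",
     "OperationNameValue": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    {"TimeGenerated": "2025-03-02T09:05:00Z", "Caller": "alice@contoso.example",
     "CallerIpAddress": "10.1.0.5", "OperationNameValue": "Microsoft.Compute/virtualMachines/read"},
]
# NSG flow log tuples: time, source IP, destination IP, destination port, decision (A/D)
NSG_FLOWS = [
    ("2025-03-02T01:19:30Z", "198.51.100.23", "10.1.0.4", 3389, "A"),
    ("2025-03-02T01:25:01Z", "10.1.0.4", "10.1.0.7", 445, "A"),
    ("2025-03-02T09:10:00Z", "10.1.0.5", "10.1.0.9", 443, "A"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize() -> list[tuple[datetime, str, str, str]]:
    """Flatten the three sources into (time, table, actor, detail) rows sorted by time.
    The actor is the UPN for identity tables and the source IP for flow records."""
    rows = []
    for r in SIGNIN_LOGS:
        rows.append((_ts(r["TimeGenerated"]), "SigninLogs", r["UserPrincipalName"],
                     f"sign-in from {r['IPAddress']} risk={r['RiskLevelDuringSignIn']}"))
    for r in AZURE_ACTIVITY:
        rows.append((_ts(r["TimeGenerated"]), "AzureActivity", r["Caller"],
                     f"{r['OperationNameValue']} from {r['CallerIpAddress']}"))
    for t, src, dst, port, decision in NSG_FLOWS:
        rows.append((_ts(t), "NSGFlow", src, f"{src} -> {dst}:{port} {decision}"))
    return sorted(rows)


def pivot_actors(seed_upn: str) -> set[str]:
    """Widen the scope from one identity to the IPs it used and, one hop further,
    to the hosts those IPs connected to: the lateral-movement pivot that a
    single-table query cannot perform."""
    ips = {r["IPAddress"] for r in SIGNIN_LOGS if r["UserPrincipalName"] == seed_upn}
    ips |= {r["CallerIpAddress"] for r in AZURE_ACTIVITY if r["Caller"] == seed_upn}
    hosts = {dst for _, src, dst, _, _ in NSG_FLOWS if src in ips}
    return {seed_upn} | ips | hosts


def build_timeline(seed_upn: str) -> list[tuple[datetime, str, str, str]]:
    actors = pivot_actors(seed_upn)
    return [row for row in normalize() if row[2] in actors]


def detect_escalation_after_risky_signin(window_minutes: int = 30) -> list[str]:
    """Flag callers who, within the window after a successful high-risk sign-in, both
    granted a role assignment and changed an NSG rule."""
    findings = []
    for s in SIGNIN_LOGS:
        if s["RiskLevelDuringSignIn"] != "high" or s["ResultType"] != "0":
            continue
        start = _ts(s["TimeGenerated"])
        end = start + timedelta(minutes=window_minutes)
        ops = {r["OperationNameValue"] for r in AZURE_ACTIVITY
               if r["Caller"] == s["UserPrincipalName"] and start <= _ts(r["TimeGenerated"]) <= end}
        if {"Microsoft.Authorization/roleAssignments/write",
            "Microsoft.Network/networkSecurityGroups/securityRules/write"} <= ops:
            findings.append(f"{s['UserPrincipalName']}: high-risk sign-in from {s['IPAddress']} "
                            f"followed by role grant and NSG change within {window_minutes} min")
    return findings


if __name__ == "__main__":
    for t, table, actor, detail in build_timeline("ops-admin@contoso.example"):
        print(t.isoformat(), table, actor, detail)
    print(detect_escalation_after_risky_signin())
```

The pivot deliberately stops after one hop; in a real investigation you iterate until the actor set stops growing, which is also how you discover the "hidden footholds" the risk column warns about.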
IR-4.2 (child of IR-4) Establish evidence preservation and forensic capabilities
Control Type: Child
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy: Network Watcher should be enabled
Security Principle: Implement comprehensive incident investigation capabilities using Azure-native security services, forensic tools, and systematic investigation procedures to ensure complete understanding of attack scope, evidence preservation, and effective containment planning.
Implementation example: Evidence collection delays and improper handling compromise forensic integrity, rendering investigation findings inadmissible in legal proceedings while allowing attackers to cover tracks through evidence destruction. Automated evidence preservation using VM snapshots, disk backups, and memory dumps captures system state immediately upon incident detection before adversary tampering occurs. Immutable storage with legal hold policies ensures evidence integrity throughout investigation and potential legal proceedings, maintaining chain of custody required for regulatory compliance and prosecution.
Preserve forensic evidence through automated collection: Implement systematic evidence preservation using Azure VM snapshots, Azure Disk Backup, memory dump collection, and immutable storage to ensure forensic integrity and support legal proceedings.
Evidence collection automation:
- Azure VM snapshot automation: PowerShell and ARM template automation for creating point-in-time VM snapshots during incident response with metadata tagging and retention policies (Create a snapshot).
- Azure Disk Backup Integration: Automated backup triggering during incidents with legal hold policies and long-term retention in Azure Backup vaults (Azure Backup overview).
- Memory Dump Collection: Systematic memory dump collection using Azure extensions and PowerShell remoting for volatile evidence preservation
- Log Export and Preservation: Automated export of Azure Monitor logs, Microsoft Entra ID logs, and security event
Caveat: order the steps so that volatile evidence is taken first. A disk snapshot captures storage only; deallocating, restarting or redeploying the VM as part of containment discards memory, so the memory dump must complete before any power action, and the hash of every artifact should be recorded at collection time so later custody checks have a baseline.
IR-5 Detection and analysis - prioritize incidents
Implementation ID: none (parent control)
Control Type: Parent
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy:
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected MySQL flexible servers
- Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Azure Defender for open-source relational databases should be enabled
- Azure Defender for servers should be enabled
- Microsoft Defender CSPM should be enabled
- Microsoft Defender for APIs should be enabled
- Microsoft Defender for Containers should be enabled
- Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces
- Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers
- Microsoft Defender for Storage should be enabled
- SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan
Security Principle: Implement systematic incident prioritization based on asset criticality, business impact, threat severity, and regulatory requirements using automated scoring and classification to ensure appropriate resource allocation and response timing.
Risk to mitigate: Poor incident prioritization leads to misallocated security resources, delayed response to critical threats, and increased business impact from security incidents. Without systematic prioritization:
- Delayed critical threat response: High-impact incidents receive inadequate attention while resources focus on lower-priority events.
- Resource exhaustion on low-priority events: Teams investigate minor incidents while sophisticated attacks progress in high-value systems.
- Business impact amplification: Lack of asset criticality awareness results in extended downtime for revenue-generating systems while focusing on non-critical infrastructure issues.
- Regulatory violation escalation: Incidents involving personally identifiable information (PII), protected health information (PHI), or financial data receive inadequate prioritization, leading to missed notification deadlines and compliance violations.
- Ineffective stakeholder communication: Absence of clear prioritization criteria prevents appropriate executive notification and resource allocation for incidents requiring senior leadership involvement.
- Attack progression during misprioritization: Sophisticated attackers exploit prioritization gaps to cond
MITRE ATT&CK:
- Defense Evasion (TA0005): masquerading (T1036) creating numerous low-priority alerts to overwhelm security teams while conducting high-impact activities in business-critical systems.
- Impact (TA0040): data encrypted for impact (T1486) targeting high-value systems while security teams are distracted by lower-priority incidents.
- Lateral Movement (TA0008): remote services (T1021) progressing through high-value networks while prioritization gaps prevent appropriate focus on critical asset compromise.
Implementation example: An organization implemented comprehensive incident prioritization to protect sensitive data and ensure business continuity, enabling appropriate resource allocation based on business impact and regulatory requirements.
Challenge: Organization struggled with appropriate resource allocation during simultaneous security incidents, with manual prioritization processes causing delayed response to critical business system incidents and inconsistent escalation to executives for high-impact events.
Solution approach:
- Implemented Azure resource tagging strategy classifying all resources by business criticality with critical business systems tagged as "Critical" and non-essential systems as "Low"
- Configured Microsoft Sentinel with custom scoring algorithms weighing regulatory scope, business impact, and data sensitivity for incident prioritization
- Deployed automated escalation workflows immediately notifying executives and legal teams for incidents involving regulated data or critical business systems
- Created business impact assessment automation calculating potential business impact based on affected systems and historical operational data
- Established time-based escalation procedures with 15-minute executive notification for critical incidents and 4-hour escalation for unacknowledged high-priority events
- Integrated Microsoft Purview data loss prevention alerts with incident prioritization ensuring automatic escalation for incidents involving sensitive data
Outcome: Improved incident response resource allocation with automated prioritization ensuring critical incidents received immediate attention. Substantially reduced executive notification time for critical incidents while eliminating unnecessary escalations for low-priority events.
Criticality: Should have
NIST SP 800-53 Rev.5: IR-4(2), IR-4(4), IR-5, RA-2, RA-3
PCI-DSS v4: 12.5.1, 12.10.5
CIS Controls v8.1: 1.1, 1.2, 17.4, 17.5
NIST CSF v2.0: (no mapping listed)
ISO 27001:2022: A.5.24, A.5.27, A.8.8
SOC 2: CC7.3, A1.1
IR-5.1 (child of IR-5) Implement asset criticality and business impact assessment
Control Type: Child
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy: the same 18 Microsoft Defender plan policies as the parent IR-5 (Azure Defender for App Service should be enabled, and the rest of the IR-5 list above)
Security Principle: Implement systematic incident prioritization based on asset criticality, business impact, threat severity, and regulatory requirements using automated scoring and classification to ensure appropriate resource allocation and response timing.
Implementation example: Incident prioritization without business context treats all security events equally, overwhelming response teams with alerts while critical business-impacting incidents receive insufficient attention due to indistinguishable importance. Asset classification based on business criticality, revenue dependency, and regulatory scope enables risk-based prioritization that focuses limited response resources on incidents affecting organization-critical systems. Automated business impact scoring transforms subjective prioritization into data-driven decision making ensuring incidents threatening financial, operational, or reputational damage receive immediate escalation.
Enable risk-based incident prioritization through business impact analysis: Implement comprehensive asset classification and business impact assessment using Azure Resource Tags, Microsoft Defender for Cloud asset inventory, and business impact scoring for risk-based incident prioritization.
Asset classification and tagging:
- Criticality-based resource tagging: Systematic tagging of Azure resources with criticality levels (Critical, High, Medium, Low) based on business impact assessment and revenue dependency
- Data Classification Integration: Integration with Microsoft Purview data classification for automatic prioritization of incidents involving sensitive data categories
- Business Function Mapping: Resource tagging with business function associations enabling rapid impact assessment for incidents affecting specific business capa
Caveat: tag-driven prioritization is only as good as tag coverage, and tags can be changed by anyone with write access to the resource. Enforce the criticality tag with Azure Policy (for example the built-in "Require a tag on resources" or "Inherit a tag from the resource group if missing" definitions), audit tag changes in the Activity Log, and have the scoring logic treat an untagged resource as Critical until it is classified, so a tagging gap cannot push an incident down the queue.
IR-5.2 (child of IR-5) Configure automated severity scoring and escalation
Control Type: Child
Core Pillar: Detect, analyze, and investigate incidents
Azure Policy: the same 18 Microsoft Defender plan policies as the parent IR-5 (Azure Defender for App Service should be enabled, and the rest of the IR-5 list above)
Security Principle: Implement systematic incident prioritization based on asset criticality, business impact, threat severity, and regulatory requirements using automated scoring and classification to ensure appropriate resource allocation and response timing.
Implementation example: Static incident severity classifications ignore business context and environmental factors, resulting in critical business-impacting incidents receiving insufficient attention while low-impact alerts consume disproportionate response resources. Automated severity scoring considers asset criticality, regulatory scope, affected user populations, and threat indicators to calculate dynamic priority scores reflecting actual business risk rather than generic alert categories. Time-based escalation ensures unacknowledged or unresolved critical incidents automatically trigger leadership notification, preventing critical events from stalling in queues while analysts handle routine cases.
Calculate risk-based incident priority through automated scoring: Implement Microsoft Sentinel automated severity scoring with custom analytics rules and escalation workflows for appropriate prioritization and resource allocation based on multiple risk factors.
Automated severity scoring:
- Multi-factor risk scoring: Comprehensive scoring algorithm considering asset criticality, data sensitivity, threat intelligence confidence, and potential business impact
- Microsoft Sentinel Entity Risk Scoring: AI-powered entity risk scoring for users, devices, and IP addresses with historical behavior analysis and anomaly detection
- Threat Intelligence Integration: Automatic severity adjustment based on threat intelligence feeds, known attacker infrastructure, and campaign attribution
- Compliance Impact Assessment: Automatic severi
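IR-5.1 and IR-5.2 together describe one mechanism: a score computed from asset tags and alert context, mapped to a priority, with timers that escalate when nobody acts. The Python below is an added example, not MCSB or Microsoft code. The tag vocabulary (Criticality, DataClassification), the point weights, the P1 to P4 thresholds and the three incidents are assumptions chosen to illustrate the technique; the 15-minute executive notification and the 4-hour escalation for unacknowledged high-priority incidents follow the IR-5 implementation example. One design choice worth noting: an incident on a resource with no Criticality tag scores as Critical, so a tagging gap surfaces as noise that gets fixed rather than as a silently deprioritized incident.

```python
"""Risk-based incident scoring (IR-5.1) and time-based escalation (IR-5.2).
Added example, not MCSB or Microsoft code. The tag vocabulary, weights and
priority thresholds are assumptions chosen to illustrate the technique; the
15-minute executive and 4-hour unacknowledged timers follow the IR-5 example.
The incidents at the bottom are constructed, not real alerts."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Assumed resource-tag vocabulary (not a Microsoft standard).
CRITICALITY_POINTS = {"Critical": 40, "High": 25, "Medium": 10, "Low": 0}
DATA_POINTS = {"PHI": 30, "PCI": 30, "PII": 20, "Internal": 5, "Public": 0}
ALERT_POINTS = {"High": 20, "Medium": 10, "Low": 3, "Informational": 0}


def score_incident(incident: dict) -> int:
    """0-100 score from asset criticality, data sensitivity, alert severity,
    threat-intel confidence and blast radius. A resource with no Criticality tag
    scores as Critical: tagging gaps must not let an incident sink in the queue."""
    tags = incident.get("tags", {})
    crit = CRITICALITY_POINTS.get(tags.get("Criticality"), CRITICALITY_POINTS["Critical"])
    data = DATA_POINTS.get(tags.get("DataClassification"), DATA_POINTS["Internal"])
    alert = ALERT_POINTS.get(incident.get("alertSeverity"), ALERT_POINTS["Medium"])
    ti = round(10 * incident.get("threatIntelConfidence", 0.0))  # 0.0-1.0 -> 0-10
    users = incident.get("affectedUsers", 0)
    blast = 0 if users == 0 else 3 if users < 10 else 7 if users < 100 else 10
    return min(100, crit + data + alert + ti + blast)


def priority(score: int) -> str:
    if score >= 70:
        return "P1"
    if score >= 45:
        return "P2"
    if score >= 25:
        return "P3"
    return "P4"


# Minutes after detection -> who must be notified. P1 always escalates to
# executives and legal at 15 min; P2 escalates to the SOC manager at 4 h only
# if nobody has acknowledged the incident by then.
ESCALATION = {
    "P1": [(0, "soc-oncall"), (15, "executives+legal")],
    "P2": [(0, "soc-oncall"), (240, "soc-manager")],
    "P3": [(0, "soc-queue")],
    "P4": [(0, "soc-queue")],
}


def due_notifications(incident: dict, now: datetime) -> list[str]:
    """Return every recipient who should have been notified by `now`."""
    prio = priority(score_incident(incident))
    elapsed = (now - incident["detectedAt"]) / timedelta(minutes=1)
    due = []
    for minutes, target in ESCALATION[prio]:
        if elapsed < minutes:
            continue
        if minutes > 0 and prio != "P1" and incident.get("acknowledged", False):
            continue  # acknowledgement stops the timer for non-P1 incidents
        due.append(target)
    return due


T0 = datetime(2025, 3, 2, 1, 0, tzinfo=timezone.utc)  # constructed detection time


def at(minutes: int) -> datetime:
    """Clock value `minutes` after detection, for walking the escalation timers."""
    return T0 + timedelta(minutes=minutes)


# Constructed incidents.
INCIDENTS = {
    "phi-ransomware": {"tags": {"Criticality": "Critical", "DataClassification": "PHI"},
                       "alertSeverity": "High", "threatIntelConfidence": 0.9,
                       "affectedUsers": 250, "detectedAt": T0, "acknowledged": False},
    "test-vm-portscan": {"tags": {"Criticality": "Low", "DataClassification": "Public"},
                         "alertSeverity": "Low", "threatIntelConfidence": 0.1,
                         "affectedUsers": 0, "detectedAt": T0, "acknowledged": False},
    "untagged-vm-malware": {"tags": {}, "alertSeverity": "Medium", "threatIntelConfidence": 0.5,
                            "affectedUsers": 5, "detectedAt": T0, "acknowledged": False},
}

if __name__ == "__main__":
    for name, inc in INCIDENTS.items():
        s = score_incident(inc)
        print(f"{name:22} score={s:3} {priority(s)} due@+20min={due_notifications(inc, at(20))}")
```

In Sentinel the equivalent would be an automation rule that reads the resource tags from the incident's entities, writes the score into a custom field, and a playbook that re-evaluates `due_notifications` on a schedule; the scoring logic itself should live in one place so analysts can read and challenge the weights.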
IR-6 Containment, eradication and recovery - automate the incident handling
Implementation ID: none (parent control)
Control Type: Parent
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Implement comprehensive incident response automation through Microsoft Sentinel playbooks, Logic Apps, and Power Automate to enable rapid containment, consistent response procedures, and scalable incident handling that matches the speed of automated attacks.
Risk to mitigate: Manual incident response processes create dangerous delays that allow attackers to cause maximum damage, establish persistent access, and complete their objectives while security teams struggle with time-consuming manual procedures. Without automation:
- Extended response times: Manual containment takes hours or days while automated attacks complete objectives in minutes.
- Human error under pressure: Manual procedures produce mistakes including incomplete containment, evidence destruction, and incorrect recovery.
- Inconsistent response across incidents: Manual processes lead to variations in response quality, missed steps, and incomplete remediation depending on analyst experience and availability during incidents.
- Analyst burnout and resource exhaustion: Repetitive manual tasks during incident response consume analyst time and energy, reducing capacity for complex investigation and strategic threat hunting activities.
- Scalability limitations during widespread incidents: Organizations cannot respond effectively to multiple simultaneous incidents or large-scale attacks when relying on manual procedures requiring individual analyst attention.
- Delayed containment allowing damage amplification: Manua
MITRE ATT&CK:
- Lateral Movement (TA0008): exploitation of remote services (T1210) progressing rapidly through networks while manual containment procedures lag behind attack progression.
- Impact (TA0040): data encrypted for impact (T1486) deploying ransomware across multiple systems while manual isolation efforts cannot scale to match attack speed.
- Exfiltration (TA0010): automated exfiltration (T1020) completing data theft operations during extended manual response times.
Implementation example: An organization implemented comprehensive incident response automation to reduce response times from hours to minutes while maintaining regulatory compliance.
Challenge: Organization experienced delayed incident response with manual containment processes taking hours allowing attacker lateral movement, with inconsistent response procedures creating gaps in regulatory compliance documentation and audit trails.
Solution approach:
- Deployed Microsoft Sentinel playbooks for automated user account suspension and device isolation triggered by high-confidence security alerts
- Implemented Azure Automation runbooks for rapid virtual machine isolation preserving forensic evidence while preventing lateral movement to critical systems
- Created Logic Apps workflows for automated stakeholder notification including legal teams, compliance officers, and executives with severity-appropriate escalation procedures
- Configured Azure Policy for automated compliance remediation ensuring isolated systems maintain security configurations during incident response procedures
- Established approval workflows for high-impact automation actions with two-person authorization requirements for actions affecting production systems
- Integrated workflow with automated ticket creation, assignment, and escalation procedures ensuring comprehensive incident documentation and audit trails
Outcome: Substantially reduced incident response time with automated containment matching the speed of automated attacks. Automated playbooks ensured consistent response procedures with complete audit trails supporting regulatory compliance while two-person authorization protected production systems from automation errors.
Criticality: Should have
NIST SP 800-53 Rev.5: IR-4(1), IR-4(4), IR-5(1), IR-8
PCI-DSS v4: 12.10.4, 12.10.6
CIS Controls v8.1: 17.4, 17.6, 17.7
NIST CSF v2.0: RS.RP-1, RS.MI-1, RS.MI-2, RS.MI-3
ISO 27001:2022: A.5.24, A.5.25, A.5.26
SOC 2: CC7.3, CC7.4, CC9.1
IR-6.1 (child of IR-6) Deploy Microsoft Sentinel automated response playbooks
Control Type: Child
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Implement comprehensive incident response automation through Microsoft Sentinel playbooks, Logic Apps, and Power Automate to enable rapid containment, consistent response procedures, and scalable incident handling that matches the speed of automated attacks.
Implementation example: Manual incident response actions introduce critical delays that allow adversaries to progress through attack chains while analysts execute containment procedures, with human-limited response speed enabling attackers to achieve objectives before effective countermeasures deploy. Automated playbooks execute containment, investigation, and recovery actions at machine speed, isolating compromised systems, disabling breached accounts, and blocking malicious infrastructure within seconds rather than hours of human-driven response. Standardized automated procedures ensure consistent response quality regardless of analyst experience level or incident volume, eliminating the variability that causes missed containment steps during high-pressure incident response.
Execute consistent rapid response through automation: Implement Microsoft Sentinel Playbooks with Azure Logic Apps integration to automate common incident response actions including containment, investigation, and recovery. Playbooks provide consistent, rapid response at scale.
Core playbook categories:
- User account response playbooks: Automated user account disabling, password reset, session termination, and privilege revocation with approval workflows for false positive prevention
- Device Isolation Playbooks: Automated VM isolation through Network Security Group modification, Azure Firewall rule deployment, and virtual network segmentation
- Malware Response Playbooks: Automated file quarantine, hash blocking across Azure Defender, and s
IR-6.2 (child of IR-6) Implement automated containment and isolation procedures
Control Type: Child
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Implement comprehensive incident response automation through Microsoft Sentinel playbooks, Logic Apps, and Power Automate to enable rapid containment, consistent response procedures, and scalable incident handling that matches the speed of automated attacks.
Implementation example: Containment delays enable adversaries to establish persistence mechanisms, exfiltrate data, or deploy ransomware while manual isolation procedures progress through approval chains and configuration changes, with attack progression often outpacing human response capabilities. Automated containment through network isolation, account disabling, and system quarantine executes within seconds of detection, interrupting attack chains before adversaries achieve objectives. Pre-authorized containment automation removes human decision bottlenecks during critical response windows, when minutes of delay make the difference between a contained intrusion and a successful data breach.
Prevent attack progression through immediate automated containment: Deploy automated network isolation, account disabling, and system quarantine using Azure Automation (runbooks: Azure Automation overview), Azure Policy (Azure Policy overview), and Microsoft Defender for rapid containment preventing attack progression.
Network isolation automation:
- Azure Network Security Group automation: Automated modification of Network Security Group rules to isolate compromised virtual machines while preserving investigation access (Manage NSGs).
- Azure Firewall Rule Deployment: Rapid deployment of Azure Firewall rules blocking malicious IP addresses, domains, and communication patterns identified during incidents using Azure Firewall.
- Virtual Network Isolation: Automated virtual network segmentation and subnet isolation to pre
Caveat: an NSG quarantine only works if the Deny rules are explicit. The NSG default rules (AllowVnetInBound, AllowVnetOutBound and AllowInternetOutBound at priority 65000 and above) permit exactly the intra-VNet lateral movement and command-and-control egress you are trying to stop, so the playbook must add catch-all Deny rules at a priority below 4096 and keep only the allowances the investigation needs (forensic jump subnet inbound, monitoring egress outbound). Attach the quarantine NSG to the compromised VM's network interface rather than editing a shared subnet NSG, or every VM in the subnet is isolated with it.
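For IR-6.1 and IR-6.2 the piece worth seeing in code is the containment payload itself together with the two-person gate the IR-6 example describes. The Python below is an added example, not MCSB or Microsoft code: it builds the NSG rule set that quarantines a VM while keeping forensic access and Azure Monitor egress, validates it the way Azure would (priority range, duplicate priorities per direction) and the way an investigator would (a catch-all Deny in both directions), and refuses to emit the change for a resource tagged Environment=Production unless two approvers other than the requester have signed off. The rule dictionaries use the securityRules property names from the Microsoft.Network/networkSecurityGroups resource schema; the forensic subnet, the tag name and the approver policy are assumptions.

```python
"""Automated VM quarantine for IR-6.1/IR-6.2: build the NSG rule set that isolates a
compromised VM while preserving forensic access and monitoring egress, validate it,
and gate production changes behind two-person approval. Added example, not MCSB or
Microsoft code: rules are emitted in the securityRules shape used by ARM/Bicep for
Microsoft.Network/networkSecurityGroups, but the forensic subnet, tag names and the
approver policy are assumptions."""
from __future__ import annotations

FORENSIC_SUBNET = "10.250.0.0/24"  # assumed jump/forensic subnet


def rule(name, priority, direction, access, protocol, src, dst, src_port, dst_ports) -> dict:
    props = {"priority": priority, "direction": direction, "access": access,
             "protocol": protocol, "sourceAddressPrefix": src,
             "destinationAddressPrefix": dst, "sourcePortRange": src_port}
    if isinstance(dst_ports, list):
        props["destinationPortRanges"] = dst_ports
    else:
        props["destinationPortRange"] = dst_ports
    return {"name": name, "properties": props}


def isolation_rules(forensic_subnet: str = FORENSIC_SUBNET) -> list[dict]:
    """Lower priority number wins. The explicit Deny rules at 4000 sit below the NSG
    default rules (65000+), so they override AllowVnetInBound and AllowInternetOutBound
    that would otherwise leave lateral movement and C2 egress open. Only the forensic
    subnet may reach SSH/RDP, and only Azure Monitor egress is kept so log shipping
    continues during the investigation."""
    return [
        rule("Quarantine-AllowForensicInbound", 100, "Inbound", "Allow", "Tcp",
             forensic_subnet, "*", "*", ["22", "3389"]),
        rule("Quarantine-DenyAllInbound", 4000, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        rule("Quarantine-AllowMonitorOutbound", 100, "Outbound", "Allow", "Tcp",
             "*", "AzureMonitor", "*", "443"),
        rule("Quarantine-DenyAllOutbound", 4000, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]


def validate_rules(rules: list[dict]) -> list[str]:
    """Reject rule sets Azure would refuse or that would not actually quarantine:
    priorities outside 100-4096, duplicate priorities per direction, or a missing
    catch-all Deny in either direction."""
    problems, seen = [], set()
    for r in rules:
        p, d = r["properties"]["priority"], r["properties"]["direction"]
        if not 100 <= p <= 4096:
            problems.append(f"{r['name']}: priority {p} out of range")
        if (d, p) in seen:
            problems.append(f"{r['name']}: duplicate {d} priority {p}")
        seen.add((d, p))
    for d in ("Inbound", "Outbound"):
        if not any(r["properties"]["direction"] == d and r["properties"]["access"] == "Deny"
                   and r["properties"]["sourceAddressPrefix"] == "*"
                   and r["properties"]["destinationAddressPrefix"] == "*" for r in rules):
            problems.append(f"no catch-all Deny rule for {d}")
    return problems


def authorized(requested_by: str, approvals: list[str], resource_tags: dict) -> bool:
    """Two-person rule: isolating a resource tagged Environment=Production needs two
    distinct approvers other than the requester. Non-production isolation is
    pre-authorized so containment is not delayed by an approval chain."""
    others = {a for a in approvals if a != requested_by}
    return len(others) >= 2 if resource_tags.get("Environment") == "Production" else True


def quarantine_payload(vm_name: str, requested_by: str, approvals: list[str],
                       resource_tags: dict) -> dict:
    """Return the NSG body a playbook would PUT for the VM's NIC. Raises instead of
    emitting a change that should not be applied."""
    if not authorized(requested_by, approvals, resource_tags):
        raise PermissionError(f"{vm_name}: production isolation requires two approvers")
    rules = isolation_rules()
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": f"nsg-quarantine-{vm_name}", "properties": {"securityRules": rules}}


if __name__ == "__main__":
    import json
    print(json.dumps(quarantine_payload("vm-web01", "analyst1", ["lead1", "lead2"],
                                        {"Environment": "Production"}), indent=2))
```

The approval check runs before the rule set is built, so a rejected request leaves no half-applied change; the validation runs after, so a future edit that drops a Deny rule fails closed instead of shipping a quarantine that does not quarantine.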
IR-7 Post-incident activity - conduct lessons learned and retain evidence
Implementation ID: none (parent control)
Control Type: Parent
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Establish systematic post-incident activities including comprehensive lessons learned processes, evidence retention with immutable storage, and continuous improvement of incident response capabilities based on real-world incident experience and evolving threat landscape.
Risk to mitigate: Failure to conduct systematic post-incident activities creates missed opportunities for organizational learning, regulatory compliance violations, and repeated security incidents that could be prevented through proper lessons learned processes. Without comprehensive post-incident procedures:
- Recurring incidents: Failure to identify and remediate fundamental gaps leads to repeated attacks through the same vulnerabilities.
- Evidence destruction: Lack of retention destroys forensic evidence needed for legal action, insurance claims, and regulatory compliance.
- Missed regulatory compliance obligations: Industries with evidence retention requirements (HIPAA, SOX, PCI-DSS, GDPR) face significant penalties when evidence is not properly preserved for mandated timeframes.
- Ineffective security control improvements: Absence of systematic lessons learned processes prevents identification of security control gaps, leading to continued exposure to similar attacks and vulnerabilities.
- Degraded incident response capabilities: Teams fail to improve response procedures, tools, and training based on real incident experience, resulting in repeated response inefficiencies and delays.
- Lost organizational knowledge:
MITRE ATT&CK:
- Persistence (TA0003): account manipulation (T1098) reestablishing access through the same attack vectors when organizations fail to address root causes identified during post-incident analysis.
- Initial Access (TA0001): exploit public-facing application (T1190) repeatedly exploiting the same vulnerabilities when post-incident analysis fails to identify and remediate systemic security gaps.
- Defense Evasion (TA0005): indicator removal (T1070) taking advantage of inadequate evidence retention to prevent attribution and future detection of similar attack patterns.
Implementation example: A healthcare organization implemented comprehensive post-incident activities to meet HIPAA requirements with systematic evidence retention and lessons learned processes.
Challenge: Healthcare organization lacked systematic post-incident review processes creating recurring incidents from unaddressed root causes, with manual evidence retention procedures creating risk of HIPAA compliance violations and inability to meet OCR investigation requirements for 6-year retention.
Solution approach:
- Established structured lessons learned meetings within 48 hours of incident closure involving clinical staff, IT teams, privacy officers, and senior leadership
- Implemented Azure Storage immutable retention with 6-year retention policies for HIPAA compliance and automated legal hold triggers for potential litigation
- Created Azure DevOps work item templates for tracking improvement implementations with assigned owners and quarterly review cycles
- Deployed chain of custody automation with cryptographic hashing and digital signatures ensuring evidence integrity for OCR investigations and legal proceedings
- Developed incident response maturity metrics tracking mean time to detection, containment effectiveness, and recurring incident patterns for continuous improvement
- Integrated lessons learned findings into monthly security awareness training and quarterly incident response tabletop exercises
Outcome: Achieved continuous incident response improvement with reduction in recurring incidents through systematic root cause remediation. Immutable storage with automated legal hold ensured HIPAA compliance with complete evidence chain of custody supporting OCR investigations and legal proceedings.
Criticality: Should have
NIST SP 800-53 Rev.5: IR-4(4), IR-4(5), IR-4(10), CP-9(8), AU-11
PCI-DSS v4: 10.5.1, 12.10.7
CIS Controls v8.1: 8.3, 17.8, 17.9
NIST CSF v2.0: RS.RP-1, RS.IM-1, RS.IM-2
ISO 27001:2022: A.5.24, A.5.28, A.8.13
SOC 2: CC9.1, A1.2, A1.3
IR-7.1 (child of IR-7) Implement systematic lessons learned processes
Control Type: Child
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Establish systematic post-incident activities including comprehensive lessons learned processes, evidence retention with immutable storage, and continuous improvement of incident response capabilities based on real-world incident experience and evolving threat landscape.
Implementation example: Organizations failing to capture lessons learned from security incidents repeat preventable failures, missing opportunities to strengthen defenses based on actual attack patterns observed during real compromise scenarios rather than theoretical threats. Systematic post-incident reviews transform security events into organizational learning that drives measurable security improvements through control enhancements, process refinements, and training updates informed by actual adversary techniques. Structured root cause analysis identifies fundamental security weaknesses rather than addressing surface symptoms, preventing recurrence through architectural changes that eliminate entire attack classes.
Transform incidents into security improvements through systematic learning: Organizations must establish comprehensive lessons learned procedures following security incidents using Microsoft Sentinel incident tracking, Azure DevOps work item management, and structured improvement processes to capture knowledge and drive security enhancements.
Lessons learned framework:
- Post-incident review meetings: Systematic review meetings within 72 hours of incident closure involving all stakeholders including technical responders, business owners, and senior management
- Root Cause Analysis Methodology: Structured root cause analysis using techniques such as Five Whys, Fishbone diagrams, and timeline analysis to identify fundamental causes beyond immediate symptoms
- Security Control Gap Assessment: Comprehen
IR-7.2 (child of IR-7) Establish evidence retention and immutable storage
Control Type: Child
Core Pillar: Contain, recover, and learn from incidents
Azure Policy: No Azure Policy available
Security Principle: Establish systematic post-incident activities including comprehensive lessons learned processes, evidence retention with immutable storage, and continuous improvement of incident response capabilities based on real-world incident experience and evolving threat landscape.
Implementation example: Evidence modification or deletion after collection compromises forensic integrity, rendering investigation findings inadmissible in legal proceedings while allowing adversaries to claim evidence tampering in defense strategies. Immutable storage with time-based retention policies and legal holds ensures evidence preservation throughout regulatory retention periods and legal proceedings, preventing premature deletion or unauthorized modification. Chain of custody documentation with cryptographic verification provides legal proof that evidence remained unaltered from collection through analysis, meeting evidentiary standards required for prosecution and regulatory enforcement actions.
Ensure forensic evidence integrity through immutable preservation: Organizations should implement Azure Storage immutable retention policies, legal hold procedures, and compliance-based evidence management to ensure proper evidence preservation for legal proceedings, regulatory requirements, and future incident analysis.
Immutable evidence storage:
- Azure Blob Storage immutable policies: Time-based and legal hold policies preventing evidence modification or deletion during required retention periods
- Evidence Classification and Retention: Systematic classification of evidence types with appropriate retention periods based on regulatory requirements and legal considerations; leverage Microsoft Purview for data classification, sensitivity labeling, and retention/lifecycle policies to align evidence handling wi
Caveat: a time-based immutability policy protects evidence only once it is locked; while it is unlocked, a user with sufficient storage permissions can shorten or delete it. Lock the policy after testing, and use a legal hold (which has no expiry and blocks deletion until every hold tag is cleared) for matters whose duration is unknown. Immutability stops deletion and overwrite but does not by itself prove what was collected, so record a cryptographic hash of each artifact at collection time and store that manifest under the same policy.
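IR-4.2 and IR-7.2 both rely on the same artifact: a chain-of-custody record that lets an investigator, an auditor or a court confirm that neither the evidence nor the record of it changed after collection. The Python below is an added example, not MCSB or Microsoft code. It hashes each artifact at collection, records collector and time, links the records into a hash chain so that a deleted, reordered or edited record is detectable, and verifies the whole set later. The artifact bytes are constructed stand-ins for a disk snapshot export and a Sentinel incident export, and the collector identity is invented. Immutability comes from the Blob immutability policy or legal hold the manifest is stored under; this code proves integrity, not retention.

```python
"""Evidence manifest with chain of custody for IR-4.2 and IR-7.2: hash each artifact at
collection time, record who collected it and when, link the records into a hash chain,
and verify later that neither the artifacts nor the manifest changed. Added example,
not MCSB or Microsoft code; the artifact bytes are constructed stand-ins for a disk
snapshot export and a log bundle. Immutability comes from the Blob immutability
policy or legal hold the manifest is stored under; this code only proves integrity."""
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of the record with canonical key order, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def add_entry(manifest: list, artifact: str, data: bytes, collector: str,
              collected_at: datetime) -> dict:
    """Append a custody record. prev_hash ties the record to its predecessor, so
    deleting or reordering a record breaks the chain; entry_hash covers the record."""
    entry = {"artifact": artifact, "sha256": sha256_hex(data), "size": len(data),
             "collector": collector, "collected_at": collected_at.isoformat(),
             "prev_hash": manifest[-1]["entry_hash"] if manifest else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, artifacts: dict) -> list[str]:
    """Return a list of problems; an empty list means every record is intact, the
    chain is unbroken and every artifact still matches its recorded hash."""
    problems, prev = [], GENESIS
    for i, e in enumerate(manifest):
        where = f"entry {i} ({e['artifact']})"
        if _entry_hash(e) != e["entry_hash"]:
            problems.append(f"{where}: record modified")
        if e["prev_hash"] != prev:
            problems.append(f"{where}: chain broken")
        prev = e["entry_hash"]
        data = artifacts.get(e["artifact"])
        if data is None:
            problems.append(f"{where}: artifact missing")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"{where}: content hash mismatch")
    return problems


# Constructed artifacts standing in for real evidence files.
EVIDENCE = {
    "vm-web01-osdisk-snapshot.vhd": b"CONSTRUCTED SNAPSHOT BYTES " * 64,
    "sentinel-incident-4711-export.json": json.dumps(
        {"incident": 4711, "alerts": ["risky sign-in", "NSG rule write"]}).encode(),
}


def build_manifest() -> list:
    """Collect every constructed artifact one minute apart, as a playbook would."""
    manifest = []
    t = datetime(2025, 3, 2, 1, 30, tzinfo=timezone.utc)
    for i, (name, data) in enumerate(EVIDENCE.items()):
        add_entry(manifest, name, data, "ir-analyst@contoso.example", t.replace(minute=30 + i))
    return manifest


if __name__ == "__main__":
    manifest = build_manifest()
    print(json.dumps(manifest, indent=2))
    print("clean:", verify_manifest(manifest, EVIDENCE))
    tampered = dict(EVIDENCE, **{"sentinel-incident-4711-export.json": b"{}"})
    print("tampered:", verify_manifest(manifest, tampered))
```

The manifest is only as trustworthy as the place it lives: write it to the same immutable container as the artifacts, and if you need non-repudiation of who collected the evidence, sign each entry_hash with a key held in Key Vault, which is the "digital signatures" step in the IR-7 example.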