Webinar Replay – Getting the Most Value From Your Microsoft E3/E5 Security Products (and Minimizing Costly Pitfalls)

We’ve often seen instances of threat actors using the tool “Rclone,” a data syncing tool, to exfiltrate large amounts of data from Sharepoint/Onedrive in a short space of time as part of a ransomware attack. You can find more information on this here. One way to help detect these types of attacks is by monitoring for Unified Audit Logs (UAL), which track user and account actions across all the Microsoft365 services where logging is enabled. Realizing what’s normal vs. malicious activity can still be tricky, which is why having an MDR provider like Kroll can help. An MDR provider can use their knowledge of adversary tactics and real-world incidents to quickly identify a genuine threat, contain it on your behalf and help remediate it from all systems.

Microsoft positions Sentinel as its SOAR platform as it provides a wide variety of playbooks and connectors. However, it’s important to understand the difference between Microsoft Sentinel automations and broader SOC automations. While Microsoft Sentinel will help automate API integrations with other technologies, a broader SOC workflow automation is needed to cover triage, enrichment of threat intelligence Indicators of Compromise (IOCs) and containment. This is where an MDR provider like Kroll can help, using its own centralized platform to act as a single pane of glass where all your security products can ingest alerts into and use as a single interface to keep track of all security operations activities being carried out by the MDR provider’s analysts.

Yes, we advise our clients to filter data at ingestion to archive compliance-related and lower fidelity data into a long-term cloud data lake, such as Azure Data Explorer (ADX), while routing high-fidelity data—specific for threat detection use cases—into Microsoft Sentinel (Log Analytics). Microsoft Sentinel uses the same query language as ADX, which means you can focus on addressing high-fidelity alerts in your Security Information and Event Management (SIEM) while continuously hunting across your data lake for related data and generating detailed analytics reports at the same time.