mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-05 09:07:22 +00:00
analyst-report
This commit is contained in:
parent
e5b5463d43
commit
deb9e2a44e
@ -424,16 +424,8 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md)
#### [Read the analyst report](microsoft-defender-atp/threat-analytics.md)
## [How-to]()
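Review bot: the new TOC entry `#### [Read the analyst report](microsoft-defender-atp/threat-analytics.md)` points at the overview page rather than at the analyst-report page this commit adds; the threat-analytics.md hunks in the same commit link that page as `threat-analytics-analyst-reports.md`, so this entry should read `#### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md)`. Also worth a second look: `### [Threat analytics]` and `### [Threat analytics overview]` both resolve to `microsoft-defender-atp/threat-analytics.md`, and the rendered view does not show which of the two is removed, so confirm that only one of them survives in the TOC.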
@ -0,0 +1,95 @@
---
title: Understand the analyst report section in threat analytics
ms.reviewer:
description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Understand the analyst report in threat analytics

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_.


_Analyst report section of a threat analytics report_

## Learn about the sections of the analyst report
Most analyst reports include the following sections:

| Report section | Description |
|--|--|
| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. |
| Analysis | Technical information about the threats, including the details of an attack or how a new technique or attack surface might be used. |
| MITRE ATT&CK techniques observed | Lists the techniques and how they map to the techniques in the [MITRE ATT&CK attack framework](https://attack.mitre.org/). |
| [Mitigations](#apply-additional-mitigations) | Lists recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that are not tracked dynamically as part of the threat analytics report. |
| [Detection details](#understand-how-each-threat-can-be-detected) | Lists specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | Provides sample [advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
| References | Lists Microsoft and third-party references reviewed by analysts during the creation of the report. Threat analytics reports are based on data validated by Microsoft researchers. Information from publicly available, third-party source are identified clearly as such. |
| Change log | The times of publication and when significant changes were made to the report. |

## Apply additional mitigations
Threat analytics reports dynamically track the [status of security updates and secure configurations](threat-analytics,md#review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables under the **Mitigations** tab.

In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked:

- Block emails with _.lnk_ attachments or other suspicious file types
- Randomize local administrator passwords
- Educate end users about phishing email and other threat vectors

While you can use the **Mitigations** tab to assess your security posture against a threat, you can take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.

## Understand how each threat can be detected
The analyst report also provides the detections from various security Microsoft 365 Defender capabilities, including:

- Antivirus
- Endpoint detection and response (EDR)
- Attack surface reduction rules

### Antivirus detections
These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report.

#### Generic detections
The analyst report also lists generic detections that can identify a wide-range of threats, in addition to components or behaviors associated with the tracked threat. These generic detections don't reflect in the charts.

### Endpoint detection and response (EDR) alerts
Endpoint detection and response alerts constitute alerts in Microsoft Defender Security Center. They are raised on [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilities: antivirus, network protection, tamper protection, among others that serve as powerful signal sources.

Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as generic and that it does not influence any of the charts in the report.

### Attack surface reduction rules
When turned on, [attack surface reduction rules](attack-surface-reduction) can be set to either detect (audit) or block various behaviors commonly associated with threats, such as:
- An Office application spawning a child process
- An email client launching an executable
- A script downloading executable content

The analyst report provides a list of attack surface reduction rules that you can use to detect or block the tracked threat.

## Find subtle threat artifacts using advanced hunting
While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that are also exhibited by everyday transactions, so detecting them dynamically can result in operational noise or even false positives.

[Advanced hunting](advanced-hunting-overview.md) provides a query interface, based on Kusto Query Language, that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information quickly. You can verify whether identified indicators are indeed associated with the tracked threat.

Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches.


## Related topics
- [Threat analytics overview](threat-analytics.md)
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Custom detection rules](custom-detection-rules.md)
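Review bot: the link in the first paragraph under "Apply additional mitigations" is broken: `threat-analytics,md#review-list-of-mitigations-and-the-status-of-your-devices` has a comma where the `.md` extension needs a period. The anchor itself matches the `### Review list of mitigations and the status of your devices` heading in threat-analytics.md, so only the extension needs fixing. In the same file, `[attack surface reduction rules](attack-surface-reduction)` (carried over unchanged from the deleted draft) also lacks the `.md` extension and will not resolve. Smaller wording points in the new text: the References row should read "third-party sources are identified", "various security Microsoft 365 Defender capabilities" reads better as "various Microsoft 365 Defender security capabilities", and "wide-range of threats" should be "wide range of threats".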
@ -1,176 +0,0 @@
---
title: Understand the analyst report
ms.reviewer:
description: Learn about common sections in analyst report section of each threat analytics report and how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Understand the analyst report in threat analytics

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

The analyst report is the written section provided by Microsoft security researchers. Most analyst reports include the following sections:

| Report section | Description |
|--|--|
| Executive summary | Overview of the threat, including when the threat was first observed, its motivations, notable events, major targets (industries and regions), and distinct tools and techniques. |
| Analysis | Provides available technical information, including the details of an attack or how a new technique or attack surface might be utilized. |
| MITRE ATT&CK techniques observed | Lists the techniques observed using their MITRE ATT&CK technique category and IDs. |
| Mitigations | Lists all known methods that might reduce the impact or stop the threat. This section also includes mitigations that are not tracked dynamically as part of the threat analytics report. |
| Detection details | Lists specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
| Advanced hunting | Provides sample advanced hunting queries for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that could not dynamically assessed to be malicious. |
| References | Lists Microsoft and third-party references reviewed by analysts during the creation of the report. Threat analytics reports are based on data validated Microsoft researchers. Information from publicly-available, third-party source are identified clearly as such. |
| Change log | Describes significant changes made to the report since the time of publication. |

## Review and apply mitigations
Threat analytics reports dynamically track the status of security updates and secure configurations. These are available as charts and tables under the **Mitigations** tab.

The analyst report, however, also includes mitigations that are _not_ dynamically tracked. Here are some examples of mitigation guidance that are not tracked dynamically:

- Block emails with .lnk attachments or other suspicious file types
- Randomize local administrator passwords
- Educate end-users about phishing email and other threat vectors

While you can utilize the **Mitigations** tab to assess your security posture against a threat, carefully read through all the mitigation guidance in the analyst report for more tips on how to improve your security posture.

## Check detections
The analyst report also provides a list of detections for various security capabilities available with Microsoft Defender for Endpoint, including:

- Antivirus
- Endpoint detection and response (EDR)
- Attack surface reduction rules

### Antivirus detections
These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that are onboarded to Microsoft Defender for Endpoint, the same detections trigger alerts that are reflected in the charts provided with the report.

>[!NOTE]
>There are cases when the report lists some generic detection names that detect a wide-range of threats in addition to the threat components or behaviors associated with the report. These generic detections do _not_ reflect in the charts.

### Endpoint detection and response (EDR) alerts
Endpoint detection and response alerts constitute the alerts on Microsoft Defender Security Center and are raised on [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These detections generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and its other capabilities on the endpoint, including antivirus, network protection, tamper protection, and all other signal sources.

Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In this case the alert is clearly identified as generic and will not influence any of the charts in the report.

### Attack surface reduction rules
When turned on, [attack surface reduction rules](attack-surface-reduction) can be set to either detect (audit) or block various behaviors commonly associated with threats, such as:
- An Office application or an email client launching an executable or spawning a child process
- A script downloads executable content

The analyst report provides a list of attack surface reduction rules that you can use to monitor for or mitigate the tracked threat.


## Proactively locate threats with advanced hunting
While the detections allow you to automatically identify and stop threat activity by turning on the corresponding capabilities, many attack activities leave very subtle traces that require additional inspection. Most of these activities are generally considered normal, and detecting them dynamically can be disruptive.

[Advanced hunting](advanced-hunting-overview.md) provides a query interface, based on the Kusto Query Language, that simplifies locating indicators suspicious activity. Advanced hunting queries also help collect contextual information that you can use to verify whether suspicious activity is associated with the tracked threat.

To use the advanced hunting queries, open them in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting)...



___

[BREAK]









With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:

- Assess the impact of new threats
- Review your resilience against or exposure to the threats
- Identify the actions you can take to stop or contain the threats

Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:

- Active threat actors and their campaigns
- Popular and new attack techniques
- Critical vulnerabilities
- Common attack surfaces
- Prevalent malware

Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.

Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.

## View the threat analytics dashboard

The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:

- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.

Select a threat from the dashboard to view the report for that threat.



## View a threat analytics report

Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.

### Quickly understand a threat and assess its impact to your network in the overview

The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.


_Overview section of a threat analytics report_

#### Organizational impact
Each report includes charts designed to provide information about the organizational impact of a threat:
- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.

#### Organizational resilience and exposure
Each report includes charts that provide an overview of how resilient your organization is against a given threat:
- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.

### Get expert insight from the analyst report
Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.


_Analyst report section of a threat analytics report_

### Review list of mitigations and the status of your devices
In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.

Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.


_Mitigations section of a threat analytics report_


## Additional report details and limitations
When using the reports, keep the following in mind:

- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
- Devices are counted as "unavailable" if they have not transmitted data to the service.
- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".

## Related topics
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
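Review bot: the deleted file's path is not shown in this rendering, so confirm that no remaining TOC entry, redirect or cross-reference still points at it; the TOC hunk in this commit only adds the new entry and does not remove an old one. Content-wise nothing appears to be lost: everything below the `[BREAK]` marker duplicates the threat-analytics.md overview text (the context lines of the threat-analytics.md hunks show the same "Organizational resilience" and "When using the reports" sections), the `>[!NOTE]` on generic detections reappears in the new file as the "Generic detections" subsection, and the unfinished "To use the advanced hunting queries ..." sentence is replaced there by a completed paragraph on running the vetted queries in the query editor and turning them into custom detection rules.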
@ -80,7 +80,7 @@ Each report includes charts that provide an overview of how resilient your organ
- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.

### Get expert insight from the analyst report
Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
Go to the [**Analyst report** section](threat-analytics-analyst-reports.md) to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.


_Analyst report section of a threat analytics report_
@ -105,4 +105,5 @@ When using the reports, keep the following in mind:
## Related topics
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Understand the analyst report section](threat-analytics-analyst-reports.md)
- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
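Review bot: the three places that now point at the new page label it differently: the TOC entry says "Read the analyst report", this related-topics entry says "Understand the analyst report section", and the new page's own H1 is "Understand the analyst report in threat analytics". Aligning the link text with the page title, or at least using the same label in the TOC and here, would keep the navigation consistent. The entry is otherwise fine and sits sensibly between the advanced-hunting and threat-and-vulnerability-management links.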