Azure

The audit activity report is available in all editions of Azure AD. To access the audit logs, you need to have one of the following roles:

• Report Reader

• Security Reader

• Security Administrator

• Global Reader

• Global Administrator

Threat investigation and response capabilities in the Microsoft 365 Defender portal at https://security.microsoft.com are a set of tools and response workflows that include:

• Explorer

• Incidents

• Attack simulation training

• Automated investigation and response

Components and workflow

The architecture consists of the following workflow:

• Microsoft Defender for Cloud uses Microsoft Defender for Cloud to monitor on-premises systems, Azure VMs, Azure Monitor resources, and VMs hosted by other cloud providers.

• Microsoft Sentinel Is a cloud-native Security Information and Event Management (SIEM) and security orchestration automated response (SOAR) solution.can't use the default Defender for Cloud Log Analytics workspace with Microsoft Sentinel. need to create a customized workspace.

• Azure Stack. Is a portfolio of products that extend Azure services and capabilities to your environment of choice, from the datacenter to edge locations and remote offices.

• Azure Monitor. Collects monitoring telemetry from a variety of on-premises and Azure sources.

• Log Analytics workspace. Azure Monitor stores log data in a Log Analytics workspace, which is a container that includes data and configuration information.

• Azure Monitoring Agent. The Azure Monitoring Agent collects monitoring data from the guest operating system and VM workloads in Azure, other cloud providers, and on-premises.

• On-premises network. firewall configured to support HTTPS egress from defined systems.

• On-premises Windows and Linux systems. Systems with the Azure Monitoring Agent installed.

• Azure Windows and Linux VMs. Systems on which the Microsoft Defender for Cloud monitoring agent is installed.

Microsoft 365 activity logs

You can view Microsoft 365 activity logs from the Microsoft 365 admin center. Even though Microsoft 365 activity and Azure AD activity logs share many directory resources, only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.

Enabling Microsoft 365 Defender.

Follow these steps:

1. Sign up for one of the Microsoft 365 Defender workloads.

2. Enable the workloads and establish connectivity.

3. Configure detection on your devices and infrastructure to bring immediate visibility into activities going on in the environment. This gives you the all-important "dial tone" to start the flow of critical data.

4. Enable Microsoft 365 Defender to gain cross-workload visibility and incident detection.

Automated Investigation and Remediation (AIR) can be enabled gradually, so that you can develop a comfort level with the actions that are taken.

Follow these steps:

1. Enable AIR for a test group.

2. Analyze the investigation steps and response actions.

3. Gradually transition to automatic approval for all devices to reduce the time to detection and response.

Enable the Microsoft Defender for Endpoint integration via a Defender for Cloud security policy. Consider using Microsoft Sentinel for threat hunting and incident response.

GitHub - AzureAD/Azure-AD-Incident-Response-PowerShell-Module: The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response.GitHub

GitHub - rod-trent/SentinelPSGitHub