Microsoft 365 Defender Incident Management | SOC Analyst Guide

What Constitutes an Incident in Microsoft 365 Defender?

Question

Microsoft 365 Defender provides a purpose-built UI to manage and investigate security incidents and alerts across Microsoft 365 services.

You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security.

You are required to monitor related alerts across all of these solutions as a single incident, so that you can observe the incident's full impact and perform an RCA (root cause investigation).

The Microsoft 365 security center portal provides a unified view of incidents and the actions taken on them.

Which of the following can be classified as an Incident?

Answers

Explanations


Correct Answer: B


In the context of Microsoft 365 Defender, an "incident" refers to a group of related alerts that may indicate a security breach or threat to the organization. These alerts may come from different Microsoft 365 Defender solutions, such as Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security, and may be related to different stages of an attack, such as initial compromise, lateral movement, or data exfiltration.

When an incident is detected, the SOC analyst will typically investigate the alerts that are associated with it to determine the root cause of the incident, assess the scope of the attack, and take appropriate actions to contain and remediate the threat.

To answer the question, a "test alert" would not be classified as an incident because it is not a real security event but a simulated one, raised to test the effectiveness of the security monitoring tools. A "true alert," on the other hand, would be classified as an incident because it indicates a real security event that requires investigation and response. The severity of an alert, whether or not it is rated "high," does not determine whether it is an incident. Similarly, "positive alert" is not a standard term in the context of Microsoft 365 Defender, so it is unclear what it refers to and whether it would be classified as an incident.

In summary, the correct answer to the question is B. True alert.
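The grouping described above, as an added illustration that is not Microsoft's code or API: true alerts from different Defender solutions that share a user or device are correlated into one incident, test alerts are dropped, and severity only ranks the incident rather than deciding whether one exists. The `Alert`/`Incident` classes and the sample alerts are constructed for this example.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str            # which Microsoft 365 Defender solution raised it
    severity: str
    entities: frozenset    # users/devices the alert involves
    is_test: bool = False  # simulated alert used to exercise the monitoring

@dataclass
class Incident:
    incident_id: int
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    def add(self, alert):
        self.alerts.append(alert)
        self.entities |= alert.entities

    def sources(self):
        return sorted({a.source for a in self.alerts})

    def severity(self):
        # An incident inherits the highest severity among its member alerts.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

def correlate(alerts):
    """Group true alerts that share a user or device into incidents (hypothetical logic)."""
    incidents = []
    for alert in alerts:
        if alert.is_test:          # a test alert never becomes an incident
            continue
        related = [i for i in incidents if i.entities & alert.entities]
        if not related:            # nothing in common with existing incidents: new one
            incidents.append(Incident(len(incidents) + 1))
            incidents[-1].add(alert)
            continue
        target = related[0]
        for other in related[1:]:  # the new alert bridges several groups: merge them
            for a in other.alerts:
                target.add(a)
            incidents.remove(other)
        target.add(alert)
    return incidents

# Constructed sample alerts spanning three solutions, including one test alert.
SAMPLE_ALERTS = [
    Alert("A1", "Defender for Office 365", "medium", frozenset({"user:alice"})),
    Alert("A2", "Defender for Endpoint", "high", frozenset({"device:WS01"})),
    Alert("A3", "Defender for Endpoint", "high", frozenset({"device:WS01"}), is_test=True),
    Alert("A4", "Defender for Identity", "medium", frozenset({"user:alice", "device:WS01"})),
    Alert("A5", "Cloud App Security", "low", frozenset({"user:bob"})),
]
```

Running `correlate(SAMPLE_ALERTS)` yields two incidents: one spanning three solutions (A1, A2, A4, severity high) and a single-alert low-severity one for bob, while the test alert A3 appears in neither.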