Part 1: Exploring the Portal
In this first blog post, I will introduce you to the security.microsoft.com portal, which is the central hub for Microsoft 365 Defender and Microsoft Defender XDR. The portal provides a unified view of your security posture, alerts, incidents, investigations, and actions across endpoints, email, identities, and cloud apps. You will learn how to access the portal, explore its features and capabilities, and customize it for different roles and scenarios within your organization.
Agenda:
- Introduction
- What is what - Exploring the Portal's Pages and Components
- My recommendation
- Conclusion
Introduction
The security.microsoft.com portal is a cloud-native solution that leverages the power of Microsoft 365 security products and services to help you protect your organization from advanced threats. The portal enables you to:
- Monitor and manage your security posture with dashboards, reports, and recommendations.
- Detect and respond to security incidents and alerts with automated investigation and remediation capabilities.
- Hunt for threats and anomalies with advanced hunting queries and threat analytics.
- Configure and enforce security policies and settings across your devices, users, mailboxes, and apps.
- Integrate with other Microsoft and third-party security solutions and tools via APIs and connectors.
What is what - Exploring the Portal's Pages and Components
The portal consists of several pages and components that you can access from the navigation menu on the left side of the screen. Here are some of the key pages and components that you should be familiar with:
Home: This is the landing page of the portal, where you can see an overview of your security status, such as the number of active incidents and alerts, the security score of your organization, and the latest threat analytics reports. You can also access the Microsoft Defender Security Center and the Microsoft 365 compliance center from this page.
Investigation and Response: This is where you can view and manage all the security incidents and alerts in your organization. You can filter, sort, and search for incidents and alerts by various criteria, such as severity, status, category, and source. You can also drill down into each incident or alert to see the details, timeline, evidence, and response actions. A new addition is the Microsoft Security Copilot feature to get AI-powered assistance with incident summary, script analysis, guided response, and incident report generation.
Advanced hunting also lives in this section. It lets you run hunting queries across the signals of all integrated technologies (endpoints, email, identities, and cloud apps) from one place.
Threat intelligence: This is where you can access the threat intelligence capabilities of Microsoft Defender XDR, such as threat analytics, threat indicators, and threat intelligence reports. You can see the latest threat intelligence insights and recommendations from Microsoft security researchers and analysts, as well as the indicators of compromise (IOCs) and indicators of attack (IOAs) that are relevant to your organization.
This page allows you to stay informed and proactive about the evolving threat landscape and apply the best practices and guidance from Microsoft to protect your organization. You can also use the threat intelligence data to enrich your investigations and hunting queries.
Endpoints - Threat & vulnerability management: This is where you can view and manage the threat and vulnerability management capabilities of Microsoft Defender XDR, such as vulnerability assessment, configuration assessment, software inventory, and remediation. You can see your threat and vulnerability management posture, exposure score, configuration score, and remediation recommendations. You can also perform threat and vulnerability management actions, such as creating a remediation request, approving a remediation request, and deploying software updates.
Assets - Devices: This is where you can view and manage all the devices in your organization that are protected by Microsoft Defender for Endpoint. You can see the device inventory, compliance status, vulnerability exposure, and threat protection state. You can also perform device-level actions, such as isolate, collect investigation package, run antivirus scan, and initiate automated investigation.
This page allows you to monitor the health and security of your devices and respond quickly to any issues or threats. You can also access the device page from the incident page to investigate a specific device involved in an incident. You can see the device details, such as OS version, IP address, domain, and group memberships, as well as the device risk score, exposure score, and alerts history.
Assets - Identity: This is where you can view and manage the security of your identities and access management systems, such as Azure Active Directory and Microsoft Cloud App Security. You can see the identity and access security posture, risky users and sign-ins, and identity protection policies. You can also perform identity and access actions, such as confirm user compromised, dismiss user risk, and reset password.
Email & collaboration: This is where you can view and manage the security of your email and collaboration platforms, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. You can see the email and collaboration security posture, threat protection coverage, and attack campaigns. You can also perform email and collaboration actions, such as delete email, soft-delete email, hard-delete email, and block sender.
In this section of the portal, you can also create policies and rules. Here you configure policies such as Anti-phishing, Anti-spam, and Anti-malware. Additionally, you can manage policies for Safe Attachments and Safe Links.
Cloud apps: This is where you can monitor and control the cloud applications and services that your organization uses, such as Office 365, Azure, AWS, and Salesforce. You can see the cloud app inventory, usage, risk, and compliance status. You can also create and manage cloud app policies, such as cloud discovery anomaly detection, session control, access control, and data protection.
Settings: This is where you can configure and manage the settings and policies for Microsoft Defender XDR and its integrated products and services. You can access the settings for each product and service from the left navigation menu. You can also access the unified role-based access control (RBAC) settings, where you can manage the roles and permissions for the portal users and groups.
My recommendation
As a security professional, you should explore the portal and familiarize yourself with its features and capabilities. You should also customize the portal to suit your role and preferences. Here are some of the things that you can do to customize the portal:
- Pin your favorite pages and components to the navigation menu for quick access.
- Create and save custom filters for incidents and alerts based on your criteria and interests.
- Create and save custom dashboards and reports with the widgets and charts that you need.
- Create and save custom advanced hunting queries and detection rules based on your hunting scenarios and objectives.
- Configure and enable email notifications for incidents and alerts based on your preferences and thresholds.
- Configure and enable automated investigation and response (AIR) settings and actions based on your policies and risk appetite.
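As an added example of the advanced hunting and custom detection items above (this is my own illustration, not a query shipped with the portal), the KQL below hunts for inbound emails that were classified as malware or phishing yet still delivered, and projects the columns a custom detection rule needs. The table and column names come from the Defender XDR advanced hunting schema; the 7-day lookback and the choice of threat types are assumptions for this example.

```kql
// Added example: inbound emails tagged as Malware or Phish that were nevertheless
// delivered to a mailbox. Timestamp, ReportId and an email identifier
// (RecipientEmailAddress / NetworkMessageId) are kept so the query can be saved
// as a custom detection rule. Lookback and threat types are example assumptions.
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Malware", "Phish")
| where DeliveryAction == "Delivered"
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, ThreatTypes, DeliveryLocation
| sort by Timestamp desc
```

Run it under Investigation and Response > Hunting > Advanced hunting; once the results look right, use "Create detection rule" to turn it into a scheduled custom detection. A query can only be saved as a detection rule if it returns Timestamp, ReportId, and at least one entity column such as RecipientEmailAddress, which is why those are projected explicitly rather than dropped.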
Conclusion
In this blog post, I have given you an overview of the security.microsoft.com portal, its features and capabilities, and how to customize it for your organization's needs. The portal is a powerful and flexible tool that can help you protect your organization from advanced threats across endpoints, email, identities, and cloud apps. I hope this walkthrough has helped you become more familiar with the portal and its capabilities. In the next blog post, I will dive deeper into how to use the portal for efficient incident response and management with Microsoft Defender XDR. Stay tuned!