AZURE MICROSOFT MDR - Bluevoyant

Version: 09/27/2021

BLUEVOYANT MODERN SOC
MICROSOFT MDR
POWERED BY MICROSOFT XDR AZURE SENTINEL
SERVICE DESCRIPTION

Contents
Description of Service ... 2
Service Summaries ... 4
  MDR for Azure Sentinel ... 4
  MDR for Microsoft 365 Defender ... 4
  MDR for Defender for Endpoint ... 5
  MDR for Defender for Office 365 ... 6
  Microsoft Cross Signal Threat Hunting ... 9
  Advanced Threat Hunting ... 10
  Log Collector Virtual Appliance service ... 11
Services Included in All MDR Services ... 12
Service Level Agreements (SLA) ... 17
Client Communications ... 19
Client Responsibilities ... 20
Additional Details ... 22
Appendix ... 25
  Appendix: MDR for Azure Sentinel (Additional Details) ... 25
  Appendix: MDR for Microsoft 365 Defender (Additional Details) ... 30
  Appendix: Advanced Threat Hunting (Service Details) ... 42
  Appendix: Virtual Log Collector Appliance (Full Service Description) ... 43

1. DESCRIPTION OF SERVICE

This Service Description and Service Level Agreement (“Service Description”) describes the Service (as defined below) being provided to you (“Client”, or “you”) by BlueVoyant, as executed by Client for the purchase of this Service.

This Service is provided in connection with and is governed by the Client’s signed Service Order/Proposal and separately signed BlueVoyant Standard Terms and Conditions (the “MSA”) that explicitly authorizes the sale of managed security and consulting services. In the absence of either an MSA or security services schedule, the Services described under this Service Description will be governed by and subject to the terms and conditions of the BlueVoyant Standard Terms and Conditions (“MSA”).

BlueVoyant Modern SOC (the “Service”) consists of BlueVoyant’s monitoring of the contracted Client-owned Microsoft environment (Azure and Microsoft 365) as specified on the Service Order/Proposal and further described below. The services provide the Client with 24 hours a day and 7 days a week security monitoring with detection and response services across the Client’s Microsoft 365 Defender suite of products and Azure infrastructure. This Service utilizes the BlueVoyant platform (the “Platform”), which includes automation, case management, and threat intelligence enrichment in conjunction with security analysts in BlueVoyant’s Security Operations Centers (“SOC”) and the Client’s Azure Sentinel instance and Microsoft 365 infrastructure and security products. The Client is responsible for any license and consumption fees for their Microsoft environment, including fees associated with Microsoft Azure Sentinel ingestion as well as Microsoft 365 licensing.

All the Services will be executed according to this service description unless stated differently in the accompanying statement of work (SOW). The BlueVoyant Modern SOC includes the following service components:

MDR Services: This is an ongoing subscription for managed detection and response which includes a full-time cloud-based 24x7 security operations center. Standard MDR services are also referred to below as “Tier 1” MDR services. Certain MDR services can be purchased individually or bundled.
- MDR for Azure Sentinel: Monitoring and investigations of Sentinel incidents.
- MDR for Microsoft 365 Defender: Monitoring, investigations, and eradication where possible of security threats across the Defender 365 suite of products.
- MDR for Defender for Endpoint: Can be purchased separately or as included with MDR for Microsoft 365 Defender.
- MDR for Defender for Office 365: Can be purchased separately or as included with MDR for Microsoft 365 Defender. Includes Security Support Services for Email configuration and Business Email Compromise Investigation Services.

Advanced Threat Hunting, or Tier 2 MDR Services: Proactive threat hunting and other advanced detections by BlueVoyant experts.

Clients may opt into the complete BlueVoyant SOC service offerings or select only some of the services mentioned above. The price will change accordingly around selected services and the scope of service. Endpoint or Azure Active Directory response actions are not included in this service unless the client is expressly covered by BlueVoyant’s MDR for Microsoft 365 Defender service.

Client system onboarding for all of the MDR services above consists of a BlueVoyant Accelerator consulting service, or onboarding service. The scope and pricing of the onboarding service will vary based on the existing security readiness and configuration of the client environment, and generally requires a scoping engagement prior to client onboarding. Please see the separate BlueVoyant Modern SOC - Microsoft Accelerators document for additional details.

2. SERVICE SUMMARIES

MDR FOR AZURE SENTINEL

BlueVoyant’s Managed Detection and Response (MDR) for Azure Sentinel service combines the power of Microsoft’s Azure Sentinel SIEM tool with an elite 24x7 security operations team to identify, investigate and stop today's most sophisticated and advanced cyberattacks.

The BlueVoyant MDR for Azure Sentinel service correlates and analyzes network, user, endpoint assets, and other IT and security logs in real time, aggregating disparate data and applying the latest threat intelligence to quickly identify and respond to security events. Additionally, the security operations team will proactively tune alerts specifically to each Client’s environment to filter out noise and false positives.

BlueVoyant’s Wavelength Client Experience Portal can be used to track alerts, events, and case investigation notes. Wavelength can also be used to track service requests. Clients will also be able to track other SOC-related activities directly in Azure Sentinel.

Management of detections and console management for Azure Sentinel is included within the MDR for Azure Sentinel offering. However, any detections or connectors labeled “Public Preview” are not covered by BlueVoyant, as Microsoft does not offer support SLAs for them.

Key Services Delivered:
- 24x7 SOC Monitoring & Investigation in Azure Sentinel
- Proactive Alert Tuning
- Real-time Threat Intelligence Enrichment
- ServiceNow ITSM ticketing integration
- Wavelength Portal

MDR FOR MICROSOFT 365 DEFENDER

BlueVoyant’s Managed Detection and Response (MDR) for Microsoft 365 Defender service combines the power of Microsoft’s Defender product suite with an elite 24x7 security operations team to identify, investigate and eradicate today’s most sophisticated and advanced cyberattacks. This service requires the activation of Azure Sentinel.

Key Services Delivered:

- Onboarding of Microsoft 365 Defender products into Azure Sentinel and the BlueVoyant service (as provided by the Accelerator for MDR for Microsoft 365 Defender)
- 24x7 SOC investigation & response directly in Microsoft 365 Defender products
- Application of best practice policy and alert recommendations
- Close investigated alerts with classifications to see trends
- Enable cross-correlation of Microsoft 365 Defender signal to focus on MITRE coverage and informative responses
- Microsoft Cross Signal Threat Hunting (defined below) is included
- Advanced Threat Hunting (defined below) is included
- ServiceNow ITSM ticketing integration
- Wavelength Portal

Clients can purchase variations of the MDR service for Microsoft 365 Defender in the following configurations:
1. Complete coverage. This includes Managed Detection and Response (MDR) coverage for Microsoft 365 Defender as a whole.
2. MDR for Endpoint with Defender for Endpoint only (no Azure Sentinel is required in this configuration).
3. MDR for Office 365 (Exchange Online Protection 1&2 required) (Email investigations only, as defined below. Azure Sentinel is required for service).

I. MDR for Defender for Endpoint

MDR for Endpoint provides remote endpoint threat protection, response, and mitigation. It protects data, assets, and business operations by detecting malware, including ransomware variants, zero-days, non-malware, and file-less attacks. The BlueVoyant SOC will investigate and neutralize threats on your behalf 24/7, based on requirements and rules of engagement agreed upon by BlueVoyant and the Client. Additionally, the client will provide access to and licensing for Microsoft Defender for Endpoint.

MDR for Defender for Endpoint is generally deployed in conjunction with, and as a component of, MDR for Microsoft 365 Defender; in this case, the client console used to review security cases and other notes and updates returned to the client by the BlueVoyant SOC is Azure Sentinel with the Wavelength client portal. In client configurations where MDR for Defender for Endpoint is deployed in a stand-alone manner, and not as a component of MDR for Microsoft 365 Defender, Azure Sentinel may be an optional component and may not be required.

Key Services Delivered:
- Investigation & Notification
- Indicator Enrichment
- Endpoint Response

Additional Details
- Supported Endpoint OS: Windows, macOS, Linux. Details on which operating systems are supported can be found pported-os
- Standard Managed Prevention: Utilizing Microsoft Defender for Endpoint, automatically blocks malicious indicators of compromise (IOCs) and behaviors of compromise (BOCs), with expert review of detections to ensure there is always human oversight on technology.

II. MDR for Defender for Office 365

MDR for Defender for Office 365 provides threat detection and investigation against malicious threats posed by email messages, external links (URLs) in files, and collaboration tools.

Key Services Delivered:
- Security Support Services: This is an ongoing subscription service from BlueVoyant’s support team. The services include a quarterly assessment of the security configurations enabled for Defender for Office 365, including assessing external email forwarding statuses for new users and domains, review of DKIM, DMARC, and SPF records, and a review of in-console Email reports for continuous improvement opportunities. In addition, the team provides Monday through Friday support service to support configurations, modifications, and change management within the Defender for Office 365 Exchange admin console (EAC). This subscription service can be purchased after a successful accelerator engagement. Additional project hours can be purchased for extended team or project management use under a separate Statement of Work.
- Business Email Compromise Investigation Services: This is an ongoing subscription that includes a full-time cloud-based 24x7 security operations center that triages non-user-submitted email alerts from Microsoft Defender for Office 365. The team will investigate the following alert types to identify the severity and blast radius of the attack and escalate accordingly:
  - Email messages containing phish URLs removed after delivery
  - Email messages containing malware removed after delivery

  - Admin triggered a manual investigation of an email
  - A potentially malicious URL click was detected
  - Suspicious email sending pattern detected
  - User restricted from sending email

III. MDR for Defender for Identity

MDR for Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) provides the ability to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization, arising from on-prem domain controller vulnerabilities and brute force attacks. This service is purchased only as an included component of the MDR for Microsoft 365 Defender service, and is not purchased in a stand-alone manner.

Key Services Delivered:
- Protect user identities and credentials stored in on-premises Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage

The following alert types are supported use cases:
- Security Principal Reconnaissance
- NMAP Reconnaissance
- DC-Sync Attacks (Directory Services Replication)
- Suspected Pass the Ticket (Identity theft)
- Kerberos and NTLM brute force attacks
- SMB User and IP address reconnaissance

IV. MDR for Microsoft Cloud App Security (MCAS)

MDR for Microsoft Cloud App Security (“MCAS”) provides protection powered by Microsoft’s MCAS solution. This service is purchased only as an included component of the MDR for Microsoft 365 Defender service, and is not purchased in a stand-alone manner.

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes, including log collection, API connectors, and reverse proxy. In addition, it provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services.

All of these techniques and monitors provide a rich stream of events and incidents to the BlueVoyant SOC, enabling rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services.

While Microsoft Cloud App Security offers DLP and compliance features, these features are out of scope for detection and response services.

Alerts with category ‘Threat Detection’ within MCAS offer the highest quality detections for MDR, and are in scope for the service:
- Impossible Travel
- Multiple Failed Logon attempts to a service
- Activity from TOR IP address
- Multiple failed login attempts
- Suspicious OAuth app file download activities
- Data exfiltration to an unsanctioned app
- Discovered app security breach
- Multiple Power BI sharing report activities
- Malware detection
- Misleading OAuth app name
- Mass download by a single user
- Cloud discovery anomaly detection
- File shared with personal email addresses
- Data exfiltration to an app that is not sanctioned
- Activity from an anonymous proxy
- Activity from infrequent country
- Externally shared source code
- Logon from risky IP address
- New high volume app
- External user added to Teams
- Investigation priority score increase
- Ransomware activity
- Suspicious inbox manipulation rule
- New high upload volume app

Key Services Delivered:
- 24x7 Cloud App Monitoring and response: Monitors suspicious behavior and provides detailed visibility of alerts and their responses within the Sentinel integration.
- On-going MCAS policy tune-up: BlueVoyant SOC will adjust all MCAS policies to reduce the number of false positive alerts.
- Centralized SIEM Alerting, Automation, and Remediation: Through Sentinel integration, BlueVoyant SOC will provide advanced playbooks to automate the response for several built-in Threat Detection policies provided by Microsoft.
- Support and remediation of security incidents related to users with high investigation scores: BlueVoyant SOC has developed a set of Sentinel alert rules and playbooks to actively remediate incidents related to high investigation priority score users (score 100).
- Conditional Access App Control apps: The BlueVoyant team will assist the Client with setup and monitoring of new SAML applications (subject to the scope of Consulting Concierge Services).

MICROSOFT CROSS SIGNAL THREAT HUNTING

Cross Signal Threat Hunting is bundled with the MDR for Microsoft 365 Defender offering. This detection-driven, CI/CD model of threat hunting includes additional cross-signal detections across the Microsoft ecosystem that take advantage of cross-system attribution capabilities within the Microsoft 365 Defender hunting tables. Examples of these hunting scenarios include identity and email detections in addition to traditional endpoint hunting use cases.

ADVANCED THREAT HUNTING

BlueVoyant’s Tier 2 Managed Detection and Response (generally referred to as “Threat Hunting”, but also including additional capabilities as described below) may be added as an additional extended service to BlueVoyant MDR Services and includes all detection and service delivery components of Tier 1 (Standard MDR), with additional detection capabilities and techniques, as listed below and described further in the Appendix.
- Anomaly Detection
- Threat Hunting
- Forensic Artifact Analysis
- Attacker Abuse Insights
- Ad-hoc IOC Discovery

BlueVoyant Threat Hunting services are designed to identify adversary activity that has bypassed prevention and detection technologies, malware-less attacks, Advanced Persistent Threat actors, and historical compromises. Through continuously updated queries and hunting hypotheses, BlueVoyant Threat Hunters execute automated and manual queries against raw telemetry from endpoints, network devices, and other sources to drastically reduce the risk of detection bypasses and hands-on-keyboard adversary activity.

Some of the areas investigated include, but are not limited to, Persistence Mechanisms, Webshells, Malicious Scripts, Malicious Documents, Administrator Tool Use, Reconnaissance, Remote Access Solutions, privilege escalation, and manipulation, among other elements.

Reactive hunting is performed on an ad-hoc basis, driven by intelligence tippers, new OSINT (open-source intelligence) on threat actor TTPs (tactics, techniques, and procedures), client requests, and ongoing research. The BlueVoyant Threat Hunting team is constantly adding new leads and retro-hunting and/or adding scheduled queries based on BlueVoyant research, publicly shared research, intelligence tippers, and the like.

LOG COLLECTOR VIRTUAL APPLIANCE SERVICE

The BlueVoyant Log Collector Virtual Appliance is a software package deployed into a virtual machine that enables log collection from on-premises networks, other commercial clouds, or other external sources, and delivers it to the customer's Azure Sentinel instance(s). The log collector is used when deployment of a log collection agent is not possible, such as gathering logs from a device or appliance where a log collector agent cannot be installed (e.g. a router or firewall). The BlueVoyant log collector is designed to receive log items in Syslog file formats. Upon receipt of the package by the client, the log collector must be installed in a virtual environment of the customer's choosing and be connected to the networks that are being monitored.

BlueVoyant will remotely manage the virtual appliance, and it will be dedicated to this purpose. In addition, customers will provide internet access and manage firewall rules.

This log collector virtual appliance does not support guaranteed delivery of logs. Therefore, it should not be used for compliance purposes when logs are required to be collected and stored for purposes other than as required by the BlueVoyant Modern SOC.

Key Services Delivered:
- A BlueVoyant Ubuntu-based image containing the software stack required for the Log Collector Virtual Appliance, including Remote Access for management, patching, AV detection, and monitoring
- Log Collector virtual appliance health monitoring, administration, updates, and patching
- Log Source and log file receipt monitoring

3. SERVICES INCLUDED IN ALL MDR SERVICES

Security Operations Centers (SOC): BlueVoyant’s managed detection and response service is delivered through a cloud-native SOC, which operates 24 hours a day, 7 days a week. The BlueVoyant SOC is SOC 2 Type II certified and staffed with security experts with technical certifications including, but not limited to, Microsoft (MS-500, AZ-500, SC-200), SANS (GCFA, GCFE, CDIA, GCIA, GCIH), and CISSP.

Wavelength (BlueVoyant’s Client Portal): Wavelength is a web-based portal that provides real-time visibility into detected alerts and confirmed incidents, enables approved Client employees to interact with BlueVoyant’s SOC analysts, view all detected assets, and, if applicable, view vulnerabilities.
- Dashboards: Available through Wavelength, dashboards represent a variety of content including but not limited to event volume, alert volume, detected assets, and analyst response actions.
- Reports: Available through Wavelength, reports include Client environment content related to alerts, incidents, indicators, assets, and vulnerabilities. If needed, the Client can request specific reporting on events be delivered as a report on an automated basis. Extensive customization of report templates and/or creation of custom reports are not included in the service and can be performed on an engagement basis subject to the mutual agreement of a separate signed Statement of Work.
- Threat Intelligence Reports: Threat landscape and intelligence summary reports are developed by the BlueVoyant Threat Fusion Cell.

The BlueVoyant Threat Fusion Cell (TFC) is a dedicated team of intelligence analysts and threat researchers operating within our SOC that identifies, prioritizes, and operationalizes information about threats that pose risks to our Clients. The TFC collects and curates feeds from 37 sources of data, including BlueVoyant’s proprietary dataset as well as open-source, partner, and paid intelligence, to operationalize and contextualize malicious activities that could pose a risk to you. Threat intelligence includes all atomic indicator types such as SHA256, SHA1, and MD5 hashes, email addresses, URLs, domains, IP addresses, and CVE vulnerabilities. In addition, threat intelligence indicators may also include unstructured indicators on the dark web from web forums or data leaks.

Our process enables curated threat intelligence to improve detections using a guided course of action with the SOC. Focused on zero-day and emerging threats, the service recommends mitigation efforts for successful incidents. Curated threat intelligence is key to any strategic threat hunt mission and, once detected, is used for reputation scoring and detection efficacy.

Unlimited Live Remote Response: A core component of BlueVoyant’s MDR service is unlimited remote investigation and response services for all activities consistent with remote SOC capabilities and the visibility and response capabilities of managed security tools. This includes day-to-day remote level 1 through 3 investigations and response to all events requiring ongoing coordination and communication with the Client via telephone, email, or conferencing with BlueVoyant security operations personnel. However, remote SOC services do not include on-site support, information technology configuration management, or traditional post-mortem endpoint or network forensics.
- Traditional incident response services are available from BlueVoyant’s incident response team through a separate professional services engagement. A professional services (PS) engagement is necessary for scenarios where endpoint security tools (such as Defender for Endpoint) cannot provide enough insight to determine the root cause or the extent of any data exfiltration that may have occurred. As an example, this can occur when incidents involve devices without sensors or during heavily obfuscated activities.
  - BlueVoyant’s incident response services (separate add-on) include conducting forensic analysis on endpoint devices utilizing multiple industry-standard tools such as EnCase, FTK, Axiom, and X-Ways. This analysis is performed in scenarios where additional evidence may be required to solidify conclusions regarding the root cause or data exfiltration, such as passwords, PHI, PII, or other sensitive data from a compromised device. With the help of these tools, BV’s professional services can more thoroughly understand the impact of even a brief compromise and identify future risks to the environment.
  - BlueVoyant’s incident response services will also perform investigations in a forensically sound manner for proper transitioning between investigative services and law enforcement.

Security Orchestration and Automation: Security orchestration and automation are key system components of the Platform that support the BlueVoyant Modern SOC. BlueVoyant has multiple methods to bring SOAR platforms to security operations centers to accelerate event triage, reduce false positives, and improve mean time to resolution (MTTR).
- MDR Playbooks: BlueVoyant SOC and engineering teams have developed automation to support services and continue to deliver new automation as part of the service. These playbooks support service implementation, delivery, assessment, and operational data gathering and are not configurable by the Client.
- SOAR Playbooks: Additional response action automation that requires privileged access to execute, or SOAR playbook extensions for custom requirements, are deployed within the Client’s Azure Sentinel environment during Accelerator packages. The MDR Service will use customer-specific SOAR playbooks in escalation recommendations but ensures

access to invoke this automation stays within the Client’s jurisdiction. These are configurable but managed by BlueVoyant.

BlueVoyant Client Experience Team: BlueVoyant’s Client Experience team is the primary support team for the Client. The assigned Client Success Manager (CSM) will meet with the Client regularly to understand the Client’s security program goals and advise how BlueVoyant services can best meet their needs. The CSM is also engaged in any significant security events that occur for the Client. In addition, the CSM will deliver any requested feedback to the BlueVoyant product and service delivery teams. The CSM may also encourage the participation of a BlueVoyant Security Advisor (SA) where appropriate.

Concierge Services

Standard Concierge Services: Standard Concierge Services is a service that allows the Client to request modifications to the operation of the MDR Service or management of the SIEM. This may include maintaining and tuning data sources to adjust to changes in source systems or to keep up with platform updates. Standard Concierge Services are intended to describe services that modify the existing configuration of BlueVoyant services for a customer and include such services as grouping alerts together into a single response, adjusting thresholds for an automatic response, alert tuning, threat eradication, or adding and removing columns in response arrays, etc.

Consulting Concierge Services: Consulting Concierge Services is a paid service for the creation of customized content and for Client requests that are out of scope for Standard Concierge Services. Generally, this occurs after the Client has reached a “steady state” with live monitoring services. Prior to work being initiated, BlueVoyant will provide a Consulting Concierge Service statement of work (SOW), including a price quote, and will review this for approval with the Client. Depending on the work effort required, a project manager may also be assigned as part of the work effort. BlueVoyant has the right to refuse the development of custom content for the Client based upon the effort or scope of the request. Consulting Concierge Services will be billed in 30-minute increments.

Scope of Requests: The scope that the Concierge will support includes (but is not limited to) the development of customized dashboards, widgets, reports, alert rules, playbooks based on the event and/or available threat intelligence data, and informal user training on the Sentinel software.

Submitting a Concierge Request: Client requests for Concierge Services are submitted as a concierge service ticket or to the CSM via a service request. The Concierge desk will determine when a Client request qualifies as a Standard Concierge Service or when it is out of scope and must be classified as a Consulting Concierge Service request. This may be when a Client request

is too complex or would take too many hours to be completed using the standard level of service.

Concierge Work Hours: Concierge work hours are determined by “work effort”, or the time it takes a Concierge Content Engineer (“CCE”) to build, test, and deploy the requested content to your environment. Standard Concierge Services work hours are not charged to the customer, but Consulting Concierge Services work hours are charged against the Client Work Hour Account.

Client Work Hour Accounts: Each request for Consulting Concierge Services is charged against the client account for Concierge Work Hours. Generally, a BlueVoyant MDR Contract will include an initial quantity of twenty (20) Concierge Work Hours. If a Concierge request is estimated to require more hours than are available in the client account, the client will be asked to purchase sufficient additional Concierge work hours to cover the expected work effort.

Limitations: All Concierge requests are subject to the technical and contractual limitations of the Azure Sentinel software as provided by Microsoft (the “Vendor”). All Concierge requests are subject to review and approval by BlueVoyant. Due to the highly customized and dynamic nature of the Concierge service, there is no SLA for the CCE completion of Concierge requests.

Billing: Concierge Work Hours for Consulting Concierge Services time can be purchased from BlueVoyant at a 320/hour rate unless stated differently on a separate SOW. Customers can also purchase additional quantities of Concierge Work Hours at a discounted rate.

Exclusions: Concierge engineers do not fulfill requests for security consulting, posturing, incident response/remediation, legal, or audit support. Please contact your Client Experience Team advisor to direct these types of requests to the appropriate channels. For incident response, please email incident@bluevoyant.com (24/7) or call 1 (646) 558-0052 (8am-5pm EST).

Tracking: CCEs will record and report on hours on a weekly basis to the Client as incurred, along with an email summary of work performed.

Concierge Support Activities

Below is a list of example support activities. Concierge support activities are not limited to the items below, but it can be a helpful list.

Activity type | Activity Name | Concierge Service Type
Standard Inquiries and tuning | Billing questions | Standard
 | Request for service details | Standard
 | Request for technical advice about any Microsoft tools and technologies | Standard
 | Report Service function incident | Standard

 | Modify authorized contact/user | Standard
 | Update or create a Sentinel constant | Stand
