What’s Included
ConnectWise MDR for Microsoft 365 is deployed in conjunction with the ConnectWise Security Operations Center (SOC) to monitor, alert on, and help protect the Microsoft 365 environment.
The service integrates with Microsoft Defender for Office 365, Defender for Identity, and Defender for Cloud Apps to provide continuous 24/7 monitoring of the Microsoft 365 tenant.
Alert feeds from these integrated Defender products are analyzed by ConnectWise internal systems and certified SOC analysts to detect email-borne threats, identity-based attacks, anomalous user behavior, and suspicious cloud application activity, helping reduce alert fatigue and support high-fidelity escalations.
Upon detection of a security incident or indicator of compromise within the Microsoft 365 environment, the following services are provided in coordination with the ConnectWise SOC:
- Security alerts originating from the Microsoft 365 tenant are initially analyzed by the ConnectWise SOC, triaged, and contextualized against global threat intelligence, with significant alerts escalated to the security team
- Investigation of escalated alerts to confirm whether an alert represents a true security incident and to assess the threat's severity, scope, and potential impact on data, users, and cloud resources
Alert categories may include:
- Phishing, including basic phishing, credential harvesting, and advanced social engineering attacks
- Spoofing, including domain and display name impersonation
- Business Email Compromise (BEC), including CEO fraud and compromised account alerts
- Spam, including unwanted bulk email
- Zero-day attacks, including exploitation of unpatched vulnerabilities
- Anomalous activity, including unusual outbound email volume and suspicious inbox rules
- Threat intelligence alerts tied to indicators of compromise such as known malicious URLs, file hashes, or sender addresses
- Use of unified monitoring dashboards (ConnectWise BrightGauge or equivalent) to maintain real-time visibility into threats across the Microsoft 365 environment. These dashboards incorporate Microsoft Secure Score telemetry, audit log data, and signals aggregated by the MDR platform to assess the nature and origin of detected threats and their potential lateral movement or propagation across cloud workloads and identities
- Prompt notification to designated security contacts upon verification of a security incident or high-risk threat, including threat details, affected users, mailboxes, files, or applications, along with preliminary recommended actions
- Collaboration to determine appropriate response measures consistent with operational requirements and any predefined incident response plan
- Execution of containment and remediation measures for confirmed threats in coordination with the ConnectWise SOC. Depending on the incident, these may include disabling or revoking access for compromised user accounts, invalidating active sessions and OAuth tokens, blocking malicious mail flow rules or inbox forwarding configurations, removing malicious email messages from affected mailboxes, restoring altered SharePoint or OneDrive files to a pre-incident state where versioning permits, and revoking risky third-party application permissions
- Response actions are executed in accordance with MDR service capabilities, the Microsoft 365 administrative permissions granted to the service, and any client-specific instructions
- Documentation of significant incidents and actions taken in a report or within the ticketing system, including the nature of the threat, affected Microsoft 365 services and user accounts, detection and neutralization methods employed, and recommendations regarding additional hardening steps, policy adjustments, or security improvements to help reduce future risk within the Microsoft 365 environment
- Note: The Microsoft 365 tenant must include a minimum of one (1) Microsoft Defender for Office 365 Plan 2 license.
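The "suspicious inbox rules" detection and the containment steps listed above (disabling the account, revoking sessions and OAuth consent, removing forwarding) map directly onto public Microsoft 365 administrative cmdlets. The script below is an added illustration of that mapping written by the editor; it is not ConnectWise tooling and does not show how the ConnectWise SOC performs these actions. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the operator holds an Exchange administrator role plus the delegated Graph scopes User.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All, and that it is saved as a script file (the name Contain-M365User.ps1 and the -Upn / -Contain parameters are the editor's choices). The folder-name heuristic for "hiding" rules is an assumption, not a Microsoft-defined list.

```powershell
<#
  Added example, not ConnectWise code: report on, and optionally contain, one
  suspected Microsoft 365 account compromise. Assumed prerequisites: Exchange
  admin role; delegated Graph scopes User.ReadWrite.All (disable account,
  revoke sessions) and DelegatedPermissionGrant.ReadWrite.All (revoke consent).
  Without -Contain the script only reports, so it is safe to run during triage.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,   # account under investigation (assumed parameter)
    [switch] $Contain                        # apply containment instead of only reporting
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All' -NoWelcome

# --- Detection: inbox rules that exfiltrate or hide mail (classic BEC persistence) ---
# Folder names are a heuristic chosen for this example, not a Microsoft list.
$hidingFolders = 'RSS|Archive|Deleted|Junk|Conversation History'
$suspiciousRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -and "$($_.MoveToFolder)" -match $hidingFolders)
}

# Mailbox-level forwarding configured outside inbox rules (Set-Mailbox / OWA settings).
$mbx = Get-Mailbox -Identity $Upn
$mailboxForwarding = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }

# Tenant-wide mail flow (transport) rules changed in the last 7 days that copy or
# redirect mail. Reported only: disabling one affects every user, so an analyst decides.
$recentTransportRules = Get-TransportRule | Where-Object {
    $_.WhenChanged -gt (Get-Date).AddDays(-7) -and
    ($_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients -or $_.CopyTo)
}

# Delegated OAuth consents held by this user (third-party apps reading the mailbox).
$grants = Get-MgUserOauth2PermissionGrant -UserId $Upn -All

$report = [PSCustomObject]@{
    User                 = $Upn
    SuspiciousInboxRules = $suspiciousRules | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
    MailboxForwarding    = $mailboxForwarding
    RecentTransportRules = $recentTransportRules | Select-Object Name, State, WhenChanged
    OAuthGrants          = $grants | Select-Object ClientId, Scope, ConsentType
}
$report | Format-List

if (-not $Contain) { return $report }

# --- Containment, ordered to cut the attacker off first and clean up second ---
# 1. Block new sign-ins and invalidate existing sessions/refresh tokens. Reset the
#    password out of band as well; revoking sessions does not change credentials.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Remove mailbox persistence: the flagged inbox rules and any mailbox forwarding.
foreach ($rule in $suspiciousRules) {
    Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
}
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward:$false

# 3. Revoke delegated consent so an attacker-registered app cannot keep using its
#    own token to read mail after the user's sessions are gone.
foreach ($grant in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
}

Write-Host "Containment applied for $Upn. Preserve unified audit log evidence before re-enabling the account."
return $report
```

Run it once without -Contain to capture the pre-incident state of rules, forwarding and consents for the incident report, then again with -Contain after the SOC confirms the compromise. Two limits worth knowing: Get-MgUserOauth2PermissionGrant returns only consents tied to this user, so an app granted tenant-wide application permissions must be reviewed separately under Enterprise applications, and purging the malicious messages themselves is a Security & Compliance operation (Connect-IPPSSession with New-ComplianceSearch and New-ComplianceSearchAction -Purge) that this script deliberately leaves to the analyst.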