Altanova SIEM Dashboard — Sentinel & Defender

📋

Incident Remediation Playbooks

10 incident playbooks · select a scenario to see step-by-step response · click Launch Runbook for the full interactive checklist ACTIF — Playbooks

🔒

Ransomware Attack

CRITICAL

🎣

Phishing / Email Attack

HIGH

🦠

Virus / Malware Infection

HIGH

🔓

Account Compromise

HIGH

📤

Data Exfiltration

CRITICAL

🔨

Brute Force / Password Spray

MEDIUM

👑

Privileged Account Compromise

CRITICAL

🕵

Insider Threat

HIGH

🌊

DDoS / Network Attack

HIGH

📱

Lost / Stolen Device

HIGH

🔒

Ransomware Attack

Mass file encryption · shadow copy deletion · lateral spread via SMB

CRITICAL

Immediate Isolation

Disconnect the affected device from the network — remove Ethernet cable or disable the NIC. Do NOT power off — preserve forensic memory for analysis.

Scope Assessment

Identify all devices on the same network segment, shared drives, and mapped drives. Check for encrypted file extensions across the environment.

Account Lockdown

Reset passwords for all accounts that logged into the affected device in the past 24h. Revoke all Azure AD sessions via Entra ID → Users → Revoke Sessions.

Identify the Strain

Collect the ransomware note, encrypted file extensions, and samples. Check nomoreransom.org for known decryptors before paying any ransom.

Cloud Audit

Check SharePoint, OneDrive, and Teams for encrypted files uploaded from the infected device during the attack window.

Backup Validation

Verify offline backup integrity before considering restoration. Never restore from a backup that was mounted on an infected system.

Recovery

Restore from a clean verified backup or reimage from a known-good baseline. Reconnect only after full Defender AV clearance.

Post-Incident Hardening

Review patch levels, disable SMBv1, deploy EDR on all endpoints, enable Controlled Folder Access, and run user phishing awareness training.

Resources & Portal Links

🛡 Defender XDR — Incidents 💻 Defender — Device inventory 📱 Intune — Devices 🔍 Advanced Hunting (KQL) 📖 MS Ransomware Playbook 🔑 No More Ransom

🎣

Phishing / Email Attack

Malicious email · spear-phishing · BEC · credential harvesting links

HIGH

Quarantine the Email

Remove from all mailboxes using Defender Threat Explorer → Purge, or via PowerShell New-ComplianceSearchAction -Purge.

Check for Clicks

In Defender for Office 365, review the Safe Links report to identify who clicked the malicious URL. Treat every clicker as potentially compromised.

Credential Reset

For any user who clicked or opened the attachment — force an immediate password reset and MFA re-enrolment.

Block Sender / Domain

Add the sender domain and IP to the block list in Exchange Admin Center → Tenant Allow/Block Lists.

Lateral Email Hunt

Search Exchange logs for similar subject lines, sender domains, or attachment hashes sent to other users in the same window.

Inbox Rule Audit

Check all affected accounts for suspicious forwarding or delete rules via Exchange Admin or Get-InboxRule.

User Awareness

Notify all users about the phishing campaign and provide guidance on how to report future suspicious emails via the Phish Alert Button.

Resources & Portal Links

🔍 Threat Explorer 🛡 Defender XDR — Incidents 📨 Submissions (report phish) 🎯 Attack Simulator 📧 Exchange Admin 📬 Message Trace 📖 MS Phishing Playbook

🦠

Virus / Malware Infection

Trojan · spyware · rootkit · worm · adware detected on endpoint

HIGH

Verify Quarantine

Confirm the file is quarantined in the Defender portal (Device → Action Center). If not, trigger remote quarantine immediately.

Offline Scan

Run Microsoft Defender Offline Scan to detect rootkit-level persistence that standard on-device scans may miss.

Check Persistence

Review startup registry keys (HKCU\Run, HKLM\Run), scheduled tasks, installed services, and browser extensions for persistence mechanisms.

Trace Infection Vector

Review email attachments, browser downloads, USB activity, and recently installed software to identify the initial access vector.

Credential Audit

Assume all credentials used on this device are compromised — reset passwords and invalidate all active tokens.

Lateral Movement Check

Review network logs for unusual outbound connections from this device to other internal systems or known C2 infrastructure.

Reimage If Needed

If deep persistence is confirmed, reimage from a known-clean baseline rather than attempting manual cleanup — do not trust remediation tools on a compromised host.

Resources & Portal Links

📖 Compromised Endpoint Playbook ⬦ Defender Alerts

🔓

Account Compromise

Stolen credentials · impossible travel · anomalous sign-in · session hijacking

HIGH

Revoke All Sessions

Go to Entra ID → Users → [User] → Revoke Sessions, then force an immediate password reset.

Out-of-Band Verification

Contact the account owner via phone or in person — do not use email or Teams which may be compromised.

Audit Sign-In Logs

Review Azure AD Sign-in logs for what apps were accessed, from which IP, and from which device during the anomalous window.

Check Inbox Rules

Look for forwarding or auto-delete rules that may have been created during the compromised session.

Review Data Access

Check SharePoint, OneDrive, and Teams for files accessed, downloaded, or shared during the breach window.

Enforce Strong MFA

Enrol phishing-resistant MFA (FIDO2 or certificate-based) before re-enabling the account.

Conditional Access Review

Tighten Conditional Access policies — require compliant device and MFA for all sensitive applications.

Resources & Portal Links

🪪 Entra ID — Users 📊 Sign-in logs 🔐 Conditional Access ⚠ Risky users (ID Protection) 🛡 Defender XDR — Incidents 📧 Inbox rules audit 📖 MS Account Compromise Playbook

📤

Data Exfiltration

Unusual outbound transfer · bulk download · mass cloud upload · DLP breach

CRITICAL

Block Destination

Block the destination IP/domain immediately on your perimeter firewall and in Defender for Cloud Apps (CASB).

Suspend Account

Suspend the involved user account and revoke all active sessions in Entra ID.

Data Classification

Determine exactly what was exfiltrated — review DLP logs, Purview activity, and file access history.

Threat Intelligence

Check the external IP/domain against VirusTotal, AbuseIPDB, and your threat intel feeds for known malicious infrastructure.

DPO / Legal Notification

If PII or regulated data was involved, engage your Data Protection Officer. GDPR requires notification within 72 hours of awareness.

CASB Review

Identify all unsanctioned cloud apps used and block personal cloud storage (Dropbox, WeTransfer, Google Drive personal) tenant-wide.

DLP Policy Hardening

Implement or strengthen Microsoft Purview DLP policies and apply sensitivity labels to prevent future exfiltration.

Resources & Portal Links

📖 Exfiltration Playbook 🔏 Purview Portal ☁ Cloud App Security

🔨

Brute Force / Password Spray

High-volume failed logins · credential stuffing · password spraying attacks

MEDIUM

Check for Successful Login

Immediately determine if any attempt succeeded — look for a successful login following the failed spike in sign-in logs.

If Successful — Treat as Compromise

Revoke all sessions, force password reset, and enforce MFA before re-enabling the account.

Block Source IPs

Add attacker IP ranges to Named Locations in Conditional Access and block at the perimeter firewall.

Verify Smart Lockout

Confirm Azure AD Smart Lockout is configured to lock accounts after 10+ consecutive failures in Authentication Methods.

Enforce MFA Org-Wide

Brute force becomes impractical when MFA is required for all users. Enable Security Defaults or a Conditional Access baseline policy.

Audit Exposed Services

Review publicly exposed VPN, RDP, and OWA endpoints — consider Zero Trust Network Access (ZTNA) to eliminate direct exposure.

Resources & Portal Links

📖 Identity Compromise Playbook 🪪 Entra ID

👑

Privileged Account Compromise

Admin account anomaly · privilege escalation · PIM role abuse

CRITICAL

Immediate Session Revocation

Revoke all sessions for the privileged account in Entra ID → Users → Revoke Sessions.

Out-of-Band Contact

Contact the account owner via phone or in person only — do not use any digital channel that may be compromised.

Audit All Admin Actions

Review every action in the anomalous session: role assignments, policy changes, app registrations, new service principals, and Conditional Access modifications.

Rollback Unauthorized Changes

Revert any policy changes, role assignments, or configurations applied during the breach session.

Require Hardware MFA

Before re-enabling, mandate phishing-resistant MFA — FIDO2 hardware security key or certificate-based authentication.

Implement PIM

All privileged roles should require just-in-time activation with MFA, justification, and approval via Privileged Identity Management.

Least-Privilege Audit

Audit and reduce all admin role assignments — no user should hold Global Admin permanently for day-to-day operations.

Resources & Portal Links

📖 Privileged Account Playbook 👑 PIM Portal

🕵

Insider Threat

Malicious or negligent employee · bulk data access · exfiltration · sabotage

HIGH

Evidence Preservation First

Before any user-visible action, preserve all digital evidence — audit logs, email records, and access history — in coordination with HR and Legal.

Scope the Activity

Review Cloud App Security, Purview audit logs, and SharePoint activity to determine what data was accessed, downloaded, or shared.

Legal & HR Coordination

Engage HR, Legal, and your DPO before taking any disciplinary or technical action — there may be regulatory and evidentiary constraints.

Account Limitation

Based on risk level, either silently monitor the account or restrict access to sensitive systems pending investigation outcome.

Data Recovery

If data was deleted or modified, check SharePoint recycle bin, OneDrive version history, and Exchange deleted items folder.

Policy & Process Review

Tighten data classification, sensitivity labels, and off-boarding procedures to prevent recurrence. Review the Insider Risk Management dashboard.

Resources & Portal Links

📖 Insider Threat Playbook 🔍 Insider Risk Management

🌊

DDoS / Network Attack

Volumetric attack · service disruption · network anomaly · port scan

HIGH

Activate DDoS Protection

Enable Azure DDoS Protection Standard on affected public IP resources and turn on adaptive tuning and telemetry alerts.

Traffic Analysis

Use Azure Monitor and Network Watcher to identify attack vectors, source IP ranges, and targeted ports or protocols.

Apply Mitigation Rules

Configure NSG rules, WAF policies, and upstream rate-limiting to block or throttle malicious traffic at the edge.

ISP Engagement

For volumetric attacks exceeding your mitigation capacity, contact your upstream ISP to apply blackhole routing or traffic scrubbing upstream.

CDN / WAF Layering

Route production traffic through Azure Front Door or Cloudflare to absorb volumetric floods before they reach origin servers.

Post-Attack Review

Analyse attack patterns in Sentinel to update detection analytics rules, refine baselines, and improve future mitigation policies.

Resources & Portal Links

📖 Azure DDoS Docs ☁ Azure Portal

📱

Lost or Stolen Device

Laptop / phone missing · misplaced hardware · theft report · unreturned leaver device

HIGH

Confirm loss & open ticket (< 15 min)

Get a written statement from the user: last seen location, time, circumstances (lost / stolen / left unattended). Open a high-priority incident in your ITSM tool. If stolen → advise the user to file a police report; you'll need the reference number for the insurance claim and for any data-breach notification.

Disable the user & revoke tokens (< 30 min)

In Entra ID → Users → [User] → Revoke sessions, then force a password reset. This invalidates all refresh tokens so the thief can't stay signed in via cached cookies. If the user has privileged roles, also remove them from PIM role assignments until the device is confirmed clean or replaced.

Remote wipe via Intune

Open Intune → Devices → All devices → [Device] → Wipe. For Windows choose Wipe (factory reset) if recovery is unlikely, or Retire (company data only) if the device is personally owned BYOD. For iOS/Android use Wipe. For macOS use Erase. If the device is offline, the command queues and executes the moment the device reconnects to the internet.

Verify disk encryption & escrow key

Confirm the device was BitLocker-encrypted (Windows) or FileVault-encrypted (macOS). In Intune → Devices → [Device] → Recovery keys check the BitLocker key is escrowed. If the device was NOT encrypted, treat this as a confirmed data-breach and go directly to step 9 for GDPR notification.

Isolate in Defender for Endpoint

In Microsoft 365 Defender → Assets → Devices → [Device] → Isolate device. This cuts all network traffic except to Defender itself — useful if the attacker brought the device online to exfiltrate data before your wipe command lands. Pair with Restrict app execution to block unsigned code.

Audit what was on the device

Pull the last sync date of OneDrive and the list of locally cached SharePoint sites. Check Purview → Activity explorer for files the user opened in the 30 days before the incident — this tells you the realistic worst-case data exposure. Check the mailbox for sensitive attachments cached offline.

Revoke Authenticator / passkeys on the device

In Entra ID → Users → [User] → Authentication methods, delete any Microsoft Authenticator app registration tied to the lost device, delete any FIDO2/passkey registered on that hardware, and delete any Windows Hello for Business key bound to the TPM of the lost machine. Re-enrol on the replacement device only.

Physical controls & third-party access

Deactivate the user's building badge if a building access card was with the device. Rotate any shared secrets the user had access to (Wi-Fi pre-shared keys, VPN PSK, vault break-glass). Revoke any SSH keys, Git personal access tokens, and cloud provider CLI tokens that could be in the local keychain.

Breach assessment & GDPR 72 h clock

If the device was encrypted AND wiped successfully AND there is no evidence of unauthorised access, you typically do not owe a GDPR notification — document the decision. If any of those conditions fails, treat it as a personal-data breach: engage your DPO, notify the supervisory authority within 72 hours of awareness, and inform affected data subjects if the risk is high.

Replace & reset the user

Ship a new Autopilot-enrolled device. New hire-style onboarding: new password, re-enrol MFA methods, re-register FIDO2 / Windows Hello. Restore OneDrive from the cloud (files, not the device image). Remove the old device from the Intune / Defender asset inventory after the wipe is confirmed.

Post-incident review

Was the wipe command delivered within 24 h? Was the device encrypted? Did the user have MFA? Update the asset inventory, file the insurance claim with the police report, and feed lessons learned into the Setup & Configuration onboarding checklist to prevent recurrence.

Resources & Portal Links

📱 Intune — All devices 🛡 Defender — Device inventory 🪪 Entra ID — Users 📊 Purview — Activity Explorer 📖 Intune Wipe & Retire docs

🏅

SOC 2 Compliance Guide

Complete reference — explained, environment check, audit process & Type 1 / Type 2 roadmap ACTIF — Reference Guide

📖 SOC 2 Explained

⚖ SOC 2 Type 1 vs Type 2

🔍 Environment Check

📋 Audit Process Information

✅ Audit Process

🏛

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA. It evaluates how a service organization manages customer data to protect its security, availability, and confidentiality.

Unlike ISO 27001 (a certification), SOC 2 produces an attestation report issued by a licensed CPA firm — the de-facto trust standard for cloud and SaaS companies in North America, increasingly required by enterprise customers worldwide.

Who needs it? Any company that stores, processes, or transmits customer data — SaaS vendors, cloud providers, MSPs, data processors, and B2B technology companies.

🔐

Trust Services Criteria (TSC)

SOC 2 is built on five Trust Services Criteria defined by the AICPA. Only Security is mandatory:

🔒 Security (CC) — Required ⏱ Availability (A) ⚙ Processing Integrity (PI) 🔐 Confidentiality (C) 🛡 Privacy (P)

Security (CC) — Logical/physical access, change management, risk assessment, monitoring & incident response (CC1–CC9, COSO framework).
Availability (A) — System is available as committed.
Processing Integrity (PI) — Processing is complete, valid, accurate & timely.
Confidentiality (C) — Confidential information is protected.
Privacy (P) — Personal data handled as committed (GDPR/PIPEDA aligned).

📐

Common Criteria (CC1–CC9) Breakdown

All SOC 2 reports must address these 9 CC groups:

CC1 Control environment — governance, ethics, accountability
CC2 Communication & information
CC3 Risk assessment — identify & analyze risks
CC4 Monitoring activities — detect deficiencies
CC5 Control activities — policies & procedures
CC6 Logical & physical access controls (largest section)
CC7 System operations — anomaly detection, incident management
CC8 Change management — SDLC, vulnerability management
CC9 Risk mitigation — vendor management, insurance

🎯

Defining Your Scope

The in-scope system is the product or service your customers rely on. It includes the people, processes, and technology supporting it:

Infrastructure — Cloud hosting (Azure), networks, databases, endpoints
Software — Application code, SaaS tools, third-party services
People — Employees and contractors who access in-scope data
Procedures — Policies, runbooks, change management processes

💡 Narrow scope = lower cost. Excluding systems that don't touch customer data can reduce audit effort by 30–50%.

📄

What's Inside a SOC 2 Report?

A SOC 2 report contains 5 sections:

Section I — Independent auditor's report & opinion
Section II — Management's assertion
Section III — System description (infrastructure, software, people, processes)
Section IV — Trust Services Criteria with listed controls
Section V — Other information (management responses to exceptions)

Opinion types:
✅ Unqualified — Clean report, no material issues
⚠ Qualified — Exceptions noted, controls partially effective
❌ Adverse — Controls not effective (rare, very serious)

How to read this check: This assessment maps your Microsoft / Azure environment to SOC 2 Common Criteria controls. Green items are capabilities your stack already provides. Amber items require configuration or activation. Red items require processes, documentation, or tools outside the Microsoft stack.

✅ Already Covered by Your Microsoft Environment

✅

Multi-Factor Authentication (CC6.1)

Entra ID provides MFA with FIDO2, Microsoft Authenticator, SMS, and phishing-resistant authentication. Entra ID Conditional Access

✅

Role-Based Access Control (CC6.1, CC6.3)

Azure RBAC and Entra ID groups enforce least-privilege access. PIM provides just-in-time privileged access. Entra PIM Azure RBAC

✅

Audit Logging & SIEM (CC7.2, CC7.3)

Microsoft Sentinel ingests logs from Entra ID, M365, Azure, and endpoints. Retention configurable to 90+ days. Sentinel Log Analytics

✅

Intrusion Detection & Alerting (CC7.1)

Defender XDR and Sentinel provide real-time threat detection, analytics rules, and incident correlation. Defender XDR Sentinel Analytics

✅

Encryption at Rest & in Transit (CC6.7)

Azure encrypts all data at rest (AES-256) and in transit (TLS 1.2+) by default. Customer-managed keys available via Key Vault. Azure Storage Key Vault

✅

Data Loss Prevention (CC6.7, Confidentiality)

Purview DLP policies prevent sensitive data exfiltration via email, SharePoint, endpoints. Sensitivity labels classify data. Purview DLP Sensitivity Labels

✅

Endpoint Protection (CC6.8, CC7.1)

Defender for Endpoint provides EDR, AV, attack surface reduction, and device compliance enforcement. Defender for Endpoint Intune

✅

Vulnerability Management (CC8.1)

Defender for Cloud and Defender for Endpoint provide vulnerability scanning, CVE tracking and prioritised remediation. Defender for Cloud Secure Score

✅

Conditional Access Policies (CC6.1, CC6.6)

Block untrusted locations, require compliant devices, enforce MFA for high-risk logins. Covers all Microsoft 365 and Azure resources. Conditional Access

✅

Identity Protection & Risk Scoring (CC6.1)

Entra ID Protection detects risky sign-ins, impossible travel, and leaked credentials. Risk-based Conditional Access policies auto-respond. Entra ID Protection

✅

Security Posture Score (CC4.1)

Microsoft Secure Score and Defender for Cloud provide a continuous, quantified measure of posture with improvement recommendations. Secure Score

✅

Change Management Logging (CC8.1)

Azure Activity Log, Entra Audit Log, and M365 Unified Audit Log capture all configuration and administrative changes. Activity Log Audit Log

⚠ Available But Needs Configuration / Activation

⚠

Log Retention ≥ 90 Days (CC7.2)

Default Entra/M365 audit log retention is 90 days (E3) or 180 days (E5). SOC 2 Type 2 requires logs for the full audit period. Configure Log Analytics workspace with 1-year retention. Log Analytics

⚠

Privileged Access Workstations (CC6.1)

PIM is available but may not be fully configured. Ensure all Global Admin and privileged roles require PIM activation with justification and approval workflows. Entra PIM

⚠

Backup & Recovery Testing (A1.2, A1.3)

Azure Backup is available but recovery testing must be documented and scheduled. SOC 2 requires evidence of periodic restore tests with recovery time objectives (RTO/RPO). Azure Backup Site Recovery

⚠

User Access Reviews (CC6.2, CC6.3)

Entra ID Access Reviews exist but must be configured with periodic (quarterly) reviews of all privileged roles and application assignments. Reviews must produce evidence. Entra Access Reviews

⚠

Network Segmentation & Firewalls (CC6.6)

Azure VNets and NSGs can enforce segmentation but must be explicitly configured. Document your network topology, perimeter controls, and NSG rule justifications. Azure Firewall NSG

⚠

Insider Risk Management (CC9.2)

Purview Insider Risk Management is available in E5 or as an add-on. Configure policies to detect data theft, leakage by departing employees. Purview IRM

❌ Not in Microsoft's Stack — Requires Process / Documentation

Important: These gaps are common to almost all organisations regardless of their cloud platform. They require written policies, documented procedures, and operational evidence — not just technology.

❌

Written Information Security Policy (CC1.1, CC2.2)

A documented IS policy signed off by leadership, covering acceptable use, data classification, incident response, and access control — reviewed annually.

❌

Formal Risk Assessment (CC3.1, CC3.2)

Annual risk register with identified threats, likelihood/impact scoring, and treatment decisions. Must be reviewed by management and updated regularly.

❌

Security Awareness Training (CC1.4, CC2.2)

All employees must complete documented security training at hire and annually. Evidence: training completion records, phishing simulation results. Microsoft Viva Learning or KnowBe4.

❌

Vendor / Third-Party Risk Management (CC9.2)

Formal vendor inventory with risk classification, security questionnaires (SIG/CAIQ), and evidence of periodic vendor reviews. Especially for sub-processors handling customer data.

❌

Incident Response Plan & Evidence (CC7.3, CC7.4, CC7.5)

A documented IR plan with defined roles, escalation paths, communication templates, and post-incident review process. Type 2 requires evidence of actual incidents being handled per the plan.

❌

Change Management Procedure (CC8.1)

Documented SDLC / change control process: code review requirements, testing gates, approval workflows, rollback procedures. Tickets and PR history serve as evidence for Type 2.

❌

Business Continuity / Disaster Recovery Plan (A1.2)

Documented BCP/DRP with defined RTO/RPO, recovery steps, communication tree, and tested recovery procedures. Annual tabletop exercises with documented outcomes.

❌

Background Check Process (CC1.1)

Pre-employment background screening policy for employees and contractors with access to in-scope systems. Document the process and retain completion records.

❌

Penetration Testing (CC4.1, CC7.1)

Annual third-party pen test scoped to in-scope systems. Report with findings, CVSS scoring, and documented remediation. Required for most enterprise SOC 2 customers.

❌

Offboarding Procedure (CC6.2)

Formal documented checklist for revoking all access within 24h of termination: Entra ID accounts, VPN, third-party apps, physical access. Evidence for each offboarding event.

Two parallel tracks are shown below. Steps marked 🔵 apply to both Type 1 and Type 2. Steps marked 🟣 are additional requirements for Type 2 only. Estimated timelines are for a mid-size organisation completing their first SOC 2 audit.

Scope Definition & Readiness

🔵 Both Types · 3–5 weeks

▶

Define the system boundary: Document every service, application, infrastructure component, and data store that processes customer data. Create a system description document.
Select Trust Services Criteria: At minimum Security (CC). Add Availability if you have uptime SLAs, Confidentiality for data protection obligations, Privacy if you handle PII under GDPR/CCPA.
Assign internal ownership: Designate a SOC 2 project lead (typically CISO or CTO), executive sponsor, and a control owner for each CC group. Map CC1–CC9 to responsible teams.
Microsoft-specific actions: Export your Entra ID tenant settings, Conditional Access policies, Defender configuration, and Sentinel workspace structure as baseline documentation. Entra ID Defender Sentinel
Select your auditor early: Issue RFPs to 3–5 AICPA-licensed CPA firms with SOC 2 experience. Shortlist based on industry experience, timeline, and price. Sign the engagement letter before starting remediation.

Gap Assessment & Remediation Planning

🔵 Both Types · 4–6 weeks

▶

Map controls to TSC: For each CC sub-criterion, identify your existing controls. Use the AICPA's SOC 2 criteria matrix or a GRC tool (Drata, Vanta, Secureframe, Tugboat Logic) to track mappings.
Conduct internal gap analysis: Walk through every CC point: "Do we have a control? Is it documented? Is there evidence?" Document gaps in a remediation tracker with priority, owner, and target date.
Prioritise critical gaps: Focus first on CC6 (access controls), CC7 (monitoring), and CC8 (change management) — these have the most sub-criteria and the highest auditor scrutiny.
Microsoft Secure Score review: Run your Secure Score improvement actions and address critical recommendations. Export the Secure Score report as evidence of your security posture baseline. Secure Score
Review vendor list: Inventory all third-party services (CRMs, CDNs, payment processors) that access customer data. Collect their SOC 2 or ISO 27001 reports. Begin a formal vendor risk register.

Policy Writing & Control Implementation

🔵 Both Types · 5–8 weeks

▶

Write or update core policies: Information Security Policy, Acceptable Use Policy, Access Control Policy, Incident Response Policy, Change Management Policy, Vendor Management Policy, Business Continuity Plan, Data Retention & Disposal Policy.
Implement technical controls: Enable Entra PIM for all privileged roles, configure Access Reviews (quarterly), enforce MFA via Conditional Access, set log retention ≥ 1 year in Log Analytics workspace. Entra PIM Conditional Access
Configure Sentinel detection rules: Enable scheduled analytics rules for failed logins, privilege escalation, impossible travel, data exfiltration, and log deletion. These alerts are key evidence for CC7. Sentinel Analytics
Deploy security awareness training: Enrol all employees in a training platform. Run a baseline phishing simulation. Record completion rates. Set a quarterly cadence for reminders.
Perform penetration test: Commission a third-party pen test scoped to in-scope systems. Remediate all Critical/High findings before the audit. Retain the final report and remediation evidence.
Get board/executive sign-off: All policies must be formally approved by leadership. Use DocuSign or similar — retain signed copies as evidence for CC1.1 (tone at the top).

🔵 Type 1 Path — Evidence Submission

Auditor Evidence Submission

4–6 weeks

▶

Set the as-of date: A Type 1 report is valid for one specific date (e.g., "as of March 31, 2026"). All evidence — screenshots, configurations, policy versions — must reflect that date.
Prepare the evidence package: For each control, collect: (1) the relevant policy, (2) a configuration screenshot or export, (3) a logical access list (who has what access), (4) a description of how the control works.
Key Microsoft evidence to export: Entra ID users list, role assignments, MFA report, Conditional Access policies · Sentinel analytics rules · Defender enrolled devices · Azure RBAC assignments. Entra ID Sentinel Defender
Auditor walkthrough sessions: Schedule 1–3 hour sessions for each CC group. Walk the auditor through your controls with a screen share — "inquiry" is a primary evidence type for Type 1.
Management assertion letter: Sign and submit the management assertion confirming the system description is accurate and controls are in place. Have legal review it.
Address deficiencies: Work with auditors on management responses — remediate or explain a compensating control. A few minor exceptions are normal.

Month 1–2: Scope, gap assessment, auditor selection
Month 2–4: Policy writing, control implementation, pen test
Month 4–5: Evidence collection, auditor walkthroughs
Month 5–6: Draft review, management assertion, final report

⏱ Total: 4–6 months · 💰 $15K–$35K

🟣 Type 2 Path — Observation + Testing

Observation Period (Operating Effectiveness)

6–12 months

▶

Start the observation period: Agree on start and end dates with your auditor (min 6 months; 12 months for a full annual report). Every control must operate consistently throughout this period.
Automate evidence collection: Integrate your Microsoft stack with a GRC tool (Drata, Vanta) to auto-collect screenshots and reports daily. Drata Vanta
Run quarterly access reviews: Use Entra ID Access Reviews to generate quarterly reports. Export the review results as evidence. Entra Access Reviews
Document every incident: All security incidents must be logged, investigated, and closed per your IR plan. Auditors request a complete incident register. Sentinel Incidents
Maintain change log evidence: Every production change must go through your change management process. Auditors will sample PRs, tickets, and approval records. Azure Activity Log
Track training completion: Ensure 100% of employees complete annual security training. Run at least one phishing simulation and document results.
Annual pen test: At least one pen test must fall within or shortly before the audit period. Retain the report, findings, and remediation evidence.

Auditor Testing & Sampling

6–10 weeks

▶

Population testing: Auditors select a statistical sample — e.g., 25 access provisioning tickets, 10 change approvals, 15 offboarding events. Provide evidence for every sample requested.
Log analysis: Auditors review Sentinel logs, Entra sign-in logs, and Azure Activity Logs to verify controls operated during the period. Sentinel Log Analytics
Re-performance testing: For key controls, auditors may re-run tests themselves — e.g., attempt a login from an untrusted network to verify Conditional Access blocks it. Conditional Access
Exceptions management: Document root cause, impact, and remediation for any exceptions. A small number with strong management responses rarely prevent a clean opinion.
Draft report review: Review carefully — this is your last opportunity to correct factual errors or add management responses before issuance.

Month 1–3: Scope, gap, remediation (parallel to Type 1 or standalone)
Month 3–15: 12-month observation period, continuous evidence collection
Month 13–17: Auditor fieldwork, sampling, log review
Month 17–18: Draft review, management assertions, final report

⏱ Total: 15–18 months · 💰 $30K–$100K+

Report Issuance & Continuous Compliance

🔵 Both Types · Ongoing

▶

Receive the final report: The auditor issues the signed SOC 2 report (Type 1 or Type 2) with their opinion letter. The report is typically 50–150 pages including system description, controls, and testing results.
Distribute under NDA: SOC 2 reports are confidential. Share only with customers and prospects who sign an NDA or a specific "report recipient" letter. Never post publicly — only a SOC 2 summary letter or badge goes on your website.
Begin next audit cycle: For Type 2, the next observation period begins the day after the previous one ends. There should be no gap. Update your engagement letter with your auditor before the end of each period.
Remediate report findings: Create a remediation plan for every exception noted. Track completion in your GRC tool. Demonstrate improvement in the next report cycle.
Maintain continuous monitoring: SOC 2 is not a point-in-time exercise anymore. Use this dashboard with Sentinel alerts, Defender Secure Score, and Entra Access Reviews to maintain posture year-round. This Dashboard Sentinel Secure Score

💡 Recommended tooling for Microsoft environments: Consider integrating Drata or Vanta with your Microsoft 365 tenant. These GRC platforms natively connect to Entra ID, Defender, Azure, and Intune to automatically collect evidence, alert on control failures, and generate audit-ready reports — reducing audit prep time by 60–80%.

⚖

SOC 2 Type 1 vs Type 2 — Key Differences

Type 1 asks "Are the controls designed correctly?" · Type 2 asks "Are they actually working, consistently, over time?"

Criteria	▸ Type 1	▸ Type 2
Scope	Single snapshot date	Observation period — min 6 months, typically 12
What is tested	Design & implementation of controls	Design + operating effectiveness over time
Evidence	Policies, procedures, configuration screenshots	Logs, tickets, reviews, exceptions — all dated during the period
Auditor testing	Inquiry & inspection only	Inquiry, inspection, observation, re-performance
Timeline	2–4 months total	9–18 months total (inc. observation period)
Cost	$15,000 – $35,000 USD	$30,000 – $100,000+ USD
Market value	Good starting point	Gold standard — required by most enterprise customers
Best for	New companies, quick compliance, pre-sales	Ongoing compliance, mature programs, enterprise deals
Renewal	One-time or annual snapshot	Annual — covers the trailing 12 months

💡 Best practice: Start with Type 1 to establish a baseline, then immediately begin the Type 2 observation period. Most companies achieve their first Type 2 report 12–18 months after starting.

SOC 2 Audit Progress

0 of 49 tasks completed across 9 phases

Completed0

In Progress0

Blocked0

Not Started0

🛡

Security Incident Log

Altanova · Version 1.0 · March 2026 · Owner: Altanova

By Severity

By Type

ID	Date Reported	Incident Title	Type	Severity	Priority	Status	Assigned To

▶ Reference Guide — Types, Severities, Statuses & Priorities

Incident Types

🦠 Malware / Ransomware🎣 Phishing / Social Engineering🔓 Unauthorized Access📤 Data Breach / Exfiltration💥 Denial of Service (DoS/DDoS)🕵 Insider Threat🏢 Physical Security⚙ System Misconfiguration💻 Lost / Stolen Device📌 Other

Severity Levels

Critical — Immediate threat, major impact High — Significant risk, fast action needed Medium — Moderate impact, planned response Low — Minor, informational or awareness

Statuses & Priorities

Open In Progress Contained Resolved Closed

P1 – Immediate P2 – Urgent P3 – Normal P4 – Low

📊

SharePoint Usage

Site storage, user activity & file operations — pulled from Microsoft Graph Reports API

Connect to Microsoft to load SharePoint data.

🌐

—

Total Sites

All SharePoint sites

✅

—

Active Sites

With file activity

👤

—

Active Users

In selected period

📁

—

Total Files

Across all sites

📂

—

Active Files

Viewed or edited

🔗

—

Page Visits

In selected period

—

used

💾 Tenant Storage Usage

—

📤 Storage Used

—

📊 Utilization

—

📅 As of Date

📈 File Activity Breakdown

👁️

—

Viewed / Edited

Files opened or modified

🔄

—

Synced

Via OneDrive sync client

🏢

—

Shared Internally

↗ Click to explore files

🌍

—

Shared Externally

↗ Click to explore files

Top Sites by Storage

Relative storage share across all sites

Site

Storage

Active Files ↕ period

Connect to Microsoft to load site data.

Storage Trend

Tenant total storage usage over time (GB)

No trend data available

ℹ️ Requires Sites.Read.All permission in Azure AD. Search for any site to view its permission entries and navigate to it directly.

🏆 Top Sites by Activity — hover to act

Load SharePoint Usage first to see top sites here.

or search by name

🔍

Search for a site above to view its permissions.

Orange border = item has explicit sharing (link, external user, or specific people)

🔐Click a folder (Col 2) or a file (Col 3) to view its permissions in Col 4

🌐 Sites

Connect to Microsoft and load SharePoint data first,
or click ↻ next to Sites to load sites directly.

📁 Folders

Select a site
to browse folders

📄 Files

—

Select a folder
to view its files

🔐 Permissions

Select a file or folder
to view its permissions

Supabase

Database Security · Auth Analytics · Defender Integration

⚠️

Service Role Key — Admin Use Only. This key bypasses Row Level Security (RLS) and grants full database access. Use it only in this trusted admin dashboard. Never embed it in client-side apps, public repos, or share it with end users. Your credentials are kept in memory only and are never stored in localStorage or sent anywhere except your own Supabase project.

Supabase Project URL

Service Role Key (Admin only — never share)

🛡️ Microsoft Defender + Supabase Integration

Use Supabase Edge Functions as a secure backend bridge between Microsoft Defender (via Graph API) and your Supabase database. This pattern ensures your service role key never leaves the server — only Defender webhook payloads are forwarded.

📐 Architecture Overview

Microsoft Defender → webhook → Supabase Edge Function → service role (server-side) → Supabase DB

Implementation Steps

Create the incidents table in Supabase

Run this SQL in your Supabase SQL Editor. Enable RLS immediately after creation.

CREATE TABLE public.defender_incidents (
  id            uuid DEFAULT gen_random_uuid() PRIMARY KEY,
  incident_id   text UNIQUE NOT NULL,
  title         text,
  severity      text,
  status        text,
  assigned_to   text,
  created_time  timestamptz,
  updated_time  timestamptz,
  raw           jsonb,
  synced_at     timestamptz DEFAULT now()
);

-- Enable RLS immediately
ALTER TABLE public.defender_incidents ENABLE ROW LEVEL SECURITY;

-- Allow read-only access for authenticated admin users
CREATE POLICY "Admins can view incidents"
  ON public.defender_incidents FOR SELECT
  USING (auth.role() = 'authenticated');

Create a Supabase Edge Function

This function runs server-side. The service role key is stored as an environment secret, never exposed to clients.

// supabase/functions/sync-defender/index.ts
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'

const supabase = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!  // ← server-side only
)

Deno.serve(async (req) => {
  // Verify Defender webhook secret
  const secret = req.headers.get('x-webhook-secret')
  if (secret !== Deno.env.get('DEFENDER_WEBHOOK_SECRET')) {
    return new Response('Unauthorized', { status: 401 })
  }

  const incidents = await req.json()

  const rows = incidents.value.map((inc: any) => ({
    incident_id:  inc.id,
    title:        inc.displayName,
    severity:     inc.severity,
    status:       inc.status,
    assigned_to:  inc.assignedTo,
    created_time: inc.createdDateTime,
    updated_time: inc.lastUpdateDateTime,
    raw:          inc,
  }))

  const { error } = await supabase
    .from('defender_incidents')
    .upsert(rows, { onConflict: 'incident_id' })

  if (error) return new Response(error.message, { status: 500 })
  return new Response(JSON.stringify({ synced: rows.length }), {
    headers: { 'Content-Type': 'application/json' }
  })
})

Deploy the Edge Function & set secrets

supabase functions deploy sync-defender --no-verify-jwt

supabase secrets set \
  SUPABASE_SERVICE_ROLE_KEY=your_service_role_key \
  DEFENDER_WEBHOOK_SECRET=your_random_secret

Configure Microsoft Defender webhook

In Microsoft Defender portal → Settings → SIEM → Streaming API, configure:

Endpoint URL:  https://<project-ref>.supabase.co/functions/v1/sync-defender
Custom Header: x-webhook-secret: your_random_secret
Events:        Incident Created, Incident Updated

Alternatively, use a Logic App / Power Automate flow to call Graph API on a schedule and POST to this Edge Function.

Query incidents safely from the frontend

On the client, use the anon key + a valid JWT from Supabase Auth. RLS ensures users only see what they're allowed to.

import { createClient } from '@supabase/supabase-js'

// ✅ Use anon key on the client — NOT the service role key
const supabase = createClient(
  'https://your-project.supabase.co',
  'your-anon-key'  // public, safe for clients
)

// RLS policy controls what this user can see
const { data: incidents } = await supabase
  .from('defender_incidents')
  .select('*')
  .order('created_time', { ascending: false })
  .limit(50)

✅ Supabase Security Checklist

✓Enable RLS on every public-schema table

✓Service role key only in Edge Functions / secure backends

✓Anon key on the client + JWT from Supabase Auth

✓auth.uid() in RLS policies for per-user isolation

✓Sensitive tables in private schema, accessed via secure functions

✓Security Advisor in Supabase Dashboard — run regularly

✓Rotate service role key immediately if accidentally exposed

✓Webhook secret in Edge Function to verify Defender calls

⚡

Connect to your Supabase project

Enter your Project URL and Service Role Key above, then click Connect.
Find your keys in Supabase Dashboard → Project Settings → API.

Hardware Inventory

Devices · Servers · Network equipment · Asset tracking ◈ Local Storage

Total Assets

Active

In Repair

Out of Warranty

Expiring Soon

Asset Tag	Assigned To	Model	Serial #	Windows	ESET	Pulse	Status	Warranty	Actions
🖥 No hardware assets yet Click Add Asset to add your first device, or Import an Excel/CSV file.

0 assets Data stored locally in your browser

Software Inventory

Licenses · Subscriptions · Installed apps · Compliance

	Product ▲	Category ⇅	SKU ⇅	Purchased ⇅	Assigned ⇅	Available ⇅	Usage	Status
📦 No data loaded Click Connect & Load above to fetch from your tenant.

Software ▲	Vendor	Version	Category	License	Seats	Renewal	Status	Actions
📦 No software entries yet Click Add Software to add your first entry.

Microsoft 365 License Cost Advisor

Analyse all licensing scenarios · Compare costs · Find the optimal plan for your organisation

Prices as of April 2026 · EUR/USD retail

👥 Number of users

📋 Current licence

🎯 Primary need

💡 Currency

✦ Recommended Plan

Microsoft 365 E5

Best overall value for security, compliance and device management

Monthly cost (14 users)

$798

$9,576 / year

🧮 License Mix Builder — Your Custom Configuration

Add one row per license type your organisation uses

Mix different plan types for different user groups — the total will update automatically

	License Plan	Users	Cost / User / Mo	Monthly Total	Annual Total

Total Users

—

Monthly

—

Annual

—

📊 All Licensing Scenarios — Cost Comparison

⚖ Break-even & Upgrade Analysis

E3 → E5 Upgrade Break-even

At what point does adding E5 add-ons cost more than simply upgrading to full E5?

E3 + E5 Sec + E5 Comp vs E5

Add-on vs E5 Full — Annual Savings

If you only need security (no compliance), E3 + E5 Security saves you:

$1,512

per year vs upgrading to full M365 E5

🔎 Feature Comparison Matrix

Feature / Capability	M365 E3	E3 + E5 Sec	E3 + E5 Comp	E3 + Both	M365 E5	E5 + Intune Suite
🛡 Endpoint Security
Microsoft Defender for Endpoint P1	✓	✓	✓	✓	✓	✓
Microsoft Defender for Endpoint P2	—	✓	—	✓	✓	✓
Microsoft Defender Vulnerability Mgmt	—	✓	—	✓	✓	✓
Microsoft Defender for Identity	—	✓	—	✓	✓	✓
Microsoft Defender for Office 365 P2	—	✓	—	✓	✓	✓
Microsoft Defender for Cloud Apps	—	✓	—	✓	✓	✓
Microsoft Defender XDR (SIEM correlation)	—	✓	—	✓	✓	✓
Microsoft Entra ID P2 (Conditional Access)	—	✓	—	✓	✓	✓
📱 Device Management (Intune)
Microsoft Intune Plan 1 (basic MDM/MAM)	✓	✓	✓	✓	✓	✓
Remote Help (remote device support)	—	—	—	—	—	✓
Endpoint Privilege Management	—	—	—	—	—	✓
Advanced Endpoint Analytics	—	—	—	—	—	✓
Tunnel for MAM (mobile app mgmt VPN)	—	—	—	—	—	✓
Windows Autopatch	~	~	~	~	~	✓
📋 Compliance & Data Protection
Microsoft Purview (basic DLP, retention)	~	~	✓	✓	✓	✓
Advanced eDiscovery	—	—	✓	✓	✓	✓
Communication Compliance	—	—	✓	✓	✓	✓
Customer Key / BYOK Encryption	—	—	✓	✓	✓	✓
Azure Information Protection P2	—	—	✓	✓	✓	✓
Privileged Access Management	—	—	✓	✓	✓	✓
📊 Analytics & Intelligence
Microsoft Defender Threat Intelligence	—	✓	—	✓	✓	✓
Microsoft Sentinel (SIEM/SOAR) — separate	—	—	—	—	~	~
Power BI Pro	—	—	—	—	✓	✓
Microsoft 365 Copilot (add-on eligible)	~	~	~	~	~	~

✓ Included | ~ Partial / requires additional configuration | — Not included

💲 Add-on Pricing Reference (per user / month)

⚠ Pricing Disclaimer: Prices shown are Microsoft retail list prices in USD (April 2026). Actual costs may vary based on your region, CSP partner agreements, existing enterprise agreements, non-profit or education discounts, or promotional pricing. EUR conversion uses indicative rate. Always validate final pricing with your Microsoft partner or the Microsoft admin centre. Microsoft Sentinel ingestion costs are billed separately per GB.

Launch Cost Advisor

Pick your licences · Choose the security capabilities you need · Compare actual vs cost-effective vs best solution

Prices as of April 2026 · Microsoft retail USD/EUR

1️⃣ Your Current Licences — Add one row per Microsoft / Office plan

Add a row for each licence type your organisation already owns

Mix different plan types for different teams — totals update automatically

	Licence Plan	Users	Cost / User / Mo	Monthly Total	Annual Total

2️⃣ Security Capabilities You Want To Achieve

Tick every capability you need. The advisor will figure out the cheapest licence mix that delivers all of them, and compare it with the cleanest "best" stack.

3️⃣ Recommended Solutions

📌 Your Actual Setup

—

Total of the licences you listed above

Monthly

—

— / year

—

💰 Cost-Effective Solution

—

Cheapest combination that meets all selected capabilities

Monthly

—

— / year

—

✦ Best Solution

—

Cleanest, most future-proof stack from a single Microsoft plan

Monthly

—

— / year

—

🔎 Capability Coverage Matrix

Selected Capability	M365 E3	M365 E5	Your Actual Setup	Cost-Effective	Best

✓ Included in plan — Not included E3 / E5 user counts come from Users Information after a Microsoft 365 sync.

⚠ Disclaimer: Prices shown are Microsoft retail list prices in USD (April 2026); EUR uses an indicative conversion rate. Actual costs vary by region, CSP partner, EA terms, non-profit / education discounts. Third-party AV (e.g. ESET) is illustrative — replace with your contracted rate. Always validate final pricing with your Microsoft partner.

Setup & Configuration

End-to-end onboarding workflow · From user creation to a fully compliant Intune-managed device reporting to Defender

7-step process · Microsoft 365 best-practice flow

Step in workflow

License required

Important note

Goal: User → Hardware → Compliant in Intune → AV/EDR reporting to Microsoft Defender

👤

Create the User in Microsoft Entra ID

The starting point — every device, license, and policy follows the user identity.

📍 Where

Microsoft 365 admin center → Users → Active users → Add a user
Or directly in Entra: entra.microsoft.com → Identity → Users → New user

📋 What to set

UPN · Display name · Department · Job title · Office location · Group memberships (security + M365 groups for license assignment)

✓ License: any Microsoft 365 tenant (no extra cost for the user object itself) ⚠ Tip: assign users to a security group — use group-based licensing for everything that follows.

🎫

Assign the Right Microsoft 365 License

The license decides which security workloads the user (and their device) can use.

🎯 Minimum to reach Intune + AV + EDR

Microsoft 365 Business Premium (≤300 users) — Intune P1, Defender for Endpoint P1, Defender for Office P1, Entra P1
Microsoft 365 E3 (any size) — same workloads at enterprise scale
Microsoft 365 E5 — adds MDE P2 (EDR), MDI, MDO P2, Entra P2, Defender XDR, Purview Advanced

📍 How to assign

M365 admin center → Users → select user → Licenses and apps → tick the SKU
Or (recommended) Entra → Groups → select group → Licenses → assign to the group so every member inherits it.

✓ Required: Business Premium / E3 / E5 to unlock Intune + Defender ⚠ E5 is the only SKU that gives MDE P2 (EDR), MDI, MDO P2 and Defender XDR in one bundle.

🔐

Secure the Identity (MFA + Conditional Access)

No device should ever connect to your tenant without a verified user.

✅ Actions

Enable Security Defaults OR a baseline Conditional Access policy
Require MFA for all users (admin first, then everyone)
Block legacy authentication
Require compliant or hybrid-joined device for cloud apps (sets up the link to Intune in Step 5)

📍 Where

Entra → Protection → Conditional Access
Entra → Protection → Authentication methods
For PIM / risk policies: Identity Protection (needs Entra ID P2)

✓ MFA: free with any tenant · Conditional Access: Entra P1 (BP/E3/E5) · Risk-based + PIM: Entra P2 (E5)

💻

Enroll the Hardware in Microsoft Intune

Physically connect the laptop / phone / Mac to your tenant so Intune can manage it.

🪟 Windows 10/11

Best: Windows Autopilot — pre-register device hardware hash in Intune → Devices > Windows > Enrollment > Devices. End-user signs in once, the laptop self-configures.

Manual: Settings → Accounts → Access work or school → Connect → sign in with the M365 account → choose Join this device to Microsoft Entra.

🍎 macOS

Install Company Portal from the Mac App Store → sign in → follow the enrollment profile install (System Settings → Privacy & Security → Profiles).

For Apple-supervised fleets: use Apple Business Manager + Automated Device Enrollment linked to Intune.

📱 iOS / iPadOS

Install Intune Company Portal from the App Store → sign in → tap Begin → install MDM profile from Settings.

🤖 Android

Install Intune Company Portal from Google Play → sign in → choose Work profile (BYOD) or Fully managed (corporate).

✓ License: Intune P1 — included in Business Basic / Standard / Premium · M365 E3 · M365 E5 · M365 F3 ⚠ For Autopilot you need to register the hardware hash before shipping the device — the OEM or your reseller can upload it directly to your tenant.

🛡️

Apply Compliance & Configuration Policies

Define what "healthy" means for a device and block the rest.

📋 Compliance policy (Intune)

Intune → Devices > Compliance policies > Create policy

Minimum OS version
BitLocker / FileVault encryption required
Firewall enabled
Antivirus + anti-spyware enabled (Defender)
Device threat level ≤ Medium (links to MDE)
Secure boot & code integrity

⚙️ Configuration profiles

Intune → Devices > Configuration > Create profile

Endpoint protection (BitLocker, Defender, Firewall)
Account protection (LAPS, Credential Guard)
Wi-Fi / VPN profiles, certificates
OneDrive Known Folder Move
Update Rings (Windows Update for Business)

✓ License: Intune P1 (compliance) + Entra P1 (Conditional Access for "require compliant device") ⚠ Pair compliance with a Conditional Access policy — otherwise non-compliant devices still reach M365.

🧠

Onboard the Device to Microsoft Defender for Endpoint

Get AV + EDR signals streaming into the Defender portal.

🔗 Connect Intune ↔ Defender (one-time)

Intune → Endpoint security > Microsoft Defender for Endpoint → toggle Allow Microsoft Defender for Endpoint to enforce Endpoint Security configurations → Save.
This creates the bidirectional connector between Intune and the Defender portal at security.microsoft.com.

📡 Push the onboarding policy

Intune → Endpoint security > Endpoint detection and response > Create Policy → Platform: Windows 10+ → assign to your device group.
Intune now silently runs the MDE onboarding script on every enrolled device.

🧪 AV / Anti-malware policy

Intune → Endpoint security > Antivirus > Create Policy → Microsoft Defender Antivirus profile.
Set: cloud-delivered protection, real-time protection, PUA blocking, scan schedule, exclusions.

🌐 Other platforms

macOS / Linux / iOS / Android: Intune → Apps > Add → Microsoft Defender for Endpoint app, plus the matching onboarding configuration profile from security.microsoft.com > Settings > Endpoints > Onboarding.

✓ License: Defender for Endpoint P1 (AV + attack surface reduction) — in Business Premium / E3 · Defender for Endpoint P2 (full EDR + automated investigation) — in E5 only or as standalone add-on

✅

Verify Everything is Reporting Correctly

Don't trust — verify. Walk the chain end-to-end.

🔍 Intune side

Intune → Devices > All devices → device appears, Compliant = Yes
Reports > Device compliance → no failed settings
Endpoint security > Microsoft Defender for Endpoint → "Connection status: Available"

🛡️ Defender side

security.microsoft.com → Assets > Devices → device listed, Sensor health = Active
Reports > Device health → AV signature up to date, real-time protection on
Vulnerability management > Inventories → device shows software inventory

🔐 Entra side

Entra → Devices > All devices → device shows Microsoft Entra joined + Compliant: Yes
Sign-in logs → user signs in successfully under the relevant CA policy with Result: Success, requirement satisfied: compliantDevice

🚦 Quick test

From the device, run an EICAR test file → Defender should detect & quarantine it within seconds, an alert appears in security.microsoft.com > Incidents & alerts, and the device's health score drops then recovers.

✓ At this point: User created · Licensed · Identity protected · Hardware enrolled · Compliant · AV/EDR streaming to Microsoft Defender — full security compliance achieved.

📝 Note: This workflow is the Microsoft-recommended onboarding flow for cloud-only / hybrid environments. The exact licence required for each capability is documented in Launch Cost Advisor. If you operate at the lowest tier (Business Premium) you reach the same compliance posture as E3 — only EDR depth (MDE P2), Defender XDR cross-signal correlation, and risk-based identity protection require E5.

Onboarding / Offboarding · HR Lifecycle

End-to-end employee lifecycle · Background checks · HR SaaS vendors · IT security policies

Best-practice workflow · HR + IT joint checklist

🟢 Onboarding workflow · HR + IT joint checklist

Start 7 days before the first day. Parallel HR and IT tracks converge when the new hire picks up their pre-provisioned laptop. Automate via the HR SaaS of your choice (see HR Vendors tab).

Pre-hire & offer letter

D-14 to D-7 · HR

Issue signed offer letter with start date & role
Collect identity documents (passport, right-to-work)
Trigger background check (criminal, education, references)
Send welcome pack & first-day instructions
Confirm work location, equipment preference, T-shirt size

Background check

D-10 to D-3 · Compliance

Criminal record (national + international if relevant)
Employment history & reference verification
Education / diploma verification
Credit check (finance roles only)
Sanctions / PEP screening where required
Store results encrypted · GDPR-compliant retention

Identity provisioning

D-5 to D-1 · IT

Create Entra ID account (UPN + display name)
Assign M365 licence (Business Premium / E3 / E5)
Add to role-based security groups
Enforce MFA + Conditional Access from day 1
Set default password policy & SSPR

Hardware preparation

D-5 to D-1 · IT

Order / stage laptop (Windows Autopilot or macOS ABM)
Assign device to user in Intune
Apply compliance & configuration profiles
Auto-enrol Defender for Endpoint via Intune
Encrypt disk (BitLocker / FileVault) + escrow key
Ship to home or store for first-day pickup

Day 1 · First contact

D-Day · HR + Manager

Welcome session + company tour (virtual OK)
Sign employment contract + code of conduct
Sign Acceptable Use Policy (AUP) + NDA
Hand over laptop · self-service Autopilot enrolment
Assign onboarding buddy
Introduce manager & team

Week 1 · Security training

D+1 to D+7

Attack Simulator phishing baseline (Defender for Office)
GDPR / data-handling awareness course
Password manager enrolment (1Password / Bitwarden)
Teams / SharePoint / OneDrive onboarding
Review of AUP, BYOD, remote-work policies
Access request workflow walkthrough

Day 30 · Probation review

D+30 · Manager + HR

1:1 feedback session with manager
Verify licence assignment still correct
Audit role-based access (least privilege check)
Confirm device compliance in Intune dashboard
Document lessons learned for next onboarding

⚠ Common onboarding mistakes: granting broad permissions "just in case", skipping MFA enforcement for the first week, assigning E5 to everyone by default, and letting managers share their own credentials for shared mailboxes. All four create audit findings later.

🔴 Offboarding workflow · Secure deprovisioning

59% of companies report a data breach linked to poor offboarding. Target: all access revoked within 24 hours of the last day, ideally same-day and automated from HRIS.

Advance notice (friendly leaver)

D-14 to D-1 · HR

Confirm last working day in HRIS
Trigger automated leaver workflow
Schedule exit interview
Plan knowledge transfer sessions
Identify replacement for ongoing projects
Notify IT, Finance, Facilities

Access revocation (D-Day)

Last day · IT · < 24 h

Disable Entra ID account (do NOT delete yet)
Revoke all active MFA sessions & refresh tokens
Remove from all security & distribution groups
Revoke VPN, SaaS, PAM, Git, cloud tokens
Sign-out of all Microsoft 365 sessions (OAuth kill)
Rotate any shared credentials the user knew

Mailbox & data handover

D to D+7 · IT

Convert mailbox to shared (free up licence)
Set auto-reply with replacement contact
Forward inbound mail to manager
Transfer OneDrive ownership to manager
Reassign SharePoint / Teams ownership
Remove user from delegated mailboxes

Hardware recovery

D to D+3 · IT + Facilities

Collect laptop, phone, security keys, smart card
If not returned in 48h → Intune remote wipe
Deactivate building badge & parking access
Collect company credit card
Retire device in Intune after wipe confirmed
Log chain-of-custody in inventory

Licence reclamation

D+1 · Finance + IT

Remove M365 licence (after mailbox converted)
Remove Defender P2 / EMS E5 add-ons
Remove third-party SaaS seats (Slack, Jira, Figma…)
Update licence budget / FinOps dashboard
Cancel any personal corporate subscriptions

Post-departure monitoring

D+1 to D+90 · Security

Alert on any sign-in attempt with disabled account
Alert on mass-download activity before departure
Monitor access to git repos / data rooms the user touched
DLP rule on personal email forward to ex-employee
Retain audit logs for legal retention period

Final closure

D+30 to D+90 · HR + IT

Delete Entra ID account (after data-retention window)
Permanently delete mailbox / OneDrive content per policy
Archive HR file & exit interview notes
Issue final pay, tax documents, P45 / attestation
Document timeline & lessons learned

⚠ High-risk scenarios: hostile departures (escort off-site + revoke before notice), employees moving to a direct competitor (legal hold + extended log retention), shared admin accounts (rotate immediately), and terminations happening outside business hours (on-call runbook required). Automate leaver workflow from HRIS so access drops the moment HR closes the record.

🏢 Recommended HR & background-check vendors

Shortlist of market leaders for onboarding, offboarding and background screening. Pricing is indicative (2026) and often custom-negotiated at scale. Click the vendor name to open their site.

All-in-one HRIS + Onboarding

Top Pick · IT+HR

Rippling

From $8/user/mo

All-in-one workforce platform: HR, IT, payroll, device provisioning, background checks, app access in one unified workflow. Strongest IT integration in the market.

HRIS Device mgmt Background check App provisioning Global payroll

rippling.com →

BambooHR

Custom quote

SMB favourite. Custom onboarding templates per department, e-signatures, welcome workflows, employee records, integrates with Checkr for background checks.

HRIS Templates e-Signature Workflows

bamboohr.com →

Workday HCM

Enterprise

Enterprise-grade HCM. Robust onboarding/offboarding with e-signatures, background-check integrations, equipment provisioning, personalised training paths.

Enterprise HCM Global Analytics

workday.com →

HiBob

Custom quote

Modern HRIS loved by scaling mid-market tech companies. Strong onboarding experience, integrations-first design, great UX for remote teams.

HRIS Mid-market EU-friendly Great UX

hibob.com →

Paylocity

Custom quote

All-in-one HR, payroll, talent and IT. AI-powered resume screening, integrated offer management, strong North-American market presence.

Payroll Talent AI screening US-focused

paylocity.com →

Deel

From $49/contractor

Global EOR + HRIS. Best choice when hiring internationally across 150+ countries. Built-in background checks, compliant contracts, localised onboarding.

Global EOR Contractors Compliance 150+ countries

deel.com →

Background-check specialists

Market Leader

Checkr

$29.99 – $79.99 / check

AI-powered workflows, 100+ ATS integrations, 120,000+ customers. Basic+ / Essential / Professional tiers. Fastest turnaround in the industry.

Criminal Drug MVR 100+ ATS API-first

checkr.com →

HireRight

$39.95 – $79.95 / check

30+ years in business. 70+ ATS integrations. "99.98% dispute-free" advantage. Global coverage, strong enterprise customer base.

Global 70+ ATS Enterprise Education

hireright.com →

Sterling

~$50 – several hundred / check

Enterprise-grade global screening. Range of checks from basic to extensive, with adverse-action automation and FCRA compliance tooling.

Global Enterprise FCRA Custom pkgs

sterlingcheck.com →

Certn

From $3.50 / reference

Pay-as-you-go self-service. Mobile-first candidate portal. Best price for SMBs and one-off checks. Coverage in 200+ countries.

Pay-as-you-go Mobile-first SMB Global

certn.co →

IT deprovisioning / offboarding automation

Freshservice

From $19/agent/mo

ITSM with joiner-mover-leaver workflows. Out-of-the-box integrations with Workday, BambooHR, Oracle HCM, SAP SuccessFactors.

ITSM JML HRIS integ

freshservice.com →

Okta Workflows

Add-on

No-code identity automation. Trigger deprovisioning from HRIS change, revoke SaaS access, rotate secrets, notify managers — all without a script.

Identity SaaS No-code

okta.com →

BetterCloud

Custom quote

SaaS management platform. Discover shadow SaaS, automate offboarding across 100+ SaaS apps, protect data during departures.

SaaS ops Shadow IT Automation

bettercloud.com →

📜 Essential IT policies · Required at hire

New hires must read and sign these policies on Day 1 — ideally via e-signature in the HR platform. These templates cover 90% of SMB/mid-market needs and should be reviewed annually.

📋 Acceptable Use Policy (AUP)

Defines acceptable and prohibited use of company IT resources: computers, email, internet, software, mobile devices and cloud services. Every employee signs this on Day 1.

Authorised business use vs. incidental personal use
Prohibited activities (piracy, illegal content, crypto mining…)
Monitoring & privacy expectations
Consequences of violation
Reference templates: SANS Policy Templates · CIS white papers

🔐 Password & Authentication Policy

NIST SP 800-63B-aligned minimum controls: passphrase length ≥ 12 chars, no forced rotation, MFA on every identity.

MFA mandatory (Microsoft Authenticator, FIDO2, or SMS as last resort)
Company-issued password manager required
Shared accounts forbidden; break-glass accounts in vault only
Lockout & throttling thresholds
Reference: NIST SP 800-63B

💻 BYOD & Mobile Device Policy

Governs personal devices accessing company data. If BYOD is allowed, it must be enrolled in Intune MAM (without full device enrolment) to protect corporate data only.

Minimum OS version, device encryption, screen-lock
Intune App Protection Policy (no copy-paste to personal apps)
Right to wipe corporate data on termination
Liability & reimbursement rules

🛡 Data Classification & Handling

Every piece of company data must carry a classification label: Public · Internal · Confidential · Restricted. Microsoft Purview Sensitivity Labels are the enforcement layer.

Label taxonomy with clear examples per tier
Encryption requirements per tier
Storage locations allowed per tier (OneDrive/SharePoint only — not Dropbox/WeTransfer)
Retention & disposal rules
Reference: Microsoft Purview Sensitivity Labels

🏠 Remote Work & VPN Policy

Defines where, how and with what hardware employees can work remotely. Modern best practice is Zero Trust (Entra ID Conditional Access) rather than traditional VPN.

Approved home network security (WPA2/WPA3, no guest Wi-Fi)
No public Wi-Fi without company VPN or Entra Private Access
Physical security of the laptop (privacy screen in transit)
Reporting lost/stolen devices within 1 hour

🚨 Incident Response & Reporting

Every employee is a first-line sensor. They must know how — and within what timeframe — to report a suspected incident (phishing, lost device, suspicious email, data leak).

Single reporting channel (e.g., security@company, Report Phishing button in Outlook)
Response SLA and escalation matrix
GDPR 72-hour breach-notification obligation
No-blame culture: better a false positive than silence
Reference: ENISA Incident Reporting

📧 Email & Communications Policy

Rules for professional email, Teams, and external communications.

No personal use of professional email for sensitive matters
External-email banner mandatory (Defender for Office feature)
DKIM, DMARC, SPF enforced outbound
Auto-forwarding to external addresses blocked by default

👋 Exit & Return of Property

Signed at hire — spells out what must happen on departure. Removes friction and legal ambiguity later.

List of property to return (laptop, phone, badge, keys, tokens)
Deadline for return (typically last working day)
Remote wipe clause if hardware isn't returned
Non-disclosure & intellectual property continuation
Reference: Clarity Security · IT Offboarding Checklist

📝 Note: Pricing and vendor information is indicative as of 2026 and may change — always request a live quote and a reference-customer call before signing. For EU-based companies, prefer vendors with GDPR Data Processing Agreements, EU data residency, and SOC 2 Type II attestations. For regulated industries (finance, health), prefer vendors with ISO 27001 + SOC 2 + HIPAA/PCI as applicable.

Actor	Origin	IOCs	Activity
APT29 (Cozy Bear)	🇷🇺 Russia	214	High
Lazarus Group	🇰🇵 DPRK	187	High
FIN7	🌐 Unknown	143	Medium
APT41	🇨🇳 China	126	Medium
Scattered Spider	🌐 Unknown	89	Low

CVE	CVSS	Product	Exploited
CVE-2025-21333	9.8	Windows Hyper-V	PoC Public
CVE-2025-29824	9.3	Windows CLFS	In Wild
CVE-2024-49138	8.8	Windows CLFS	PoC Public
CVE-2025-24054	8.1	NTLM Hash Leak	Limited
CVE-2024-38213	7.5	Windows SmartScreen	Limited

User	Department	Risk Score	Anomalies (7d)	Primary Trigger	Last Activity	Status
MR M. Rodriguez m.rodriguez@altanova.com	Finance	92	14	Excessive Data Download	Today 02:41	● Critical
JK J. Kim j.kim@altanova.com	IT Operations	87	11	Impossible Travel	Yesterday 23:08	● Critical
DL D. Laurent d.laurent@altanova.com	Engineering	74	8	Unusual Login Hours	Today 01:22	● High
SP S. Patel s.patel@altanova.com	HR	68	7	Mass Email Forward	Yesterday 16:54	● High
AT A. Torres a.torres@altanova.com	Legal	61	5	Privilege Escalation	Today 09:13	● High

Analyst	Alerts Triaged	Cases Closed	Avg Response Time	False Positives	Accuracy	Status
C. Fontaine	142	28	1.8 h	4	97%	On Duty
R. Okafor	118	21	2.2 h	8	93%	On Duty
M. Svensson	97	16	3.1 h	14	86%	Off Duty
L. Nguyen	134	24	2.4 h	6	95%	On Duty

Asset	Type	OS / Platform	IP Address	Risk	Open Alerts	Owner	Last Seen	Status
💻 WS-FINANCE-041 ALTANOVA\m.rodriguez	Workstation	Windows 11 22H2	10.0.1.141	Critical	7	Finance	1 min ago	Online
🖥 SRV-DC-001 Domain Controller	Server	Windows Server 2022	10.0.0.10	High	3	IT Ops	Just now	Online
☁ az-prod-vm-web01 Azure East US	Cloud VM	Ubuntu 22.04 LTS	20.84.132.77	Medium	1	DevOps	3 min ago	Online
💻 WS-HR-017 ALTANOVA\s.patel	Workstation	Windows 11 23H2	10.0.2.217	High	4	HR	8 min ago	Online
📱 MOB-UNMANAGED-004 Unknown owner	Unmanaged	iOS 17.4	10.0.5.88	High	0	—	22 min ago	⚠ Unmanaged
🖥 SRV-FILE-002 File Server	Server	Windows Server 2019	10.0.0.22	Low	0	IT Ops	1 min ago	Online
💻 WS-ENG-028 ALTANOVA\d.laurent	Workstation	macOS Sequoia 15.2	10.0.3.128	High	2	Engineering	45 min ago	Offline
☁ az-backup-vault-01 Azure Backup	Cloud	Azure Recovery Vault	—	Low	0	IT Ops	5 min ago	Online

⚙ Azure Connection Settings

🔒 Settings Password ▼

Azure AD App Credentials ▼

🔗 Connect Defender for Cloud Apps Policies ▼

Auto-Refresh ▼

ESET PROTECT Cloud Credentials ▼

📁 Proxy Folder ▼

📋 One-Time Azure Setup (5 min) ▼

👥 Team Members ▼

🔔 Notifications ▼

👁 Watchlist ▼

Case ID	Title	Severity	Status	Assigned To	Linked Alerts	Opened	Last Updated
CS-2026-031	Credential Stuffing — Finance Portal Repeated failed auth + successful login from new IP	Critical	In Progress	C. Fontaine	12	Today 08:14	Today 09:43
! Case escalated to Critical — 12 alerts correlated from 3 source IPs Today 09:43 → Assigned to C. Fontaine — investigation started, IPs added to block list Today 09:12 + Case created — initial 4 failed-auth alerts from 198.51.100.42 Today 08:14
CS-2026-030	Suspected Data Exfiltration — M. Rodriguez Large SharePoint download + off-hours access	Critical	In Progress	R. Okafor	7	Today 02:54	Today 08:30
⚠ UEBA high-risk score (92) confirmed — HR and Legal notified, user account flagged Today 08:30 → Assigned to R. Okafor — SharePoint audit logs pulled for review Today 07:15 + Case auto-created from UEBA anomaly trigger — 2.3 GB download in 18 minutes Today 02:54
CS-2026-029	Impossible Travel Alert — J. Kim Login from Toronto then Seoul within 40 minutes	High	Open	Unassigned	3	Yesterday 23:10	Yesterday 23:45
+ Case opened — UEBA impossible travel flag, login from CA then KR (2,897 miles, 40 min apart) Yesterday 23:10
CS-2026-028	Lateral Movement — Internal Subnet Scan WS-ENG-028 scanning 10.0.0.0/24 via SMB	High	In Progress	L. Nguyen	5	Yesterday 18:32	Today 07:02
⚠ Network telemetry confirms SMB scanning pattern — host isolated pending investigation Today 07:02 → Assigned to L. Nguyen — Defender for Endpoint alert correlated Yesterday 19:45 + Case created — anomalous SMB traffic detected from D. Laurent's workstation Yesterday 18:32
CS-2026-027	Phishing Link Clicked — 3 Users Defender ATP blocked payload delivery	Medium	Open	Unassigned	3	Yesterday 14:07	Yesterday 14:30
✓ Defender ATP blocked payload delivery — URL added to tenant block list Yesterday 14:30 + Case opened — 3 users clicked same phishing URL from spoofed "IT Help Desk" email Yesterday 14:07

Name	Last Run	Hits
Daily Auth Burst Check Failed logins > 10 per user per hour	Today 06:00	0
Exfiltration Detector SharePoint > 500MB in 30 min	Today 06:00	2
New Admin Accounts GA/PA role assigned in last 24h	Yesterday 18:00	0
Off-Hours Admin Login Admin login between 22:00–06:00	Today 06:00	1

Query	Ran	Duration	Rows
SignInLogs \| failed auth >10	Today 09:12	1.2s	0
SharePointAudit \| bytes > 500MB	Today 08:44	2.8s	2
AuditLogs \| admin role assigned	Yesterday 22:01	0.9s	0
SignInLogs \| off-hours admin	Yesterday 18:02	1.4s	1
DeviceNetworkEvents \| SMB scan	Yesterday 14:30	3.1s	5

🗄 Archive as Group

Mark as Resolved

Create Archive Group

Manage Groups

Add to Group

Rename Group

Delete Permanently

⚙ Azure Connection Settings

🔒 Settings Password ▼

Azure AD App Credentials ▼

🔗 Connect Defender for Cloud Apps Policies ▼

Auto-Refresh ▼

ESET PROTECT Cloud Credentials ▼

📁 Proxy Folder ▼

📋 One-Time Azure Setup (5 min) ▼

👥 Team Members ▼

🔔 Notifications ▼

👁 Watchlist ▼