Summary: OMS Security advanced detections will automatically be enabled for all OMS Security customers who have workspaces in Europe.
Since we introduced the advanced detection capability in OMS Security last August, we have seen it in action for thousands of customers. It scans more than seven billion events per day and analyzes them to generate useful detections. We heard from customers that this capability helped them to uncover attacks in their systems that they did not find before.
OMS Security advanced detections are provided as a service, which means that customers don’t have to create or maintain the infrastructure and write threat detection rules. Microsoft does it for them on a global scale and brings Microsoft’s vast security knowledge and tools into play. We are continuously adding new patterns and new detection types to keep up with the latest attack techniques. We keep monitoring the detections to reduce the false positive detections as much as we can.
As we reduce the false detections, most customers will have very few or no detections presented. Only 38% of the relevant customers had any detection, while most of them had detections only on failed attempts that requires some attention. If you would like to improve your detection coverage, add more machines and adjust your auditing policy to collect more information such as the command line parameters as specified in 4688(S): A new process has been created.
Today, we are announcing the biggest expansion yet of the service to cover all our European customers. The OMS Security advanced detections will automatically be enabled for all OMS Security customers who have workspaces in Europe. For these customers, the detection analysis will run in European datacenters.
We also improve the experience of investigating these detections. When you click a detection now, you would get inside the search a dedicated view:
This is not just a static view. If you click users and computers that are involved in the detection, you can view their security details as well: