Email Security

Microsoft Makes Automated Incident Response in Office 365 ATP Generally Available

The Automated Incident Response feature in Office 365 Advanced Threat Protection (ATP) is now generally available, Microsoft has announced.

Meant to provide automation capabilities to help with investigation and response, the feature was launched in preview earlier this year. Now, Microsoft is making two categories of automation generally available: automatic investigations and manually triggered investigations.

Automatic investigations, Microsoft says, are triggered when alerts are raised. Alerts and related playbooks are available for user-reported phishing emails, for clicks by a user on a malicious link whose verdict has changed, for malware detected post-delivery, and for phishing emails detected post-delivery.

Manually triggered investigations represent those automated investigations that security teams trigger from within the Threat Explorer for any email and related content they want to analyze.

“In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation,” Microsoft notes.

These playbooks correlate similar emails sent or received within the organization, as well as suspicious activities for relevant users. Flagged activities for users include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.
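The correlation described above can be sketched in code. The following is an added illustration, not Microsoft's playbook logic: given a user tied to an alert and a set of constructed, simplified audit events, it gathers the four activity categories the article lists (mail forwarding, mail delegation, DLP violations, and unusual sending volume) within a lookback window. The operation names are Exchange Online cmdlet and DLP operation names as they appear in the unified audit log, but the flat `time`/`user`/`op`/`detail` record layout, the forwarding keywords, and the `sends_per_hour` threshold are assumptions for the example.

```python
"""Toy correlation of flagged user activity around an email alert (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names from Exchange Online / Office 365 audit records; the
# record layout used below is a constructed simplification, not the real
# Office 365 Management API schema.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_HINTS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
DLP_OPS = {"DlpRuleMatch"}
SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}

# Constructed sample events (not real log data). alice shows all four
# flagged behaviours; carol only creates a benign move-to-folder rule.
SAMPLE_EVENTS = [
    {"time": "2019-09-10T08:02:00", "user": "alice@example.com", "op": "New-InboxRule",
     "detail": "Name=.; ForwardTo=mailbox@external.example"},
    {"time": "2019-09-10T08:05:00", "user": "alice@example.com", "op": "Add-MailboxPermission",
     "detail": "AccessRights=FullAccess; User=bob@example.com"},
    {"time": "2019-09-10T08:10:00", "user": "alice@example.com", "op": "DlpRuleMatch",
     "detail": "Policy=Financial data"},
    {"time": "2019-09-10T08:30:00", "user": "carol@example.com", "op": "Set-InboxRule",
     "detail": "Name=Newsletters; MoveToFolder=Archive"},
] + [
    {"time": f"2019-09-10T09:{m:02d}:00", "user": "alice@example.com", "op": "Send",
     "detail": f"Subject=Invoice {m}"}
    for m in range(45)  # 45 sends within one hour
] + [
    {"time": f"2019-09-10T10:{m:02d}:00", "user": "carol@example.com", "op": "Send",
     "detail": "Subject=Weekly report"}
    for m in range(5)
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_user_activity(events, user, alert_time, window_hours=24, sends_per_hour=30):
    """Return flagged activity for `user` in the window ending at `alert_time`.

    Result maps a category name to the matching events (or, for sending
    volume, to per-hour counts that exceed the threshold). An empty dict
    means nothing was flagged.
    """
    end = _parse(alert_time)
    start = end - timedelta(hours=window_hours)
    findings = defaultdict(list)
    sends_by_hour = defaultdict(int)

    for ev in events:
        if ev["user"] != user:
            continue
        t = _parse(ev["time"])
        if not start <= t <= end:
            continue
        op, detail = ev["op"], ev["detail"]
        # A rule or mailbox change only counts as forwarding if it actually
        # sets a forward/redirect target.
        if op in FORWARDING_OPS and any(h in detail for h in FORWARDING_HINTS):
            findings["mail_forwarding"].append(ev)
        elif op in DELEGATION_OPS:
            findings["mail_delegation"].append(ev)
        elif op in DLP_OPS:
            findings["dlp_violation"].append(ev)
        elif op in SEND_OPS:
            sends_by_hour[t.replace(minute=0, second=0, microsecond=0)] += 1

    # Sending pattern: flag any hour whose volume exceeds the threshold.
    for hour, n in sorted(sends_by_hour.items()):
        if n > sends_per_hour:
            findings["suspicious_sending"].append({"hour": hour.isoformat(), "sends": n})
    return dict(findings)


if __name__ == "__main__":
    for who in ("alice@example.com", "carol@example.com"):
        result = correlate_user_activity(SAMPLE_EVENTS, who, "2019-09-10T12:00:00")
        print(who, {k: len(v) for k, v in result.items()} or "nothing flagged")
```

In a real deployment the events would come from the Office 365 Management Activity API or a SIEM rather than an inline list, and the send threshold would be derived from the user's own baseline instead of a fixed constant.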

The playbooks also integrate with signals and detections from Microsoft’s Cloud App Security and Defender ATP. Thus, anomalies detected by Cloud App Security are ingested in the playbooks, and the playbooks trigger device investigations with Microsoft Defender ATP.

“Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs,” Microsoft says.

The new capabilities have been made available as part of Office 365 ATP Plan 2, Office 365 E5, and Microsoft 365 E5 Security (which includes the full Microsoft Threat Protection experience).

Related: Microsoft Unveils New Azure, Windows Defender ATP Tools

Related: New Microsoft 365 Offerings Target Security, Compliance

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
