
Microsoft Makes Automated Incident Response in Office 365 ATP Generally Available

The Automated Incident Response feature in Office 365 Advanced Threat Protection (ATP) is now generally available, Microsoft has announced.


Meant to provide automation capabilities that help with investigation and response, the feature was launched in preview earlier this year. Now Microsoft is making two categories of automation generally available: automatic investigations and manually triggered investigations.

Automatic investigations, Microsoft says, are triggered when alerts are raised. Alerts and related playbooks are available for user-reported phishing emails, for user clicks on a malicious link whose verdict changed after delivery, for malware detected post-delivery, and for phishing emails detected post-delivery.

Manually triggered investigations are automated investigations that security teams start from within Threat Explorer for any email and related content they want to analyze.

“In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation,” Microsoft notes.

These playbooks correlate similar emails sent or received within the organization, as well as suspicious activities for relevant users. Flagged activities for users include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.

The playbooks also integrate with signals and detections from Microsoft’s Cloud App Security and Defender ATP. Thus, anomalies detected by Cloud App Security are ingested in the playbooks, and the playbooks trigger device investigations with Microsoft Defender ATP.

“Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs,” Microsoft says.
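Consuming those API records in a SIEM pipeline is the part the announcement leaves to the reader. The following is an added example, not code from the article or from Microsoft: it normalises Office 365 Management Activity API audit records (the `Audit.General` content type, which the article's quote refers to) into flat SIEM events, drops records the API has already delivered, and groups alerts by the investigation they link to so one investigation becomes one pivot in the SIEM. The record type numbers and the `TIMailData`/`TIUrlClickData` operations are from the public Management Activity API schema; the `InvestigationId` and `InvestigationUrl` property names are placeholders, since the article does not name the real ones, and the sample records and URLs are constructed.

```python
"""Normalise Office 365 Management Activity API records for SIEM ingestion.

Added example. Assumptions: records are the JSON arrays the API returns for the
Audit.General content type; the property names InvestigationId and
InvestigationUrl are placeholders for the investigation link the article
mentions. Sample data below is constructed.
"""
import json
from datetime import datetime, timezone

# Record types from the Management Activity API schema that carry Office 365 ATP
# detections (28 = ThreatIntelligence, 41 = ThreatIntelligenceUrl,
# 47 = ThreatIntelligenceAtpContent). RecordType 15 is an Azure AD logon.
ATP_RECORD_TYPES = {28: "ThreatIntelligence", 41: "ThreatIntelligenceUrl",
                    47: "ThreatIntelligenceAtpContent"}

# Placeholder property names (assumption, see module docstring).
INVESTIGATION_ID_FIELD = "InvestigationId"
INVESTIGATION_URL_FIELD = "InvestigationUrl"

# Constructed sample blob; real Ids are GUIDs and real URLs point at the portal.
SAMPLE_BLOB = json.dumps([
    {"Id": "rec-0001", "RecordType": 28, "CreationTime": "2019-09-10T14:02:11",
     "Operation": "TIMailData", "UserId": "alice@example.com", "Verdict": "Phish",
     INVESTIGATION_ID_FIELD: "inv-0001",
     INVESTIGATION_URL_FIELD: "https://example.invalid/air/inv-0001"},
    {"Id": "rec-0002", "RecordType": 41, "CreationTime": "2019-09-10T14:05:30",
     "Operation": "TIUrlClickData", "UserId": "alice@example.com", "Verdict": "Malicious",
     INVESTIGATION_ID_FIELD: "inv-0001",
     INVESTIGATION_URL_FIELD: "https://example.invalid/air/inv-0001"},
    # ATP record with no investigation link: still forwarded, link fields stay None.
    {"Id": "rec-0003", "RecordType": 47, "CreationTime": "2019-09-10T14:01:00",
     "Operation": "TIMailData", "UserId": "bob@example.com", "Verdict": "Malware"},
    # Non-ATP record: filtered out of the ATP feed.
    {"Id": "rec-0004", "RecordType": 15, "CreationTime": "2019-09-10T13:59:00",
     "Operation": "UserLoggedIn", "UserId": "bob@example.com"},
])


def parse_blob(blob_text):
    """A content blob is a JSON array of audit records; anything else is an error."""
    records = json.loads(blob_text)
    if not isinstance(records, list):
        raise ValueError("Management Activity API content blobs are JSON arrays")
    return records


def _to_utc_iso(creation_time):
    # CreationTime carries no offset; the API documents it as UTC.
    return (datetime.strptime(creation_time, "%Y-%m-%dT%H:%M:%S")
            .replace(tzinfo=timezone.utc).isoformat())


def normalise(record):
    """Flatten one ATP audit record into the field set the SIEM indexes."""
    return {
        "event_id": record["Id"],
        "timestamp": _to_utc_iso(record["CreationTime"]),
        "source": "o365-management-api",
        "record_type": ATP_RECORD_TYPES[record["RecordType"]],
        "operation": record.get("Operation"),
        "user": record.get("UserId"),
        "verdict": record.get("Verdict"),
        "investigation_id": record.get(INVESTIGATION_ID_FIELD),
        "investigation_url": record.get(INVESTIGATION_URL_FIELD),
    }


def build_siem_events(blob_texts, seen_ids=None):
    """Parse blobs, keep ATP records only, drop record Ids already delivered
    (the API can re-deliver content), and return events ordered by time."""
    seen = set() if seen_ids is None else seen_ids
    events = []
    for blob in blob_texts:
        for rec in parse_blob(blob):
            if rec.get("RecordType") not in ATP_RECORD_TYPES or rec["Id"] in seen:
                continue
            seen.add(rec["Id"])
            events.append(normalise(rec))
    events.sort(key=lambda e: e["timestamp"])
    return events


def investigation_links(events):
    """Group events by investigation id -> {"url": ..., "event_ids": [...]}."""
    links = {}
    for ev in events:
        if not ev["investigation_id"]:
            continue
        entry = links.setdefault(ev["investigation_id"],
                                 {"url": ev["investigation_url"], "event_ids": []})
        entry["event_ids"].append(ev["event_id"])
    return links


if __name__ == "__main__":
    # Passing the same blob twice shows the de-duplication.
    evs = build_siem_events([SAMPLE_BLOB, SAMPLE_BLOB])
    print(json.dumps(evs, indent=2))
    print(json.dumps(investigation_links(evs), indent=2))
```

The `seen_ids` set is meant to be persisted between polling runs (for example alongside the stored watermark of the last `startTime`/`endTime` window), otherwise re-delivered content produces duplicate alerts in the SIEM.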

The new capabilities have been made available as part of Office 365 ATP Plan 2, Office 365 E5, and Microsoft 365 E5 Security (which includes the full Microsoft Threat Protection experience).

Related: Microsoft Unveils New Azure, Windows Defender ATP Tools

Related: New Microsoft 365 Offerings Target Security, Compliance

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
