The Automated Incident Response feature in Office 365 Advanced Threat Protection (ATP) is now generally available, Microsoft has announced.
Meant to provide automation capabilities that help with investigation and response, the feature was launched in preview earlier this year. Microsoft is now making two categories of automation generally available: automatically triggered investigations and manually triggered investigations.
Automatic investigations, Microsoft says, are triggered when alerts are raised. Alerts and related playbooks are available for user-reported phishing emails, for cases where a user clicks a malicious link whose verdict has since changed, for malware detected post-delivery, and for phishing emails detected post-delivery.
Manually triggered investigations represent those automated investigations that security teams trigger from within the Threat Explorer for any email and related content they want to analyze.
“In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation,” Microsoft notes.
These playbooks correlate similar emails sent or received within the organization, as well as suspicious activities for relevant users. Flagged activities for users include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.
The playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP. Anomalies detected by Cloud App Security are ingested into the playbooks, and the playbooks can trigger device investigations in Microsoft Defender ATP.
“Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs,” Microsoft says.
The new capabilities have been made available as part of Office 365 ATP Plan 2, Office 365 E5, and Microsoft 365 E5 Security (which includes the full Microsoft Threat Protection experience).