Office 365 ATP Automated Incident Response Now Generally Available

Filed under Security Alerts.

Microsoft announced today the general availability of the Automated Incident Response feature for Office 365 Advanced Threat Protection (ATP) users, intended to support the rising demands placed on security teams.

“Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization’s security teams,” says Microsoft.

Automated Incident Response is designed to make it easier for security departments to go through the huge amounts of alerts received daily with the help of security playbooks that will provide them with the steps needed to “comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation.”

Automatic and manually triggered investigations

These automated playbooks offered by Office 365’s Automated Incident Response capability are shaped to match security teams’ workflows, and to make it a lot faster to methodically address the most frequently encountered threats.

“In addition, aligned with our Microsoft Threat Protection promise, these playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP,” adds Office 365 Security Group Program Manager Girish Chander.

At the moment, both automatic and manually triggered investigations are available for Office 365 automated incident response:

• Manually triggered investigations that follow an automated playbook: Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and its related content (attachments or URLs).
• Automatic investigations that are triggered when alerts are raised: Alerts and related playbooks for a limited set of scenarios are now available.

Once included in a SecOps team’s investigation and response workflow, the Automated Incident Response capabilities will save large amounts of time by handling several of the steps needed to deal with alerts on the team’s behalf.

[Figure: Cycle of investigation (SecOps investigation workflow)]

Frees up experts to tackle more complicated issues

Automated Incident Response for Office 365 ATP was first announced as entering preview in April, and it is designed to evolve into an important part of enterprise-grade security solutions.

“It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization,” said Microsoft Senior Product Marketing Manager Pragya Pandey at the time.

“Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.”

Several playbooks available for automatic investigations

The following scenarios automatically initiate a security playbook when an alert is triggered:

• User-reported phishing emails—When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.
• User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
• Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
• Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.

The Office 365 ATP Automated Incident Response capabilities are now available as part of the following offerings:

• Office 365 ATP Plan 2
• Office 365 E5
• Microsoft 365 E5 Security, which includes the full Microsoft Threat Protection experience

Source: Bleeping Computer.