Microsoft announced today the general availability of the Automated Incident Response feature in Office 365 Advanced Threat Protection (ATP) for its users, to support the rising requirements of security teams.
“Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization’s security teams,” says Microsoft.
Automated Incident Response is designed to make it easier for security departments to go through the huge amounts of alerts received daily with the help of security playbooks that will provide them with the steps needed to “comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation.”
Automatic and manually triggered investigations
These automated playbooks offered by Office 365’s Automated Incident Response capability are shaped to match security teams’ workflows, and to make it a lot faster to methodically address the most frequently encountered threats.
“In addition, aligned with our Microsoft Threat Protection promise, these playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP,” adds Office 365 Security Group Program Manager Girish Chander.
At the moment, both automatic and manually triggered investigations are available for Office 365 automated incident response:
• Automatic investigations that are triggered when alerts are raised: Alerts and related playbooks for a limited set of scenarios are now available.
Once included within a SecOps team's investigation and response workflow, the Automated Incident Response capabilities will help save large amounts of time by taking over several of the steps needed to handle alerts.
Frees up experts to tackle more complicated issues
Automated Incident Response for Office 365 ATP was first announced as entering preview in April, and it is designed to evolve into an important part of enterprise-grade security solutions.
“It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization,” said Microsoft Senior Product Marketing Manager Pragya Pandey at the time.
“Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.”
Several playbooks available for automatic investigations
These are the scenarios in which a security playbook automatically starts when an alert is raised:
• User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
• Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
• Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.
The Office 365 ATP Automated Incident Response capabilities are now available as part of the following offerings: