Microsoft announces automatic investigation capabilities in Office 365

Microsoft yesterday announced the general availability of Automated Incident Response in Office 365 Advanced Threat Protection. These new security automation features will help security teams in organizations to work more efficiently. Microsoft announced two categories of automation capabilties—automatic and manually triggered investigations. Read about them detail below.

1. Automatic investigations that are triggered when alerts are raised—Alerts and related playbooks for the following scenarios are now available:
   • User-reported phishing emails—When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.
   • User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
   • Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
   • Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.

2. Manually triggered investigations that follow an automated playbook—Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and related content (attachment or URLs).

These new security capabilities are available for Office 365 ATP Plan 2, Office 365 E5 and Microsoft 365 E5 Security plan customers.

Source: Microsoft