Office 365 security: Automated incident response based on playbooks - Help Net Security


Five months after introducing Automated Incident Response in Office 365 ATP, Microsoft has announced it’s making it more widely available.


Customers who have opted for Office 365 ATP Plan 2, Office 365 E5 or Microsoft 365 E5 Security will now be able to make their SecOps team’s work easier through the use of security playbooks.


Security playbooks for the most common threats


Microsoft offers playbooks for the following scenarios:


User-reported phishing emails – The alert and an automatic investigation following the playbook are triggered when the user reports a phish email using the Report message add-in in Outlook or Outlook on the web.
User clicks a malicious link with verdict changed (to malicious) – Attackers often weaponize a link after the delivery of an email. The user clicking on such a link will trigger an alert and an automatic investigation following the URL Verdict Change playbook, which will correlate similar emails and suspicious activities for the relevant users across Office 365.
Malware detected post-delivery – When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox, as well as into the relevant devices for the users.
Phish detected post-delivery – When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox. (It also evaluates if the user clicked any of the links.)

These automatic investigations that follow an automated playb ..
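As an added illustration (not Microsoft's code and not part of the original article), the Python sketch below models what the URL Verdict Change playbook above is described as doing: once a delivered URL is re-classified as malicious, scope the investigation to the messages that carried it, the users who received them, who clicked after delivery, and similar mail from the same senders. All records, addresses and URLs are constructed; the function name and data layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Message:
    msg_id: str
    recipient: str
    sender: str
    urls: frozenset
    delivered: datetime

@dataclass(frozen=True)
class Click:
    user: str
    url: str
    at: datetime

# Hypothetical URL whose verdict flips to malicious after the mail was delivered.
BAD = "https://evil.example/pay"

# Constructed sample data: one campaign (m1-m3) plus an unrelated newsletter (m4).
DELIVERED = [
    Message("m1", "alice@example.com", "invoices@evil.example", frozenset({BAD}), datetime(2019, 9, 10, 8, 0)),
    Message("m2", "bob@example.com", "invoices@evil.example", frozenset({BAD}), datetime(2019, 9, 10, 8, 1)),
    Message("m3", "carol@example.com", "invoices@evil.example", frozenset({"https://evil.example/x"}), datetime(2019, 9, 10, 8, 2)),
    Message("m4", "dave@example.com", "news@vendor.example", frozenset({"https://vendor.example/n"}), datetime(2019, 9, 10, 8, 3)),
]
CLICKS = [
    Click("alice@example.com", BAD, datetime(2019, 9, 10, 9, 15)),
    Click("dave@example.com", "https://vendor.example/n", datetime(2019, 9, 10, 9, 20)),
]

def investigate_verdict_change(url, delivered, clicks):
    """Scope an investigation once `url` is re-classified as malicious: the
    messages that carried it, who received them, who clicked it after delivery,
    and 'similar' mail from the same senders that should be reviewed as well."""
    hits = [m for m in delivered if url in m.urls]
    delivered_at = {m.recipient: m.delivered for m in hits}
    # A click only counts if the user actually received the URL and clicked after delivery.
    clicked = {c.user for c in clicks
               if c.url == url and c.user in delivered_at and c.at >= delivered_at[c.user]}
    senders = {m.sender for m in hits}
    similar = [m for m in delivered if m.sender in senders and url not in m.urls]
    return {
        "messages": sorted(m.msg_id for m in hits),
        "recipients": sorted(delivered_at),
        "clicked": sorted(clicked),
        "similar_messages": sorted(m.msg_id for m in similar),
    }
```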