Automatically Respond to Security Incidents in Office 365
Microsoft has announced general availability of a new feature in its security service Office 365 Advanced Threat Protection (Office 365 ATP) that enables automated response to Office 365 security incidents. The company distinguishes two categories of automation: automatically triggered and manually triggered investigations.
Automatic investigation of an incident is triggered by alerts, for example when the Safe Links or Safe Attachments services detect malicious content in an e-mail, or when a user reports a phishing e-mail.
The second category covers manually started investigations that follow automated "playbook sequences" for different attack scenarios and attack types. Each playbook is essentially a series of carefully logged steps that investigate an alert comprehensively and produce a set of recommended mitigation measures. The playbooks correlate similar e-mails sent or received within the organization with suspicious activity affecting the Office 365 users concerned; such activity includes e-mail forwarding, e-mail delegation, Office 365 Data Loss Prevention (DLP) violations, and unusual e-mail sending patterns. Both the automatic and the manually initiated responses are intended to help security analysts respond to, mitigate and eliminate Office 365 threats quickly and systematically.
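As an added illustration (not code from the original article, and not Microsoft's own AIR implementation), the following Python sketch shows the kind of correlation the playbooks above describe: starting from a user-reported phishing message, it finds other deliveries of the same message, then checks each affected mailbox for the listed risk signals (a forwarding inbox rule, a new delegate, a DLP match, a sending burst) and maps each finding to a recommended action. The audit-record shape, field names, operation names, thresholds and the sample records are all constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed sample audit records in a simplified, assumed shape.
# Field names are this example's own, not Microsoft's audit-log schema.
AUDIT_LOG = [
    {"t": "2019-09-09T08:02", "user": "alice@example.com", "op": "UserReportedPhish",
     "sender": "billing@exarnple.test", "subject": "Invoice overdue"},
    {"t": "2019-09-09T08:03", "user": "bob@example.com", "op": "MailReceived",
     "sender": "billing@exarnple.test", "subject": "Invoice overdue"},
    {"t": "2019-09-09T08:03", "user": "carol@example.com", "op": "MailReceived",
     "sender": "hr@example.com", "subject": "Lunch menu"},
    {"t": "2019-09-09T08:06", "user": "bob@example.com", "op": "New-InboxRule",
     "forward_to": "collector@mail.invalid"},
    {"t": "2019-09-09T08:07", "user": "bob@example.com", "op": "Add-MailboxPermission",
     "delegate": "collector@mail.invalid"},
    {"t": "2019-09-09T08:09", "user": "bob@example.com", "op": "DlpRuleMatch",
     "policy": "Credit card numbers"},
]
# Constructed burst: bob's mailbox sends 40 messages within five minutes
# after the rule change, the "suspicious sending pattern" signal.
AUDIT_LOG += [
    {"t": f"2019-09-09T08:{10 + i // 8:02d}", "user": "bob@example.com",
     "op": "MailSent", "recipient": f"ext{i}@mail.invalid"}
    for i in range(40)
]

SEND_BURST_THRESHOLD = 25             # assumed: messages per window that count as a burst
SEND_BURST_WINDOW = timedelta(minutes=10)

# Assumed mapping from a finding to the mitigation an analyst would be offered.
RECOMMENDATIONS = {
    "forwarding_rule": "remove the inbox rule and review external forwarding",
    "delegation": "revoke the mailbox permission",
    "dlp_violation": "review the DLP incident for possible data exfiltration",
    "send_burst": "block outbound mail from the mailbox and reset the credentials",
}


def ts(rec):
    return datetime.fromisoformat(rec["t"])


def similar_messages(log, alert):
    """Step 1: other deliveries of the reported message (same sender or subject)."""
    return [r for r in log if r["op"] == "MailReceived"
            and (r["sender"] == alert["sender"] or r["subject"] == alert["subject"])]


def suspicious_activities(log, user, since, window=timedelta(hours=24)):
    """Step 2: risk signals for one user in the window after the alert time."""
    findings = []
    mine = [r for r in log if r["user"] == user and since <= ts(r) <= since + window]
    for r in mine:
        if r["op"] == "New-InboxRule" and r.get("forward_to"):
            findings.append(("forwarding_rule", r["forward_to"]))
        elif r["op"] == "Add-MailboxPermission":
            findings.append(("delegation", r["delegate"]))
        elif r["op"] == "DlpRuleMatch":
            findings.append(("dlp_violation", r["policy"]))
    # Sliding window over send timestamps: flag the first burst found.
    sends = sorted(ts(r) for r in mine if r["op"] == "MailSent")
    for i, start in enumerate(sends):
        n = sum(1 for s in sends[i:] if s - start <= SEND_BURST_WINDOW)
        if n >= SEND_BURST_THRESHOLD:
            findings.append(("send_burst", n))
            break
    return findings


def run_playbook(log):
    """Step 3: walk each user-reported phish through the steps and collect actions."""
    report = {}
    for alert in (r for r in log if r["op"] == "UserReportedPhish"):
        related = similar_messages(log, alert)
        affected = {alert["user"]} | {r["user"] for r in related}
        per_user = {}
        for user in sorted(affected):
            findings = suspicious_activities(log, user, ts(alert))
            per_user[user] = {
                "findings": findings,
                "actions": ["soft-delete the reported message and its copies"]
                           + [RECOMMENDATIONS[kind] for kind, _ in findings],
            }
        report[alert["subject"]] = {"related_messages": len(related), "users": per_user}
    return report


if __name__ == "__main__":
    for subject, result in run_playbook(AUDIT_LOG).items():
        print(f"alert '{subject}': {result['related_messages']} related delivery(ies)")
        for user, detail in result["users"].items():
            print(f"  {user}: findings={detail['findings']}")
            for action in detail["actions"]:
                print(f"    -> {action}")
```

The point of the sketch is the order of the steps: scoping the incident by the message first, then looking at mailbox behaviour only for the users who actually received it, so that carol (who got an unrelated e-mail) never enters the investigation while bob, whose mailbox shows all four signals after delivery, is surfaced with a concrete action per finding.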
However, the new feature in Office 365 ATP is available only to enterprise customers with either an Office 365 ATP Plan 2 or an Office 365 Enterprise E5 subscription. Licensing is per user and requires a term of at least one year.