Optimize SecOps efficiency with new Automated Incident Response in Office 365 ATP

April 4, 2019
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

Microsoft Threat Protection offers unparalleled intelligence through the Microsoft Intelligent Security Graph, which blends the strength of its signals with unique, sophisticated ML algorithms to deliver best-in-class threat mitigation. This intelligence enables seamless integration across services, providing extensive visibility into the threat landscape across multiple attack vectors. The strong integration and interaction between services helps correlate signals from a variety of sources, empowering SecOps to achieve more despite limited time, budget and resources. Microsoft Threat Protection also adds powerful automation capabilities that are critical to delivering rapid and effective incident response, greatly improving the efficiency of SecOps. We’re excited to announce new Automated Incident Response (AIR) capabilities in Office 365 ATP that enhance the automation in Microsoft Threat Protection by providing comprehensive visibility into the threat landscape and by investigating and remediating attacks across emails, devices and users.

Figure: Security Dashboard showing a summary of automated investigations

Challenges faced by SecOps today

Over the years, we’ve learnt from our customers that the SecOps teams are faced with numerous challenges when dealing with incident response. One key issue is the lack of expertise and skill set needed to analyze signals and respond to incidents in an efficient way. Additionally:

  1. Most organizations struggle with the growing sophistication of attacks
  2. Tracking kill chains is time-consuming: alerts are noisy and voluminous
  3. SecOps teams are constantly struggling with time, resources and budget

Figure: A day in the life (the manual alert-handling process)

Every single security alert invokes the above process and with the huge volume of incidents that need to be addressed, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of attacks can significantly reduce the manual effort and time for incident response.

Automation can significantly reduce the time, effort and resources needed for incident response

Last year, we shared how Office 365 ATP can help you become more effective and efficient in the threat investigation and remediation process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

Figure: Composite Organization (Forrester cost-savings summary)

The new automation capabilities in Office 365 ATP further support the goal of bringing more effectiveness and efficiency for SecOps.

Introducing new security playbooks within Office 365 ATP

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built on our experience with real-world security scenarios. Based on our visibility into, and experience with, the threat landscape, we’ve designed these playbooks to tackle the most frequent threats.

Figure: Security playbooks are the foundation of AIR

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

In preview, we’re introducing the following alerts and playbooks and will add more in coming months.

  • User reports a phishing email — This alert triggers an automatic investigation using the User Reported Messages playbook when a user uses the “Report Message” button to report a phishing email.
  • User clicks on a malicious link — This alert triggers an automatic investigation using the Weaponized URL playbook when a URL protected by Office 365 ATP Safe Links and clicked by a user is later determined to be malicious through detonation (a change in verdict), or when the user overrides (clicks through) the Office 365 ATP Safe Links warning page.
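The two trigger rules above are simple enough to model. The following is an added example, not Office 365 ATP code and not Microsoft’s implementation: it applies the two preview rules (a user report always opens the User Reported Messages playbook; a Safe Links click opens the Weaponized URL playbook only when detonation flipped the verdict after the click or the user clicked through the warning page) to a constructed batch of events, and collapses repeated triggers so one user reporting the same message twice does not open two investigations. The event fields and sample data are assumptions made for illustration.

```python
# Added example (not Microsoft's code): a model of the two preview
# alert-to-playbook rules, run over constructed Safe Links click and
# Report Message events. Field names are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

USER_REPORTED_PLAYBOOK = "User Reported Messages"
WEAPONIZED_URL_PLAYBOOK = "Weaponized URL"


@dataclass(frozen=True)
class Event:
    """One signal from the mail pipeline (constructed shape, not an ATP schema)."""
    kind: str                                # "report_message" or "safe_links_click"
    user: str
    message_id: Optional[str] = None         # for report_message events
    url: Optional[str] = None                # for safe_links_click events
    verdict_at_click: Optional[str] = None   # Safe Links verdict when the user clicked
    current_verdict: Optional[str] = None    # verdict after detonation finished
    clicked_through: bool = False            # user overrode the warning page


def select_playbook(event: Event) -> Optional[str]:
    """Map an event to the playbook that should investigate it, or None."""
    if event.kind == "report_message":
        # Any user-reported phish opens the User Reported Messages playbook.
        return USER_REPORTED_PLAYBOOK
    if event.kind == "safe_links_click":
        # Detonation flipped the verdict after the click: the user reached a
        # page that only later proved malicious.
        verdict_changed = (event.verdict_at_click == "clean"
                           and event.current_verdict == "malicious")
        # Or the user dismissed the Safe Links warning page and continued.
        if verdict_changed or event.clicked_through:
            return WEAPONIZED_URL_PLAYBOOK
    # Clean clicks, and clicks the warning page blocked outright, need no investigation.
    return None


def triage(events):
    """Return the distinct (playbook, user, subject) investigations to open.

    Identical repeated triggers are collapsed so a single noisy user does not
    create several investigations for the same message or URL.
    """
    opened = []
    seen = set()
    for ev in events:
        playbook = select_playbook(ev)
        if playbook is None:
            continue
        subject = ev.message_id if ev.kind == "report_message" else ev.url
        key = (playbook, ev.user, subject)
        if key in seen:
            continue
        seen.add(key)
        opened.append(key)
    return opened


# Constructed sample signals; none of these are real users, messages or URLs.
SAMPLE_EVENTS = [
    Event("report_message", "alice@example.com", message_id="<msg-1@example.com>"),
    Event("safe_links_click", "bob@example.com", url="https://bad.example/invoice",
          verdict_at_click="clean", current_verdict="malicious"),       # verdict changed
    Event("safe_links_click", "carol@example.com", url="https://bad.example/login",
          verdict_at_click="malicious", current_verdict="malicious",
          clicked_through=True),                                         # user overrode warning
    Event("safe_links_click", "dave@example.com", url="https://bad.example/login",
          verdict_at_click="malicious", current_verdict="malicious"),   # blocked, no click-through
    Event("safe_links_click", "erin@example.com", url="https://good.example/",
          verdict_at_click="clean", current_verdict="clean"),           # clean click
    Event("report_message", "alice@example.com", message_id="<msg-1@example.com>"),  # duplicate report
]


def run_sample():
    """Investigations the sample batch would open: three, not six."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for playbook, user, subject in run_sample():
        print(f"{playbook:24} {user:20} {subject}")
```

Running the sample opens exactly three investigations (Alice’s report, Bob’s verdict-changed click and Carol’s click-through); Dave’s blocked click and Erin’s clean click produce nothing, and Alice’s duplicate report is folded into the first. The `verdict_at_click`/`current_verdict` pair is the part worth keeping in any real model: a URL that was already malicious at click time and was blocked is not a compromise event, whereas a clean-at-click URL that detonation later flags is.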

Figure: An alert automatically triggers an investigation when a user reports an email as phish

Figure: Investigation graph showing a summary of relevant emails and users with threats and recommended actions

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch the video below to see the playbooks in action.

Triggering manual investigation from the Threat Explorer

In addition to these playbooks, we’re also adding the ability to trigger manual investigations from the Threat Explorer. This gives SecOps the flexibility to start an investigation on demand. It’s particularly important in threat-hunting scenarios where SecOps need to investigate an IOC such as a malicious file hash, URL, domain or IP address. This lets them gain visibility into any potential threat instantly, together with relevant recommendations.

Figure: Triggering automated investigations from the Threat Explorer’s All email view

Automation for incident response will become an increasingly important part of an enterprise-grade security solution. It can help mitigate more threats in real time, reduce the time to detection and recovery, and ultimately improve the efficiency, accuracy, and overall security of any organization. Just as important, it frees up time for the organization’s key security operations staff to focus on more complicated problems – getting more out of their most trained experts.

Microsoft Threat Protection offers powerful automation capabilities which enable better detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

Discuss this article in the Microsoft Technical Community.