Office 365 security: Automated incident response based on playbooks

Five months after introducing Automated Incident Response in Office 365 ATP, Microsoft has announced it’s making it more widely available.

Customers who have opted for Office 365 ATP Plan 2, Office 365 E5 or Microsoft 365 E5 Security will now be able to make their SecOps team’s work easier through the use of security playbooks.

Security playbooks for the most common threats

Microsoft offers playbooks for the following scenarios:

  • User-reported phishing emails – The alert and an automatic investigation following the playbook are triggered when a user reports a phishing email using the Report Message add-in in Outlook or Outlook on the web.
  • User clicks a malicious link with verdict changed (to malicious) – Attackers often weaponize a link only after the email carrying it has been delivered. A user clicking such a link triggers an alert and an automatic investigation following the URL Verdict Change playbook, which correlates similar emails and suspicious activities for the relevant users across Office 365.
  • Malware detected post-delivery – When Office 365 ATP detects and/or ZAPs (zero-hour auto purge) an email containing malware, an alert triggers an automatic investigation into similar emails and related user actions in Office 365 for the period when the emails were present in users' inboxes, as well as into the relevant devices of those users.
  • Phish detected post-delivery – When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user's mailbox, an alert triggers an automatic investigation into similar emails and related user actions in Office 365 for the period when the emails were present in users' inboxes. (It also evaluates whether the user clicked any of the links.)

Investigations that follow a playbook can be triggered automatically when an alert is raised, or started manually by security teams from the Threat Explorer tool.

“These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation,” explained Girish Chander, Group Program Manager, Office 365.

“They correlate similar emails sent or received within the organization and any suspicious activities for relevant users. Flagged activities for users might include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.”

Microsoft plans to add new playbooks in the future.

What happens when an automatic investigation is triggered?

Let’s take the first scenario as an example.

[Image: Office 365 incident response]

The user reports an email as malicious, the user-reported message triggers a system-based informational alert, and the alert launches the investigation playbook.

The playbook covers several sequential steps: root investigation, threat investigation and hunting and, finally, remediation.

Root investigation includes the assessment of the various aspects of the suspicious email (what type of threat it is, who sent it, whether it is associated with known campaigns, etc.). Once it's complete, the playbook provides SecOps teams with a list of recommended actions they can take regarding the malicious emails and the entities associated with them.

The threat investigation and hunting phase includes cross-platform information sharing and a number of automatic actions and checks, all done to identify similar email messages, determine whether any users clicked the malicious links in those emails, and determine whether any users have been compromised.

Lastly, a list of threat mitigation and remediation actions is presented to the security team.
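To make the investigation and hunting phase concrete, here is an added example, not Microsoft's playbook code and not an Office 365 API, that runs the correlation described above over constructed sample data: it finds messages similar to a user-reported phish (same sender, same URL host or same normalized subject), checks which affected users clicked, cross-references the flagged activity types the article lists (mail forwarding, delegation, DLP violations, suspicious sending), and produces a list of recommended actions. All names, domains, message IDs and the `Email`/`Click`/`Activity` records are hypothetical.

```python
# Added illustration of the "threat investigation and hunting" phase: correlate
# messages similar to a user-reported phish, check who clicked, and flag
# suspicious post-compromise activity. Sample data is constructed; this is not
# Microsoft's playbook code and does not call any Office 365 API.
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Email:
    msg_id: str
    recipient: str
    sender: str
    subject: str
    urls: tuple


@dataclass(frozen=True)
class Click:
    user: str
    msg_id: str
    url: str


@dataclass(frozen=True)
class Activity:
    user: str
    kind: str      # "forwarding_rule", "delegation", "dlp_violation", "bulk_send"
    detail: str


# Activity kinds the article lists as "flagged activities for users".
SUSPICIOUS_KINDS = {"forwarding_rule", "delegation", "dlp_violation", "bulk_send"}


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes and extra whitespace so 'FW: Invoice' matches 'Invoice'."""
    s = subject.strip().lower()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)
    return re.sub(r"\s+", " ", s)


def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def find_similar(reported: Email, mailbox: list) -> list:
    """Messages sharing the sender, a URL host, or the normalized subject with the reported one."""
    hosts = {url_host(u) for u in reported.urls}
    subj = normalize_subject(reported.subject)
    similar = []
    for e in mailbox:
        if e.msg_id == reported.msg_id:
            continue
        same_sender = e.sender.lower() == reported.sender.lower()
        same_host = bool(hosts & {url_host(u) for u in e.urls})
        same_subject = normalize_subject(e.subject) == subj
        if same_sender or same_host or same_subject:
            similar.append(e)
    return similar


def investigate(reported: Email, mailbox: list, clicks: list, activities: list) -> dict:
    """Correlate similar mail, clicks and suspicious user activity; return findings and actions."""
    similar = find_similar(reported, mailbox)
    msg_ids = {reported.msg_id} | {e.msg_id for e in similar}
    affected = {reported.recipient} | {e.recipient for e in similar}
    clicked = {c.user for c in clicks if c.msg_id in msg_ids}
    # Only activity of users who actually received the campaign is relevant here.
    suspicious = {a.user for a in activities if a.user in affected and a.kind in SUSPICIOUS_KINDS}
    compromised = clicked & suspicious   # clicked the link AND shows post-click suspicious activity
    actions = [f"Soft-delete {len(msg_ids)} message(s): {', '.join(sorted(msg_ids))}"]
    for u in sorted(clicked):
        actions.append(f"Block the clicked URL(s) and check the device of {u}")
    for a in activities:
        if a.user in compromised and a.kind == "forwarding_rule":
            actions.append(f"Remove forwarding rule on {a.user}: {a.detail}")
    for u in sorted(compromised):
        actions.append(f"Reset credentials and revoke sessions for {u}")
    return {
        "similar_msg_ids": sorted(e.msg_id for e in similar),
        "affected_users": sorted(affected),
        "clicked_users": sorted(clicked),
        "likely_compromised": sorted(compromised),
        "actions": actions,
    }


# Constructed sample data (hypothetical tenant; names and domains are made up).
REPORTED = Email("m1", "alice@fabrikam.example", "billing@inv0ice-portal.example",
                 "Invoice overdue - action required", ("https://inv0ice-portal.example/login",))
MAILBOX = [
    REPORTED,
    Email("m2", "bob@fabrikam.example", "billing@inv0ice-portal.example",
          "FW: Invoice overdue - action required", ("https://inv0ice-portal.example/login",)),
    Email("m3", "carol@fabrikam.example", "accounts@other-sender.example",
          "Payment reminder", ("https://inv0ice-portal.example/pay",)),
    Email("m4", "dave@fabrikam.example", "news@newsletter.example",
          "Weekly digest", ("https://newsletter.example/issue/42",)),
]
CLICKS = [Click("bob@fabrikam.example", "m2", "https://inv0ice-portal.example/login")]
ACTIVITIES = [
    Activity("bob@fabrikam.example", "forwarding_rule", "all mail -> attacker@external.example"),
    Activity("dave@fabrikam.example", "dlp_violation", "card numbers in outbound mail"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(investigate(REPORTED, MAILBOX, CLICKS, ACTIVITIES), indent=2))
```

On the sample data the investigation links `m2` (same sender) and `m3` (same URL host) to the reported message, finds that only bob clicked, and marks bob as likely compromised because a forwarding rule to an external address appeared on his mailbox; dave's DLP violation is ignored because he never received the campaign. The real playbook has far richer signals (campaign data, device telemetry), but the shape of the reasoning is the same.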
