    Automated Investigation and Response for Emails in Office 365



      Summary: When a security alert is triggered on the Office 365 platform, an investigation is started automatically by a security playbook, depending on how you have configured the alert policies. Security playbooks can carry out remediation actions, such as blocking a malicious URL or moving an email to quarantine, on their own; alternatively, you can configure the system for semi-autonomous operation, in which the playbook recommends actions and your team approves them. For oversight, you can track and review all activities in the Microsoft Security & Compliance Center. Furthermore, you can use dedicated email investigation software like Stellar Email Forensic. Together, these steps help ensure that your email environment is protected on all fronts.


      Whenever a security alert is triggered in an organization, the primary responsibility of the security operations center (SOC) team is to take appropriate steps to contain the threat. However, you do not have to handle every threat manually: Office 365's Automated Investigation and Response (AIR) services can take on much of this work.


      Automated Investigation and Response services offer a range of automated investigation processes that use automation and machine learning to handle common threats, especially email threats. Here is how they work:

      • When a security alert is triggered on the Office 365 platform, an investigation is started automatically by a cyber security incident response playbook, depending on how you have configured the alert policies.
      • The playbook can then carry out remediation actions, such as blocking a malicious URL or moving an email to quarantine, on its own. Otherwise, you can configure the system for semi-autonomous operation: the incident response playbook (also called the security playbook) recommends the same actions to your team, and SOC staff approve or reject each step manually. This still saves time, because the team only reviews and approves or dismisses recommended actions instead of triaging each alert from scratch.
      • For oversight, you can track and review every automated and approved action in the Microsoft Security & Compliance Center.

      The automation levels below are set per device group (the page calls them machine groups) in Microsoft Defender ATP, the endpoint side of Microsoft Threat Protection; they decide which remediation actions on files found on those devices run without approval. The options are:

      • Not protected: automated investigation does not run on the device group at all (not recommended).
      • Semi - require approval for any remediation: investigation runs automatically, but every remediation action waits for an analyst's approval.
      • Semi - require approval for non-temp folders remediation: files in temporary folders (such as the Windows temp folder or a user's Downloads folder) are remediated automatically; anything outside those folders waits for approval.
      • Semi - require approval for core folders remediation: files in core operating-system folders (such as the Windows directory) wait for approval; files anywhere else are remediated automatically.
      • Full - remediate threats automatically: all remediation actions run without approval.
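      As an added illustration (not Microsoft's implementation), the functions below encode the five levels as a decision rule so you can check, for a list of files flagged by an investigation, which remediation actions would wait for approval at a given level. The folder classes are assumptions chosen to match the descriptions above (Microsoft's exact folder lists are not given on this page), and the file paths are constructed:

```python
from __future__ import annotations

from pathlib import PureWindowsPath

# The five automation levels described above, in increasing order of autonomy.
LEVELS = ("not_protected", "semi_any", "semi_non_temp", "semi_core", "full")

# Assumed folder classes (illustrative; Microsoft's exact folder sets are not
# spelled out on this page). "*" matches any single path component, e.g. a user name.
TEMP_FOLDERS = (
    r"C:\Windows\Temp",
    r"C:\Users\*\AppData\Local\Temp",
    r"C:\Users\*\Downloads",
)
CORE_FOLDERS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def _under(path: str, folder: str) -> bool:
    """True if `path` lies strictly inside `folder` (case-insensitive, '*' wildcard per component)."""
    parts = PureWindowsPath(path).parts
    want = PureWindowsPath(folder).parts
    if len(parts) <= len(want):
        return False
    return all(w == "*" or p.lower() == w.lower() for p, w in zip(parts, want))


def classify(path: str) -> str:
    """Return 'temp', 'core' or 'other'. Temp is checked first because the
    Windows temp folder is itself inside the core folder C:\\Windows."""
    if any(_under(path, f) for f in TEMP_FOLDERS):
        return "temp"
    if any(_under(path, f) for f in CORE_FOLDERS):
        return "core"
    return "other"


def decision(level: str, path: str) -> str:
    """What happens to a remediation action on `path` under `level`:
    'skip' (no investigation runs), 'auto' (remediated automatically) or 'approval'."""
    if level not in LEVELS:
        raise ValueError(f"unknown automation level: {level}")
    kind = classify(path)
    if level == "not_protected":
        return "skip"
    if level == "semi_any":
        return "approval"
    if level == "semi_non_temp":
        return "auto" if kind == "temp" else "approval"
    if level == "semi_core":
        return "approval" if kind == "core" else "auto"
    return "auto"  # full


def pending_approvals(level: str, paths: list[str]) -> list[str]:
    """The files an analyst would have to approve by hand at this level."""
    return [p for p in paths if decision(level, p) == "approval"]


# Constructed sample of files flagged by one investigation.
SAMPLE_FILES = [
    r"C:\Users\alice\Downloads\invoice.js",
    r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
    r"C:\ProgramData\updater\svc.exe",
    r"C:\Windows\System32\drivers\rogue.sys",
]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, pending_approvals(level, SAMPLE_FILES))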

      What are Security Playbooks?

      Security playbooks are back-end policies that belong to Microsoft Threat Protection. They are activated when a security alert is triggered across the Office 365 platform.

      Microsoft is releasing security playbooks in phases. At the time of writing, Phase 1 is available, with playbooks that recommend actions for user-reported phishing messages, malware detections and similar alerts.

      Email Security Automation Example: Reported Phishing Attack

      Consider a real-world scenario to see how Automated Investigation and Response can aid your team. Say an employee in your organization reports an email message, believing it to be a phishing attempt. This activates a cyber security incident response playbook, which starts analyzing the email for the following:

      • The email sender and the sending infrastructure used.
      • Whether the email is linked to other campaigns.
      • Whether other instances of the email exist and, if so, whether they were blocked or allowed in the past.

      The security playbook processes this information and presents a list of recommended actions to the security team, such as blocking the sender or deleting suspicious attachments. The team can approve or reject these recommendations at its discretion.

      After the security team responds to the recommendations, the playbook begins hunting: it identifies similar email messages that pose a threat and checks with Office 365 Advanced Threat Protection and Exchange Online Protection to see whether similar emails were reported by other users.

      The final step is remediation, which takes the results of the investigation and hunting phases into account. The security playbook proposes remediation steps for you to approve, such as blocking specific URLs or turning off mail forwarding. These steps are meant to prevent the detected threat from recurring.
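      To make the three phases concrete, here is an added illustration, written for this article and not Microsoft's or Stellar's playbook code, that runs the same investigate, hunt, remediate sequence over a constructed message trace. The Message fields, the Authentication-Results parsing and the decision rules are assumptions chosen to match the description above; a real playbook works from Office 365's own signals rather than a hand-built trace:

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|temperror|permerror)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Message:
    """One message-trace row; every value used below is constructed for this example."""
    msg_id: str
    sender: str        # RFC 5322 From address
    sender_ip: str     # connecting MTA address from the topmost Received header
    auth_results: str  # value of the Authentication-Results header
    body: str
    recipient: str
    status: str        # what the filter did on arrival: "delivered" or "blocked"


def parse_auth_results(header: str) -> dict[str, str]:
    """Map each authentication method to its result, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def url_hosts(text: str) -> set[str]:
    """Hostnames of every URL in the text (the unit a URL block acts on)."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}


def investigate(reported: Message) -> dict:
    """Step 1: who sent it, from where, and whether the From domain authorised that host."""
    auth = parse_auth_results(reported.auth_results)
    return {
        "sender": reported.sender.lower(),
        "sender_ip": reported.sender_ip,
        "auth": auth,
        "spoofed": auth.get("spf") in ("fail", "softfail") or auth.get("dmarc") == "fail",
        "url_hosts": url_hosts(reported.body),
    }


def hunt(findings: dict, trace: list[Message], reported_id: str) -> list[Message]:
    """Step 2: other messages sharing the sender, the sending IP or a URL host."""
    return [m for m in trace if m.msg_id != reported_id and (
        m.sender.lower() == findings["sender"]
        or m.sender_ip == findings["sender_ip"]
        or url_hosts(m.body) & findings["url_hosts"])]


def recommend(findings: dict, similar: list[Message]) -> list[str]:
    """Step 3: the remediation list the analyst is asked to approve."""
    prior_blocked = any(m.status == "blocked" for m in similar)
    if not (findings["spoofed"] or prior_blocked):
        return []  # nothing ties the report to known-bad mail: no remediation to approve
    actions = []
    if findings["spoofed"]:
        actions.append(f"block sender {findings['sender']}")
    actions += [f"block url {h}" for h in sorted(findings["url_hosts"])]
    # Copies the filter already blocked need no action; delivered copies are pulled back.
    actions += [f"soft-delete {m.msg_id} from {m.recipient}" for m in similar if m.status == "delivered"]
    return actions


def run_playbook(reported: Message, trace: list[Message], approve=None) -> dict:
    """Run all three steps. `approve(action) -> bool` is the analyst's decision per action
    (semi-autonomous mode); approve=None runs every recommendation (fully autonomous mode)."""
    findings = investigate(reported)
    similar = hunt(findings, trace, reported.msg_id)
    recommended = recommend(findings, similar)
    return {
        "spoofed": findings["spoofed"],
        "url_hosts": sorted(findings["url_hosts"]),
        "similar": [m.msg_id for m in similar],
        "previously_blocked": [m.msg_id for m in similar if m.status == "blocked"],
        "recommended": recommended,
        "executed": [a for a in recommended if approve is None or approve(a)],
    }


# Constructed message trace; m1 is the message the user reported.
TRACE = [
    Message("m1", "it-helpdesk@contoso-support.example", "203.0.113.7",
            "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso-support.example; "
            "dkim=none; dmarc=fail action=none header.from=contoso-support.example",
            "Reset it now: https://contoso-login.example/reset?u=1", "alice@contoso.example", "delivered"),
    Message("m2", "it-helpdesk@contoso-support.example", "203.0.113.7",
            "spf=fail smtp.mailfrom=contoso-support.example; dkim=none; dmarc=fail",
            "Reset it now: https://contoso-login.example/reset?u=2", "bob@contoso.example", "delivered"),
    Message("m3", "billing@vendor-one.example", "203.0.113.7",
            "spf=pass smtp.mailfrom=vendor-one.example; dkim=pass; dmarc=pass",
            "See https://contoso-login.example/reset?u=3 before paying", "carol@contoso.example", "blocked"),
    Message("m4", "news@vendor-two.example", "198.51.100.9",
            "spf=pass smtp.mailfrom=vendor-two.example; dkim=pass; dmarc=pass",
            "This week's digest: https://vendor-two.example/digest", "dave@contoso.example", "delivered"),
]

if __name__ == "__main__":
    # Semi-autonomous run in which the analyst declines the sender block.
    result = run_playbook(TRACE[0], TRACE, approve=lambda a: not a.startswith("block sender"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

      Calling run_playbook with approve=None models the fully autonomous mode; passing an approve callback models the semi-autonomous mode, where each recommendation waits for the team's decision. The path worth noting is the false-positive one: a reported message that neither fails sender authentication nor matches mail the filter previously blocked yields an empty recommendation list, so nothing is blocked on a single user's report alone.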

      Coupling Automated Investigation and Response with Other Security Measures

      Office 365 Automated Investigation and Response can significantly help the security operations center team by handling simple threats with little or no intervention. Combining several mechanisms, however, achieves more comprehensive email security. For instance, you can create mail flow rules that block attachment types commonly used in ransomware attacks and use Microsoft Office 365 Secure Score to find further improvements. You can also use dedicated email investigation software like Stellar Email Forensic. Together these measures help ensure that your email environment is protected on all fronts. Take a free 60-day trial of Stellar Email Forensic software to learn more.

      About The Author

      Abhinav Sethi

      Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.

