MC788953: Microsoft Defender for Office 365: New added feature called the Take action wizard in Threat Explorer.

Announcement IDMC788953Published Date04-29-2024
ServiceMicrosoft365DefenderLast Updated07-05-2024
CategoryStay informedExpiration Date08-05-2024
Roadmap ID393937Action Required by Date
TagsAdmin impact, Feature update


Summary
                Microsoft Defender for Office 365 has introduced a new feature called Take action wizard in Threat Explorer, allowing execution of multiple response actions simultaneously. This enhancement aids in efficient threat remediation, supporting actions like email purging, inline submissions, and Tenant level block actions for up to 100 messages. Rollout began in mid-April 2024 and will complete by late June 2024. Users need the Search and Purge role to perform email purge actions.


More Information

Microsoft Defender for office 365 Services now allows the execution of several response actions simultaneously through the Take action wizard in Threat Explorer/ Realtime detection.

Many Security analyst teams use Threat explorer to execute bulk email remediation actions, and we're enhancing this capability with an improved Take action feature. This feature facilitates a more streamlined and efficient remediation of threats.

With the new Take action wizard, you can perform multiple actions such as purging emails, inline submissions, triggering investigations, and Tenant level block actions together with a single wizard up to 100 messages. Moreover, you can take Tenant level block URL/file actions directly from Threat explorer.

Alternatively, if you want to perform bulk email remediation for more than 100, this new wizard will enable you to do that in an organized manner.

Some of the actions are not available based on the current location of the message, but if there is a conflict, the new experience gives more options and power through toggle. SecOps can use toggle choices to turn them on/off as desired and take proper action.

When this will happen:

General Availability (Worldwide): Rollout began in mid-April 2024 and expect to complete by late June 2024.

General Availability (GCC): On-hold.

How this will affect your organization:

If you are part of the Security Operations team and use Microsoft defender for Office 365 email remediation features, the following are the enhancements for the email entity page and email summary panel:

  • Step 1: Log into the Microsoft 365 Defender portal at https://security.microsoft.com 
  • Step 2: Navigate to Threat Explorer / Real time detection and select the desired emails.
  • Step 3: Click on Take action. Please note that previously, the drop-down menu was called Message actions.
  • A new panel will open (e.g. figure1). Some actions may be unavailable based on the message's latest delivery location.
  • Step 4: Click on I've confirmed as threat to see a new panel and select multiple entities to block. You can also select multiple entities to block. Please note that Tenant level allow, and block (TABL) actions are under Submissions. 
  • STEP 5: Select target entities.
  • STEP 6: Review and submit your actions.

The available actions in the Take action wizard in Threat Explorer (Defender for Office 365 Plan 2) and Real-time detections (Defender for Office 365 Plan 1) are listed in the following:

Action under Threat explorer 

  • Move to mailbox folder. 
  • Submit to Microsoft for review. 
  • Allow or block entries in the Tenant Allow/Block List
  • Initiate automated investigation. 
  • Propose remediation. 

Action under Real-time Detections

  • Submit to Microsoft for review.
  • Allow or block entries in the Tenant Allow/Block List

¹ This action requires the Search and Purge role in email & collaboration permissions. By default, this role is assigned only to the Data Investigator and Organization Management role groups. You can add users to those role groups, or you can create a new role group with the Search and Purge role assigned and add the users to the custom role group.

What you need to do to prepare:

To perform email purge actions from the email entity page, you are required to have the Search and Purge role, as well as the necessary permissions within the Microsoft 365 Defender portal.

    Previous Post Next Post