Microsoft is making two categories of automated incident response generally available. The first consists of automatic investigations that start in response to new alerts, such as users reporting phishing email, users clicking on a link determined to be malicious, malware being detected in received email, and phishing email that has landed in a user's mailbox.
The second category consists of manually initiated investigations that use Microsoft's 'automated playbook' sequences for different scenarios and attack types.
For example, one playbook helps security analysts respond to user reports of phishing email, while the 'weaponized URL playbook' assists in the response to a URL found to be malicious. Security analysts can launch these investigations through Microsoft's Threat Explorer tool.
The playbooks "correlate similar emails sent or received within the organization and any suspicious activities for relevant users". The playbooks also flag suspicious activities on user accounts, such as mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.
Overall, the playbooks aim to help analysts quickly contain a threat, for example by locking down accounts and devices and requiring multi-factor authentication, and ultimately remove it.
The investigation dashboard shows the investigation number, the time it started and ended, the pending actions required, and the users, devices and emails investigated.
The automated incident response features are available to organizations with Office 365 ATP Plan 2, which costs $5 per user a month, as well as the Office 365 Enterprise E5 tier, which costs $35 per user a month.
Both require contracts of one year. The features are also available in the Microsoft 365 E5 Security bundle.