New alert policies in Microsoft Defender for Office 365
Microsoft Defender for Office 365 is introducing new and improved alert policies related to post-delivery detections. This includes enhancements to the Automated Investigation & Response (AIR) playbooks associated with them. In addition, we're modifying the severity classification for six default alert policies to better align the alerts generated by these policies with their impact on your organization.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Post-delivery detections
We'll be introducing four new default alert policies related to post-delivery detections after the Microsoft Defender for Office 365 Zero-hour auto purge (ZAP) removes messages from an inbox. These four new alert policies will replace two existing default alert policies that cover ZAP scenarios and will provide organizations enhanced details about the underlying detection and related indicators. These alerts (and the AIR playbooks that will be triggered from these alerts) will accurately capture the threats of the emails and entities, including if the URL points to a malicious file or if the file contains a malicious URL.
The following table lists the new alert policies and the existing alert policies that will be removed. See the How this will affect your organization section for details about the rollout.
| New or existing alert policy | Alert policy name | Alert policy ID |
|---|---|---|
| New | Email messages containing malicious URL removed after delivery | 8e6ba277-ef39-404e-aaf1-294f6d9a2b88 |
| New | Email messages containing malicious file removed after delivery | 4b1820ec-39dc-45f3-abf6-5ee80df51fd2 |
| New | Email messages from a campaign were delivered and later removed | c8522cbb-9368-4e25-4ee9-08d8d899dfab |
| New | Email messages removed after delivery | b8f6b088-5487-4c70-037c-08d8d71a43fe |
| Existing (will be removed) | Email messages containing phish URLs removed after delivery | EA8169FA-0678-4751-8854-AEBEA7ADECEB |
| Existing (will be removed) | Email messages containing malware removed after delivery | 0179B3F7-3FDA-40C3-8F24-278563978DBB |
Alert severity enhancements
For the following table identifies the default alert policies whose severity classifications are being modified. We're changing the severity classification for these alert policies to better align with the potential risk and impact on your organization and to help your security teams prioritize the alerts generated by these policies.
| Alert | Alert policy ID | Old severity | New severity |
|---|---|---|---|
| Suspicious email forwarding activity | BFD48F06-0865-41A6-85FF-ADB746423EBF | Medium | High |
| Email reported by user as malware or phish | B26A5770-0C38-434A-9380-3A3C2C27BBB3 | Informational | Low |
| Unusual increase in email reported as phish | A00D8C62-9320-4EEA-A7E5-966B9AC09558 | High | Medium |
| Admin Submission result completed | AE9B83DD-6039-4EA9-B675-6B0AC3BF4A41 | Low | Informational |
| Creation of forwarding/redirect rule | D59A8FD4-1272-41EE-9408-86F7BCF72479 | Low | Informational |
| eDiscovery search started or exported | 6FDC5710-3998-47F0-AFBB-57CEFD7378A | Medium | Informational |
When will these changes happen
The following table identifies when the new alert policies will begin triggering post-delivery alerts. The table also identifies when the two existing alert policies will be removed.
| Alert policy | Date |
|---|---|
| Email messages containing malicious URL removed after delivery (new) | Alerts will start triggering on April 11, 2021 |
| Email messages containing malicious file removed after delivery (new) | Alerts will start triggering on April 11, 2021 |
| Emails messages from a campaign were delivered and later removed (new) | Alerts will start triggering on May 28, 2021 |
| Malicious emails were delivered and later removed (new) | Alerts will start triggering on May 28, 2021 |
| Email messages containing phish URLs removed after delivery (existing, will be removed) | The alert policy was removed in June 2021. See the What you need to do to prepare for these changes section. |
| Email messages containing malware removed after delivery (existing, will be removed) | The alert policy was removed in June 2021. See the What you need to do to prepare for these changes section. |
The alert severity changes will be rolled out to all organizations by May 14, 2021.
How this will affect your organization
The new alerts will begin firing, and triggering the AIR investigations in your organization on the dates listed above. To reduce the impact on security organizations that have operationalized the two alerts that are to be removed, you'll see alerts triggered by the existing alert policies and the alerts triggered by the new alert policies between April 5, 2021 and May 28, 2021. This is to provide security teams with time to handle the required changes. To help security teams with the increased alert volume during this short duration, both the existing alerts and the new alerts will be correlated into the same AIR investigation and correlated into a same Incident. More specifically, this includes the following behavior for alerts, AIR investigations, and Incidents:
Alerts: By design, you'll see the following alert pairs across the existing and new alerts:
Email messages containing phish URLs removed after delivery AND Email messages containing malicious URL removed after delivery
Email messages containing malware removed after delivery AND Email messages containing malicious file removed after delivery
For more information about managing these alert pairs, see the What you need to do to prepare for these changes section.
AIR Investigations: Alerts will be correlated into a single AIR Investigation, with one of the alerts classified as "triggering" and the other as "repeated".
Incidents: Both alerts will correlate into the same Incident
What you need to do to prepare for these changes
How your organization utilizes these alerts will determine what you need to do to prepare. If you've operationalized the alerts and are using or consuming them either through an API, an alert email notification, or in the Microsoft Purview compliance portal or the Microsoft Defender portal, you'll need to modify your workflows.
If you haven't operationalized these alerts, you can do one of the following:
Disable the following alert policies (that are being removed) to reduce alert volume in your organization:
Email messages containing phish URLs removed after delivery
Email messages containing malware removed after delivery
Do nothing. We'll disable the existing alert policies on May 28, 2021.
If you have operationalized these alerts:
Start consuming the new alerts as a part of your workflows, in anticipation of the existing alert policy removal on May 28, 2021. If you have custom logic in your ticketing system, a security mailbox where you receive alert email notifications, or a SIEM solution that depends on the alert name or alert policy ID (CorrelationId), you'll need to modify the logic to accommodate the change.
Note
The information in the alerts, investigations, and incidents has not changed. In fact, this information has been enhanced with additional detail about the threats associated with them.
After you've made the modifications, you can disable the existing alert policies to reduce alert volume in your organization:
Email messages containing phish URLs removed after delivery
Email messages containing malware removed after delivery
Alternatively, you can leave these alert policies enabled until we delete them on May 28, 2021.