Microsoft Defender for Office 365 Security Operations Guide

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

This article gives an overview of the requirements and tasks for successfully operating Microsoft Defender for Office 365 in your organization. These tasks help ensure that your security operations center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to email and collaboration-related security threats.

The rest of this guide describes the required activities for SecOps personnel. The activities are grouped into prescriptive daily, weekly, monthly, and ad-hoc tasks.

A companion article to this guide provides an overview of managing incidents and alerts from Defender for Office 365 on the Incidents page in the Microsoft 365 Defender portal.

The Microsoft 365 Defender Security Operations Guide contains additional information that you can use for planning and development.

For a video about this information, see https://youtu.be/eQanpq9N1Ps.

Daily activities

Monitor the Microsoft 365 Defender Incidents queue

The Incidents page in the Microsoft 365 Defender portal at https://security.microsoft.com/incidents-queue (also known as the Incidents queue) allows you to manage and monitor events from the following sources in Defender for Office 365:

For more information about the Incidents queue, see Prioritize incidents in Microsoft 365 Defender.

Your triage plan for monitoring the Incidents queue should use the following order of precedence for incidents:

  1. A potentially malicious URL click was detected.
  2. User restricted from sending email.
  3. Suspicious email sending patterns detected.
  4. Email reported by user as malware or phish, and Multiple users reported email as malware or phish.
  5. Email messages containing malicious file removed after delivery, Email messages containing malicious URL removed after delivery, and Email messages from a campaign removed after delivery.
  6. Phish delivered due to an ETR override, Phish delivered because a user's Junk Mail folder is disabled, and Phish delivered due to an IP allow policy.
  7. Malware not zapped because ZAP is disabled and Phish not zapped because ZAP is disabled.
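As an added example (not code from this article or from Microsoft), the following Python script applies this order of precedence to a batch of incidents. It assumes records shaped like the Microsoft 365 Defender Incidents API response (incidentId, severity, status, createdTime, and a list of alerts with a title); the sample incidents are constructed.

```python
"""Order open Microsoft 365 Defender incidents by the Defender for Office 365
triage precedence (tier 1 first), then by incident severity, then by age.

Added example, not Microsoft's code. Assumes incident records shaped like the
Microsoft 365 Defender Incidents API response (incidentId, severity, status,
createdTime, alerts[].title); the sample incidents below are constructed.
"""

# Alert titles grouped into the seven precedence tiers of the triage plan.
TRIAGE_TIERS = [
    ("A potentially malicious URL click was detected",),
    ("User restricted from sending email",),
    ("Suspicious email sending patterns detected",),
    ("Email reported by user as malware or phish",
     "Multiple users reported email as malware or phish"),
    ("Email messages containing malicious file removed after delivery",
     "Email messages containing malicious URL removed after delivery",
     "Email messages from a campaign removed after delivery"),
    ("Phish delivered due to an ETR override",
     "Phish delivered because a user's Junk Mail folder is disabled",
     "Phish delivered due to an IP allow policy"),
    ("Malware not zapped because ZAP is disabled",
     "Phish not zapped because ZAP is disabled"),
]
UNRANKED = len(TRIAGE_TIERS) + 1  # alerts the plan does not name sort after all tiers
_TIER_BY_TITLE = {title.lower(): tier
                  for tier, titles in enumerate(TRIAGE_TIERS, start=1) for title in titles}
_SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "informational": 3}


def alert_tier(alert: dict) -> int:
    """Precedence tier (1 = triage first) of one alert, looked up by its title."""
    return _TIER_BY_TITLE.get(alert.get("title", "").strip().lower(), UNRANKED)


def incident_tier(incident: dict) -> int:
    """An incident inherits the best (lowest) tier of any alert it contains."""
    return min((alert_tier(a) for a in incident.get("alerts", [])), default=UNRANKED)


def needs_triage(incident: dict) -> bool:
    """The daily check covers unresolved Medium and High severity incidents."""
    return (incident.get("status", "").lower() != "resolved"
            and incident.get("severity", "").lower() in ("high", "medium"))


def triage_order(incidents: list) -> list:
    """Return the incidents that need triage, in the order the SOC should work them."""
    def key(inc):
        return (incident_tier(inc),
                _SEVERITY_RANK.get(inc.get("severity", "").lower(), 9),
                inc.get("createdTime", ""))  # ISO 8601 strings sort chronologically
    return sorted(filter(needs_triage, incidents), key=key)


# Constructed sample shaped like an Incidents API response, not real tenant data.
SAMPLE_INCIDENTS = [
    {"incidentId": 101, "severity": "Medium", "status": "Active",
     "createdTime": "2023-05-01T08:00:00Z",
     "alerts": [{"title": "Phish delivered due to an ETR override"}]},
    {"incidentId": 102, "severity": "High", "status": "Active",
     "createdTime": "2023-05-01T09:30:00Z",
     "alerts": [{"title": "Email reported by user as malware or phish"},
                {"title": "A potentially malicious URL click was detected"}]},
    {"incidentId": 103, "severity": "Medium", "status": "Active",
     "createdTime": "2023-05-01T07:15:00Z",
     "alerts": [{"title": "Multiple users reported email as malware or phish"}]},
    {"incidentId": 104, "severity": "High", "status": "Resolved",
     "createdTime": "2023-04-30T12:00:00Z",
     "alerts": [{"title": "User restricted from sending email"}]},
    {"incidentId": 105, "severity": "Medium", "status": "Active",
     "createdTime": "2023-05-01T06:00:00Z",
     "alerts": [{"title": "Malware not zapped because ZAP is disabled"}]},
]

if __name__ == "__main__":
    for inc in triage_order(SAMPLE_INCIDENTS):
        print(inc["incidentId"], inc["severity"], "tier", incident_tier(inc))
```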

Incident queue management and the responsible personas are described in the following table:

Activity: Triage incidents in the Incidents queue at https://security.microsoft.com/incidents-queue.
Cadence: Daily
Description: Verify that all Medium and High severity incidents from Defender for Office 365 are triaged.
Persona: Security Operations Team

Activity: Investigate and take response actions on incidents.
Cadence: Daily
Description: Investigate all incidents and actively take the recommended or manual response actions.
Persona: Security Operations Team

Activity: Resolve incidents.
Cadence: Daily
Description: If the incident has been remediated, resolve the incident. Resolving the incident resolves all linked and related active alerts.
Persona: Security Operations Team

Activity: Classify incidents.
Cadence: Daily
Description: Classify incidents as true or false. For true alerts, specify the threat type. This classification helps your security team see threat patterns and defend your organization from them.
Persona: Security Operations Team

Manage false positive and false negative detections

In Defender for Office 365, you manage false positives (good mail marked as bad) and false negatives (bad mail allowed) in the following locations:

For more information, see the Manage false positive and false negative detections section later in this article.

False positive and false negative management and the responsible personas are described in the following table:

Activity: Submit false positives and false negatives to Microsoft at https://security.microsoft.com/reportsubmission.
Cadence: Daily
Description: Provide signals to Microsoft by reporting incorrect email, URL, and file detections.
Persona: Security Operations Team

Activity: Analyze admin submission details.
Cadence: Daily
Description: Understand the following factors for the submissions you make to Microsoft:
  • What caused the false positive or false negative.
  • The state of your Defender for Office 365 configuration at the time of the submission.
  • Whether you need to make changes to your Defender for Office 365 configuration.
Persona: Security Operations Team; Security Administration

Activity: Add block entries in the Tenant Allow/Block List at https://security.microsoft.com/tenantAllowBlockList.
Cadence: Daily
Description: Use the Tenant Allow/Block List to add block entries for false negative URL, file, or sender detections as needed.
Persona: Security Operations Team

Activity: Release false positives from quarantine.
Cadence: Daily
Description: After the recipient confirms that the message was incorrectly quarantined, you can release or approve release requests for users. To control what users can do to their own quarantined messages (including release or request release), see Quarantine policies.
Persona: Security Operations Team; Messaging Team

Review phishing and malware campaigns that resulted in delivered mail

Activity: Review email campaigns.
Cadence: Daily
Description: Review email campaigns that targeted your organization at https://security.microsoft.com/campaigns. Focus on campaigns that resulted in messages being delivered to recipients. Remove messages from campaigns that exist in user mailboxes. This action is required only when a campaign contains email that hasn't already been remediated by actions from incidents, zero-hour auto purge (ZAP), or manual remediation.
Persona: Security Operations Team

Weekly activities

In Defender for Office 365, you can use the following reports to review email detection trends in your organization:

Activity: Review email detection reports at:
Cadence: Weekly
Description: Review email detection trends for malware, phishing, and spam as compared to good email. Observation over time allows you to see threat patterns and determine whether you need to adjust your Defender for Office 365 policies.
Persona: Security Administration; Security Operations Team

Track and respond to emerging threats using Threat analytics

Use Threat analytics to review active, trending threats.

Activity: Review threats in Threat analytics at https://security.microsoft.com/threatanalytics3.
Cadence: Weekly
Description: Threat analytics provides detailed analysis, including the following items:
  • IOCs.
  • Hunting queries about active threat actors and their campaigns.
  • Popular and new attack techniques.
  • Critical vulnerabilities.
  • Common attack surfaces.
  • Prevalent malware.
Persona: Security Operations Team; Threat hunting team

Review top targeted users for malware and phishing

Use the Top targeted users tab in Threat Explorer to discover or confirm the users who are the top targets for malware and phishing email.

Activity: Review the Top targeted users tab in Threat Explorer at https://security.microsoft.com/threatexplorer.
Cadence: Weekly
Description: Use the information to decide if you need to adjust policies or protections for these users. Add the affected users to Priority accounts to gain the benefits described under Review priority account membership later in this article.
Persona: Security Administration; Security Operations Team

Review top malware and phishing campaigns that target your organization

Campaign Views reveals malware and phishing attacks against your organization. For more information, see Campaign Views in Microsoft Defender for Office 365.

Activity: Use Campaign Views at https://security.microsoft.com/campaigns to review malware and phishing attacks that affect you.
Cadence: Weekly
Description: Learn about the attacks and techniques and what Defender for Office 365 was able to identify and block. Use Download threat report in Campaign Views for detailed information about a campaign.
Persona: Security Operations Team

Ad-hoc activities

Manual investigation and removal of email

Activity: Investigate and remove bad email in Threat Explorer at https://security.microsoft.com/threatexplorer based on user requests.
Cadence: Ad-hoc
Description: Use the Trigger investigation action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including:
  • A root investigation.
  • Steps to identify and correlate threats.
  • Recommended actions to mitigate those threats.

For more information, see Example: A user-reported phish message launches an investigation playbook.

Or, you can use Threat Explorer to manually investigate email with powerful search and filtering capabilities and take manual response action directly from the same place. Available manual actions:
  • Move to Inbox
  • Move to Junk
  • Move to Deleted items
  • Soft delete
  • Hard delete
Persona: Security Operations Team

Proactively hunt for threats

Activity: Regular, proactive hunting for threats at:
Cadence: Ad-hoc
Description: Search for threats using Threat Explorer and Advanced hunting.
Persona: Security Operations Team; Threat hunting team

Activity: Share hunting queries.
Cadence: Ad-hoc
Description: Actively share frequently used, useful queries within the security team for faster manual threat hunting and remediation. Use Threat trackers and shared queries in Advanced hunting.
Persona: Security Operations Team; Threat hunting team

Activity: Create custom detection rules at https://security.microsoft.com/custom_detection.
Cadence: Ad-hoc
Description: Create custom detection rules to proactively monitor events, patterns, and threats based on Defender for Office 365 data in Advanced hunting. Detection rules contain advanced hunting queries that generate alerts based on the matching criteria.
Persona: Security Operations Team; Threat hunting team

Review Defender for Office 365 policy configurations

Activity: Review the configuration of Defender for Office 365 policies at https://security.microsoft.com/configurationAnalyzer.
Cadence: Ad-hoc; Monthly
Description: Use the Configuration analyzer to compare your existing policy settings to the recommended Standard or Strict values for Defender for Office 365. The Configuration analyzer identifies accidental or malicious changes that can lower your organization's security posture. Or you can use the PowerShell-based ORCA tool.
Persona: Security Administration; Messaging Team

Activity: Review detection overrides in Defender for Office 365 at https://security.microsoft.com/reports/TPSMessageOverrideReportATP.
Cadence: Ad-hoc; Monthly
Description: Use the View data by System override > Chart breakdown by Reason view in the Threat Protection status report to review email that was detected as phishing but delivered due to policy or user override settings. Actively investigate, remove, or fine-tune overrides to avoid delivery of email that was determined to be malicious.
Persona: Security Administration; Messaging Team

Review spoof and impersonation detections

Activity: Review the Spoof intelligence insight and the Impersonation detection insights at:
Cadence: Ad-hoc; Monthly
Description: Use the spoof intelligence insight and the impersonation insight to adjust filtering for spoof and impersonation detections.
Persona: Security Administration; Messaging Team

Review priority account membership

Activity: Review who's defined as a priority account at https://security.microsoft.com/securitysettings/userTags.
Cadence: Ad-hoc
Description: Keep the membership of priority accounts current with organizational changes to get the following benefits for those users:
  • Better visibility in reports.
  • Filtering in incidents and alerts.
  • Tailored heuristics for executive mail flow patterns (priority account protection).

Use custom user tags for other users to get:
  • Better visibility in reports.
  • Filtering in incidents and alerts.
Persona: Security Operations Team

Appendix

Learn about Microsoft Defender for Office 365 tools and processes

Security operations and response team members need to integrate Defender for Office 365 tools and features into existing investigations and response processes. Learning about new tools and capabilities can take time but it's a critical part of the on-boarding process. The simplest way for SecOps and email security team members to learn about Defender for Office 365 is to use the training content that's available as part of the Ninja training content at https://aka.ms/mdoninja.

The content is structured for different knowledge levels (Fundamentals, Intermediate, and Advanced) with multiple modules per level.

Short videos for specific tasks are also available in the Microsoft Defender for Office 365 YouTube channel.

Permissions for Defender for Office 365 activities and tasks

Permissions for managing Defender for Office 365 in the Microsoft 365 Defender portal and PowerShell are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services. For more information, see Permissions in the Microsoft 365 Defender portal.

Note

Privileged Identity Management (PIM) in Azure AD is also a way to assign required permissions to SecOps personnel. For more information, see Privileged Identity Management (PIM) and why to use it with Microsoft Defender for Office 365.

The following permissions (roles and role groups) are available in Defender for Office 365 and can be used to grant access to security team members:

  • Azure AD roles: Centralized roles that assign permissions for all Microsoft 365 services, including Defender for Office 365. You can view the Azure AD roles and assigned users in the Microsoft 365 Defender portal, but you can't manage them directly there. Instead, you manage Azure AD roles and members at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators. The most frequent roles used by security teams are:

    • Security administrator
    • Security operator
    • Security reader
  • Email & collaboration roles: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles are not available in Azure AD, but can be important for security teams:

    • Preview role: Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages in cloud mailboxes using the email entity page.

      By default, this role is assigned only to the following role groups:

      • Data Investigator
      • eDiscovery Manager

      To assign this role to a new or existing role group, see Modify Email & collaboration role membership in the Microsoft 365 Defender portal.

    • Search and Purge role: Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer.

      By default, this role is assigned only to the following role groups:

      • Data Investigator
      • Organization Management

      To assign this role to a new or existing role group, see Modify Email & collaboration role membership in the Microsoft 365 Defender portal.

    • Tenant AllowBlockList Manager: Manage allow and block entries in the Tenant Allow/Block List. Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.

      By default, this role is assigned only to the Security Operator role group. But, members of the Security Administrators and Organization management role groups can also manage entries in the Tenant Allow/Block List.

SIEM/SOAR integration

Defender for Office 365 exposes most of its data through a set of programmatic APIs. These APIs help you automate workflows and make full use of Defender for Office 365 capabilities. Data is available through the Microsoft 365 Defender APIs and can be used to integrate Defender for Office 365 into existing SIEM/SOAR solutions.

  • Incident API: Defender for Office 365 alerts and automated investigations are active parts of incidents in Microsoft 365 Defender. Security teams can focus on what's critical by grouping the full attack scope and all impacted assets together.

  • Event streaming API: Allows shipping of real-time events and alerts into a single data stream as they happen. Supported Defender for Office 365 event types include:

    The events contain data from processing all email (including intra-org messages) in the last 30 days.

  • Advanced hunting API: Allows cross-product threat hunting.

  • Threat Assessment API: Can be used to report spam, phishing URLs, or malware attachments directly to Microsoft.

To connect Defender for Office 365 incidents and raw data with Microsoft Sentinel, you can use the Microsoft 365 Defender (M365D) connector.

You can use this simple "Hello World" example to test API access to Microsoft Defender APIs: Hello World for Microsoft 365 Defender REST API.

For more information about SIEM tool integration, see Integrate your SIEM tools with Microsoft 365 Defender.

Address false positives and false negatives in Defender for Office 365

User reported messages and admin submissions of email messages are critical positive reinforcement signals for our machine learning detection systems. Submissions help us review, triage, rapidly learn, and mitigate attacks. Actively reporting false positives and false negatives is an important activity that provides feedback to Defender for Office 365 when mistakes are made during detection.

Organizations have multiple options for configuring user reported messages. Depending on the configuration, security teams might have more active involvement when users submit false positives or false negatives to Microsoft:

  • User reported messages are sent to Microsoft for analysis when the user reported message settings are configured with either of the following settings:

    • Send the reported messages to: Microsoft only.
    • Send the reported messages to: Microsoft and my reporting mailbox.

    Security team members should make ad-hoc admin submissions for false positives or false negatives that were discovered by the operations teams but not reported by users.

  • When user reported messages are configured to send messages only to the organization's mailbox, security teams should actively send user-reported false positives and false negatives to Microsoft via admin submissions.

Whenever a user reports a message as phishing, Defender for Office 365 generates an alert and the alert will trigger an AIR playbook. Incident logic will correlate this information to other alerts and events where possible. This consolidation of information helps security teams triage, investigate, and respond to user reported messages.

User reported messages and admin submissions are handled by Microsoft's submission pipeline, which follows a tightly integrated process. This process includes:

  • Noise reduction.
  • Automated triage.
  • Grading by security analysts and human-partnered machine learning-based solutions.

For more information, see Reporting an email in Defender for Office 365 - Microsoft Tech Community.

Security team members can do submissions from multiple locations in the Microsoft 365 Defender portal at https://security.microsoft.com:

  • Admin submission: Use the Submissions portal to submit suspected spam, phishing, URLs, and files to Microsoft.

  • Directly from Threat Explorer using one of the following message actions:

    • Report clean
    • Report phishing
    • Report malware
    • Report spam

    You can select up to 10 messages to perform a bulk submission. Admin submissions created this way are also visible in the Submissions portal.

For the short-term mitigation of false negatives, security teams can directly manage block entries for files, URLs, and domains or email addresses in the Tenant Allow/Block List.

For the short-term mitigation of false positives, security teams can't directly manage allow entries for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use admin submissions to report the email message as a false positive. For instructions, see Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal.

Quarantine in Defender for Office 365 holds potentially dangerous or unwanted messages and files. Security teams can view, release, and delete all types of quarantined messages for all users. This capability enables security teams to respond effectively when a false positive message or file is quarantined.

Integrate third-party reporting tools with Defender for Office 365 user reported messages

If your organization uses a third-party reporting tool that allows users to internally report suspicious email, you can integrate the tool with the user reported message capabilities of Defender for Office 365. This integration provides the following benefits to security teams:

  • Integration with the AIR capabilities of Defender for Office 365.
  • Simplified triage.
  • Reduced investigation and response time.

Designate the reporting mailbox where user reported messages are sent on the User reported page in the Microsoft 365 Defender portal at https://security.microsoft.com/securitysettings/userSubmission. For more information, see user reported message settings.

Note

  • The reporting mailbox must be an Exchange Online mailbox.
  • The third-party reporting tool must include the original reported message as an uncompressed .EML or .MSG attachment in the message that's sent to the reporting mailbox (don't just forward the original message to the reporting mailbox).
  • The reporting mailbox requires specific prerequisites to allow potentially bad messages to be delivered without being filtered or altered. For more information, see Configuration requirements for the reporting mailbox.
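As an added example (not Microsoft's or any reporting tool's code), the following Python script builds a report that meets the attachment requirement above and checks an incoming report for it. The reporting mailbox address and both sample messages are constructed.

```python
"""Build a report for the Defender for Office 365 reporting mailbox that carries
the user-reported email as an uncompressed .EML attachment (not a forward), and
check an incoming report for that requirement.

Added example, not Microsoft's or any reporting tool's code. The reporting
mailbox address and both sample messages are constructed for illustration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

REPORTING_MAILBOX = "user-reports@contoso.example"  # constructed, not a real mailbox

# Constructed message a user reported, as the raw RFC 5322 bytes the tool captured.
REPORTED_RAW = b"""From: "Payroll" <payroll@lookalike.example>
To: alice@contoso.example
Subject: Action required: update your direct deposit
Message-ID: <c0ffee.1234@lookalike.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please confirm your banking details at the link below.
"""

# Constructed example of the wrong approach: a plain forward drops the original
# headers, so the reporting mailbox has nothing to analyze.
FORWARDED_RAW = b"""From: alice@contoso.example
To: user-reports@contoso.example
Subject: FW: Action required: update your direct deposit
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

---------- Forwarded message ----------
From: "Payroll" <payroll@lookalike.example>
Please confirm your banking details at the link below.
"""


def build_report(reported_raw: bytes, reporter: str, verdict: str = "phish") -> EmailMessage:
    """Wrap the original message, headers intact, as a message/rfc822 part named
    reported.eml. No compression, so the reporting mailbox can read it as-is."""
    original = BytesParser(policy=policy.default).parsebytes(reported_raw)
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = reporter
    report["To"] = REPORTING_MAILBOX
    report["Subject"] = f"[User reported {verdict}] {original['Subject']}"
    report.set_content(f"{reporter} reported the attached message as {verdict}.")
    report.add_attachment(original, filename="reported.eml")  # message/rfc822, 8bit
    return report


def find_reported_message(report_raw: bytes):
    """Return the attached original message, or None when the report forwards the
    text instead of attaching an uncompressed .EML/.MSG file."""
    report = BytesParser(policy=policy.default).parsebytes(report_raw)
    for part in report.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in ("application/zip", "application/gzip") or name.endswith((".zip", ".gz")):
            continue  # compressed: the reporting mailbox cannot process it
        if ctype == "message/rfc822" and name.endswith(".eml"):
            return part.get_content()  # nested EmailMessage with its own headers
        if name.endswith(".msg"):
            return part  # Outlook .MSG is binary; hand it to a MAPI parser
    return None


if __name__ == "__main__":
    good = build_report(REPORTED_RAW, "alice@contoso.example").as_bytes()
    print("attached:", find_reported_message(good)["Subject"])
    print("forwarded:", find_reported_message(FORWARDED_RAW))
```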

When a user reported message arrives in the reporting mailbox, Defender for Office 365 automatically generates the alert named Email reported by user as malware or phish. This alert launches an AIR playbook. The playbook performs a series of automated investigation steps:

  • Gather data about the specified email.
  • Gather data about the threats and entities related to that email. Entities can include files, URLs, and recipients.
  • Provide recommended actions for the SecOps team to take based on the investigation findings.

Email reported by user as malware or phish alerts, automated investigations, and their recommended actions are automatically correlated to incidents in Microsoft 365 Defender. This correlation further simplifies the triage and response process for security teams. If multiple users report the same or similar messages, all of the users and messages are correlated into the same incident.

Data from alerts and investigations in Defender for Office 365 is automatically compared to alerts and investigations in the other Microsoft 365 Defender products:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Identity

If a relationship is discovered, the system creates an incident that gives visibility for the entire attack.