This article gives an overview of the requirements and tasks for successfully operating Microsoft Defender for Office 365 in your organization. These tasks help ensure that your security operations center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to email and collaboration-related security threats.
The rest of this guide describes the required activities for SecOps personnel. The activities are grouped into prescriptive daily, weekly, monthly, and ad-hoc tasks.
Monitor the Microsoft Defender XDR Incidents queue
The Incidents page in the Microsoft Defender portal at https://security.microsoft.com/incidents (also known as the Incidents queue) allows you to manage and monitor events from the following sources in Defender for Office 365:
Your triage plan for monitoring the Incidents queue should use the following order of precedence for incidents:
A potentially malicious URL click was detected.
User restricted from sending email.
Suspicious email sending patterns detected.
Email reported by user as malware or phish, and Multiple users reported email as malware or phish.
Email messages containing malicious file removed after delivery, Email messages containing malicious URL removed after delivery, and Email messages from a campaign removed after delivery.
Phish delivered due to an ETR override, Phish delivered because a user's Junk Mail folder is disabled, and Phish delivered due to an IP allow policy.
Malware not zapped because ZAP is disabled and Phish not zapped because ZAP is disabled.
Incident queue management and the responsible personas are described in the following table:

| Activity | Cadence | Description | Persona |
| --- | --- | --- | --- |
| Triage incidents in the Incidents queue. | Daily | Verify that all Medium and High severity incidents from Defender for Office 365 are triaged. | Security Operations Team |
| Investigate and take Response actions on incidents. | Daily | Investigate all incidents and actively take the recommended or manual response actions. | Security Operations Team |
| Resolve incidents. | Daily | If the incident has been remediated, resolve the incident. Resolving the incident resolves all linked and related active alerts. | Security Operations Team |
| Classify incidents. | Daily | Classify incidents as true positives or false positives. For true positives, specify the threat type. This classification helps your security team see threat patterns and defend your organization from them. | Security Operations Team |
Manage false positive and false negative detections
Remove messages from campaigns that exist in user mailboxes. This action is required only when a campaign contains email that hasn't already been remediated by actions from incidents, zero-hour auto purge (ZAP), or manual remediation.
Security Operations Team
Weekly activities
Review email detection trends in Defender for Office 365 reports
In Defender for Office 365, you can use the following reports to review email detection trends in your organization:
Review email detection trends for malware, phishing, and spam as compared to good email. Observation over time allows you to see threat patterns and determine whether you need to adjust your Defender for Office 365 policies.
Security Administration
Security Operations Team
Track and respond to emerging threats using Threat analytics
Threat analytics provides detailed analysis, including the following items:
IOCs.
Hunting queries about active threat actors and their campaigns.
Popular and new attack techniques.
Critical vulnerabilities.
Common attack surfaces.
Prevalent malware.
Security Operations Team
Threat hunting team
Review top targeted users for malware and phishing
Use the Top targeted users tab (view) in the details area of the All email, Malware, and Phish views in Threat Explorer to discover or confirm the users who are the top targets for malware and phishing email.
Use the information to decide if you need to adjust policies or protections for these users. Add the affected users to Priority accounts to gain the following benefits:
Additional visibility when incidents affect them.
Tailored heuristics for executive mail flow patterns (priority account protection).
Learn about the attacks and techniques and what Defender for Office 365 was able to identify and block.
Use Download threat report in Campaign Views for detailed information about a campaign.
Security Operations Team
Ad-hoc activities
Tip
For a quick overview on how to investigate email messages in Microsoft Defender for Office 365, check out this short video: https://youtu.be/5hA7VfaMvqs.
Use the Trigger investigation action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including:
Create custom detection rules to proactively monitor events, patterns, and threats based on Defender for Office 365 data in advanced hunting. Detection rules contain advanced hunting queries that generate alerts when results match the rule's criteria.
Security Operations Team
Threat hunting team
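The following PowerShell is an added example and is not code from the original article or from Microsoft. It runs an advanced hunting query over EmailEvents through the Microsoft Graph security API so an analyst can check the result set before saving the same KQL as a custom detection rule in the Defender portal. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the ThreatHunting.Read.All permission, and that the EmailEvents column names (OrgLevelPolicy, UserLevelPolicy, DeliveryAction, ThreatTypes) match the schema in your tenant.

```powershell
# Added example (not from the original article): test a hunting query via Microsoft Graph
# before turning it into a custom detection rule in the Defender portal.
# Assumes the Microsoft.Graph SDK and the ThreatHunting.Read.All delegated permission.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

# KQL: phishing-classified mail that still reached a mailbox because an org-level or
# user-level policy (for example an ETR or an allow entry) overrode the verdict.
# Timestamp, ReportId and NetworkMessageId/RecipientEmailAddress are the columns a
# custom detection rule requires in its results, so they are projected explicitly.
$query = @'
EmailEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered"
| where isnotempty(OrgLevelPolicy) or isnotempty(UserLevelPolicy)
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, OrgLevelAction, OrgLevelPolicy,
          UserLevelAction, UserLevelPolicy
'@

# The hashtable body is serialized to JSON by Invoke-MgGraphRequest.
$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $query } -ContentType "application/json"

# Results are returned as an array of hashtables keyed by column name.
$hits = @($response.results)
Write-Host ("{0} phishing messages delivered under a policy override in the last 24h" -f $hits.Count)

$hits | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.Timestamp
        Recipient = $_.RecipientEmailAddress
        Sender    = $_.SenderFromAddress
        Subject   = $_.Subject
        # Report whichever override applied; both are rarely set at once.
        Override  = if ($_.OrgLevelPolicy) { $_.OrgLevelPolicy } else { $_.UserLevelPolicy }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run the query over a 24-hour window first; if the volume of legitimate overrides is high, tighten the filter (for example, to a single OrgLevelPolicy value) before the rule is scheduled, otherwise the custom detection will generate alerts that the Incidents queue triage order above would rank but that nobody can act on.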
Review Defender for Office 365 policy configurations
Learn about Microsoft Defender for Office 365 tools and processes
Security operations and response team members need to integrate Defender for Office 365 tools and features into existing investigation and response processes. Learning about new tools and capabilities takes time, but it's a critical part of the onboarding process. The simplest way for SecOps and email security team members to learn about Defender for Office 365 is to use the training content that's available as part of the Ninja training content at https://aka.ms/mdoninja.
The content is structured for different knowledge levels (Fundamentals, Intermediate, and Advanced) with multiple modules per level.
Permissions for Defender for Office 365 activities and tasks
Permissions for managing Defender for Office 365 in the Microsoft Defender portal and PowerShell are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services. For more information, see Permissions in the Microsoft Defender portal.
The following permissions (roles and role groups) are available in Defender for Office 365 and can be used to grant access to security team members:
Microsoft Defender XDR Unified role based access control (RBAC): A single permissions management experience that provides one central location for administrators to control user permissions across different security solutions. For more information, see Microsoft Defender XDR Unified RBAC.
Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
Preview and download email messages: Security operations/Raw data (email & collaboration)/Email & collaboration content (read).
Exchange Online and Email & collaboration: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles aren't available in Microsoft Entra ID, but can be important for security teams:
Preview role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using Threat Explorer (Explorer) or Real-time detections and the Email entity page.
By default, the Preview role is assigned only to the following role groups:
Data Investigator
eDiscovery Manager
You can add users to those role groups, or you can create a new role group with the Preview role assigned, and add the users to the custom role group.
Search and Purge role (Email & collaboration): Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer.
By default, the Search and Purge role is assigned only to the following role groups:
Data Investigator
Organization Management
You can add users to those role groups, or you can create a new role group with the Search and Purge role assigned, and add the users to the custom role group.
Tenant AllowBlockList Manager (Exchange Online): Manage allow and block entries in the Tenant Allow/Block List. Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.
By default, this role is assigned only to the Security Operator role group in Exchange Online, not in Microsoft Entra ID. Membership in the Security Operator role in Microsoft Entra ID doesn't allow you to manage entries in the Tenant Allow/Block List.
Members of the Security Administrator or Organization Management roles in Microsoft Entra ID, or the corresponding role groups in Exchange Online, are able to manage entries in the Tenant Allow/Block List.
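The following PowerShell is an added example, not code from the original article or from Microsoft. It shows the custom role group approach the permissions section describes: one Email & collaboration role group carrying the Preview and Search and Purge roles (created in Security & Compliance PowerShell), and one Exchange Online role group carrying the Tenant AllowBlockList Manager role, with a check of which role groups already hold that role. It assumes the ExchangeOnlineManagement module is installed; the group names and member addresses are placeholders.

```powershell
# Added example (not from the original article): grant investigation permissions
# through custom role groups rather than the built-in groups.
# Assumes the ExchangeOnlineManagement module; names and addresses are placeholders.
$members = @("analyst1@contoso.example", "analyst2@contoso.example")

# Preview and Search And Purge are Email & collaboration roles managed in
# Security & Compliance PowerShell.
Connect-IPPSSession
New-RoleGroup -Name "SecOps Mail Investigators" `
    -Roles "Preview", "Search And Purge" `
    -Members $members `
    -Description "Preview, download and purge messages during Defender for Office 365 investigations"

# Verify the roles and membership before handing the group to the team.
Get-RoleGroup -Identity "SecOps Mail Investigators" | Format-List Name, Roles, Members

# Tenant Allow/Block List management is an Exchange Online role. List the role groups
# that currently hold it, then create a dedicated group so membership is explicit.
Connect-ExchangeOnline
Get-ManagementRoleAssignment -Role "Tenant AllowBlockList Manager" |
    Select-Object RoleAssigneeName, RoleAssigneeType

New-RoleGroup -Name "SecOps TABL Managers" `
    -Roles "Tenant AllowBlockList Manager" `
    -Members $members `
    -Description "Manage Tenant Allow/Block List entries as an incident response action"
Get-RoleGroup -Identity "SecOps TABL Managers" | Format-List Name, Roles, Members
```

Keeping the purge and allow/block permissions in named SecOps groups (rather than in Organization Management or Data Investigator) makes the quarterly access review a membership check on two groups, and keeps Search and Purge away from accounts that only need to read message headers.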
SIEM/SOAR integration
Defender for Office 365 exposes most of its data through a set of programmatic APIs. These APIs help you automate workflows and make full use of Defender for Office 365 capabilities. Data is available through the Microsoft Defender XDR APIs and can be used to integrate Defender for Office 365 into existing SIEM/SOAR solutions.
Incident API: Defender for Office 365 alerts and automated investigations are active parts of incidents in Microsoft Defender XDR. Security teams can focus on what's critical by grouping the full attack scope and all impacted assets together.
Event streaming API: Allows shipping of real-time events and alerts into a single data stream as they happen. Supported event types in Defender for Office 365 include:
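The following PowerShell is an added example, not code from the original article or from Microsoft. It pulls recently updated Defender XDR incidents through the Microsoft Graph security API, keeps those that contain at least one Defender for Office 365 alert, and writes a flattened JSON file that a SIEM collector can ingest. It assumes the Microsoft.Graph PowerShell SDK, the SecurityIncident.Read.All permission, and that the output path is a placeholder for wherever your collector reads from.

```powershell
# Added example (not from the original article): export Defender for Office 365
# incidents from the Graph security incidents API for a SIEM/SOAR pipeline.
# Assumes Microsoft.Graph SDK and SecurityIncident.Read.All; the path is a placeholder.
Connect-MgGraph -Scopes "SecurityIncident.Read.All"

# Server-side filter on last update time; status and alert source are filtered locally.
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString("o")
$uri = "https://graph.microsoft.com/v1.0/security/incidents" +
       "?`$filter=lastUpdateDateTime ge $since" +
       "&`$expand=alerts&`$top=50"

# Follow @odata.nextLink until every page has been read.
$incidents = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $incidents += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Keep unresolved incidents with at least one alert from Defender for Office 365.
$mdo = $incidents | Where-Object {
    $_.status -ne 'resolved' -and
    (@($_.alerts | Where-Object { $_.serviceSource -eq 'microsoftDefenderForOffice365' }).Count -gt 0)
}

# Flatten to the fields a SIEM correlation rule typically keys on.
$export = $mdo | ForEach-Object {
    [pscustomobject]@{
        id                 = $_.id
        displayName        = $_.displayName
        severity           = $_.severity
        status             = $_.status
        lastUpdateDateTime = $_.lastUpdateDateTime
        incidentWebUrl     = $_.incidentWebUrl
        alertTitles        = @($_.alerts | ForEach-Object { $_.title }) -join '; '
    }
}

Write-Host ("{0} of {1} recently updated incidents contain Defender for Office 365 alerts" -f @($export).Count, $incidents.Count)
$export | ConvertTo-Json -Depth 5 | Set-Content -Path "C:\siem\mdo-incidents.json"  # placeholder path
```

Polling by lastUpdateDateTime rather than createdDateTime is deliberate: an incident whose Defender for Office 365 alert was added after creation (for example, a second user reporting the same message) would otherwise be missed, and the SIEM would keep a stale copy.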
Address false positives and false negatives in Defender for Office 365
User reported messages and admin submissions of email messages are critical positive reinforcement signals for our machine learning detection systems. Submissions help us review, triage, rapidly learn, and mitigate attacks. Actively reporting false positives and false negatives is an important activity that provides feedback to Defender for Office 365 when mistakes are made during detection.
Organizations have multiple options for configuring user reported messages. Depending on the configuration, security teams might have more active involvement when users submit false positives or false negatives to Microsoft:
User reported messages are sent to Microsoft for analysis when the User reported settings are configured with either of the following settings:
Send the reported messages to: Microsoft only.
Send the reported messages to: Microsoft and my reporting mailbox.
Security team members should do ad hoc admin submissions when the operations team discovers false positives or false negatives that weren't reported by users.
When user reported messages are configured to send messages only to the organization's mailbox, security teams should actively send user-reported false positives and false negatives to Microsoft via admin submissions.
When a user reports a message as phishing, Defender for Office 365 generates an alert, and the alert triggers an AIR playbook. Incident logic correlates this information to other alerts and events where possible. This consolidation of information helps security teams triage, investigate, and respond to user reported messages.
The submission pipeline in the service follows a tightly integrated process when users report messages and admins submit messages. This process includes:
Noise reduction.
Automated triage.
Grading by security analysts and human-partnered machine learning-based solutions.
Security team members can do submissions from multiple locations in the Microsoft Defender portal at https://security.microsoft.com:
Admin submission: Use the Submissions page to submit suspected spam, phishing, URLs, and files to Microsoft.
Directly from Threat Explorer using one of the following message actions:
Report clean
Report phishing
Report malware
Report spam
You can select up to 10 messages to perform a bulk submission. Admin submissions created using these methods are visible on the respective tabs on the Submissions page.
For the short-term mitigation of false negatives, security teams can directly manage block entries for files, URLs, and domains or email addresses in the Tenant Allow/Block List.
For the short-term mitigation of false positives, security teams can't directly manage allow entries for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use admin submissions to report the email message as a false positive. For instructions, see Report good email to Microsoft.
Quarantine in Defender for Office 365 holds potentially dangerous or unwanted messages and files. Security teams can view, release, and delete all types of quarantined messages for all users. This capability enables security teams to respond effectively when a false positive message or file is quarantined.
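The following PowerShell is an added example, not code from the original article or from Microsoft. It covers the two short-term mitigations described above (and the Tenant Allow/Block List role noted in the permissions section): adding expiring block entries for a URL and a file hash after a confirmed false negative, and reviewing and releasing a quarantined message after a confirmed false positive. It assumes the ExchangeOnlineManagement module and an account holding the Tenant AllowBlockList Manager role and quarantine permissions; the URL, hash, recipient and incident reference are constructed placeholders.

```powershell
# Added example (not from the original article): short-term response to a detection miss
# and to a false positive. Assumes ExchangeOnlineManagement; values are placeholders.
Connect-ExchangeOnline

# --- False negative: block what the delivered phish used ---
# Block entries expire unless -NoExpiration is given; 30 days keeps the list reviewable
# and forces a decision once the underlying policy or submission has been handled.
$expires = (Get-Date).AddDays(30)
$note    = "Incident INC-PLACEHOLDER: credential phish delivered to user mailboxes"

New-TenantAllowBlockListItems -ListType Url -Block `
    -Entries "malicious-example.invalid/login/*" `
    -ExpirationDate $expires -Notes $note

# File entries are SHA256 hashes; this 64-hex string is a constructed placeholder.
$attachmentSha256 = "0000000000000000000000000000000000000000000000000000000000000000"
New-TenantAllowBlockListItems -ListType FileHash -Block `
    -Entries $attachmentSha256 `
    -ExpirationDate $expires -Notes $note

# Review the current URL and file block entries so expired or unexplained ones stand out.
Get-TenantAllowBlockListItems -ListType Url -Block |
    Format-Table Value, ExpirationDate, LastModifiedDateTime, Notes -AutoSize
Get-TenantAllowBlockListItems -ListType FileHash -Block |
    Format-Table Value, ExpirationDate, LastModifiedDateTime, Notes -AutoSize

# --- False positive: find and release a quarantined message ---
# List phish-quarantined mail for the affected recipient and review it first.
$recipient = "user@contoso.example"
$held = Get-QuarantineMessage -RecipientAddress $recipient -Type Phish -PageSize 50
$held | Format-Table ReceivedTime, SenderAddress, Subject, QuarantineTypes, Identity -AutoSize

# After review, release one message (by its Identity) to all of its recipients.
# The identity below is a placeholder copied from the table above, not chosen automatically.
$identityToRelease = "<Identity-from-list-above>"
if ($identityToRelease -ne "<Identity-from-list-above>") {
    Release-QuarantineMessage -Identity $identityToRelease -ReleaseToAll
}
```

Releasing the message restores delivery for that one item only; the admin submission described above is what feeds the false positive back to Microsoft so the same message isn't quarantined again, and the Notes field on each block entry is what lets the next analyst tie an entry back to its incident when the entry is reviewed or extended.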
Integrate third-party reporting tools with Defender for Office 365 user reported messages
If your organization uses a third-party reporting tool that allows users to internally report suspicious email, you can integrate the tool with the user reported message capabilities of Defender for Office 365. This integration provides the following benefits to security teams:
Integration with the AIR capabilities of Defender for Office 365.
The reporting mailbox must be an Exchange Online mailbox.
The third-party reporting tool must include the original reported message as an uncompressed .EML or .MSG attachment in the message that's sent to the reporting mailbox (don't just forward the original message to the reporting mailbox). For more information, see Message submission format for third-party reporting tools.
The reporting mailbox requires specific prerequisites to allow potentially bad messages to be delivered without being filtered or altered. For more information, see Configuration requirements for the reporting mailbox.
When a user reported message arrives in the reporting mailbox, Defender for Office 365 automatically generates the alert named Email reported by user as malware or phish. This alert launches an AIR playbook. The playbook performs a series of automated investigation steps:
Gather data about the specified email.
Gather data about the threats and entities related to that email (for example, files, URLs, and recipients).
Provide recommended actions for the SecOps team to take based on the investigation findings.
Email reported by user as malware or phish alerts, automated investigations, and their recommended actions are automatically correlated to incidents in Microsoft Defender XDR. This correlation further simplifies the triage and response process for security teams. If multiple users report the same or similar messages, all of the users and messages are correlated into the same incident.
Data from alerts and investigations in Defender for Office 365 is automatically compared to alerts and investigations in the other Microsoft Defender XDR products:
Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps
Microsoft Defender for Identity
If a relationship is discovered, the system creates an incident that gives visibility for the entire attack.