Manage email notifications in SharePoint


SharePoint email notifications help you stay up-to-date with news, comments, and activities. We’ve recently announced notifications for comments, replies and likes on modern pages and news posts.

 

We know you want to control what lands in your inbox. Currently, you can unsubscribe from a category of notifications by clicking the Unsubscribe link in a notification email.

 

Email notifications settings panel

 

The email notifications settings panel, rolling out in late June 2019, enables you to manage all your email notifications from a single place. You can select the categories of email notifications you want to receive.

 


 

To access the email notifications settings panel, click the Manage your preferences link in a notification email.

 

Alternatively, click SharePoint in the Office launcher (also known as the “waffle menu”). From the SharePoint start page, click the settings cog, then click Email notifications.

 

As we add new categories of notifications, we will add them to the settings panel.

 

 

Files restore for SharePoint and Microsoft Teams


Data loss is non-negotiable. Period. As innovation in the cloud drives business value, it delivers new capabilities to the IT professionals and site admins who work tirelessly to support, configure, administer, and secure their organizations’ and teams’ content. And it is important that you are empowered to recover from accidental deletions or version issues at the speed business productivity requires.

 

Today we begin to roll out Files Restore for SharePoint and Microsoft Teams – a new Microsoft 365 feature. This is associated with Microsoft 365 Roadmap: ID 33714 and was originally announced at Ignite 2018.

 

If something went wrong, you can restore a SharePoint document library (the same storage mechanism behind the Files tab in Microsoft Teams) to a previous time. Select a date preset or use the slider to find a date with unusual activity in the chart. Then select the changes that you want to undo.

We’ve built Microsoft 365 with global scale, exceptional reliability, and support for compliance across industries and geographies. On top of intelligent security that keeps your service and content protected and private, we give you granular and dynamic controls so that you can manage access, distribution and recovery of your organization’s sensitive content and information.

 

Let’s dive into the details…

 

Restore your files with confidence from SharePoint and Microsoft Teams

Files restore for SharePoint and Microsoft Teams is a complete self-service recovery solution that allows administrators and site owners to restore files from any point in time during the last 30 days. Site owners will see a new “Restore this library” option within the library settings panel. It can be used as a self-service way to restore the files and folders in a library that you suspect have been compromised by end-user deletion, file corruption, or malware infection, to any point in the past 30 days.

 

Simply go to the gear icon in the upper right > select Restore this library > select a date range, select your files > click Restore.

 

Go to Site Settings and select “Restore this library” to start the process of recovering a file or set of files based on a date prior to the issue.

If lots of your SharePoint or Teams files get deleted, overwritten, corrupted, or infected by malware, you can restore your entire document library to a previous time. Files Restore helps Office 365 subscribers undo all the actions that occurred on both files and folders within the last 30 days.

 

Files Restore is now available for SharePoint document libraries, protecting your shared files in SharePoint, Teams, Outlook groups, and Yammer groups connected to Office 365 groups. It uses the same recovery capabilities that protect your individual files in OneDrive for Business.

 

Note to IT: files across the SharePoint and Teams user interfaces are stored in the same storage container (SharePoint document libraries), and thus offer the same experience and capabilities as a single-source offering throughout Microsoft 365.

 

What else do I need to know?

Now you can rewind changes using activity data to find the exact moment to revert to.

 

We’ll be gradually rolling this out to Targeted Release organizations in April 2019, and the rollout will be completed worldwide by the end of May 2019.

 

Learn more about how to restore your SharePoint and Teams files, and see the related guidance on how to restore your OneDrive.

 

Frequently Asked Questions (FAQs)

Q: When is this all being released in Office 365?

A: Files restore for SharePoint has begun Targeted Release to customers in Office 365. We plan to extend release to all full Targeted Release customers by the end of April 2019. We then plan to fully release to all full production Office 365 customers by the end of May 2019.


SharePoint News Enhancements – March 2019


SharePoint news is a content distribution system that works across personal, team and organizational news. News articles and links can be composed on browser or mobile platforms, and are easily surfaced in portals, Microsoft Teams, email, Microsoft Search and more. Rich new capabilities will empower communicators to keep groups, departments, and divisions up to date easily.

 

Let’s dive into each feature.

 

News – organize. Within the news web part, you can now organize your news posts to appear in custom order. This means you can highlight high-value content knowing it is more visible among articles published on a site. Learn more in our support article.

Figure 1: Controlling the news display sort order

Authoritative news – News can come from many different sites. But you might have “official” or “authoritative” sites for organization news. When these sites are specified as organization news sources, posts from these sites are interleaved throughout all news posts displayed for users on SharePoint home in Office 365, or via the news tab in SharePoint mobile. They are distinguished by a color block on the title as a visual cue.  Admins can manage news sources using simple PowerShell commands, referenced below.

 

Figure 2: Site showing authoritative organization-wide news

News notifications from followed sites – Starting in March 2019, users who follow sites will start to get notifications for any news posted on those sites. They will also get notifications when people they work with post news. And soon, news notifications can be delivered over email as well. It’s never been easier to stay up to date with information from key areas of your intranet.

 

Page templates.  You’ve created a great page, and you want to make it available for others to use as a starting point for their pages. Or, you need to create a page, but aren’t sure where to start.  Page templates can save time.   

 

Initially, we’ll ship three page templates – basic, text-centric and visual, as shown below.  You can also create your own templates from existing pages.  Once a page is saved as a template, it can be chosen from the Template gallery as users create pages and news.  Again, learn more in our support article.

 

Figure 3: SharePoint page templates

Try more and more of what SharePoint offers, and let us know what you think

We want to empower you and every person on your team to achieve more. Let us know what you need next. We are always open to feedback via UserVoice and continued dialog in the SharePoint community in the Microsoft Tech Community —and we always have an eye on tweets to @SharePoint. Let us know.

 

—Chris McNulty, senior product manager for Microsoft 365

 

FAQs

Q: When is this all being released?

A: Our goal is to release all the items to Targeted Release customers by the end of March 2019.

 

Q: How can administrators manage authoritative news sources?
A: Your tenant admin will need to add sites to the organization news list of sites using PowerShell.  Here are some helpful commands.


Take advantage of the SharePoint Look Book sample designs in your own environment!


The SharePoint Look Book site is an awesome web site with pictures of example modern portals built with SharePoint Online. These designs demonstrate what’s possible with modern SharePoint, and we will also be releasing updated guidance on the Look Book in the future.

 

Having example pictures and written clarifications of the structures around the sites built with modern SharePoint is great, but wouldn’t it be even more awesome if you could provision actual site collections and structures based on those designs so that you can even adjust those based on your needs?

 

That would be awesome!

We thought so as well and started building a specific service to enable you to easily provision sample content and scenarios to any SharePoint tenant.

 


 

How to use the service?

 

It’s as easy as following these simple steps:

  1. Go to the provisioning service at https://provisioning.sharepointpnp.com
  2. Select the template you want to use (remember to check template-specific prerequisites, if any)
  3. Click “Add to your tenant”
  4. Sign-in to your tenant
  5. Provide requested metadata like the URL to be used
  6. Confirm and wait for an email notification when provisioning is completed

See the following 2-minute video as a quick introduction on how the service works in practice. 

 

 

As mentioned, the service is currently in public preview as we keep polishing the experience and the provided templates.

 

What are the prerequisites for the usage?

 

You will need to be a tenant administrator to use the service. This is due to the cross-tenant capabilities that the templates might contain, like Microsoft Teams structures, SharePoint solutions, Site Designs, and Themes. We are looking into enabling simple templates for site collection administrators in the future, without the tenant administrator requirement. Note also that SharePoint administrator permissions are currently not sufficient.

 

Note also that some of the initially provided templates have other prerequisites, like having a tenant app catalog created for SharePoint Framework solutions or having the tenant administrator as a term store administrator before the provisioning is started. Please check the prerequisites specifically for SharePoint Starter Kit or for the Custom Learning templates.

 

Currently, the templates have only been properly tested for the English language, so please provide us feedback based on your experiences with non-English tenants.

 

Can I use the service in my production environment?

 

We do recommend testing the templates in a test environment to ensure that you are aware of how they work. Some of the initially provided templates, like … Each provided template has a detailed description of the contained content which gets provisioned. You can get a test tenant by using a trial Office 365 tenant or by subscribing to the Office 365 developer program (if you are a developer).

 

Can I use the templates also outside of the service?

 

Absolutely. We are providing all used templates as an open-source solution through a GitHub repository. If you are an IT Pro or a developer, you can also use those templates by using code or PowerShell.


Please provide us feedback on the service and share any issues you might have as part of using it. Thank you for your input in advance.

 


 

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP


Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building on the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

Figure: A day in the life

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 


 

The new automation capabilities in Office 365 ATP go even further in bringing more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built on our experience with real-world security scenarios. Based on our visibility into and experience with the threat landscape, we’ve designed these playbooks to tackle the most frequent threats.

 

Security playbooks are the foundation of AIR

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email – This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link – This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the next few weeks and months we’ll continue to add even more playbooks.

Alert automatically triggers investigation when a user reports an email as phish

Investigation graph showing a summary of relevant emails and users with threats and recommended actions.

You can learn more about how the SecOps teams can use these playbooks in this article.

Watch below to see the playbooks in action.

 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite, as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part of their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly, with relevant recommendations.

 

Triggering automated investigations from the Threat Explorer for All email view

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today, paired with the automation within the Microsoft Defender Advanced Threat Protection offering, form the backbone of the powerful integrated automated protection that comes as part of the Microsoft Threat Protection stack to enable better detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Bolster efficiency of security teams with new Automated Incident Response in Office 365 ATP

Office 365 ATP offers unparalleled protection from targeted and zero-day attacks over email and other collaboration vectors. Building over the massive threat intelligence signal available in the Microsoft Intelligent Security Graph and pairing it with sophisticated Machine Learning algorithms, Office 365 ATP offers security teams best-in-class prevention, detection and response capabilities to keep their organizations secure with stellar effectiveness and efficiency. And today we’re extremely excited to announce new Automation capabilities in Office 365 ATP that further amplify the efficiency of security teams as they investigate and respond to threats within their organization.

 

The broad intelligence of the Microsoft Security Graph that supports all of the Advanced Threat Protection products from Microsoft and the deep integration between them forms the backbone of Microsoft Threat Protection that offers security teams amazing capabilities to protect their organizations across their users, devices, email, applications, data and infrastructure. And the automation capabilities we’re announcing today further strengthen the overall automation story of Microsoft Threat Protection.

 

Security Dashboard.pngSecurity Dashboard showing summary of automated investigations

 

Challenges faced by SecOps today

 

To set some context, we continue to hear from customers that dealing with incident response quickly and effectively is a big challenge facing their SecOps teams. One key issue is the lack of available resources and expertise needed to analyze signals and respond to incidents in an efficient way. There are just too many alerts to investigate and signals to correlate. And SecOps teams are constantly struggling with budget and time.

 

A typical Security team member goes through the following cycle of investigation day in and day out.

 

A day in the life.png

 

Every single security alert goes through the above process and with the huge volume of alerts that need to be looked at, it can quickly become challenging for security teams to scale. Intelligent correlation of signals and automatic investigation of alerts can significantly reduce the manual effort and time for incident response.

 

Automation can significantly reduce the time, effort and resources needed for incident response

 

Last year, we shared how Office 365 ATP can help security teams become more effective and efficient in the threat investigation and response process. This research from Forrester also revealed huge cost savings when using our Office 365 Threat Intelligence service.

 

Composite Organization.png

 

The new automation capabilities in Office 365 ATP go even further, bringing more effectiveness and efficiency into SecOps flows.

 

Introducing new security playbooks within Office 365 ATP

 

Security playbooks are the foundation of automated incident response. They are the back-end policies that admins can select to trigger automatic investigation. The playbooks are built on our experience with real-world security scenarios. Drawing on our visibility into the threat landscape, we’ve designed these playbooks to tackle the most frequent threats.

 

[Figure: Security playbooks are the foundation of AIR]

 

We’re delighted to announce the public preview of two playbooks that help investigate key threats and alerts within Office 365 with recommended actions for containment and mitigation.

 

  • User reports a phishing email: This alert will trigger an automatic investigation using the User Reported Messages Playbook when users use the “Report Message” button to report a phishing email.
  • User clicks on a malicious link: This alert will trigger an automatic investigation using the Weaponized URL playbook when an Office 365 ATP Safe Links protected URL clicked by a user is determined to be malicious through detonation (change in verdict) or if the user overrides (clicks through) the Office 365 ATP Safe Links warning pages.

 

Over the next few weeks and months we’ll continue to add even more playbooks.

[Figure: Alert automatically triggers investigation when a user reports an email as phish]

[Figure: Investigation graph showing a summary of relevant emails and users with threats and recommended actions]

You can learn more about how the SecOps teams can use these playbooks in this article.


 

Triggering an automated investigation from the Threat Explorer

 

In addition to these playbooks, we’re also adding the ability to manually trigger automated investigations from the Threat Explorer. The Threat Explorer has become an invaluable tool for many security teams to hunt for and investigate threats within the O365 productivity suite, as security teams use it to search for bad actors or IOCs. With the new ability to trigger an automatic investigation from within the Threat Explorer, security teams can leverage the efficiency and effectiveness gains that come with automation as part of their hunting/investigation flow. This allows them to gain visibility into any potential threat instantly with relevant recommendations.

 

[Figure: Triggering automated investigations from the Threat Explorer for All email view]

 

We’re only getting started

 

Automation for incident response will become a much more important part of an enterprise-grade security solution.  It can help mitigate more threats in real-time, reduce the time for detection and recovery, and ultimately, improve the efficiency, accuracy, and overall security for any organization.  Just as important, it frees up time for the organization’s key security expertise to focus on more complicated problems – getting more out of their most trained experts.

 

The automation capabilities announced today paired with the automation within the Microsoft Defender Advanced Threat Protection offering form the backbone of the powerful integrated automated protection that comes as part of the Microsoft Threat Protection stack to enable better detection, more insightful investigations, and more rapid remediation across multiple vectors such as emails, users and devices.

 

This is just the beginning. We’ll be rolling out more playbooks to address the most common threat scenarios. We invite you to try these playbooks out and provide feedback.

 
