{"id":89837,"date":"2019-09-09T09:00:37","date_gmt":"2019-09-09T16:00:37","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=89837"},"modified":"2023-05-15T22:58:32","modified_gmt":"2023-05-16T05:58:32","slug":"automated-incident-response-office-365-atp-now-generally-available","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/","title":{"rendered":"Automated incident response in Office 365 ATP now generally available"},"content":{"rendered":"<p>Security teams responsible for investigating and responding to incidents often deal with a massive number of signals from widely disparate sources. As a result, rapid and efficient incident response continues to be the biggest challenge facing security teams today. The sheer volume of these signals, combined with an ever-growing digital estate of organizations, means that a lot of critical alerts miss getting the timely attention they deserve. Security teams need help to scale better, be more efficient, focus on the right issues, and deal with incidents in a timely manner.<\/p>\n<p>This is why I\u2019m excited to announce the general availability of Automated Incident Response in Office 365 Advanced Threat Protection (ATP). Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization\u2019s security teams.<\/p>\n<h3>A day in the life of a security analyst<\/h3>\n<p>To give you an idea of the complexity that security teams deal with in the absence of automation, consider the following typical workflow that these teams go through when investigating alerts:<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89838 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-1.png\" alt=\"Infographic showing these steps: Alert, Analyze, Investigate, Assess impact, Contain, and Respond.\" width=\"991\" height=\"183\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-1.png 991w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-1-300x55.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-1-768x142.png 768w\" sizes=\"auto, (max-width: 991px) 100vw, 991px\" \/><\/a><\/p>\n<p>And as they go through this flow for every single alert\u2014potentially hundreds in a week\u2014it can quickly become overwhelming. In addition, the analysis and investigation often require correlating signals across multiple different systems. This can make effective and timely response very difficult and costly. There are just too many alerts to investigate and signals to correlate for today\u2019s lean security teams.<\/p>\n<p>To address these challenges, earlier this year we <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Security-Privacy-and-Compliance\/Bolster-efficiency-of-security-teams-with-new-Automated-Incident\/ba-p\/392773\" target=\"_blank\" rel=\"noopener noreferrer\">announced the preview of powerful automation capabilities<\/a> to help improve the efficiency of security teams significantly. The security playbooks we introduced address some of the most common threats that security teams investigate in their day-to-day jobs and are modeled on their typical workflows.<\/p>\n<p><a href=\"https:\/\/customers.microsoft.com\/en-us\/story\/ithaca-college-higher-education-microsoft-365\" target=\"_blank\" rel=\"noopener noreferrer\">This story from Ithaca College<\/a> reflects some of the feedback we received from customers of the preview of these capabilities, including:<\/p>\n<blockquote><p>\u201cThe incident detection and response capabilities we get with Office 365 ATP give us far more coverage than we\u2019ve had before. This is a really big deal for us.\u201d<br \/>\n\u2014Jason Youngers, Director and Information Security Officer, Ithaca College<\/p><\/blockquote>\n<h3>Two categories of automation now generally available<\/h3>\n<p>Today, we\u2019re announcing the general availability of two categories of automation\u2014automatic and manually triggered investigations:<\/p>\n<ol>\n<li><strong>Automatic investigations that are triggered when alerts are raised<\/strong>\u2014<a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/automated-investigation-response-office\" target=\"_blank\" rel=\"noopener noreferrer\">Alerts and related playbooks<\/a> for the following scenarios are now available:\n<ul>\n<li><strong>User-reported phishing emails<\/strong>\u2014When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.<\/li>\n<li><strong>User clicks a malicious link with changed verdict<\/strong>\u2014An alert is raised when a user clicks a URL, which is wrapped by <em>Office 365 ATP Safe Links, <\/em>and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the <em>Office 365 ATP Safe Links <\/em>warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.<\/li>\n<li><strong>Malware detected post-delivery (Malware <\/strong><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/securitycompliance\/zero-hour-auto-purge\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Zero-Hour Auto Purge (ZAP)<\/strong><\/a><strong>)<\/strong>\u2014When Office 365 ATP detects and\/or ZAPs an email with malware, an alert triggers an automatic investigation.<\/li>\n<li><strong>Phish detected post-delivery (Phish ZAP)<\/strong>\u2014When Office 365 ATP detects and\/or ZAPs a phishing email previously delivered to a user&#8217;s mailbox, an alert triggers an automatic investigation.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<ol start=\"2\">\n<li><strong>Manually triggered investigations that follow an automated playbook<\/strong>\u2014Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and related content (attachment or URLs).<\/li>\n<\/ol>\n<h3>Rich security playbooks<\/h3>\n<p>In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation. They correlate similar emails sent or received within the organization and any suspicious activities for relevant users. Flagged activities for users might include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.<\/p>\n<p>In addition, aligned with our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/the-evolution-of-microsoft-threat-protection\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection<\/a> promise, these playbooks also integrate with signals and detections from <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/enterprise-mobility-security\/cloud-app-security\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Cloud App Security<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-defender-advanced-threat-protection\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender ATP<\/a>. For instance, <a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/anomaly-detection-policy\" target=\"_blank\" rel=\"noopener noreferrer\">anomalies detected by Microsoft Cloud App Security<\/a> are ingested as part of these playbooks. And the playbooks also trigger device investigations with Microsoft Defender ATP (for malware playbooks) where appropriate.<\/p>\n<p>Let\u2019s look at each of these automation scenarios in detail:<\/p>\n<p><strong>User reports a phishing email<\/strong>\u2014This represents one of the most common flows investigated today. The alert is raised when a user reports a phish email using the Report message add-in in Outlook or Outlook on the web and triggers an automatic investigation using the User Reported Message playbook.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89839 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2.png\" alt=\"Screenshot of a phishing email being investigated.\" width=\"1596\" height=\"1286\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2.png 1596w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2-300x242.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2-768x619.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-2-1024x825.png 1024w\" sizes=\"auto, (max-width: 1596px) 100vw, 1596px\" \/><\/a><\/p>\n<p><b>User clicks on a malicious link<\/b><span style=\"font-family: 'Segoe UI',sans-serif;\">\u2014<\/span>A very common vector used by attackers is to weaponize a link after delivery of an email. With Office 365 ATP Safe Links protection, we can detect such attacks when links are detonated at time-of-click. A user clicking such links and\/or overriding the Safe Links warning pages is at risk of compromise. The alert raised when a malicious URL is clicked triggers an automatic investigation using the URL verdict change<b> <\/b>playbook to correlate any similar emails and any suspicious activities for the relevant users across Office 365.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89840 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3.png\" alt=\"Image of a clicked URL being assigned as malicious.\" width=\"1596\" height=\"1282\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3.png 1596w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3-300x241.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3-768x617.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-3-1024x823.png 1024w\" sizes=\"auto, (max-width: 1596px) 100vw, 1596px\" \/><\/a><\/p>\n<p><strong>Email messages containing malware removed after delivery<\/strong>\u2014One of the critical pillars of protection in Office 365 Exchange Online Protection (EOP) and Office 365 ATP is our capability to ZAP malicious emails. Email messages containing malware removed after delivery alert trigger an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user&#8217;s inbox. In addition, the playbook also triggers an investigation into the relevant devices for the users by leveraging the native integration with Microsoft Defender ATP.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89841 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4.png\" alt=\"Screenshot showing malware being zapped.\" width=\"1602\" height=\"1321\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4.png 1602w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4-300x247.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4-768x633.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-4-1024x844.png 1024w\" sizes=\"auto, (max-width: 1602px) 100vw, 1602px\" \/><\/a><\/p>\n<p><b>Email messages containing phish removed after delivery<\/b><span style=\"font-family: 'Segoe UI',sans-serif;\">\u2014<\/span>With the rise in phishing attack vectors, Office 365 EOP and Office 365 ATP\u2019s ability to ZAP malicious emails detected after delivery is a critical protection feature. The alert raised triggers an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user&#8217;s inbox and also evaluates if the user clicked any of the links.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89842 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5.png\" alt=\"Screenshot of a phish URL being zapped.\" width=\"1603\" height=\"1328\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5.png 1603w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5-300x249.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5-768x636.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-5-1024x848.png 1024w\" sizes=\"auto, (max-width: 1603px) 100vw, 1603px\" \/><\/a><\/p>\n<p><strong>Automated investigation triggered from within the Threat Explorer<\/strong>\u2014As part of existing hunting or security operations workflows, Security teams can also trigger automated investigations on emails (and related URLs and attachments) from within the Threat Explorer. This provides Security Operations (SecOps) a powerful mechanism to gain insights into any threats and related mitigations or containment recommendations from Office 365.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89843 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6.png\" alt=\"Screenshot of an action being taken in the Office 365 Security and Compliance dash. An email is being investigated.\" width=\"1602\" height=\"1326\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6.png 1602w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6-300x248.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6-768x636.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-Incident-Response-in-Office-365-ATP-6-1024x848.png 1024w\" sizes=\"auto, (max-width: 1602px) 100vw, 1602px\" \/><\/a><\/p>\n<h3>Try out these capabilities<\/h3>\n<p>Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/office\/office-365-management-api\/office-365-management-apis-overview\" target=\"_blank\" rel=\"noopener noreferrer\">Office 365 Management API<\/a> to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs.<\/p>\n<p>These capabilities are available as part of the following offerings. We hope you\u2019ll give it a try.<\/p>\n<ul>\n<li><a href=\"https:\/\/products.office.com\/en-us\/exchange\/advance-threat-protection\" target=\"_blank\" rel=\"noopener noreferrer\">Office 365 ATP Plan 2<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/business\/office-365-enterprise-e5-business-software\" target=\"_blank\" rel=\"noopener noreferrer\">Office 365 E5<\/a><\/li>\n<li>Microsoft 365 E5 Security, which includes the full <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/the-evolution-of-microsoft-threat-protection\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection<\/a> experience<\/li>\n<\/ul>\n<p>Bringing SecOps efficiency by connecting the dots between disparate threat signals is a key promise of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/the-evolution-of-microsoft-threat-protection\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection<\/a>. The integration across Microsoft Threat Protection helps bring broad and valuable insights that are critical to the incident response process. Get started with a <a href=\"https:\/\/docs.microsoft.com\/en-us\/enterprise-mobility-security\/mtptrial\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection trial<\/a> if you want to experience the comprehensive and integrated protection that Microsoft Threat Protection provides.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.<\/p>\n","protected":false},"author":96,"featured_media":89844,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3662],"topic":[3664,3681],"products":[3690,3695],"threat-intelligence":[],"tags":[],"coauthors":[2162],"class_list":["post-89837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-ai-and-machine-learning","topic-risk-management","products-microsoft-defender","products-microsoft-defender-for-office-365"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Automated incident response in Office 365 ATP now generally available<\/title>\n<meta name=\"description\" content=\"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Automated incident response in Office 365 ATP now generally available\" \/>\n<meta property=\"og:description\" content=\"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-09T16:00:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T05:58:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-full-size.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"1200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Girish Chander\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-full-size.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Girish Chander\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/girish-chander\/\",\"@type\":\"Person\",\"@name\":\"Girish Chander\"}],\"headline\":\"Automated incident response in Office 365 ATP now generally available\",\"datePublished\":\"2019-09-09T16:00:37+00:00\",\"dateModified\":\"2023-05-16T05:58:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\"},\"wordCount\":1235,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\",\"name\":\"Automated incident response in Office 365 ATP now generally available\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg\",\"datePublished\":\"2019-09-09T16:00:37+00:00\",\"dateModified\":\"2023-05-16T05:58:32+00:00\",\"description\":\"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg\",\"width\":440,\"height\":268,\"caption\":\"Image of an IT office.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Automated incident response in Office 365 ATP now generally available\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Automated incident response in Office 365 ATP now generally available","description":"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/","og_locale":"en_US","og_type":"article","og_title":"Automated incident response in Office 365 ATP now generally available","og_description":"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/","og_site_name":"Microsoft Security Blog","article_published_time":"2019-09-09T16:00:37+00:00","article_modified_time":"2023-05-16T05:58:32+00:00","og_image":[{"width":2000,"height":1200,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-full-size.jpg","type":"image\/jpeg"}],"author":"Girish Chander","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-full-size.jpg","twitter_misc":{"Written by":"Girish Chander","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/girish-chander\/","@type":"Person","@name":"Girish Chander"}],"headline":"Automated incident response in Office 365 ATP now generally available","datePublished":"2019-09-09T16:00:37+00:00","dateModified":"2023-05-16T05:58:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/"},"wordCount":1235,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/","name":"Automated incident response in Office 365 ATP now generally available","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg","datePublished":"2019-09-09T16:00:37+00:00","dateModified":"2023-05-16T05:58:32+00:00","description":"Powerful automation capabilities help improve the effectiveness and efficiency of investigating and responding to Office 365 alerts.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/09\/Automated-incident-response-in-Office-365-ATP-card.jpg","width":440,"height":268,"caption":"Image of an IT office."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/09\/09\/automated-incident-response-office-365-atp-now-generally-available\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Automated incident response in Office 365 ATP now generally available"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=89837"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89837\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/89844"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=89837"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=89837"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=89837"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=89837"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=89837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=89837"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=89837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}