Microsoft Defender for Endpoint Blog

Unified submissions in Microsoft 365 Defender now Generally Available!

JuliHooper
Microsoft
Apr 11, 2022

It's time for a new, unified submissions experience 

Your security team now has a “one-stop shop” for submitting emails, URLs, email attachments, and files in one, easy-to-use submission experience. To simplify the submission process, we are excited to announce a new unified submissions experience in the Microsoft 365 Defender portal (https://security.microsoft.com). With unified submissions, you can submit files to Microsoft 365 Defender for review from within the portal. We are also adding the ability to submit a file directly from a Microsoft Defender for Endpoint Alert page.  

 

Important note: Currently, the new submissions experience is available only in subscriptions that include Microsoft 365 Defender, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Office 365.

 

Let’s look at the new unified submissions experience! 

 

 

New entry points to submit items for analysis 

With unified submissions in preview, you can submit files from these entry points in Microsoft 365 Defender: 

  • Submissions page. You can add a new submission to report a file as clean (false positive), unwanted software or malicious (false negative).  
  • An Alert page. While viewing an alert, you can choose the “Submit items to Microsoft for review” action to submit a file for analysis.

The Submissions portal that was previously under Email & collaboration is now in the unified submission surface.  

 

Tabs you’ll see on the new Submissions page 

The new, unified submissions page includes the following tabs: 

  • Emails 
  • URLs 
  • Email Attachments 
  • Files 
  • User reported messages 

You can now see submission items broken out by type (Emails, Email Attachments, URLs, Files and User reported messages). A security admin can view the collection of emails that your users have submitted for review and create a submission to Microsoft if needed. 

 

Note: If your subscription includes Microsoft 365 Defender, you’ll see all five tabs. If your subscription only includes Defender for Endpoint Plan 2, you’ll only see the Files tab. And, if your subscription only includes Defender for Office 365, you won’t see the Files tab. 

 

The Alert page submission experience 

You can now submit a file for analysis from the Alerts page. Open the Microsoft 365 Defender portal. Go to Incidents & alerts, and then select Alerts to view the list of alerts. You can then select a Microsoft Defender for Endpoint alert that contains an item you want to report.  

 

Notice a checkbox on the alert submission form for “Include alert story.” By choosing this option, you’ll attach a JSON file of the alert story with your submission. That file will be shared with our analysts to improve the quality of results and the response time of your submission. 

 

Here’s what the alert page submission entry point looks like: 

 

 

And here’s an example of an alert page submission form: 

 

 

The Submissions list 

Your Submissions list enables you to see all of your company’s submissions in one place, organized by type: Emails, Email attachments, URLs, Files, and User reported messages. You can also create a new submission on this page. (You must have the Global Administrator, Security Administrator, Security Reader, or Organization Management role assigned.)

 

To use the Submissions list, go to the Microsoft 365 Defender portal, and then select Submissions. Then choose one of the available options. In the following example, we are showing the File submission option: 

 

The File submission list looks like this: 

 

 

On the Files tab, we select Add new submission. This action opens the File submission form, which looks like this: 

 

 

After submitting the file for analysis, the File submission results now look like this: 

 

Known issues 

When adding text in the Notes for Microsoft box, the cursor might jump to the end of the line when you try to place the cursor in the middle of an already typed line to add more text. We are working to resolve this issue. 

 

Learn more 

Want to learn more about Unified submissions? See Submit suspected files in Microsoft Defender for Endpoint for more details. 

 

Let us know what you think! 

We are excited to bring you this simplified submission experience! Try it out and let us know what you think. Tell us if the new, unified experience is helpful, and share any additional requests or suggestions you have for improving the experience! 

Updated Jun 13, 2022
Version 4.0
  • JonasBack 

     

    1. Microsoft Defender for Office 365 is working on this. In the future you can leverage the review section of quarantine to take actions on the quarantined file. Some pieces of it already exist today.

    2. You have to zip the file and try to send it or open a support ticket to solve this for now. I am curious to understand how big this file was?

    3. If you release the file from the review section of quarantine the previously captured files should be released. You can learn more here.

     

    Let me know if you have further questions or concerns here.

     

  • JonasBack
    Steel Contributor

    JuliHooper we've had incidents where Defender for Office 365 has marked a file as malware in OneDrive but it was a false positive. The only way we found to submit that to Microsoft was to download the file manually and submit it as a file. Has a few issues with that.

     

    1. Is there any other way to submit this file without giving yourself permission to the user's OneDrive, downloading the file and submitting it?

     

    2. The file was larger than the allowed max size to submit. How do we then submit it?

     

    3. The other scenario with a smaller file and after submission it came out clean, how do we "rescan" the file in OneDrive to mark it as clean? The only way we found was to delete the file and re-upload it?

  • JasonGates895
    Copper Contributor

    Still waiting for the ability for GCC tenants to even submit samples to Microsoft.

  • Hi NY_Dina Deep analysis is a bit of a different scenario - it does automated dynamic execution in a detonation chamber for the customer to understand, in that detonation chamber, what the file does. This can help SecOps see what the file would do if it were able to progress further in execution. This is different than "this detection needs to be fixed" which is the scenario that Unified Submissions is meant to address. 

  • NY_Dina
    Copper Contributor

    What is the difference between deep analysis and file submission?

  • Hi mas18 yes you can still submit files through this feature (as Manuel Hauch mentions) just like you would with WDSI/MSI, however, please note that the 'File hash' submission option relies on your sample submission setting, so this could fail if we did not already have the file available to us.  To avoid this issue, you would need to choose the 'File' submission option and upload the file yourself.

  • mas18 Yes, you're referring to the Cloud Protection in Defender AV which is an automated mechanism, while this option is to manually submit files to Microsoft if you think it should have been detected or it's a false positive and you want Microsoft to remove the detection on the file. This new submission experience is technically the same as if you would submit the file to Microsoft through aka.ms/wdsi

  • mas18
    Brass Contributor

    If we have enabled “never send samples” in AV policy, am I still able to use the file submission option in the portal?