In the Action Center I would like to automatically reject the pending actions "Block URL" and "Soft delete emails". I know this is not natively supported, but is there way to automate this using PowerShell, Power Automate, Security Graph API or something else?

As far as I know, it's not possible currently.But the MTP API is being expanded as we speak, so I assume this will be possible in the future

Lior Ben Porat In generel e-mail identified as Phishing starts an investigation that creates 4 different E-mail Soft Delete actions and one Block URL action for every URL in the email. Some of these e-mails are false positives, as an example e-mails from the shipping company postnord.no is regularly detected as phishing. It is very easy for someone to approve these pending actions withouth proper investigation and then legitime e-mails and URL's are deleted and blocked for the entire organization. If we just let them be and await for them to expire, then the other actions we actually want to look into are harder to notice in the sea of pending actions.

Hi Joachim83 , Auto reject is not supported natively , however if you take no action to approve "block URL" or "Soft delete emails" the action will be expired in a month... Could you please elaborate on the scenario / reason for auto reject?

Hi Evald Markinzon We want to automate as much as possible, so for these actions we want ZAP and native SafeLinks to automatically handle deleting emails and blocking URL.These extra pending actions are being generated in large volumes and create too many false positives, so we've decided to always reject them and perform these actions manually when necessary.To avoid alert fatigue and to better highlight the other Actions we need to evaluate, we want to automatically reject these actions so they don't flood the list.

Joachim83 - Zap does automatically act on emails and is the source of many of these alerts. Zap will perform the action chosen for that threat in the appropriate policy - so if you have phish set to junk, zap will auto-junk it. However, there are cases where Zap may not remediate the email - e.g. emails that were over 48 hours old with the malicious url/file, phish emails where the user/organization had 'override policies' (e.g. safe sender, safe domain, ETRs, etc.), plus emails from similar emails but with different malicious links/files that don't get identified. I definitely hear your request for clearer needed actions. For the moment want to make sure admins review and give us feedback when they disagree with aspects of the investigation. As Evald said - if you simply ignore the investigations they'll expire. Safe links does auto-block the links today if you're applying the policy to your usrs - the action from the investigation is redundant right now. I'd suggest you definitely review any 'User compromise' and 'URL verdict change' investigation at a minimum. These are high severity because they are situations where the user may be compromised - so the other details in the investigation are particularly worth reviewing (user evidence, bad URLs, etc.).

Automate pending actions | Microsoft Community Hub

Evald Markinzon
Microsoft
Aug 11, 2020
Hi Joachim83 , Auto reject is not supported natively , however if you take no action to approve "block URL" or "Soft delete emails" the action will be expired in a month...

Could you please elaborate on the scenario / reason for auto reject?
- Joachim83
  Copper Contributor
  Aug 11, 2020
  Hi Evald Markinzon
  
  We want to automate as much as possible, so for these actions we want ZAP and native SafeLinks to automatically handle deleting emails and blocking URL.
  These extra pending actions are being generated in large volumes and create too many false positives, so we've decided to always reject them and perform these actions manually when necessary.
  To avoid alert fatigue and to better highlight the other Actions we need to evaluate, we want to automatically reject these actions so they don't flood the list.
  - Lior Ben Porat
    Microsoft
    Aug 17, 2020
    Hi Joachim83
    
    Beyond what was already discussed regrading the redundant actions, and your preference for manual investigation. Could you please elaborate more on the false-positives issue that you mentioned?
    
    Would be great if you could provide any concrete details so we can investigate this further and improve our investigation logic accordingly.
Thijs Lecomte
Bronze Contributor
Aug 09, 2020
As far as I know, it's not possible currently.
But the MTP API is being expanded as we speak, so I assume this will be possible in the future
- Dean_Gross
  Silver Contributor
  Jan 26, 2021
  Thijs Lecomte are you aware of any changes to the API for doing this type of automation? I have not been able to find anything. I'm hoping that there might be a preview program underway that I don't know about.
  - Thijs Lecomte
    Bronze Contributor
    Feb 03, 2021
    Dean_Gross there is no automation capabiliy as of yet. NO previews as far as I know.
    i hope this will come with the new Security Portal

Forum Discussion

Automate pending actions

Resources