Forum Discussion
Automate pending actions
Hi Evald Markinzon
We want to automate as much as possible, so for these actions we want ZAP and native Safe Links to automatically handle deleting emails and blocking URLs.
These extra pending actions are being generated in large volumes and create too many false positives, so we've decided to always reject them and perform these actions manually when necessary.
To avoid alert fatigue and to better highlight the other Actions we need to evaluate, we want to automatically reject these actions so they don't flood the list.
Joachim83 - ZAP does automatically act on emails and is the source of many of these alerts. ZAP will perform the action chosen for that threat in the appropriate policy - so if you have phish set to junk, ZAP will auto-junk it.
However, there are cases where ZAP may not remediate the email - e.g. emails that were over 48 hours old with the malicious URL/file, phish emails where the user/organization had 'override policies' (e.g. safe sender, safe domain, ETRs, etc.), plus similar emails with different malicious links/files that don't get identified. I definitely hear your request for clearer needed actions. For the moment we want to make sure admins review and give us feedback when they disagree with aspects of the investigation. As Evald said - if you simply ignore the investigations they'll expire.
Safe Links does auto-block the links today if you're applying the policy to your users - the action from the investigation is redundant right now.
I'd suggest you definitely review any 'User compromise' and 'URL verdict change' investigation at a minimum. These are high severity because they are situations where the user may be compromised - so the other details in the investigation are particularly worth reviewing (user evidence, bad URLs, etc.).
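As an added illustration of the point above (this is not code from the thread or from Microsoft), an Exchange Online PowerShell audit that checks, for each anti-spam and Safe Links policy, whether ZAP and Safe Links are actually configured to cover the delete-email and block-URL actions AIR keeps proposing, and enumerates the override paths mentioned in the reply (allowed senders/domains, SCL -1 transport rules) that stop ZAP from remediating. It assumes the ExchangeOnlineManagement module and a role that can read policies; the property names are the ones documented for the current module, and the finding strings are my own.

```powershell
# Added example, not from the original thread: audit whether ZAP and Safe Links
# already cover the "soft delete email" / "block URL" actions AIR proposes,
# and list the override paths that keep ZAP from acting.
# Assumes: ExchangeOnlineManagement module; property names as in the current
# module (treat them as assumptions if your tenant's output differs).

Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. ZAP: the AIR delete action is redundant only where ZAP is on and the
#    policy verdict is a real remediation (Quarantine / MoveToJmf / Delete).
foreach ($p in Get-HostedContentFilterPolicy) {
    if (-not $p.ZapEnabled) {
        $findings.Add("[$($p.Name)] ZAP is disabled; AIR delete actions are NOT redundant here")
        continue
    }
    if (-not $p.PhishZapEnabled) { $findings.Add("[$($p.Name)] Phish ZAP is disabled") }
    if (-not $p.SpamZapEnabled)  { $findings.Add("[$($p.Name)] Spam ZAP is disabled") }
    foreach ($verdict in 'HighConfidencePhishAction', 'PhishSpamAction', 'SpamAction') {
        $action = $p.$verdict
        if ($action -notin 'Quarantine', 'MoveToJmf', 'Delete') {
            $findings.Add("[$($p.Name)] $verdict = $action; ZAP applies that, not a delete/quarantine")
        }
    }
    # Override path from the reply: allowed senders/domains bypass filtering,
    # so ZAP never touches those messages and the AIR action is the only remediation.
    if ($p.AllowedSenders.Count -gt 0 -or $p.AllowedSenderDomains.Count -gt 0) {
        $findings.Add("[$($p.Name)] $($p.AllowedSenders.Count) allowed senders / $($p.AllowedSenderDomains.Count) allowed domains (ZAP bypass)")
    }
}

# 2. Transport rules (ETRs) that set SCL -1 are the other override the reply mentions.
Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } |
    ForEach-Object { $findings.Add("[ETR] '$($_.Name)' sets SCL -1 (bypasses spam filtering and ZAP)") }

# 3. Safe Links: the AIR "block URL" action is redundant only for recipients a
#    Safe Links rule targets, with email scanning on and click-through off.
$rules = Get-SafeLinksRule | Where-Object { $_.State -eq 'Enabled' }
if (-not $rules) {
    $findings.Add("[SafeLinks] no enabled custom Safe Links rule; only Built-in protection / preset policies (Get-ATPProtectionPolicyRule) may apply")
}
foreach ($r in $rules) {
    $pol   = Get-SafeLinksPolicy -Identity $r.SafeLinksPolicy
    $scope = @($r.SentTo; $r.SentToMemberOf; $r.RecipientDomainIs) | Where-Object { $_ }
    $scopeText = ($scope -join ', ')
    if (-not $pol.EnableSafeLinksForEmail) { $findings.Add("[SafeLinks:$($pol.Name)] email scanning is off (scope: $scopeText)") }
    if ($pol.AllowClickThrough)            { $findings.Add("[SafeLinks:$($pol.Name)] users can click through to blocked URLs (scope: $scopeText)") }
    if ($pol.DoNotRewriteUrls.Count -gt 0) { $findings.Add("[SafeLinks:$($pol.Name)] $($pol.DoNotRewriteUrls.Count) 'do not rewrite' entries") }
    if (-not $scope)                       { $findings.Add("[SafeLinks:$($r.Name)] rule has no recipient condition; confirm who it applies to") }
}

if ($findings.Count -eq 0) { 'No gaps found: ZAP and Safe Links cover the redundant AIR actions.' }
else { $findings }

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before deciding to bulk-reject the delete-email and block-URL actions: each finding is a case where the AIR action is not redundant, and the safe-sender, safe-domain and SCL -1 entries are exactly the 48-hour-window-independent reasons the reply gives for ZAP leaving a message in the mailbox. Preset security policies and Built-in protection apply Safe Links without a Safe Links rule, so an empty rule list is a prompt to check those, not proof that nothing is protected.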
- TerrySu Oct 06, 2022 Copper Contributor
I know this is an old thread, but is there any way to auto-approve 'soft delete emails' or change policies so that they don't even reach the Action center? I'm seeing close to 1000 actions 'pending approval' per day and it's a pain to clear them manually.
- mzraib May 07, 2024 Copper Contributor
TerrySu Hey there! Were you ever able to figure out if there is a way to auto-approve the soft delete Actions that usually sit there in a Pending status until they time out if not acted upon?
- Josh_Butler Jul 11, 2024 Copper Contributor
mzraib I'd like to know how to automate this as well. We can't have someone going through thousands per day approving soft delete.
- Joachim83 Aug 13, 2020 Copper Contributor
We have a Power Automate job that automatically triggers a full MDATP antivirus scan and investigations on any computer a user has logged in to in the last 3 days when a High Threat Management Alert has been triggered by a user. These we do check after they have completed.
However the URL block actions are redundant like you mention as SafeLinks have already blocked them, so we want them automatically rejected.
And if ZAP doesn't automatically delete e-mails we will create manual remediation jobs, so we want to automatically decline the delete email actions as well.
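The scan automation Joachim83 describes, as an added example written against the Microsoft Defender for Endpoint API rather than Power Automate (this is my script, not the poster's flow). Given the account name from the alert, it finds the devices that account successfully logged on to in the last 3 days with an Advanced Hunting query and requests a full antivirus scan on each. It assumes an app registration with the AdvancedQuery.Read.All and Machine.Scan application permissions; the tenant/client values, environment variable names and the $AccountName input are placeholders, and how the alert itself triggers the script is left out.

```powershell
# Added example, not the poster's Power Automate job: on a high-severity alert
# for a user, full-scan every device that user logged on to in the last N days.
# Assumes an app registration with AdvancedQuery.Read.All and Machine.Scan;
# $TenantId/$ClientId/$ClientSecret and the env var names are placeholders.

param(
    [Parameter(Mandatory)] [string] $AccountName,   # e.g. 'jdoe', taken from the alert
    [string] $TenantId     = $env:MDE_TENANT_ID,
    [string] $ClientId     = $env:MDE_CLIENT_ID,
    [string] $ClientSecret = $env:MDE_CLIENT_SECRET,
    [int]    $LookbackDays = 3
)

# Client-credentials token scoped to the Defender for Endpoint API.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# Advanced Hunting: successful logons by this account in the window.
# The account name comes from an alert field, so escape quotes before it is
# spliced into the KQL string literal; a crafted name must not alter the query.
$safeName = $AccountName -replace '"', '\"'
$kql = @"
DeviceLogonEvents
| where Timestamp > ago(${LookbackDays}d)
| where AccountName =~ "$safeName"
| where ActionType == "LogonSuccess"
| distinct DeviceId, DeviceName
"@

$query = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
    -Body (@{ Query = $kql } | ConvertTo-Json)

foreach ($device in $query.Results) {
    $body = @{
        Comment  = "Full AV scan: high-severity alert involving $AccountName"
        ScanType = 'Full'
    } | ConvertTo-Json
    $action = Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$($device.DeviceId)/runAntiVirusScan" `
        -Body $body
    # The machine action id is what you poll later to check the scan completed,
    # which is the review step the post says happens after the scans finish.
    '{0}: scan requested, machine action id {1}' -f $device.DeviceName, $action.id
}
```

The query returns only devices with a successful logon, which is the "logged in to" condition in the post; if you also want devices where the account merely failed to log on, drop the ActionType filter. Keep the client secret out of the script body (the env var defaults are placeholders for a proper secret store), since this app can start actions on every onboarded device.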