We are extremely happy to announce that all email related actions, taken automatically or manually by the security teams via the various Microsoft Defender for Office 365 and Microsoft 365 Defender experiences, are now available in the unified Action Center. Utilizing a new action focused , this capability helps SecOps to track and manage remediation actions through a single unified experience which saves time. Also, all email remediations follow a consistent framework i.e. all remediations will have an alert and investigation for it, additional filters to narrow down the results.
The Unified Action Center provides a comprehensive view of pending and completed remediation actions across the Microsoft 365 Defender products like endpoint, email & collaboration content, and identities in one location helping improve the efficiency and effectiveness of security operations teams.
What is email remediation?
Common Office 365 related attacks start through email, with attackers using various attack vectors to lure humans and use it as an entry to the enterprise. Once an attack is identified by our automation or as part of a Security Operation (SecOps) team’s investigation, SecOps would go ahead and take email remediations like soft delete, hard delete, move to junk, etc.
These email remediation actions are part of existing capabilities in Microsoft Defender for Office 365. Actions can be taken through Threat Explorer or Advanced Hunting after manual investigations performed by security teams, or can be taken through Automatic Investigation and Response (AIR) by approving recommended actions.
Manual email remediation in unified Action Center
Following an entity selection from Threat Explorer and Advanced Hunting, an admin typically selects an action and executing the remediation. The side pane opens and as soon as the admin approves this action, they see the Approval ID and a link to the Microsoft 365 Defender Action Center, where actions can be tracked.
As the remediation starts, it generates an alert and an investigation in parallel. History and action logs for email actions (such as Soft Delete and Move to deleted items folder) are all conveniently available in a centralized view under the unified Action Center > History tab. This applies regardless of where the email action was taken from: Threat Explorer, Advanced Hunting, Automated Investigation, Incidents, or from the unified Action Center itself. Additional details can be found in product documentation. Additional guidance on taking action on advanced hunting query results is available here.
If you utilize a two-step approval process (An additional admin action is required as a result of permissions, or an additional review by other SecOps members is required), this functionality will also be available from the unified Action Center shortly. You can view and act on emails from Action Center > Pending tab (https://security.microsoft.com/action-center/pending) tab and then filter by approval ID and review the list of actions that are awaiting approval.
We are excited about the new unified Action Center experience. As we progress towards general availability, the Office Action Center (https://security.microsoft.com/threatincidents) will be phased out. While we plan to automatically redirect users from the Office Action Center to the Unified Action Center, in the 60 days prior to this change you’ll see a banner in the Office Action Center pointing users to the new experiences.
For more information on the unified Action center in Microsoft 365 Defender, view our documentation.
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.