Email remediation actions now available in unified Action Center

Published May 11 2022 09:00 AM 1,781 Views
Microsoft

 

We are extremely happy to announce that all email related actions, taken automatically or manually by the security teams via the various Microsoft Defender for Office 365 and Microsoft 365 Defender experiences, are now available in the unified Action Center. Utilizing a new action focused , this capability helps SecOps to track and manage remediation actions through a single unified experience which saves time. Also, all email remediations follow a consistent framework i.e. all remediations will have an alert and investigation for it, additional filters to narrow down the results.

 

The Unified Action Center provides a comprehensive view of pending and completed remediation actions across the Microsoft 365 Defender products like endpoint, email & collaboration content, and identities in one location helping improve the efficiency and effectiveness of security operations teams.

 

What is email remediation?

 

Common Office 365 related attacks start through email, with attackers using various attack vectors to lure humans and use it as an entry to the enterprise. Once an attack is identified by our automation or as part of a Security Operation (SecOps) team’s investigation, SecOps would go ahead and take email remediations like soft delete, hard delete, move to junk, etc.

 

These email remediation actions are part of existing capabilities in Microsoft Defender for Office 365. Actions can be taken through Threat Explorer or Advanced Hunting after manual investigations performed by security teams, or can be taken through Automatic Investigation and  Response (AIR) by approving recommended actions.

 

Manual email remediation in unified Action Center

 

Following an entity selection from Threat Explorer and Advanced Hunting, an admin typically selects an action and executing the remediation. The side pane opens and as soon as the admin approves this action, they see the Approval ID and a link to the Microsoft 365 Defender Action Center, where actions can be tracked.

 

As the remediation starts, it generates an alert and an investigation in parallel. History and action logs for email actions (such as Soft Delete and Move to deleted items folder) are all conveniently available in a centralized view under the unified Action Center > History tab. This applies regardless of where the email action was taken from: Threat Explorer, Advanced Hunting, Automated Investigation, Incidents, or from the unified Action Center itself. Additional details can be found in product documentation. Additional guidance on taking action on advanced hunting query results is available here.

 

 

With this new flow, you’ll be able to view all the cross-workload action logs at Actions & Submissions > Action center -> History tab (https://security.microsoft.com/action-center/history) . Since the Microsoft Defender for Office 365 Action center is being retired, if your process is to track actions from the Action center in the Email & collaboration blade Email & Collaboration > Review > Action center( https://security.microsoft.com/threatincidents), please replace the URL with  unified action center Actions & Submissions > Action center -> History tab(  https://security.microsoft.com/action-center/history ).

 

From Threat Explorer:

soumyamishra_0-1652207866357.png

 

 

From Advanced hunting:

soumyamishra_3-1652207257972.png

 

 

 

Reviewing automated investigation actions in Unified Action Center

The unified Action Center also allows you to manage automated investigation actions, as follows:

 

Please visit the Action Center > Pending tab (https://security.microsoft.com/action-center/pending) review the list of actions that are awaiting approval. Upon approval you can see the logs in the Action Center > History tab (https://security.microsoft.com/action-center/history) tab.

 

Two step approvals

If you utilize a two-step approval process (An additional admin action is required as a result of permissions, or an additional review by other SecOps members is required), this functionality will also be available from the unified Action Center shortly. You can view and act on emails from  Action Center > Pending tab (https://security.microsoft.com/action-center/pending)  tab and then filter by approval ID and review the list of actions that are awaiting approval.

 

 

Next steps

We are excited about the new unified Action Center experience. As we progress towards general availability, the Office Action Center (https://security.microsoft.com/threatincidents) will be phased out. While we plan to automatically redirect users from the Office Action Center to the Unified Action Center, in the 60 days prior to this change you’ll see a banner in the Office Action Center pointing users to the new experiences.


For more information on the unified Action center in Microsoft 365 Defender, view our documentation.

 

 

 

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

 

 

 

 

 

 

 

%3CLINGO-SUB%20id%3D%22lingo-sub-3352996%22%20slang%3D%22en-US%22%3EEmail%20remediation%20actions%20now%20available%20in%20unified%20Action%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3352996%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20extremely%20happy%20to%20announce%20that%20all%20email%20related%20actions%2C%20taken%20automatically%20or%20manually%20by%20the%20security%20teams%20via%20the%20various%20Microsoft%20Defender%20for%20Office%20365%20and%20Microsoft%20365%20Defender%20experiences%2C%20are%20now%20available%20in%20the%20unified%20Action%20Center.%20Utilizing%20a%20new%20%3CSTRONG%3Eaction%20focused%20%3C%2FSTRONG%3E%2C%20this%20capability%20helps%20SecOps%20to%20track%20and%20manage%20remediation%20actions%20through%20a%20single%20unified%20experience%20which%20saves%20time.%20Also%2C%20all%20email%20remediations%20follow%20a%20consistent%20framework%20i.e.%20all%20remediations%20will%20have%20an%20alert%20and%20investigation%20for%20it%2C%20additional%20filters%20to%20narrow%20down%20the%20results.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Unified%20Action%20Center%20provides%20a%20%3CSTRONG%3Ecomprehensive%20view%20of%20pending%20and%20completed%20remediation%20actions%20%3C%2FSTRONG%3Eacross%20the%20%3CSTRONG%3EMicrosoft%20365%20Defender%20products%3C%2FSTRONG%3E%20like%20endpoint%2C%20email%20%26amp%3B%20collaboration%20content%2C%20and%20identities%20in%20one%20location%20helping%20improve%20the%20efficiency%20and%20effectiveness%20of%20security%20operations%20teams.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-420485401%22%20id%3D%22toc-hId-420663060%22%3E%3CSPAN%3EWhat%20is%20email%20remediation%3F%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ECommon%20Office%20365%20related%20attacks%20start%20through%20email%2C%20with%20attackers%20using%20various%20attack%20vectors%20to%20lure%20humans%20and%20use%20it%20as%20an%20entry%20to%20the%20enterprise.%20Once%20an%20attack%20is%20identified%20by%20our%20automation%20or%20as%20part%20of%20a%20Security%20Operation%20(SecOps)%20team%E2%80%99s%20investigation%2C%20SecOps%20would%20go%20ahead%20and%20take%20email%20remediations%20like%20soft%20delete%2C%20hard%20delete%2C%20move%20to%20junk%2C%20etc.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20email%20remediation%20actions%20are%20part%20of%20existing%20capabilities%20in%20Microsoft%20Defender%20for%20Office%20365.%20Actions%20can%20be%20taken%20through%20Threat%20Explorer%20or%20Advanced%20Hunting%20after%20manual%20investigations%20performed%20by%20security%20teams%2C%20or%20can%20be%20taken%20through%20Automatic%20Investigation%20and%20%26nbsp%3BResponse%20(AIR)%20by%20approving%20recommended%20actions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1386969062%22%20id%3D%22toc-hId--1386791403%22%3E%3CSPAN%3EManual%20email%20remediation%20in%20unified%20Action%20Center%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFollowing%20an%20entity%20selection%20from%20Threat%20Explorer%20and%20Advanced%20Hunting%2C%20an%20admin%20typically%20selects%20an%20action%20and%20executing%20the%20remediation.%20The%20side%20pane%20opens%20and%20as%20soon%20as%20the%20admin%20approves%20this%20action%2C%20they%20see%20the%20Approval%20ID%20and%20a%20link%20to%20the%20Microsoft%20365%20Defender%20Action%20Center%2C%20where%20actions%20can%20be%20tracked.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20the%20remediation%20starts%2C%20it%20generates%20an%20alert%20and%20an%20investigation%20in%20parallel.%20History%20and%20action%20logs%20for%20email%20actions%20(such%20as%20Soft%20Delete%20and%20Move%20to%20deleted%20items%20folder)%20are%20%3CSTRONG%3Eall%20conveniently%20available%20in%20a%20centralized%20view%3C%2FSTRONG%3E%20under%20the%20unified%20Action%20Center%20%26gt%3B%20History%20tab.%20This%20applies%20regardless%20of%20where%20the%20email%20action%20was%20taken%20from%3A%20Threat%20Explorer%2C%20Advanced%20Hunting%2C%20Automated%20Investigation%2C%20Incidents%2C%20or%20from%20the%20unified%20Action%20Center%20itself.%20Additional%20details%20can%20be%20found%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fremediate-malicious-email-delivered-office-365%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eproduct%20documentation%3C%2FA%3E.%20Additional%20guidance%20on%20taking%20action%20on%20advanced%20hunting%20query%20results%20is%20available%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Fadvanced-hunting-take-action%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20this%20new%20flow%2C%20you%E2%80%99ll%20be%20able%20to%20view%20all%20the%20cross-workload%20action%20logs%20at%20%3CSTRONG%3EActions%20%26amp%3B%20Submissions%3C%2FSTRONG%3E%26nbsp%3B%26gt%3B%26nbsp%3B%3CSTRONG%3EAction%20center%3C%2FSTRONG%3E%26nbsp%3B-%26gt%3B%26nbsp%3B%3CSTRONG%3EHistory%20tab%3C%2FSTRONG%3E%20(%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%3C%2FA%3E%3CSPAN%3E)%20%3C%2FSPAN%3E.%20Since%20the%20Microsoft%20Defender%20for%20Office%20365%20Action%20center%20is%20being%20retired%2C%20if%20your%20process%20is%20to%20track%20actions%20from%20the%20Action%20center%20in%20the%20Email%20%26amp%3B%20collaboration%20blade%20%3CSTRONG%3EEmail%20%26amp%3B%20Collaboration%3C%2FSTRONG%3E%26nbsp%3B%26gt%3B%20%3CSTRONG%3EReview%3C%2FSTRONG%3E%26nbsp%3B%26gt%3B%26nbsp%3B%3CSTRONG%3EAction%20center%3C%2FSTRONG%3E%3CSTRONG%3E(%3C%2FSTRONG%3E%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Fthreatincidents%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Fthreatincidents%3C%2FA%3E%3C%2FSPAN%3E)%2C%20please%20replace%20the%20URL%20with%20%26nbsp%3Bunified%20action%20center%20%3CSTRONG%3EActions%20%26amp%3B%20Submissions%3C%2FSTRONG%3E%26nbsp%3B%26gt%3B%26nbsp%3B%3CSTRONG%3EAction%20center%3C%2FSTRONG%3E%26nbsp%3B-%26gt%3B%26nbsp%3B%3CSTRONG%3EHistory%20tab%3C%2FSTRONG%3E%3CSTRONG%3E(%20%3C%2FSTRONG%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%3C%2FA%3E%3CSPAN%3E%20).%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20Threat%20Explorer%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Figure%201%3A%20Actions%20taken%20in%20Threat%20Explorer%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F370522i78596B4B65F179DF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22soumyamishra_0-1652207866357.png%22%20alt%3D%22soumyamishra_0-1652207866357.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20Advanced%20hunting%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Figure%202%3A%20Actions%20taken%20from%20Advanced%20hunting%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F370520i5EB64F3DB117DD6E%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22soumyamishra_3-1652207257972.png%22%20alt%3D%22soumyamishra_3-1652207257972.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1100543771%22%20id%3D%22toc-hId-1100721430%22%3E%3CSPAN%3EReviewing%20automated%20investigation%20actions%20in%20Unified%20Action%20Center%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3EThe%20unified%20Action%20Center%20also%20allows%20you%20to%20manage%20%3CSTRONG%3Eautomated%20investigation%20actions%3C%2FSTRONG%3E%2C%20as%20follows%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20visit%20the%20%3CSTRONG%3EAction%20Center%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EPending%3C%2FSTRONG%3E%20tab%20(%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fpending%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fpending%3C%2FA%3E)%20review%20the%20list%20of%20actions%20that%20are%20awaiting%20approval.%20Upon%20approval%20you%20can%20see%20the%20logs%20in%20the%20%3CSTRONG%3EAction%20Center%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EHistory%3C%2FSTRONG%3E%20tab%20(%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fhistory%3C%2FA%3E%3CSPAN%3E)%20%3C%2FSPAN%3Etab.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--706910692%22%20id%3D%22toc-hId--706733033%22%3ETwo%20step%20approvals%3C%2FH2%3E%0A%3CP%3EIf%20you%20utilize%20a%20two-step%20approval%20process%20(An%20additional%20admin%20action%20is%20required%20as%20a%20result%20of%20permissions%2C%20or%20an%20additional%20review%20by%20other%20SecOps%20members%20is%20required)%2C%20this%20functionality%20will%20also%20be%20available%20from%20the%20unified%20Action%20Center%20shortly.%20You%20can%20view%20and%20act%20on%20emails%20from%26nbsp%3B%20%3CSTRONG%3EAction%20Center%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EPending%3C%2FSTRONG%3E%20tab%20(%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fpending%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Faction-center%2Fpending%3C%2FA%3E)%20%26nbsp%3Btab%20and%20then%20filter%20by%20approval%20ID%20and%20review%20the%20list%20of%20actions%20that%20are%20awaiting%20approval.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1780602141%22%20id%3D%22toc-hId-1780779800%22%3E%3CSPAN%3ENext%20steps%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3EWe%20are%20excited%20about%20the%20new%20unified%20Action%20Center%20experience.%20As%20we%20progress%20towards%20general%20availability%2C%20the%20Office%20Action%20Center%20(%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Fthreatincidents%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Fthreatincidents%3C%2FA%3E%3CSPAN%3E)%20%3C%2FSPAN%3Ewill%20be%20phased%20out.%20While%20we%20plan%20to%20automatically%20redirect%20users%20from%20the%20Office%20Action%20Center%20to%20the%20Unified%20Action%20Center%2C%20in%20the%2060%20days%20prior%20to%20this%20change%20you%E2%80%99ll%20see%20a%20banner%20in%20the%20Office%20Action%20Center%20pointing%20users%20to%20the%20new%20experiences.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EFor%20more%20information%20on%20the%20unified%20Action%20center%20in%20Microsoft%20365%20Defender%2C%20view%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Fm365d-action-center%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDo%20you%20have%20questions%20or%20feedback%20about%20Microsoft%20Defender%20for%20Office%20365%3F%20Engage%20with%20the%20community%20and%20Microsoft%20experts%20in%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMDOForum%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDefender%20for%20Office%20365%20forum%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3352996%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20extremely%20happy%20to%20announce%20that%20all%20email%20related%20actions%20are%20now%20available%20in%20the%20unified%20Action%20Center.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3352996%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20365%20Defender%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERemediation%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎May 10 2022 05:12 PM
Updated by: