Dealing with "Email reported by user as malware or phish"

We're working through automation of our Defender 365 incidents in Sentinel to try and reduce the operational load on our team.

One of the most common incidents we receive is "Email reported by user as malware or phish". We were hoping to use the result of the automated investigation to determine whether the automated action should be approved, but I have no idea how to get the result of the automated investigation into a playbook.

Does anyone have any suggestions? How do you deal with these types of incidents?

Thanks!

1 Reply

@mongie105 @Abhishek Agrawal (CDM) @Scott Landry is there a Graph API for the result of an MDO Investigation that Sentinel can query?
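Added example, not part of either post above: one way a Sentinel playbook could turn an investigation outcome into an approve/hold decision is to read the per-entity verdicts that the Microsoft Graph security API exposes on the alert (`GET /security/alerts_v2/{id}`, `evidence[].verdict` and `evidence[].remediationStatus` on the `alertEvidence` resource). The code assumes the playbook has already fetched that alert JSON with a token holding `SecurityAlert.Read.All`; the alert payloads embedded below are constructed sample data, and the action names and the `decide()` helper are this example's own, not anything the thread or Microsoft defines.

```python
"""
Decide what to do with a pending automated-investigation action on a
"Email reported by user as malware or phish" alert, from the evidence
verdicts in a Microsoft Graph security alert (alerts_v2).

Assumed (not stated in the thread): the caller fetches
GRAPH_ALERT_URL with a Graph app token and passes the decoded JSON here.
Sample alerts at the bottom are constructed for this example.
"""
from dataclasses import dataclass
from typing import Any

GRAPH_ALERT_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2/{alert_id}"

# Evidence types that describe the reported message itself (the mail, its URLs,
# its attachments). Mailbox/user evidence is context and typically carries an
# "unknown" verdict, so it must not be allowed to keep the decision on hold.
MAIL_EVIDENCE_TYPES = {
    "#microsoft.graph.security.mailMessageEvidence",
    "#microsoft.graph.security.urlEvidence",
    "#microsoft.graph.security.fileEvidence",
}


@dataclass(frozen=True)
class Decision:
    action: str  # "approve" | "no_action" | "close_as_false_positive" | "hold"
    reason: str
    malicious: int
    clean: int
    undetermined: int
    pending_remediation: int


def graph_alert_url(alert_id: str) -> str:
    """URL the playbook's HTTP step would call to fetch the alert (assumed)."""
    return GRAPH_ALERT_URL.format(alert_id=alert_id)


def decide(alert: dict[str, Any]) -> Decision:
    """Map evidence verdicts to a playbook action. Never approves on a partial verdict."""
    evidence = [e for e in alert.get("evidence", []) if e.get("@odata.type") in MAIL_EVIDENCE_TYPES]
    malicious = [e for e in evidence if e.get("verdict") == "malicious"]
    clean = [e for e in evidence if e.get("verdict") == "noThreatsFound"]
    # Anything else ("unknown", "suspicious", or no verdict yet) is undetermined.
    undetermined = len(evidence) - len(malicious) - len(clean)
    # remediationStatus "none" means the investigation still wants an action;
    # "remediated", "prevented", "blocked" or "notFound" need nothing from us.
    pending = [e for e in malicious if e.get("remediationStatus", "none") == "none"]
    counts = dict(malicious=len(malicious), clean=len(clean),
                  undetermined=undetermined, pending_remediation=len(pending))

    if not evidence or undetermined:
        return Decision("hold", "investigation has not produced a verdict for every mail entity", **counts)
    if malicious and pending:
        return Decision("approve", f"{len(pending)} malicious entity(ies) still await remediation", **counts)
    if malicious:
        return Decision("no_action", "malicious entities were already remediated or blocked", **counts)
    return Decision("close_as_false_positive", "every mail entity came back noThreatsFound", **counts)


def _alert(status: str, *evidence: dict[str, Any]) -> dict[str, Any]:
    return {"title": "Email reported by user as malware or phish", "status": status,
            "serviceSource": "microsoftDefenderForOffice365", "evidence": list(evidence)}


MAIL = "#microsoft.graph.security.mailMessageEvidence"
URL = "#microsoft.graph.security.urlEvidence"
MAILBOX = "#microsoft.graph.security.mailboxEvidence"

# Constructed sample alerts (not real data).
SAMPLE_ALERTS: dict[str, dict[str, Any]] = {
    "true_positive": _alert("inProgress",
        {"@odata.type": MAIL, "verdict": "malicious", "remediationStatus": "none", "subject": "Invoice overdue"},
        {"@odata.type": URL, "verdict": "malicious", "remediationStatus": "blocked", "url": "http://invoice-portal.example/"},
        {"@odata.type": MAILBOX, "verdict": "unknown", "remediationStatus": "none", "primaryAddress": "user@example.com"}),
    "false_positive": _alert("resolved",
        {"@odata.type": MAIL, "verdict": "noThreatsFound", "remediationStatus": "none", "subject": "Team lunch"},
        {"@odata.type": URL, "verdict": "noThreatsFound", "remediationStatus": "none", "url": "https://intranet.example/"}),
    "still_running": _alert("new",
        {"@odata.type": MAIL, "verdict": "unknown", "remediationStatus": "none", "subject": "Password expiry"}),
    "already_remediated": _alert("resolved",
        {"@odata.type": MAIL, "verdict": "malicious", "remediationStatus": "remediated", "subject": "Payroll update"}),
}


def triage_all(alerts: dict[str, dict[str, Any]]) -> dict[str, str]:
    """Name -> action, the shape a playbook would log back to the incident."""
    return {name: decide(a).action for name, a in alerts.items()}


if __name__ == "__main__":
    for name, alert in SAMPLE_ALERTS.items():
        d = decide(alert)
        print(f"{name:18} {d.action:24} {d.reason} {d}")
```

The useful property is the asymmetry: the action is approved only when every mail-related entity has a final verdict and at least one is malicious with remediation still pending; any "unknown" or "suspicious" verdict, or an alert with no evidence yet, stays with an analyst rather than being auto-approved.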