Automated Investigation and Response
Upgraded to Defender for 365 P2 based on the idea of setting automated responses to certain alerts. That's how it was described. Now I'm trying to enable and configure it. The documentation has bounced me around 20 different articles for XDR, Defender Enterprise, Defender for Business... I do not see anywhere to configure the automation in Defender. One doc points me https://security.microsoft.com/securitysettings/endpoints/integration for making sure it's enabled. when I open this, and go down to Automation, it's simply an empty list of device groups. We don't use Device groups - we don't use Defender Endpoint. Has anyone configured this in a non-XDR environment? What I'm encountering and what was advertised seem very different...
Quarantine - Certain Users Not Showing
We have our environment setup to where we get active alerts for any emails that are requested to be released from quarantine. My team then goes in and looks at the email to make sure it is legit enough to be released. Since we have been doing this, we have noticed that certain users will not show up in the quarantine section from time to time. Even though I can pull up the email in Explorer and verify that it was sent to quarantine, it cannot be searched or found in there. I was even able to verify several OTHER users who received these quarantined emails and they do show up. I thought at one point it was just certain emails but recently verified that it is the user themselves. Even though I can verify that 100+ emails have been received and sent to quarantine in the past 30 days by a user, NONE of them show up in the actual quarantine section of Microsoft 365 Defender no matter how it is searched for. Does anyone have any possible fixes for this? It is very frustrating if we are trying to manage these emails for our end users.
Notification for pending actions
I'm having an issue where Defender isn't notifying me on pending actions like deleting an email and it's not waiting long enough for me to approve actions. Example: An email is delivered at 6pm (after hours) with a malicious URL. Defender detects it and ZAPs the URL automatically and sends me a useless alert "Email messages containing malicious URL removed after delivery". Sometimes this alert requires my intervention, sometimes not but the same alert comes through every time so I have to check every time. The next morning I come in around 8 and see the useless alerts and go to my Actions queue and all the pending actions have now timed out so now I'm hunting to get rid of these messages. If I could get notified when I need to take action I can disable the useless alert telling me it zapped a URL as not every ZAP requires Admin intervention. I could also configure this "admin approval required" alert to text me so I can take action immediately instead of the next time I check my email. I have 2 questions: 1. How do I setup Defender to send me a notification whenever I have pending actions? 2. How can I change the default behavior of the automated investigations? Ideally, if Defender finds a bad URL or attachment I'd rather have it just soft delete without my intervention.