
Remediation actions from AIR in Microsoft Defender for Office 365 Plan 2

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 often results in remediation actions that require approval from your security operations (SecOps) team.

In some cases, AIR doesn't result in specific remediation actions. To further investigate and take appropriate actions, use the guidance in the following table.

| Category | Threat/risk | Remediation actions |
|---|---|---|
| Email | Malware | Soft delete email/cluster. If more than a handful of related messages contain malware, the entire cluster is considered to be malicious. |
| Email | A malicious URL was detected by Safe Links. | Soft delete email/cluster. Block URL at time-of-click. The message that contains a malicious URL is considered to be malicious. |
| Email | Phishing | Soft delete email/cluster. If more than a handful of related messages contain phishing attempts, the entire cluster is considered to be a phishing attempt. |
| Email | Phishing email delivered and then removed by zero-hour auto purge (ZAP). | Soft delete email/cluster. To see if ZAP removed a message, see How to see if ZAP moved your message. |
| Email | User reported phishing email | Automated investigation triggered by the user's report. |
| Email | Volume anomaly (recent email quantities exceed the previous 7-10 days for matching criteria). | No specific pending actions from AIR. A volume anomaly isn't a clear threat. Although a high volume of email can indicate potential issues, confirmation is required in terms of either malicious verdicts or a manual review of email messages/clusters. For more information, see Find suspicious email that was delivered. |
| Email | No threats found (the system found no threats based on files, URLs, or analysis of email cluster verdicts). | No specific pending actions from AIR. Threats found and removed by ZAP after a completed investigation aren't reflected in an investigation's numerical results, but such threats are viewable in Threat Explorer. |
| User | A user clicked a malicious URL (a user visited a page that was later found to be malicious, or bypassed a Safe Links warning page to get to a malicious page). | No specific pending actions from AIR. Block URL at time-of-click. Use Threat Explorer to view data about URLs and click verdicts. If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised. |
| User | User sending malware/phishing messages | No specific pending actions from AIR. The user might be reporting malware/phishing messages, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phishing. |
| User | Automatic external email forwarding (SMTP forwarding, Inbox rules, or Exchange mail flow rules (also known as transport rules) could be used for data exfiltration). | Remove the forwarding rule or configuration. Use the Autoforwarded messages report to view specific details about forwarded email. |
| User | Email delegation (an account has delegations set up). | Remove delegations. If your organization is using Defender for Endpoint, consider investigating the user with the delegation permission. |
| User | Data exfiltration (a user violated email or file-sharing DLP policies). | AIR doesn't result in a specific pending action. Get started with Activity Explorer. |
| User | Anomalous email sending (a user recently sent more email than during the previous 7-10 days). | No specific pending actions from AIR. Sending a large volume of email isn't necessarily malicious (for example, the user might have sent email to a large group of recipients for an event). To investigate, use the New users forwarding email insight and Outbound message report in the Exchange admin center (EAC). |
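The "Automatic external email forwarding" and "Email delegation" rows leave the removal to the SecOps team. The following Exchange Online PowerShell script is an added example, not Microsoft's code or part of this page: it enumerates the three forwarding paths the table names (mailbox-level SMTP forwarding, Inbox rules, and mail flow rules) plus Full Access and Send on Behalf delegations, reports them, and only removes anything when run with -Remediate. It assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator role, and that forwarding targets render as `smtp:user@example.com` or `Name [SMTP:user@example.com]` strings (the regex in Test-ExternalAddress depends on that assumption).

```powershell
<#
  Added example, not Microsoft's code: audit external forwarding and delegation
  across all user mailboxes. Reports by default; the Set-Mailbox / Remove-*
  lines run only with -Remediate, and -WhatIf previews what -Remediate would do.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# "External" means any domain the tenant does not accept mail for.
$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { ([string]$_).ToLower() })

function Test-ExternalAddress {
    param([string]$Address)
    # Assumption: targets look like 'smtp:user@example.com' (mailbox setting) or
    # 'Display Name [SMTP:user@example.com]' (inbox rule); extract the address from either.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # a directory object, not an SMTP address
    $domain = ($Address -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Mailbox, [string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Detail = $Detail })
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level SMTP forwarding (set by the user in Outlook or by an admin).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        Add-Finding $upn 'SmtpForwarding' $mbx.ForwardingSmtpAddress
        if ($Remediate -and $PSCmdlet.ShouldProcess($upn, 'Clear mailbox forwarding')) {
            Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 2. Inbox rules that forward, forward as attachment, or redirect to an external address.
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { [string]$_ }
        $external = @($targets | Where-Object { Test-ExternalAddress $_ })
        if ($external.Count -gt 0) {
            Add-Finding $upn 'InboxRuleForwarding' "$($rule.Name) -> $($external -join ', ')"
            if ($Remediate -and $PSCmdlet.ShouldProcess("$upn rule '$($rule.Name)'", 'Remove inbox rule')) {
                Remove-InboxRule -Mailbox $mbx.Identity -Identity $rule.Identity -Confirm:$false
            }
        }
    }

    # 3. Delegation: explicit (non-inherited) Full Access grants and Send on Behalf entries.
    $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and
                       ([string]$_.User) -notlike 'NT AUTHORITY\*' }
    foreach ($perm in $fullAccess) {
        Add-Finding $upn 'FullAccessDelegate' ([string]$perm.User)
        if ($Remediate -and $PSCmdlet.ShouldProcess("$upn delegate $($perm.User)", 'Remove Full Access')) {
            Remove-MailboxPermission -Identity $mbx.Identity -User $perm.User -AccessRights FullAccess -Confirm:$false
        }
    }
    foreach ($delegate in @($mbx.GrantSendOnBehalfTo)) {
        if ($delegate) { Add-Finding $upn 'SendOnBehalfDelegate' ([string]$delegate) }
    }
}

# 4. Tenant-wide mail flow (transport) rules that copy or redirect mail externally.
#    Reported only: these are admin-created and need a change-control decision, not a script.
foreach ($tr in Get-TransportRule) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.CopyTo) + @($tr.AddToRecipients) |
        Where-Object { $_ } | ForEach-Object { [string]$_ }
    $external = @($targets | Where-Object { Test-ExternalAddress $_ })
    if ($external.Count -gt 0) {
        Add-Finding '(transport rule)' "TransportRule:$($tr.State)" "$($tr.Name) -> $($external -join ', ')"
    }
}

$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
```

Run it once without switches to get the review list, compare against the Autoforwarded messages report named in the table, then rerun with `-Remediate -WhatIf` before committing to `-Remediate`. Get-InboxRule is a per-mailbox call, so expect the enumeration to take a while in a large tenant; Send on Behalf entries are reported rather than removed because the same grant is often legitimate for assistants and shared roles.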

Next steps