To remediate malicious email, security teams need the Search and Purge role assigned to them. Role assignment is done through permissions in the Microsoft 365 Defender portal.

What you need to know before you begin

Admins can take the required action on emails, but to get those actions approved they must have the Search and Purge role assigned to them in the Email & collaboration permissions in the Microsoft 365 Defender portal. Without the Search and Purge role added to one of their role groups, they won't be able to execute the action.

Because email actions create automated investigations in the backend, you need to enable Automated Investigation. Go to Settings > Endpoints > Advanced features and turn on Automated Investigation.

Manual hunting occurs when security teams identify threats manually by using the search and filtering capabilities in Explorer. Manual email remediation can be triggered from any email view (Malware, Phish, or All email) after you identify a set of emails that need to be remediated.

Security teams can use Explorer to select emails in several ways:

- Choose emails by hand: Use filters in the various views.
- Query selection: Select an entire query by using the top Select all button. The same query is also shown in the Action center mail submission details. Customers can submit a maximum of 200,000 emails from Threat Explorer.
- Query selection with exclusion: Sometimes security operations teams want to remediate emails by selecting an entire query and manually excluding certain emails from it. To do so, an admin can use the Select all check box and then scroll down to exclude emails manually. The query can hold a maximum of 200,000 emails.

Once emails are selected through Explorer, you can start remediation by taking direct action or by queuing up emails for an action:

- Direct approval: When an action such as move to inbox, move to junk, move to deleted items, soft delete, or hard delete is selected by security personnel who have the appropriate permissions, and the next steps in remediation are followed, the remediation process begins to execute the selected action.

As the remediation kicks off, it generates an alert and an investigation in parallel. The alert shows up in the alerts queue with the name "Administrative action submitted by an Administrator", indicating that security personnel took the action of remediating an entity. It presents details such as the name of the person who performed the action, a link to the supporting investigation, and the time. This makes it easy to know every time a high-impact action like remediation is performed on entities.
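The approval gate described above, modelled as an added illustration (not Microsoft code or any Defender API): it resolves the three selection modes, refuses submissions from actors without the Search and Purge role, enforces the 200,000-email cap, and emits the audit record the alert carries. The `Selection` shape, the alert dictionary and all sample ids are assumptions.

```python
"""Added model of the Threat Explorer remediation gate; the Selection
class, alert shape and sample ids are assumptions, not Microsoft's API."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_SUBMISSION = 200_000            # cap stated for Explorer submissions
REQUIRED_ROLE = "Search and Purge"  # role needed to get the action approved
ALERT_TITLE = "Administrative action submitted by an Administrator"
ALLOWED_ACTIONS = {"move to inbox", "move to junk", "move to deleted items",
                   "soft delete", "hard delete"}


@dataclass
class Selection:
    """Emails chosen in Explorer: by hand, whole query, or query minus exclusions."""
    mode: str                                           # "manual" | "query" | "query_exclude"
    query_results: list = field(default_factory=list)   # ids matched by the query
    picked: list = field(default_factory=list)          # ids ticked by hand
    excluded: set = field(default_factory=set)          # ids un-ticked after Select all


def resolve_selection(sel: Selection) -> list:
    """Turn a selection into the concrete list of message ids to submit."""
    if sel.mode == "manual":
        return list(sel.picked)
    if sel.mode == "query":
        return list(sel.query_results)
    if sel.mode == "query_exclude":
        return [m for m in sel.query_results if m not in sel.excluded]
    raise ValueError(f"unknown selection mode: {sel.mode}")


def submit_remediation(sel: Selection, action: str, actor: str,
                       roles: set, investigation_link: str) -> dict:
    """Approve a direct action and return the audit alert, or raise."""
    if REQUIRED_ROLE not in roles:
        raise PermissionError(f"{actor} lacks the {REQUIRED_ROLE} role")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    ids = resolve_selection(sel)
    if len(ids) > MAX_SUBMISSION:
        raise ValueError(f"{len(ids)} emails exceeds the {MAX_SUBMISSION} cap")
    # Details the alert surfaces: who acted, what, on how many, and the linked investigation.
    return {
        "alert": ALERT_TITLE, "actor": actor, "action": action,
        "count": len(ids), "investigation": investigation_link,
        "time": datetime.now(timezone.utc).isoformat(),
    }
```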