Threat investigation and response
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
Threat investigation and response capabilities in Microsoft Defender for Office 365 help security analysts and administrators protect their organization's Microsoft 365 for business users by:
- Making it easy to identify, monitor, and understand cyberattacks
- Helping to quickly address threats in Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams
- Providing insights and knowledge to help security operations prevent cyberattacks against their organization
- Employing automated investigation and response in Office 365 for critical email-based threats
Threat investigation and response capabilities provide insights into threats and related response actions that are available in the Security & Compliance Center. These insights can help your organization's security team protect users from email- or file-based attacks. The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and your security operations team can use this information to understand and respond to threats against your organization and protect your intellectual property.
Get acquainted with threat investigation and response tools
Threat investigation and response capabilities surface in the Security & Compliance Center, as a set of tools and response workflows, including the following:
Use the Threat dashboard (this is also referred to as the Security dashboard) to quickly see what threats have been addressed, and as a visual way to report to business decision makers how Microsoft 365 services are securing your business.
To view and use this dashboard, in the Security & Compliance Center, go to Threat management > Dashboard.
Use Threat Explorer (and real-time detections) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Threat Explorer (also referred to as Explorer) is the starting place for any security analyst's investigation workflow.
To view and use this report, in the Security & Compliance Center, go to Threat management > Explorer.
Use the Incidents list (this is also called Investigations) to see a list of in-flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation.
To view the list of current incidents for your organization, in the Security & Compliance Center, go to Threat management > Review > Incidents.
Use Attack Simulator to set up and run realistic cyberattacks in your organization, and identify vulnerable people before a real cyberattack affects your business. To learn more, see Attack Simulator in Office 365.
Automated investigation and response
Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever certain alerts are triggered, or when started by your security operations team. To learn more, see automated investigation and response in Office 365.
Threat intelligence widgets
As part of the Microsoft Defender for Office 365 Plan 2 offering, security analysts can review details about a known threat. This is useful for determining whether additional preventive measures can be taken to keep users safe.
How do we get these capabilities?
Microsoft 365 threat investigation and response capabilities are included in Microsoft Defender for Office 365 Plan 2, which is included in Enterprise E5 or as an add-on to certain subscriptions. To learn more, see Defender for Office 365 Plan 1 and Plan 2.
Required roles and permissions
Microsoft Defender for Office 365 uses role-based access control. Permissions are assigned through certain roles in Azure Active Directory, the Microsoft 365 admin center, or the Security & Compliance Center.
Although some roles, such as Security Administrator, can be assigned in the Security & Compliance Center, consider using either the Microsoft 365 admin center or Azure Active Directory instead. For information about roles, role groups, and permissions, see the following resources:
| Activity | Roles and permissions |
|---|---|
| Use the Threat dashboard (or the new Security dashboard); view information about recent or current threats | One of the following: |
| Use Threat Explorer (and real-time detections) to analyze threats | One of the following: |
| View Incidents (also referred to as Investigations); add email messages to an incident | One of the following: |
| Trigger email actions in an incident; find and delete suspicious email messages | One of the following: The Search and Purge role must be assigned in the Security & Compliance Center (https://protection.office.com). |
| Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint; integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server | Either the Global Administrator or the Security Administrator role assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com), plus an appropriate role assigned in additional applications (such as Microsoft Defender Security Center or your SIEM server). |
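Because the Search and Purge role is what allows an analyst to delete email from mailboxes, it is worth auditing who actually holds it. The following Security & Compliance PowerShell script is an added example (not from this page or from Microsoft's documentation) that lists every role group carrying that role and its members. It assumes the ExchangeOnlineManagement module is installed, that your account can read role groups, and that the management role is named 'Search And Purge' as displayed in the Security & Compliance Center.

```powershell
# Added example: audit which role groups (and which people) hold Search And Purge.
# Assumes the ExchangeOnlineManagement module is installed and that the caller
# already has a role that can read role groups in the Security & Compliance Center.
Import-Module ExchangeOnlineManagement

# Connect to Security & Compliance PowerShell (prompts for credentials / MFA).
Connect-IPPSSession

# Management role name as shown in the Security & Compliance Center (assumed spelling).
$roleName = 'Search And Purge'

# Role groups whose Roles list includes the Search And Purge management role.
$groupsWithRole = Get-RoleGroup | Where-Object { $_.Roles -contains $roleName }

if (-not $groupsWithRole) {
    Write-Output "No role group currently includes the '$roleName' role."
}

# For each such group, enumerate members so the list can be compared against
# the analysts who genuinely need to purge mail (least privilege check).
$report = foreach ($group in $groupsWithRole) {
    $members = @(Get-RoleGroupMember -Identity $group.Name)
    [pscustomobject]@{
        RoleGroup   = $group.Name
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

$report | Sort-Object MemberCount -Descending | Format-Table -AutoSize

# Optional: keep a dated snapshot so changes in membership can be reviewed later.
$report | Export-Csv -Path ".\SearchAndPurge-holders-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Review the resulting list against the people who are expected to trigger email actions in incidents, and remove anyone else from those role groups.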