[MDO] Investigation updates for improved email threats and actions
Microsoft is improving Automated Investigation and Response (AIR) in Defender for Office 365.
The rollout of the updated email clustering will begin today, June 21st.
- Investigations will now only queue actions for approval when malicious emails are still in the mailbox (determined by the latest delivery location rather than the original one).
- Investigations only queue actions for malware or high-confidence phish. Spam and normal phish are marked suspicious, with no actions queued. This reduces the number of investigations requiring action and focuses them on the most significant problems.
- Investigations that are pending approval will refresh their email results periodically. If, after a refresh, all malicious emails have been removed, the pending actions are closed. If all actions have already been taken elsewhere, the investigation changes to remediated and its alerts are resolved.
This gives security teams clear visibility into current problems, rather than previously identified issues that may already have been resolved.