From f46a2c3beef4b867125204d553c19a3ef4208052 Mon Sep 17 00:00:00 2001 From: MdamodaranNinja Date: Mon, 4 Nov 2024 17:32:09 -0500 Subject: [PATCH 1/5] Update mdo-sec-ops-manage-incidents-and-alerts.md Link to incidents page has been updated from https://security.microsoft.com/incidents-queue to https://security.microsoft.com/incidents on multiple lines in this document --- .../mdo-sec-ops-manage-incidents-and-alerts.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md index 175a995099..ec1f8beccc 100644 --- a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md 
@@ -27,7 +27,7 @@ appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents queue_. +An [incident](/defender-xdr/incidents-overview) in Microsoft Defender XDR is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 [alerts](/purview/alert-policies#default-alert-policies), [automated investigation and response (AIR)](air-about.md#the-overall-flow-of-air), and the outcome of the investigations are natively integrated and correlated on the **Incidents** page in Microsoft Defender XDR at . We refer to this page as the _Incidents_ queue. Alerts are created when malicious or suspicious activity affects an entity (for example, email, users, or mailboxes). Alerts provide valuable insights about in-progress or completed attacks. However, an ongoing attack can affect multiple entities, which results in multiple alerts from different sources. Some built-in alerts automatically trigger AIR playbooks. These playbooks do a series of investigation steps to look for other impacted entities or suspicious activity. 
@@ -36,7 +36,7 @@ Watch this short video on how to manage Microsoft Defender for Office 365 alerts Defender for Office 365 alerts, investigations, and their data are automatically correlated. When a relationship is determined, the system creates an incident to give security teams visibility for the entire attack. -We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: +We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at . This approach has the following benefits: - Multiple options for [management](/defender-xdr/manage-incidents): - Prioritization @@ -75,7 +75,7 @@ We strongly recommend that SecOps teams manage incidents and alerts from Defende > [!NOTE] > Incidents don't just represent static events. They also represent attack stories that happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR investigations, and their data are continuously added to the existing incident. -Manage incidents on the **Incidents** page in the Microsoft Defender portal at : +Manage incidents on the **Incidents** page in the Microsoft Defender portal at : :::image type="content" source="media/mdo-sec-ops-incidents.png" alt-text="Incidents page in the Microsoft Defender portal." lightbox="media/mdo-sec-ops-incidents.png"::: @@ -106,7 +106,7 @@ Security teams can take wide variety of response actions on email using Defender You can take these actions from the following locations: - - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). + - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). - **Threat Explorer** at . - The unified **Action center** at . From 5f46f974813a3f6e6673770b0bc6612ebe44719b Mon Sep 17 00:00:00 2001 
From: MdamodaranNinja Date: Mon, 4 Nov 2024 17:42:10 -0500 Subject: [PATCH 2/5] Update mdo-sec-ops-guide.md Link to incidents page has been updated from https://security.microsoft.com/incidents-queue to https://security.microsoft.com/incidents on two lines in this document --- defender-office-365/mdo-sec-ops-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-office-365/mdo-sec-ops-guide.md b/defender-office-365/mdo-sec-ops-guide.md index 17e661fc9b..101184755d 100644 --- a/defender-office-365/mdo-sec-ops-guide.md +++ b/defender-office-365/mdo-sec-ops-guide.md @@ -43,7 +43,7 @@ For a video about this information, see . ### Monitor the Microsoft Defender XDR Incidents queue -The **Incidents** page in the Microsoft Defender portal at (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365: +The **Incidents** page in the Microsoft Defender portal at (also known as the _Incidents_ queue) allows you to manage and monitor events from the following sources in Defender for Office 365: - [Alerts](/purview/alert-policies#default-alert-policies). - [Automated investigation and response (AIR)](air-about.md). 
@@ -64,7 +64,7 @@ Incident queue management and the responsible personas are described in the foll |Activity|Cadence|Description|Persona| |---|---|---|---| -|Triage incidents in the Incidents queue at .|Daily|Verify that all **Medium** and **High** severity incidents from Defender for Office 365 are triaged.|Security Operations Team| +|Triage incidents in the Incidents queue at .|Daily|Verify that all **Medium** and **High** severity incidents from Defender for Office 365 are triaged.|Security Operations Team| |Investigate and take Response actions on incidents.|Daily|Investigate all incidents and actively take the recommended or manual response actions.|Security Operations Team| |Resolve incidents.|Daily|If the incident has been remediated, resolve the incident. Resolving the incident resolves all linked and related active alerts.|Security Operations Team| |Classify incidents.|Daily|Classify incidents as true or false. For true alerts, specify the threat type. This classification helps your security team see threat patterns and defend your organization from them.|Security Operations Team| From 887f6595a0e07b28b3ea9584d17f28850869f736 Mon Sep 17 00:00:00 2001 From: Urja Gandhi <65732558+urgandhi@users.noreply.github.com> Date: Mon, 4 Nov 2024 15:07:15 -0800 Subject: [PATCH 3/5] Update safe-links-about.md Further note to include Onedrive for Business --- defender-office-365/safe-links-about.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/safe-links-about.md b/defender-office-365/safe-links-about.md index a268604cb2..977c2529ef 100644 --- a/defender-office-365/safe-links-about.md +++ b/defender-office-365/safe-links-about.md 
@@ -60,7 +60,7 @@ Safe Links protection by Safe Links policies is available in the following locat > - Safe Links doesn't provide protection for URLs in Rich Text Format (RTF) email messages. > - Safe Links supports only HTTP(S) and FTP formats. > - Safe Links ignores S/MIME signed messages. - > - Safe Links no longer wraps URLs pointing to SharePoint Online sites. SharePoint URLs are still processed by the Safe Links service. This change doesn't cause a degradation in the protection a tenant receives. It's intended to improve the performance of loading SharePoint URLs. + > - Safe Links no longer wraps URLs pointing to SharePoint Online sites or to Onedrive for Business sites. SharePoint URLs are still processed by the Safe Links service. This change doesn't cause a degradation in the protection a tenant receives. It's intended to improve the performance of loading SharePoint URLs. > - Using another service to wrap links before Defender for Office 365 might prevent Safe Links from process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link. - **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels. From 047be7fb8fb3005e4bfb14331df057a76f477f41 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Mon, 4 Nov 2024 16:26:23 -0800 Subject: [PATCH 4/5] Update safe-links-about.md --- defender-office-365/safe-links-about.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/safe-links-about.md b/defender-office-365/safe-links-about.md index 977c2529ef..30d91bd0db 100644 --- a/defender-office-365/safe-links-about.md +++ b/defender-office-365/safe-links-about.md 
@@ -60,7 +60,7 @@ Safe Links protection by Safe Links policies is available in the following locat > - Safe Links doesn't provide protection for URLs in Rich Text Format (RTF) email messages. > - Safe Links supports only HTTP(S) and FTP formats. > - Safe Links ignores S/MIME signed messages. - > - Safe Links no longer wraps URLs pointing to SharePoint Online sites or to Onedrive for Business sites. SharePoint URLs are still processed by the Safe Links service. This change doesn't cause a degradation in the protection a tenant receives. It's intended to improve the performance of loading SharePoint URLs. + > - Safe Links no longer wraps URLs pointing to SharePoint or OneDrive sites, but the URLs are still processed by the Safe Links service. This change doesn't degrade protection. Instead, it improves the performance of loading SharePoint or OneDrive URLs. > - Using another service to wrap links before Defender for Office 365 might prevent Safe Links from process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link. - **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels. From e6faaed237d764778c1600e264f58dd77d1652b6 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Date: Mon, 4 Nov 2024 16:44:30 -0800 Subject: [PATCH 5/5] Update defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md --- defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md index ec1f8beccc..fe7693ca3c 100644 --- a/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md +++ b/defender-office-365/mdo-sec-ops-manage-incidents-and-alerts.md 
@@ -106,7 +106,7 @@ Security teams can take wide variety of response actions on email using Defender You can take these actions from the following locations: - - The **Evidence and response** tab from the details of the incident on the **Incidents** page** at (recommended). + - The **Evidence and response** tab from the details of the incident on the **Incidents** page at (recommended). - **Threat Explorer** at . - The unified **Action center** at .
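Review bot: in PATCH 1/5, hunk @@ -27, the only visible textual change is the italics moving from `_Incidents queue_` to `_Incidents_ queue`, which emphasises only "Incidents" while the rest of this file (the @@ -36 and @@ -75 hunks) and the table in mdo-sec-ops-guide.md keep using "Incidents queue" as a single term; keep `_Incidents queue_` unless the split is applied consistently everywhere. The link target after "at" is empty on both the `-` and `+` lines, so the change from https://security.microsoft.com/incidents-queue to https://security.microsoft.com/incidents described in the commit message cannot be confirmed from the hunk; please check the rendered link resolves to the new URL.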
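Review bot: in PATCH 1/5, hunks @@ -36 and @@ -75 show identical `-` and `+` lines with an empty link target ("at ."), so no change is visible in either hunk; if the intent is only the URL update from the commit message, confirm the new target is present in the file, since a reviewer cannot see it here.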
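Review bot: in PATCH 1/5, hunk @@ -106, the `+` line keeps the stray `**` after "page" (`on the **Incidents** page** at`), leaving an unbalanced bold marker that renders as literal asterisks; PATCH 5/5 removes it, so squash that fix into this commit so the intermediate revision does not ship broken Markdown. The three bullets also all show an empty link target after "at", so the recommended Incidents page, Threat Explorer and Action center links should be checked in the rendered output.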
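Review bot: in PATCH 2/5, hunk @@ -43, the same italics split (`_Incidents queue_` to `_Incidents_ queue`) appears as in mdo-sec-ops-manage-incidents-and-alerts.md, and the table row in hunk @@ -64 shows no visible difference between its `-` and `+` lines; if the term is meant to read "the Incidents queue" throughout, keep the whole phrase in italics, and confirm the updated URL actually landed in the table cell, since the link text is empty in the hunk.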
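Review bot: in PATCH 3/5, hunk @@ -60, "Onedrive for Business" should be spelled "OneDrive for Business", and adding the clause to the first sentence leaves the next two sentences inconsistent: the bullet now says URLs to OneDrive sites are no longer wrapped, but "SharePoint URLs are still processed by the Safe Links service" and "loading SharePoint URLs" still mention only SharePoint, so a reader cannot tell whether OneDrive URLs are still checked. Reword the whole bullet to cover both services (PATCH 4/5 does this; squash it here). While in this block, the context line "might prevent Safe Links from process links" should read "from processing links".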
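Review bot: in PATCH 4/5, hunk @@ -60, the rewrite resolves the naming and the SharePoint-only follow-up sentences, but the key security statement, that unwrapped SharePoint or OneDrive URLs "are still processed by the Safe Links service" and that protection is not degraded, gives the reader no way to verify it; add one sentence saying which Safe Links checks still apply to an unwrapped URL, so that "doesn't degrade protection" is concrete rather than an assurance. Also confirm that dropping the "Online" and "for Business" qualifiers matches the product naming used elsewhere in this doc set.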
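Review bot: in PATCH 5/5, hunk @@ -106, removing the unbalanced `**` after "page" is correct, but this is a fix for Markdown that PATCH 1/5 in the same series left in place; squash it into PATCH 1/5 rather than landing it as a separate commit, so no revision in the series renders the stray asterisks.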