Updates to Microsoft Defender for Office 365 events in Office 365 Management API
We have been working to meet the extensibility requirements of our customers, who are using the information around our detections within their custom tools. As part of this update, we are enhancing the information around Email Detections within Office 365 Management API.
This message is associated with Microsoft 365 Roadmap ID 70744
When this will happen:
We are expecting this rollout to begin in late June and expect the rollout to be fully completed by late July.
How this will affect your organization:
This enhancements includes introduction of new fields within Email Message events, such as:
- AdditionalActionsandResults: These include the post-delivery actions that were taken on an email e.g. ZAP or Admin Action, along with the result of that action
- Connectors: List of Connectors associated with the email
- Authentication Details: The authentication checks that are done for the email. This would include values like DKIM, DMARC, SPF, CompAuth and their result.
- SystemOverrides: This would help you identify if there was a tenant or user override which impacted the delivery of an email, and would help you determine the final override.
- Phish Confidence Level: Phish confidence level helps identify the degree of confidence with which an email was categorized as “phish.” The two possible values are High and Normal
In addition to lighting up in Email events (RecordType 28), these will also extend to MailMessage entity in AIR Events (RecordType 64)
NOTE: These are new fields, and this update does not include changes to existing attributes. Therefore, there should not be any impact on your existing workflows. Once these new fields are available, you can start leveraging them for your workflows.
What you need to do to prepare:
You might want to notify your admins about these enhancements and update your training and documentation as appropriate.
Message ID: MC260568