May 22, 2025
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs.
In January of this year, we shared an example of how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365.
Today, we are excited to announce the release of an updated version of the Microsoft Defender for Office 365 Detections and Insights – Microsoft Sentinel workbook.
Over the past few months, we have received feedback from numerous security teams, offering a multitude of ideas for new insights, updated visuals, and improved structure for the workbook. We have incorporated these suggestions into this update to enhance the experience for all users of the Microsoft Defender for Office 365 Detections and Insights workbook.
What’s new?
We have restructured the workbook so that visuals and insights on the same topic sit together on their own tab. We have also added many new visuals and updated existing ones.
Using tabs for easier navigation
Use the tabs at the top of the workbook to navigate between the groups of insights.
Notable changes:
- False Positive and False Negative Submissions insights now each have their own tab
- A new Quarantine Insights tab has been added
The complete list of tabs is:
Detection Overview | Email – Malware Detections | Email – Phish Detections | Email – Spam Detections | URL Detections and Clicks | Email – Top Users/Senders | Email – Detection Overrides | False Negative (FN) Submissions | False Positive (FP) Submissions | File – Malware Detections (SharePoint, Teams and OneDrive) | Post Delivery Detections and Admin Actions | Quarantine Insights
Please note: The workbook has 12 tabs in total. If not all tabs are visible, the remaining tabs are available under the "…" at the right-hand end of the tab list.
New insights and visuals
We have added new insights and visuals to help security team members better understand their email security posture.
Some examples:
- Detection Overview tab – Bad traffic percentage (%) – Inbound Emails: visualizes bad traffic (the percentage of inbound emails carrying a threat) against total inbound email volume over time, summarized daily.
- Email – Malware Detections / Email – Phish Detections tabs – Zero Day detections (URL & Attachment detonation): visualizes total emails with Malware/Phish detections over time, summarized daily, by the detection technologies used to catch previously unknown malware and phish (URL detonation, File detonation).
- Email – Phish Detections tab – Top Domains Outbound with Emails with Threats Inbound (Partner BEC): visualizes the top recipient domains by outbound email volume alongside the number of inbound emails with threats received from those same domains (as inbound senders). A domain your organization emails heavily that is also sending you threats is the typical sign of a compromised partner.
- Email – Malware/Phish/Spam Detection tabs – Detections by delivery location: visualizes total emails with Malware/Phish/Spam detections over time, summarized daily, by Delivery Location. This shows how many detected emails still land in users' Junk Email folders, where they can be opened, rather than in Quarantine, and helps security teams make the case for changing the filter verdict action from Move to Junk Email folder to Quarantine.
- URL Detections and Clicks tab – Top malicious URLs clicked by users: visualizes the top malicious URLs by the number of click attempts made by users.
- False Negative (FN) Submissions tab – new insights: whether a user-defined filter verdict override (such as an Outlook Safe Senders entry) changed the delivery action of the reported email, the top 10 inbound P2 sender domains of reported emails, the top subjects of internal emails reported by users as phish, and the number of user-reported phish emails that were already in the Junk Email folder.
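As an added example of the kind of KQL that sits behind these visuals (illustrative code written for this post, not the workbook's own query), the following reproduces the Detection Overview bad-traffic percentage and the Malware/Phish/Spam detections-by-delivery-location insight in a single daily summary. It assumes the Defender XDR connector streams the EmailEvents table into your Sentinel workspace; the 30-day window is an assumption, and the DeliveryLocation values are the documented ones for that table.

```kusto
// Added example, not the workbook's own query. Assumes EmailEvents is
// streamed into the workspace by the Defender XDR connector. The lookback
// window is an assumption; adjust it to your retention and reporting period.
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
// ThreatTypes is empty for clean mail; otherwise it holds "Malware",
// "Phish", "Spam" or a comma-separated combination of them.
| extend HasThreat = isnotempty(ThreatTypes)
| summarize
    TotalInbound       = count(),
    WithThreats        = countif(HasThreat),
    // DeliveryLocation is where the message was originally delivered.
    // Use LatestDeliveryLocation instead if you want to see where the mail
    // sits after post-delivery actions such as ZAP.
    ThreatsInInbox     = countif(HasThreat and DeliveryLocation == "Inbox/folder"),
    ThreatsInJunk      = countif(HasThreat and DeliveryLocation == "Junk folder"),
    ThreatsQuarantined = countif(HasThreat and DeliveryLocation == "Quarantine"),
    ThreatsBlocked     = countif(HasThreat and DeliveryLocation in ("Failed", "Dropped"))
    by Day = bin(Timestamp, 1d)
// Bad traffic %: share of inbound mail that carried a threat verdict
| extend BadTrafficPct = round(100.0 * WithThreats / TotalInbound, 2)
| order by Day asc
```

In a workbook, render BadTrafficPct as a time chart and the ThreatsIn* columns as a stacked area chart. A persistently high ThreatsInJunk relative to ThreatsQuarantined is the signal the text refers to: detected mail is still reaching mailboxes where a user can open it, and the anti-spam and anti-phish policy actions should be moved to Quarantine.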
Updated Insights
We have updated existing insights by adding additional information to them or visualizing the raw data in a different way.
Some examples:
- Email – Malware/Phish/Spam Detection tabs – the Top 10 sender domains table (for example, Top 10 Domains sending Malware) now also shows the total emails sent by each sender domain and the bad traffic % from that domain, so a domain sending a few bad messages out of a large legitimate volume can be told apart from one whose traffic is mostly bad.
- Grid views are now searchable.
- False Negative (FN) Submissions and False Positive (FP) Submissions are now separated onto their own tabs, and the existing insights have been updated to give a clearer picture of what users and security team members are submitting.
- The malware family visuals on the Email – Malware Detections and File – Malware Detections (SharePoint, Teams and OneDrive) tabs now use a searchable grid.
How can I get the updated version?
The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel – Content hub. Version 3.0.12 of the solution has the updated workbook template.
If you already have the Microsoft Defender XDR solution deployed, version 3.0.12 is available now as an update. After you install the update, you will have the new workbook template available to use.
If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use.
How to share the workbook with others
Using Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is that recipients would need access to Microsoft Sentinel, or to all of the tables in the workspace, just to view a report. By combining a few Azure RBAC components you can grant access to the workbook with a narrower scope.
For details, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC post on the Microsoft Sentinel Blog.
Can I edit the workbook and change the visuals?
Yes, absolutely. Microsoft Defender for Office 365 Detections and Insights is a workbook template in Microsoft Sentinel. It is ready to use with a few clicks, but when needed you can save the workbook and edit it to fit your organization's needs.
Each visual can be customized, and you can review the KQL behind it.
After saving the workbook, open it in edit mode, then adjust the underlying KQL query, change the visual type, or create new insights.
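For instance, the following added query (written for this post, not the workbook's own KQL) implements the Partner BEC idea from the Phish Detections tab: it correlates the domains your organization sends the most mail to with inbound threats arriving from those same domains. You could paste something like it into a new or existing visual while editing the workbook. The 30-day window and the top-50 cut-off are assumptions; the column names are those of the EmailEvents table.

```kusto
// Added example, not the workbook's own query. Window and cut-off are
// assumptions; adjust them to your mail volume.
let lookback = 30d;
// Step 1: the domains your organization emails most (candidate partners),
// taken from the recipient address of outbound mail.
let OutboundPartners = EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Outbound"
    | extend PartnerDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
    | where isnotempty(PartnerDomain)
    | summarize OutboundEmails = count(), Recipients = dcount(RecipientEmailAddress) by PartnerDomain
    | top 50 by OutboundEmails;
// Step 2: inbound mail with a threat verdict whose header From (P2) domain
// is one of those partner domains.
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where isnotempty(ThreatTypes)
| extend PartnerDomain = tolower(SenderFromDomain)
| summarize
    InboundWithThreats = count(),
    ThreatTypesSeen    = make_set(ThreatTypes),
    LastSeen           = max(Timestamp)
    by PartnerDomain
| join kind=inner OutboundPartners on PartnerDomain
| project PartnerDomain, OutboundEmails, Recipients, InboundWithThreats, ThreatTypesSeen, LastSeen
| order by InboundWithThreats desc
```

Treat the rows as leads rather than verdicts. SenderFromDomain is the header From (P2) domain, which an attacker can spoof, so before concluding that a partner is compromised rather than impersonated, check the AuthenticationDetails column (SPF, DKIM and DMARC results) on the individual messages, for example by filtering EmailEvents on the flagged domain.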
More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn
Why use workbooks in Microsoft Sentinel for email security reports and insights?
There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the Defender XDR advanced hunting tables into your workspace:
- You can keep data for longer by configuring a longer retention period on the tables your workbooks use. For example, you can retain the EmailEvents table for one year and build visuals over that longer period.
- You can configure auto-refresh for the workbook to keep the data shown up to date.
- You can access ready-to-use workbook templates and customize them if it’s needed.
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.
More information
- Integrate Microsoft Defender XDR with Microsoft Sentinel
- Learn more about Microsoft Sentinel workbooks
- Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics
- Learn more about Microsoft Defender XDR