Manage Office ATP alerts like a boss


Let’s face it: sometimes you get false positives in Office ATP phishing email alerts. Either the system itself produces them, or you have scheduled a phishing simulation with a third-party provider whose mails cannot be properly whitelisted.

In such cases you find yourself in front of an endless list of investigation events, or in front of an equally endless list of the associated alerts.

Both lists have one thing in common: filtering and adding further columns is very limited. In fact, neither overview provides any valuable data. To get more information, you have to click an entry in one of those lists, and then you may have to click even further, only to find out that you don’t have to touch that alert because it is a false positive.

From a defender’s perspective this is not very handy and takes a lot of time. Let’s hope we see some improvement in the Security & Compliance Center (SCC) portal soon. Until then, I have created a PowerShell script that connects to the Office 365 Management API, grabs all the needed information from the investigations and from the alerts, and displays it in ONE Excel table.

The table contains the following columns:

  • CreationTime
  • id
  • InvestigationName
  • InvestigationType
  • Status
  • Recipient
  • Subject
  • Urls (all URLs in the body, separated by ;)
  • Sender
  • P1Sender
  • SenderIP
  • P2Sender
  • Received Date
  • DeliveryAction
  • DeliveryLocation
  • DeepLinkUrl (direct link to investigation – clickable)
  • AlertUrl (direct link to alert – clickable)
  • AlertID

With Excel you can now easily filter, for example on the URLs column or on whatever else you want to rule out. It would be really cool if functionality like this came to, say, the Explorer in Office ATP.

Until then, check out my script on GitHub.

(Regarding the client secret: since this is very sensitive, I would put it into an Azure Key Vault and request it at run time; that’s the way I implemented it in this script.)
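Here is what such a script can look like. This is an added example written for this page, not the author’s GitHub script, and it reproduces only the investigation columns (the author’s join to the alert, i.e. the AlertUrl and AlertID columns, is not shown). Everything tenant-specific is a placeholder assumption: the tenant and client IDs, the vault and secret names, and an Azure AD app with the ActivityFeed.Read application permission and an Audit.General subscription already started. The endpoints and record fields follow the Office 365 Management Activity API and its AirInvestigation schema as I know them; the mail-entity field names in particular should be checked against a real record from your tenant. It needs the Az.KeyVault and ImportExcel modules and a prior Connect-AzAccount.

```powershell
#Requires -Modules Az.KeyVault, ImportExcel
# Added example (not the author's GitHub script): pull AirInvestigation
# records (RecordType 64) from the Office 365 Management Activity API,
# flatten their mail entities to one row per message and write one Excel
# sheet. Assumed: an Azure AD app with the ActivityFeed.Read application
# permission, an Audit.General subscription already started, Connect-AzAccount
# already done, placeholder IDs below, and mail-entity field names as I know
# the AirInvestigation schema (verify against a real record).
param(
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$ClientId   = '11111111-1111-1111-1111-111111111111',   # placeholder
    [string]$VaultName  = 'kv-secops',                               # placeholder
    [string]$SecretName = 'atp-report-client-secret',                # placeholder
    [datetime]$Start    = (Get-Date).ToUniversalTime().AddHours(-24),
    [datetime]$End      = (Get-Date).ToUniversalTime(),
    [string]$OutFile    = '.\atp-investigations.xlsx',
    [switch]$DryRun     # only parse a constructed record, no network access
)

function Get-ManagementApiToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # OAuth2 client-credentials flow for the Management API resource.
    $body = @{ grant_type = 'client_credentials'; client_id = $ClientId
               client_secret = $ClientSecret; scope = 'https://manage.office.com/.default' }
    (Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token").access_token
}

function Get-AuditGeneralRecords {
    param([string]$TenantId, [string]$Token, [datetime]$Start, [datetime]$End)
    # A listing call (max 24h window) returns content blobs; each blob URI returns
    # the records. Listings are paged through the NextPageUri response header.
    $headers = @{ Authorization = "Bearer $Token" }
    $fmt = 'yyyy-MM-ddTHH:mm'
    $uri = "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions/content" +
           "?contentType=Audit.General&startTime=$($Start.ToString($fmt))&endTime=$($End.ToString($fmt))"
    while ($uri) {
        $page = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
        foreach ($blob in @($page.Content | ConvertFrom-Json)) {
            Invoke-RestMethod -Uri $blob.contentUri -Headers $headers
        }
        $uri = $page.Headers['NextPageUri'] | Select-Object -First 1
    }
}

function ConvertTo-InvestigationRow {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.RecordType -ne 64) { return }     # keep AirInvestigation only
        $data = $Record.Data | ConvertFrom-Json        # Data is a JSON string in the record
        foreach ($mail in @($data.Entities | Where-Object Type -eq 'mail')) {
            [pscustomobject]@{
                CreationTime      = $Record.CreationTime
                Id                = $Record.Id
                InvestigationName = $Record.InvestigationName
                InvestigationType = $Record.InvestigationType
                Status            = $Record.Status
                Recipient         = $mail.Recipient
                Subject           = $mail.Subject
                Urls              = @($mail.Urls) -join ';'   # all URLs in one filterable cell
                Sender            = $mail.Sender
                P1Sender          = $mail.P1Sender
                SenderIP          = $mail.SenderIp
                P2Sender          = $mail.P2Sender
                ReceivedDate      = $mail.ReceivedDate
                DeliveryAction    = $mail.DeliveryAction
                DeliveryLocation  = $mail.DeliveryLocation
                DeepLinkUrl       = $Record.DeepLinkUrl   # Export-Excel renders it as a link
            }
        }
    }
}

if ($DryRun) {
    # Constructed sample record (no real tenant data) to exercise the flattening offline.
    $sample = [pscustomobject]@{
        CreationTime = '2020-05-01T07:12:44'; Id = 'c0ffee00-0000-4000-8000-000000000001'; RecordType = 64
        InvestigationName = 'Phish ZAP'; InvestigationType = 'Phish'; Status = 'Pending Action'
        DeepLinkUrl = 'https://protection.office.com/#/air/investigations/example'
        Data = '{"Entities":[{"Type":"mail","Recipient":"alice@contoso.example","Subject":"Invoice 4711",' +
               '"Urls":["https://phish.example/a","https://phish.example/b"],"Sender":"billing@phish.example",' +
               '"P1Sender":"bounce@phish.example","SenderIp":"203.0.113.7","P2Sender":"billing@phish.example",' +
               '"ReceivedDate":"2020-05-01T07:10:02","DeliveryAction":"Delivered","DeliveryLocation":"Inbox"}]}'
    }
    $sample | ConvertTo-InvestigationRow | Format-List
    return
}

# The client secret is fetched at run time and dropped right after the token exchange.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText  # Az.KeyVault >= 2.0
$token  = Get-ManagementApiToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $secret
Remove-Variable secret

Get-AuditGeneralRecords -TenantId $TenantId -Token $token -Start $Start -End $End |
    ConvertTo-InvestigationRow |
    Sort-Object CreationTime -Descending |
    Export-Excel -Path $OutFile -WorksheetName Investigations -AutoSize -AutoFilter -FreezeTopRow
```

Run it with -DryRun first: that only pushes the constructed record through the flattening and prints the resulting row, so you can see the columns without touching the API. Live, the content listing accepts at most a 24-hour window per call, so loop over days for a larger range, and records can show up in Audit.General with some delay after the investigation is created. The secret is read from Key Vault into memory only and discarded after the token exchange, so nothing secret ends up in the script file, a transcript or the Excel output; on Az.KeyVault versions older than 2.0 there is no -AsPlainText and you have to convert the SecureString in SecretValue yourself.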
