Extend allow entries in the Tenant Allow/Block List in a transparent, data driven manner
This feature is available to customers who have Exchange Online Protection or Defender for Office 365 Plan 1 or Plan 2 in the WW, GCC, GCCH, and DoD environments.
Transparency inside Tenant Allow/Block List
Recently we launched the last used date for allowed or blocked domains, email addresses, URLs, or files in Microsoft Defender XDR. For block entries, the last used date is updated whenever the filtering system encounters the entity (at time of click or during mail flow). For allow entries, the last used date is updated only when the filtering system judges the entity to be malicious (at time of click or during mail flow) and the allow entry is triggered to override that verdict; an allow entry that is never needed is never "used".
Time for data driven allow management
Now you can edit existing allow entries for domains, email addresses, URLs, or files in the Tenant Allow/Block List and set Remove allow entry after to 45 days after last used date.
As a member of a security team, you create an allow entry in the Tenant Allow/Block List through the Submissions page when you find legitimate email being delivered to the Junk Email folder or quarantine.
The last used date for an allow entry keeps updating in real time until the filtering system has learned that the entity is clean. You can view the last used date in the Tenant Allow/Block List experience or via the Get-TenantAllowBlockListItems cmdlet in Exchange Online PowerShell. Once the filtering system learns that the entity is clean, the last used date is no longer updated, and the allow entry is removed 45 days after that last used date (if the entry is configured this way). Because the entry stays in place for as long as the filter would otherwise still flag the entity, legitimate email isn't sent to junk or quarantine, and you have full visibility into what is going on. Spoof allow entries don't expire, so they aren't affected by this behavior.
Here's an example for better understanding. Suppose you created an allow entry on July 1 with the Remove allow entry after value of 45 days after last used date. Suppose the filtering system keeps finding the entity malicious through July 29 and then finds it clean on July 30. From July 1 to July 29, the last used date is updated whenever the entry is triggered during mail flow or at time of click. From July 30, the last used date of the allow entry is no longer updated, because the entity is clean. The allow entry is removed on September 12, which is 45 days after July 29, and the following alert is raised in the Alerts and Incidents section of the Defender XDR portal: Removed an entry in Tenant Allow/Block List.
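The following Exchange Online PowerShell script is an added example, not code from the original post or from Microsoft. It reports every sender, URL, and file allow entry with its last used date and the date it would be removed under the 45 days after last used date rule, then converts the entries you choose to that rule. It assumes the ExchangeOnlineManagement module is installed, that your account can manage the Tenant Allow/Block List, and that the Get-TenantAllowBlockListItems output exposes Value, LastUsedDate, ExpirationDate, and Notes properties (confirm with Get-Member in your tenant). The function names Get-AllowEntryReport and Set-AllowEntryRemoveAfterLastUsed are mine.

```powershell
# Added example (not from the original post): audit allow entries in the Tenant Allow/Block List
# and switch selected ones to "Remove allow entry after: 45 days after last used date".
# Assumptions: ExchangeOnlineManagement is installed; the signed-in account can manage the list;
# the Get-TenantAllowBlockListItems output has Value, LastUsedDate, ExpirationDate and Notes.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in

# 45 is the only value the -RemoveAfter parameter accepts (days after last used date).
$RetentionDays = 45

function Get-AllowEntryReport {
    # One row per allow entry. Spoof allow entries are managed by a different cmdlet and never
    # expire, so they are deliberately not part of this report.
    foreach ($listType in 'Sender', 'Url', 'FileHash') {
        # -Allow limits the output to allow entries; block entries are never touched here.
        foreach ($entry in (Get-TenantAllowBlockListItems -ListType $listType -Allow)) {
            $lastUsed = $entry.LastUsedDate
            # Projected removal date if the entry is (or gets) the 45-days-after-last-used rule.
            $removedOn = $null
            if ($lastUsed) { $removedOn = $lastUsed.AddDays($RetentionDays) }
            [pscustomobject]@{
                ListType       = $listType
                Value          = $entry.Value
                LastUsedDate   = $lastUsed
                ExpirationDate = $entry.ExpirationDate   # populated for entries with a fixed expiry
                RemovedOn      = $removedOn
                Notes          = $entry.Notes
            }
        }
    }
}

function Set-AllowEntryRemoveAfterLastUsed {
    # Switch the named allow entries to "45 days after last used date".
    # Without -Apply the function only prints what it would change.
    param(
        [Parameter(Mandatory)][ValidateSet('Sender', 'Url', 'FileHash')][string]$ListType,
        [Parameter(Mandatory)][string[]]$Entries,
        [switch]$Apply
    )
    foreach ($value in $Entries) {
        if ($Apply) {
            Set-TenantAllowBlockListItems -ListType $ListType -Entries $value -RemoveAfter $RetentionDays
            Write-Host "Updated $ListType allow entry '$value': removed $RetentionDays days after last used."
        }
        else {
            Write-Host "Would update $ListType allow entry '$value' (re-run with -Apply to change it)."
        }
    }
}

# Usage: review first, then convert the entries that should become data driven.
$report = Get-AllowEntryReport
$report | Sort-Object LastUsedDate | Format-Table -AutoSize

# Sender allow entries that still carry a fixed ExpirationDate are candidates for the new rule.
$candidates = $report | Where-Object { $_.ListType -eq 'Sender' -and $_.ExpirationDate }
if ($candidates) {
    Set-AllowEntryRemoveAfterLastUsed -ListType Sender -Entries $candidates.Value          # dry run
    # Set-AllowEntryRemoveAfterLastUsed -ListType Sender -Entries $candidates.Value -Apply  # for real
}
```

Run the report on its own first: an allow entry whose LastUsedDate is empty has never had to override a verdict, and an entry whose RemovedOn is already in the past is one the filter stopped flagging more than 45 days ago; both are the entries you would expect this feature to retire for you.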
As a security professional, managing allow entries in the Tenant Allow/Block List just got easier, in a data driven and transparent manner.
To learn more, check out these articles:
Allow or block email using the Tenant Allow/Block List
Allow or block URL using the Tenant Allow/Block List
Allow or block file using the Tenant Allow/Block List
Let Us Know What You Think!
We are excited for you to experience automatic Tenant Allow/Block List expiration management for allow entries. Let us know what you think by commenting below.
If you have other questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum.
Microsoft Tech Community – Latest Blogs