Overview of automated investigations

Applies to:


  • Windows

Want to see how it works? Watch the following video:

The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the Action center. In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed.

This article provides an overview of AIR and includes links to next steps and additional resources.


Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

How the automated investigation starts

An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.

Situation What happens
An alert is triggered In general, an automated investigation starts when an alert is triggered, and an incident is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation.
An investigation is started manually An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select Initiate Automated Investigation.

How an automated investigation expands its scope

While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the Pending actions tab.

How threats are remediated

As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be:

  • Malicious;
  • Suspicious; or
  • No threats found.

As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see Remediation actions.

Depending on the level of automation set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include protection from potentially unwanted applications (PUA).

All remediation actions, whether pending or completed, are tracked in the Action center. If necessary, your security operations team can undo a remediation action. To learn more, see Review and approve remediation actions following an automated investigation.


Check out the new, unified investigation page in the Microsoft Defender portal. To learn more, see Unified investigation page.

Requirements for AIR

Your subscription must include Defender for Endpoint or Defender for Business.


Automated investigation and response requires Microsoft Defender Antivirus for running in passive mode or active mode. If Microsoft Defender Antivirus is disabled or uninstalled, Automated Investigation and Response will not function correctly.

Currently, AIR only supports the following OS versions:

  • Windows Server 2012 R2 (Preview)
  • Windows Server 2016 (Preview)
  • Windows Server 2019
  • Windows Server 2022
  • Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
  • Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
  • Windows 10, version 1803 or later
  • Windows 11


Automated investigation and response on Windows Server 2012 R2 and Windows Server 2016 requires the Unified Agent to be installed.

Next steps

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.