Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

As security alerts appear in a Microsoft 365 organization at https://security.microsoft.com/alerts, it's up to the security operations (SecOps) team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.

Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 licenses like E5 or as a standalone subscription) includes powerful automated investigation and response (AIR) capabilities that save time and effort for SecOps teams.

AIR triages high-impact, high-volume alerts by completing organization-level investigations. AIR investigations expand on detections or provide additional analysis to determine the threat status for the organization. When AIR identifies threats, it queues threat remediation actions for SecOps personnel to approve. AIR results in the following benefits:

  • Automated investigation processes in response to well-known threats.
  • Appropriate remediation actions awaiting approval, enabling your SecOps team to respond effectively to detected threats.
  • Your SecOps team is able to focus on higher-priority tasks without losing sight of important alerts that are triggered.

AIR in Defender for Office 365 Plan 2 requires that audit logging is turned on (it's on by default).

The overall flow of AIR

An alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommended actions. Here's the overall flow of AIR, step by step:

  1. An automated investigation is initiated in one of the following ways:

    • Specific alerts that are designed to initiate AIR. These alerts include:

      • Something suspicious is identified in email (for example, the message itself, an attachment, a URL, or a compromised user account).

      • Zero-hour auto purge (ZAP).

      • User submissions.

      • User click alerts.

      • Suspicious mailbox behavior.

        Tip

        Be sure to regularly review the alerts in your organization. For more information about alert policies that trigger automated investigations, see the default alert policies in the Threat management category. The entries that contain the value Yes for Automated investigation can trigger automated investigations. If these alerts are disabled or replaced by custom alerts, AIR isn't triggered.

    • A security analyst manually triggers the investigation by selecting Take action in Threat Explorer, Advanced hunting, custom detection, the Email entity page, or the Email summary panel. For more information, see Threat hunting: Email remediation. For examples, see Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2.

  2. The automated investigation evaluates and analyzes the nature of the alert, the message involved, and additional evidence surrounding the message. The scope of the investigation can increase based on the evidence that's uncovered and collected during the investigation.

  3. During and after an automated investigation, details and results are available. Results might include recommended actions for SecOps personnel to remediate the threats that were found.

  4. The SecOps team reviews the investigation results and recommendations (in the investigation itself, the incident, or in the Action center), and approves or rejects the remediation actions.

    Tip

    No remediation actions happen automatically. Remediation actions require manual approval by SecOps personnel. AIR capabilities save time by getting to the recommended remediation actions with all the details to make an informed decision.

    AIR also saves time by evaluating and automatically resolving alerts and incidents where no threats were found. This result is very common in user submission scenarios. AIR closes the investigation if no threats were found or threats were found in messages that have already been remediated. Typically

  5. As pending remediation actions are approved or rejected, the automated investigation completes.

    The automated investigation automatically closes if no recommended actions are identified. The details of the investigation are still available on the Investigations page at https://security.microsoft.com/airinvestigation.

During and after each automated investigation, the SecOps team can do the following tasks:

Required permissions and licensing for AIR

You need to be assigned permissions to use AIR. You have the following options:

  • Microsoft Defender XDR Unified role-based access control (RBAC) (if Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell):
    • Start an automated investigation or Approve or reject recommended actions: Security operations/Email advanced remediation actions (manage).
  • Email & collaboration permissions in the Microsoft Defender portal:
    • Set up AIR features: Membership in the Organization Management or Security Administrator role groups.
    • Start an automated investigation or Approve or reject recommended actions:
      • Membership in the Organization Management, Security Administrator, Security Operator, Security Reader, or Global Reader role groups, and
      • The Search and Purge role, which is assigned only to the Data Investigator or Organization Management role groups by default. Or you can create a new role group with the Search and Purge role assigned, and add the users to the custom role group.
  • Microsoft Entra permissions: Give users the required permissions for AIR, along with permissions for other features in Microsoft 365:
    • Set up AIR features: Membership in the Global Administrator or Security Administrator roles.
    • Start an automated investigation or Approve or reject recommended actions:
      • Membership in the Global Administrator, Security Administrator, Security Operator, Security Reader, or Global Reader roles, and
      • Membership in an Email & collaboration role group with the Search and Purge role assigned as previously described.

To use AIR, you need to be assigned a license for Defender for Office 365 Plan 2 (included in your subscription or an add-on license).
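The following script is an added example, not code from this article or from Microsoft, that checks the two AIR prerequisites described above from PowerShell: that unified audit logging is turned on, and that a dedicated Email & collaboration role group holding the Search And Purge role exists for the analysts who approve or reject remediation actions (instead of widening Organization Management). It assumes the ExchangeOnlineManagement module is installed and that the caller has sufficient admin rights; the role group name and member UPNs are placeholders you replace.

```powershell
# Added example (not from the article): verify AIR prerequisites.
#   1. Unified audit logging must be enabled for AIR to run.
#   2. A least-privilege role group with "Search And Purge" lets analysts
#      approve or reject AIR recommendations without broad admin rights.
# Assumes the ExchangeOnlineManagement module and admin permissions.
# $RoleGroupName and $Members are placeholder values.

param(
    [string]$RoleGroupName = 'AIR Remediation Approvers',   # placeholder
    [string[]]$Members     = @('analyst@contoso.example')   # placeholder UPNs
)

Import-Module ExchangeOnlineManagement

# --- 1. Audit logging prerequisite (Exchange Online PowerShell) ----------
Connect-ExchangeOnline -ShowBanner:$false

$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is OFF; AIR will not run until it is on.'
    # Turning it on can take a while to propagate across the tenant.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
else {
    Write-Host 'Unified audit logging is enabled.'
}
Disconnect-ExchangeOnline -Confirm:$false

# --- 2. Search And Purge role group (Security & Compliance PowerShell) ---
Connect-IPPSSession

$roleGroup = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $roleGroup) {
    # Create a dedicated group instead of adding analysts to
    # Organization Management or Data Investigator.
    New-RoleGroup -Name $RoleGroupName `
                  -Roles 'Search And Purge' `
                  -Members $Members `
                  -Description 'Approve or reject AIR remediation actions'
    Write-Host "Created role group '$RoleGroupName'."
}
else {
    Write-Host "Role group '$RoleGroupName' already exists."
}

# Report who can currently act on AIR recommendations through this group.
Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, RecipientType

Disconnect-ExchangeOnline -Confirm:$false
```

Members of the custom role group still need one of the Defender portal role groups (Organization Management, Security Administrator, Security Operator, Security Reader, or Global Reader) listed above to see the investigations; the Search And Purge role only grants the right to act on the pending remediation actions.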

Next steps