How automated investigation and response works in Microsoft Defender for Office 365


Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Sometimes, security operations teams can feel overwhelmed by the volume of alerts that are triggered. Automated investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can help.

AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond to detected threats.

This article describes how AIR works through several examples. When you're ready to get started using AIR, see Automatically investigate and respond to threats.

Example: A user-reported phish message launches an investigation playbook

Suppose that a user in your organization receives an email that they think is a phishing attempt. The user, trained to report such messages, uses the Microsoft Report Message or Report Phishing add-ins to send it to Microsoft for analysis. The submission is also sent to your system and is visible in Explorer in the Submissions view (formerly referred to as the User-reported view). In addition, the user-reported message now triggers a system-based informational alert, which automatically launches the investigation playbook.

During the root investigation phase, various aspects of the email are assessed. These aspects include:

  • A determination about what type of threat it might be;
  • Who sent it;
  • Where the email was sent from (sending infrastructure);
  • Whether other instances of the email were delivered or blocked;
  • An assessment from our analysts;
  • Whether the email is associated with any known campaigns;
  • and more.

After the root investigation is complete, the playbook provides a list of recommended actions to take on the original email and the entities associated with it (for example, files, URLs, and recipients).

Next, several threat investigation and hunting steps are executed:

During the hunting phase, risks and threats are assigned to various hunting steps.

Remediation is the final phase of the playbook. During this phase, remediation steps are taken, based on the investigation and hunting phases.

Example: A security administrator triggers an investigation from Threat Explorer

In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in Threat Explorer. This investigation also creates an alert, so Microsoft Defender XDR incidents and external SIEM tools can see that this investigation was triggered.

For example, suppose that you are using the Malware view in Explorer. Using the tabs below the chart, you select the Email tab. If you select one or more items in the list, the + Actions button activates.

The Explorer with selected messages

Using the Actions menu, you can select Trigger investigation.

The Actions menu for selected messages

Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats.

Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API

AIR capabilities in Microsoft Defender for Office 365 include reports & details that security operations teams can use to monitor and address threats. But you can also integrate AIR capabilities with other solutions. Examples include a security information and event management (SIEM) system, a case management system, or a custom reporting solution. These kinds of integrations can be done by using the Office 365 Management Activity API.

For example, recently, an organization set up a way for their security operations team to view user-reported phish alerts that were already processed by AIR. Their solution integrates relevant alerts with the organization's SIEM server and their case-management system. The solution greatly reduces the number of false positives so that their security operations team can focus their time and effort on real threats. To learn more about this custom solution, see Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API.

Next steps