Prioritize, Manage, Investigate & Respond to Incidents in Microsoft Defender XDR
When alerts are triggered in Microsoft Defender XDR, automated investigation and response (AIR) begins: it hunts across the organization's subscription, determines the impact and scope of the threat, and collates the related alerts and evidence into a single incident, so that admins don't have to manage many separate alerts.
What you need
Microsoft Defender for Office 365 Plan 2 or higher
Sufficient permissions (Security reader, security operations, or security administrator, plus Search and purge role)
When the Incidents page loads, you can prioritize by clicking a column header to sort the queue, or select Filters to apply a filter such as data source, tags or state.
You now have a prioritized list of incidents. Select one or more of them and use the Manage incidents button to rename, assign, classify, tag, change the status, or add comments.
Use the filters to make sure Microsoft Defender for Office 365 items are included.
If you're looking for specific alerts, either use the incident search capability (Search for name or ID) or consider using the alert queue filtering on a specific alert.
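The same triage that the portal's Filters pane and Manage incidents button perform by hand can be scripted against the incident queue. The following is an added example, not code from Microsoft or from this article: it filters a queue to open incidents that carry a Defender for Office 365 alert, sorts them by severity and age, and builds the request bodies that would assign each unassigned incident to an analyst. The incident dictionaries are constructed sample data shaped like the Microsoft Graph security incident resource (status, severity, assignedTo, customTags, and the alerts' serviceSource); a real queue would come from GET https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts and the bodies would go to PATCH /security/incidents/{id}, neither of which this script calls.

```python
"""Offline triage of a Microsoft Defender XDR incident queue (added example).

The field names and enumeration values below follow the Microsoft Graph
security `incident` resource as the author understands it; they are an
assumption, and the sample incidents are constructed, not tenant data.
"""
from datetime import datetime

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}
OPEN_STATUSES = ("active", "inProgress")
VALID_STATUS = {"active", "inProgress", "resolved", "redirected"}
VALID_CLASSIFICATION = {"unknown", "falsePositive", "truePositive",
                        "informationalExpectedActivity"}
MDO = "microsoftDefenderForOffice365"
MDE = "microsoftDefenderForEndpoint"

# Constructed sample queue (not real data).
SAMPLE_INCIDENTS = [
    {"id": "1001", "displayName": "Multi-stage incident involving Initial access",
     "status": "active", "severity": "high", "createdDateTime": "2024-05-01T08:00:00Z",
     "assignedTo": None, "customTags": [], "alerts": [{"serviceSource": MDO}]},
    {"id": "1002", "displayName": "Email messages containing malware removed",
     "status": "resolved", "severity": "high", "createdDateTime": "2024-05-02T10:00:00Z",
     "assignedTo": "soc-analyst@contoso.com", "customTags": [], "alerts": [{"serviceSource": MDO}]},
    {"id": "1003", "displayName": "Suspicious PowerShell command line",
     "status": "active", "severity": "medium", "createdDateTime": "2024-04-30T12:00:00Z",
     "assignedTo": "soc-analyst@contoso.com", "customTags": [], "alerts": [{"serviceSource": MDE}]},
    {"id": "1004", "displayName": "Credential access on one endpoint and one mailbox",
     "status": "inProgress", "severity": "high", "createdDateTime": "2024-04-29T07:30:00Z",
     "assignedTo": "soc-analyst@contoso.com", "customTags": [],
     "alerts": [{"serviceSource": MDE}, {"serviceSource": MDO}]},
    {"id": "1005", "displayName": "A potentially malicious URL click was detected",
     "status": "active", "severity": "low", "createdDateTime": "2024-05-01T09:00:00Z",
     "assignedTo": None, "customTags": ["phishing"], "alerts": [{"serviceSource": MDO}]},
]


def _created(inc):
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalize it.
    return datetime.fromisoformat(inc["createdDateTime"].replace("Z", "+00:00"))


def filter_incidents(incidents, *, statuses=OPEN_STATUSES, service_source=MDO, tag=None):
    """Mirror the portal Filters pane: keep incidents in the given states that
    contain at least one alert from `service_source` (None = any data source)
    and, if `tag` is given, carry that custom tag."""
    kept = []
    for inc in incidents:
        if inc["status"] not in statuses:
            continue
        if service_source and not any(a.get("serviceSource") == service_source
                                      for a in inc.get("alerts", [])):
            continue
        if tag and tag not in inc.get("customTags", []):
            continue
        kept.append(inc)
    return kept


def prioritize(incidents):
    """Highest severity first; within a severity the incident that has waited
    longest (oldest createdDateTime) first; unassigned ahead of assigned."""
    return sorted(incidents, key=lambda i: (-SEVERITY_RANK.get(i["severity"], 0),
                                            _created(i),
                                            i.get("assignedTo") is not None))


def manage_incident_patch(*, assigned_to=None, status=None, classification=None,
                          determination=None, custom_tags=None, display_name=None):
    """Build the JSON body for PATCH /security/incidents/{id}. Only the fields
    that were supplied are included, so untouched properties keep their values."""
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"unknown incident status {status!r}")
    if classification is not None and classification not in VALID_CLASSIFICATION:
        raise ValueError(f"unknown classification {classification!r}")
    body = {"assignedTo": assigned_to, "status": status, "classification": classification,
            "determination": determination, "customTags": custom_tags,
            "displayName": display_name}
    return {k: v for k, v in body.items() if v is not None}


def triage(incidents, analyst, **filters):
    """Return (incident id, PATCH body) pairs that assign every unassigned
    incident in the prioritized queue to `analyst` and mark it in progress."""
    queue = prioritize(filter_incidents(incidents, **filters))
    return [(inc["id"], manage_incident_patch(assigned_to=analyst, status="inProgress"))
            for inc in queue if not inc.get("assignedTo")]


if __name__ == "__main__":
    for inc in prioritize(filter_incidents(SAMPLE_INCIDENTS)):
        print(inc["id"], inc["severity"], inc["createdDateTime"],
              inc.get("assignedTo") or "unassigned", inc["displayName"])
    for inc_id, body in triage(SAMPLE_INCIDENTS, "soc-analyst@contoso.com"):
        print(f"PATCH /security/incidents/{inc_id} {body}")
```

Sorting oldest-first within a severity surfaces incidents that have sat unattended, which a newest-first sort hides; the PATCH bodies are deliberately sparse so that a bulk assignment does not overwrite classifications or tags another analyst has already set.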
Investigate & Respond to Incidents
After you have prioritized your incident queue, select the incident you'd like to investigate to load that incident's Overview page. You see useful information, such as the MITRE ATT&CK techniques observed and a timeline of the attack.
The tabs at the top of the incident page let you explore more details, such as the affected users, mailboxes, endpoints, and so on.
The Evidence and Response tab shows items identified as related to the original alert via the investigation.
Any items showing Pending Action in Evidence and Response are awaiting approval from an administrator. Sort by the Remediation status column in the All evidence view, then select the entity or cluster to open its flyout, where you can review the evidence and approve the actions if appropriate.
If you need to understand the items involved further, you can use the incident graph to see the visual linkage of the evidence and entities involved. Alternatively, you can review the underlying investigations, which show more of the entities and items involved in the security event.
Next Steps
If you want to focus on the action items that AIR needs approval for, you can use the Action center to act on pending actions from all incidents in your organization.
How-to steps for analyzing and approving AIR actions directly from the Action center. When alerts are triggered, Automated Investigation and Response (AIR) determines the scope of impact of a threat in your organization and provides recommended remediation actions.
Learn how to speed up the process of detecting and addressing compromised user accounts with automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2.
What are the step-by-step guides for Microsoft Defender XDR for Office 365? See only the steps needed to complete a task and set up features. Information for use in trial subscriptions and production. Guidance designed to minimize information overload and speed up your configuration and use.