Automated investigation and response in Microsoft Defender XDR
Applies to:
Microsoft Defender XDR
If your organization is using Microsoft Defender XDR, your security operations team receives an alert within the Microsoft Defender portal whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft Defender XDR includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
This article provides an overview of AIR and includes links to next steps and additional resources.
How automated investigation and self-healing works
As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Prioritizing and investigating alerts can be very time-consuming, especially when new alerts keep coming in while an investigation is going on. Security operations teams can feel overwhelmed by the sheer volume of threats they must monitor and protect against. Automated investigation and response capabilities, with self-healing, in Microsoft Defender XDR can help.
In Microsoft Defender XDR, automated investigation and response with self-healing capabilities works across your devices, email & content, and identities.
Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual analyst could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual analyst could significantly reduce the time to respond, freeing up your security operations team for other important threats or strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft Defender XDR suite, and its name is automated investigation and response.
Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and response activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:
Determining whether a threat requires action.
Taking (or recommending) any necessary remediation actions.
Determining whether and what other investigations should occur.
Repeating the process as necessary for other alerts.
The automated investigation process
An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:
Malicious
Suspicious
No threats found
Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:
While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.
In Microsoft Defender XDR, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365, as summarized in the following table:
Entities | Threat protection services
Devices (also referred to as endpoints or machines) | Microsoft Defender for Endpoint
Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions. It depends on how automated investigation and response is configured for your organization. See Configure automated investigation and response capabilities.
The new Automated investigation & response card is available in the Microsoft Defender portal (https://security.microsoft.com). This new card provides visibility into the total number of available remediation actions. The card also gives an overview of all the alerts and the required approval time for each alert.
Using the Automated investigation & response card, your security operations team can quickly navigate to the Action center by selecting the Approve in Action Center link, and then taking appropriate actions. The card enables your security operations team to more effectively manage actions that are pending approval.
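The following Python model, added here as an illustration and not Microsoft's code, walks through the investigation loop described above (alert to incident, one verdict per piece of evidence, scope expansion when an affected entity appears in another alert) and the approval gate that the Action center enforces for pending actions. The alerts, the entities, the threat-intelligence lookup (placeholder hashes, not real indicators), the rule that only non-clean entities expand the scope, and the single "quarantine_file" action are all constructed assumptions for the example; the real product decides verdicts and remediation actions from its own signals and configuration.

```python
from dataclasses import dataclass

# The three verdicts the page lists for each piece of evidence.
MALICIOUS, SUSPICIOUS, CLEAN = "Malicious", "Suspicious", "No threats found"


@dataclass(frozen=True)
class Entity:
    kind: str   # "file", "device" or "user" (assumed entity kinds)
    value: str


@dataclass(frozen=True)
class Alert:
    alert_id: str
    entities: frozenset  # set of Entity involved in the alert


# Constructed threat-intelligence lookup. The hashes are placeholders,
# not real indicators; anything not listed is treated as "No threats found".
KNOWN_VERDICTS = {
    Entity("file", "sha256:PLACEHOLDER_HASH_A"): MALICIOUS,
    Entity("file", "sha256:PLACEHOLDER_HASH_B"): SUSPICIOUS,
}


def verdict_for(entity: Entity) -> str:
    """One verdict per piece of evidence, looked up in the constructed table."""
    return KNOWN_VERDICTS.get(entity, CLEAN)


def remediation_for(entity: Entity, verdict: str):
    """Illustrative verdict-to-action mapping: non-clean files get quarantined."""
    if verdict == CLEAN or entity.kind != "file":
        return None
    return ("quarantine_file", entity.value)


def investigate(seed: Alert, all_alerts, approval_required: bool) -> dict:
    """Run one automated investigation starting from a seed alert.

    Scope expansion (assumed rule): when an entity with a Malicious or
    Suspicious verdict is also present in another alert, that alert is pulled
    into the same investigation and its entities are examined too.
    """
    investigated = {seed.alert_id: seed}
    queue = [seed]
    verdicts = {}
    while queue:
        alert = queue.pop()
        for entity in alert.entities:
            if entity in verdicts:          # already examined in this investigation
                continue
            verdicts[entity] = verdict_for(entity)
            if verdicts[entity] == CLEAN:
                continue
            # Affected entity seen elsewhere: expand the investigation's scope.
            for other in all_alerts:
                if other.alert_id not in investigated and entity in other.entities:
                    investigated[other.alert_id] = other
                    queue.append(other)
    actions = []
    for entity, verdict in verdicts.items():
        action = remediation_for(entity, verdict)
        if action is not None:
            # With approval required, the action waits in the Action center;
            # otherwise the model treats it as taken automatically.
            actions.append({"action": action[0], "target": action[1],
                            "status": "pending approval" if approval_required else "completed"})
    return {"alerts": sorted(investigated), "verdicts": verdicts, "actions": actions}


# Constructed sample alerts: A1 and A2 share the malicious file, A4 shares
# only a (clean) device with A2, and A3 is an unrelated suspicious file.
SAMPLE_ALERTS = [
    Alert("A1", frozenset({Entity("file", "sha256:PLACEHOLDER_HASH_A"),
                           Entity("device", "dev-01"), Entity("user", "alice")})),
    Alert("A2", frozenset({Entity("file", "sha256:PLACEHOLDER_HASH_A"),
                           Entity("device", "dev-02")})),
    Alert("A3", frozenset({Entity("file", "sha256:PLACEHOLDER_HASH_B"),
                           Entity("device", "dev-03")})),
    Alert("A4", frozenset({Entity("file", "sha256:PLACEHOLDER_HASH_CLEAN"),
                           Entity("device", "dev-02")})),
]


def run(seed_id: str, approval_required: bool = True) -> dict:
    """Convenience entry point: investigate the sample alert with the given id."""
    seed = next(a for a in SAMPLE_ALERTS if a.alert_id == seed_id)
    return investigate(seed, SAMPLE_ALERTS, approval_required)


if __name__ == "__main__":
    result = run("A1")
    print("alerts in scope:", result["alerts"])
    for entity, verdict in result["verdicts"].items():
        print(f"  {entity.kind}:{entity.value} -> {verdict}")
    print("actions:", result["actions"])
```

Starting from A1, the model pulls A2 into scope through the shared malicious file but stops there, because the device that A2 and A4 have in common is clean; the single quarantine action is reported as pending approval, which is the state the Automated investigation & response card surfaces and the Action center link resolves.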