Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 licenses like E5 or as a standalone subscription) enables your SecOps team to operate more efficiently and effectively. AIR includes automated investigations into well-known threats, and provides recommended remediation actions. The SecOps team can review the evidence and approve or reject the recommended actions. For more information about AIR, see Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.
This article describes how AIR works through several examples:
Example: A user-reported phishing message launches an investigation playbook
A user receives an email that looks like a phishing attempt. The user reports the message using the Microsoft Report Message or Report Phishing add-ins, which results in an alert that's triggered by the Email reported by user as malware or phish alert policy, which automatically launches the investigation playbook.
Various aspects of the reported email message are assessed. For example:
The identified threat type
Who sent the message
Where the message was sent from (sending infrastructure)
Whether other instances of the message were delivered or blocked
The tenant landscape, including similar messages and their verdicts through email clustering
Whether the message is associated with any known campaigns
And more.
The playbook evaluates and automatically resolves submissions where no action is needed (which frequently happens on user reported messages). For the remaining submissions, a list of recommended actions to take on the original message and the associated entities (for example, attached files, included URLs, and recipients) is provided:
Identify similar email messages via email cluster searches.
Determine whether any users clicked through any malicious links in suspicious email messages.
Example: A security administrator triggers an investigation from Threat Explorer
You're in Explorer (Threat Explorer) at https://security.microsoft.com/threatexplorerv3 in the All email, Malware, or Phish views. You're on the Email tab (view) of the details area below the chart. You select a message to investigate by using either of the following methods:
Select one or more entries in the table by selecting the check box next to the first column. Take action is available directly in the tab.
Click on the Subject value of an entry in the table. The details flyout that opens contains Take action at the top of the flyout.
After you select Take action, select Initiate automated investigation. For more information, see Email remediation.
Similar to playbooks triggered by an alert, automatic investigations that are triggered from Threat Explorer include:
Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API
AIR capabilities in Defender for Office 365 Plan 2 include reports and details that the SecOps team can use to monitor and address threats. But you can also integrate AIR capabilities with other solutions. For example:
Security information and event management (SIEM) systems.
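One way the SIEM side of that integration can consume AIR records from the Management Activity API feed, as an added example that is not part of this article and not Microsoft code: it builds the Audit.General content-feed URL, flattens the records in a content blob into SIEM events, and flags investigations still waiting for an analyst. The field names, the AIR record-type values and the sample blob are assumptions or constructed data, not taken from the article.

```python
"""SIEM-side normalizer for Defender for Office 365 AIR investigation records
pulled from the Office 365 Management Activity API (contentType=Audit.General).
Assumed, not from the article: field names and AIR record-type values follow
the Management Activity API schema; SAMPLE_BLOB is constructed sample data."""
import json

# Assumed AIR record types (AirInvestigation, AirManualInvestigation,
# AirAdminActionInvestigation); verify against the API schema for your tenant.
AIR_RECORD_TYPES = {64, 73, 74}
# Investigation statuses that still need an analyst to approve or reject actions.
PENDING_STATUSES = {"Pending Action", "PendingApproval"}

def content_feed_url(tenant_id, start_utc, end_utc):
    """Build the 'list available content' URL for the Audit.General feed."""
    return (f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/"
            f"subscriptions/content?contentType=Audit.General"
            f"&startTime={start_utc}&endTime={end_utc}")

def to_siem_events(blob_text):
    """Flatten one content blob (a JSON array) into SIEM events; AIR records only."""
    events = []
    for rec in json.loads(blob_text):
        if rec.get("RecordType") not in AIR_RECORD_TYPES:
            continue  # Exchange, SharePoint, etc. records belong to other pipelines
        status = rec.get("Status", "")
        events.append({
            "timestamp": rec.get("CreationTime"),
            "investigation_id": rec.get("InvestigationId"),
            "status": status,
            "needs_analyst": status in PENDING_STATUSES,
            "action_count": len(rec.get("Actions") or []),
            "link": rec.get("DeepLinkUrl"),
        })
    return events

def pending_investigation_ids(events):
    """IDs an analyst must still act on, in feed order (input for a SIEM alert rule)."""
    return [e["investigation_id"] for e in events if e["needs_analyst"]]

# Constructed sample: two AIR records (one awaiting approval) and one unrelated record.
SAMPLE_BLOB = json.dumps([
    {"RecordType": 64, "CreationTime": "2024-01-15T10:20:30", "InvestigationId": "inv-0001",
     "InvestigationType": "UserReportedEmail", "Status": "Pending Action",
     "Actions": [{"ActionType": "SoftDelete"}],
     "DeepLinkUrl": "https://security.microsoft.com/airinvestigation/inv-0001"},
    {"RecordType": 64, "CreationTime": "2024-01-15T10:25:00", "InvestigationId": "inv-0002",
     "InvestigationType": "UserReportedEmail", "Status": "Remediated", "Actions": [],
     "DeepLinkUrl": "https://security.microsoft.com/airinvestigation/inv-0002"},
    {"RecordType": 2, "CreationTime": "2024-01-15T10:26:00", "Operation": "MailItemsAccessed"},
])
```

In a real pipeline the blob text comes from each contentUri returned by content_feed_url, and pending_investigation_ids feeds the SIEM rule that pages the SecOps team to approve or reject the recommended actions.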