Run automated investigations and responses

Completed

Automated investigation and response (AIR) capabilities enable organizations to run automated investigation processes in response to well-known threats that exist today. AIR can help an organization's security operations team operate more efficiently and effectively.

If your organization is using Microsoft Defender XDR, your security operations team receives an alert within the Microsoft Defender portal whenever the system detects a malicious or suspicious activity or artifact. Given the never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft Defender XDR includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.

When an automated investigation completes, it reaches a verdict for every piece of evidence of an incident. Depending on the verdict, it can also identify remediation actions. In some cases, it takes remediation actions. In other cases, remediation actions await approval through the Microsoft Defender Action center.

How automated investigation and self-healing works

As the system triggers security alerts, it's up to the organization's security operations team to look into the alerts and take steps to protect the organization. Prioritizing and investigating alerts can be very time consuming, especially when new alerts keep coming in while an investigation is going on. Security operations teams can feel overwhelmed by the sheer volume of threats they must monitor and protect against. Automated investigation and response capabilities, with self-healing, in Microsoft Defender XDR can help.

Additional viewing. Select the following link to watch a video titled: Automated self-healing.

In Microsoft Defender XDR, automated investigation and response with self-healing capabilities works across your devices, email & content, and identities.

Automated investigation and response capabilities enable an organization's security operations team to dramatically increase the company's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and response activities. You can also get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team complete the following steps:

  1. Determine whether a threat requires action.
  2. Take (or recommend) any necessary remediation actions.
  3. Determine whether and what other investigations should occur.
  4. Repeat the process as necessary for other alerts.

An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:

  • Malicious
  • Suspicious
  • No threats found

The system identifies remediation actions for malicious or suspicious entities. Examples of remediation actions include:

  • Sending a file to quarantine
  • Stopping a process
  • Isolating a device
  • Blocking a URL
  • Other actions

Additional reading. For more information, see See Remediation actions in Microsoft Defender XDR.

An organization can configure the automated investigation and response capabilities in either of two ways:

  • The system can automatically remediate actions.
  • The system can remediate actions only upon approval of the security operations team.

The system lists all actions, whether pending or completed, in the Action center in the Microsoft Defender portal.

While an investigation is running, the system adds to the investigation any other related alerts that arise until it completes. If the system sees an affected entity elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.

Important

Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions. It depends on how the organization configured the automated investigation and response. See Configure automated investigation and response capabilities.

Details and results of an automated investigation

With Microsoft Defender XDR, when an automated investigation runs, details about that investigation are available both during and after the automated investigation process. If you have the proper permissions, you can view those details in an investigation details view that provides you with up-to-date status and the ability to approve any pending actions.

You can open the Investigation Details view by using one of the following methods:

  • Select an item in the Action center.
  • Select an investigation from an incident details page.

The following sections outline these methods.

Select an item in the Action center

The Action center in the Microsoft Defender portal brings together remediation actions across your devices, email and collaboration content, and identities. The remediation actions it displays include both automatically and manually taken actions. In the Action center, you can view actions awaiting approval and actions already approved or completed. You can also navigate to more details, such as an investigation page. You must have proper permissions to approve, reject, or undo actions.

Complete the following steps to select an item in the Action center:

  1. Go to the Microsoft Defender portal and sign in.
  2. In the navigation pane, select Actions & submissions, and then select Action center.
  3. On the Action center pane, the Pending tab is displayed by default. Select either the Pending or History tab and then select an item. The system displays a detail pane for the selected item.
  4. Review the information in the details pane, and then take one of the following steps:
    • Select Open investigation page to view more details about the investigation.
    • Select Approve to initiate a pending action.
    • Select Reject to prevent the system from taking a pending action.
    • Select Go hunt to go into Advanced hunting. A later unit in this module explores Advanced threat hunting.

Select an investigation from an incident details page

The second method of opening an Investigation Details page is by opening an incident in the Microsoft Defender portal. Doing so enables you to view detailed information about an incident. For example, triggered alerts, affected devices, user accounts, and mailboxes.

  1. Go to the Microsoft Defender portal and sign in.
  2. In the navigation pane, select Incidents & alerts, and then select Incidents.
  3. On the Incidents page, select an item in the list, and then select Open incident page.
  4. Select the Investigations tab, and then select an investigation in the list. A detail pane appears for the investigation.
  5. On the detail pane, select Open investigation.

Investigation details

Use the investigation details view to see past, current, and pending activity pertaining to an investigation. In the Investigation details view, the system displays information in several tabs. The following table examines each of these tabs.

Note

The specific tabs you see in an Investigation details page depends on what your subscription includes. For example, if your subscription doesn't include Microsoft Defender for Office 365 Plan 2, you won't see a Mailboxes tab.

Tab Description
Investigation graph Provides a visual representation of the investigation. Depicts entities and lists threats the investigation found, along with alerts and whether any actions are awaiting approval.

You can select an item on the graph to view more details. For example, selecting the Evidence icon takes you to the Evidence tab. From here, you can see detected entities and their verdicts.
Alerts Lists all alerts associated with the investigation. Alerts can come from threat protection features found in:
- A user's device
- Office apps
- Microsoft Defender for Cloud Apps
- Other Microsoft Defender XDR features
Devices Lists all devices included in the investigation, along with their remediation level. Remediation levels correspond to the automation level for device groups.
Mailboxes Lists the mailboxes affected by the detected threats.
Users Lists the user accounts affected by the detected threats.
Evidence Lists the pieces of evidence raised by alerts or investigations. Includes verdicts (Malicious, Suspicious, Unknown, or No threats found) and remediation status.
Entities Provides details about each analyzed entity, including a verdict for each entity type (Malicious, Suspicious, or No threats found).
Log Provides a chronological, detailed view of all the investigation actions taken after the system triggered an alert.
Pending actions history Lists the items that require approval to proceed. Go to the Action center to approve pending actions.

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

Contoso wants to implement Microsoft 365 Defender's automated investigation and response capability. When it does so, which of the following items triggers the start of an automated investigation?