Overview of automated investigations
Applies to:
Platforms
- Windows
Want to see how it works? Watch the following video:
The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the Action center. In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed.
This article provides an overview of AIR and includes links to next steps and additional resources.
Tip
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
How the automated investigation starts
An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.
| Situation | What happens |
|---|---|
| An alert is triggered | In general, an automated investigation starts when an alert is triggered, and an incident is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation. |
| An investigation is started manually | An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select Initiate Automated Investigation. |
How an automated investigation expands its scope
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the Pending actions tab.
How threats are remediated
As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be:
- Malicious;
- Suspicious; or
- No threats found.
As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see Remediation actions.
Depending on the level of automation set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include protection from potentially unwanted applications (PUA).
All remediation actions, whether pending or completed, are tracked in the Action center. If necessary, your security operations team can undo a remediation action. To learn more, see Review and approve remediation actions following an automated investigation.
Tip
Check out the new, unified investigation page in the Microsoft Defender portal. To learn more, see Unified investigation page.
Requirements for AIR
Your subscription must include Defender for Endpoint or Defender for Business.
Note
Automated investigation and response requires Microsoft Defender Antivirus for running in passive mode or active mode. If Microsoft Defender Antivirus is disabled or uninstalled, Automated Investigation and Response will not function correctly.
Currently, AIR only supports the following OS versions:
- Windows Server 2012 R2 (Preview)
- Windows Server 2016 (Preview)
- Windows Server 2019
- Windows Server 2022
- Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
- Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
- Windows 10, version 1803 or later
- Windows 11
Note
Automated investigation and response on Windows Server 2012 R2 and Windows Server 2016 requires the Unified Agent to be installed.
Next steps
- Learn more about automation levels
- See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint
- Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
See also
- PUA protection
- Automated investigation and response in Microsoft Defender for Office 365
- Automated investigation and response in Microsoft Defender XDR
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.