Automated investigation and response in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

If your organization is using Microsoft 365 Defender, your security operations team receives an alert within the Microsoft 365 security center whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.

This article provides an overview of AIR and includes links to next steps and additional resources.

Tip

Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

How automated investigation and self-healing works

As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Prioritizing and investigating alerts can be very time consuming, especially when new alerts keep coming in while an investigation is going on. Security operations teams can feel overwhelmed by the sheer volume of threats they must monitor and protect against. Automated investigation and response capabilities, with self-healing, in Microsoft 365 Defender can help.

Watch the following video to see how self-healing works:

In Microsoft 365 Defender, automated investigation and response with self-healing capabilities works across your devices, email & content, and identities.

Tip

This article describes how automated investigation and response works. To configure these capabilities, see Configure automated investigation and response capabilities in Microsoft 365 Defender.

Your own virtual analyst

Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual analyst could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual analyst could significantly reduce the time to respond, freeing up your security operations team for other important threats or strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is automated investigation and response.

Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and response activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:

  1. Determining whether a threat requires action.
  2. Taking (or recommending) any necessary remediation actions.
  3. Determining whether and what other investigations should occur.
  4. Repeating the process as necessary for other alerts.

The automated investigation process

An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:

  • Malicious
  • Suspicious
  • No threats found

Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:

  • Sending a file to quarantine
  • Stopping a process
  • Isolating a device
  • Blocking a URL
  • Other actions

For more information, see Remediation actions in Microsoft 365 Defender.

Depending on how automated investigation and response capabilities are configured for your organization, remediation actions are taken automatically or only upon approval by your security operations team. All actions, whether pending or completed, are listed in the Action center.

While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.
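The workflow just described (alert to incident, a verdict per piece of evidence, remediation actions that are either taken automatically or held for approval in the Action center, and scope expansion when an affected entity shows up in another alert) can be made concrete with a small model. The following Python is an added illustration written for this article; it is not Microsoft's code and does not call any Microsoft 365 Defender API. The evidence kinds, the lookup table standing in for the real analysis, and the three sample alerts are all constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    """The three verdicts the investigation can assign to a piece of evidence."""
    MALICIOUS = "Malicious"
    SUSPICIOUS = "Suspicious"
    NO_THREATS_FOUND = "No threats found"


@dataclass(frozen=True)
class Evidence:
    kind: str        # constructed categories: "file", "process", "device", "url"
    identifier: str  # hash, process id, hostname or URL


@dataclass
class Alert:
    alert_id: str
    entities: tuple  # Evidence items the alert references


@dataclass
class Action:
    evidence: Evidence
    action: str
    status: str      # "Pending approval" or "Completed", as listed in the Action center


@dataclass
class Investigation:
    incident_id: str
    alert_ids: list = field(default_factory=list)  # alerts folded into this investigation
    verdicts: dict = field(default_factory=dict)   # Evidence -> Verdict
    actions: list = field(default_factory=list)    # Action center entries


# The action names are the examples the article gives; mapping them to an
# evidence kind is an assumption of this model.
REMEDIATION = {
    "file": "Send file to quarantine",
    "process": "Stop process",
    "device": "Isolate device",
    "url": "Block URL",
}


def assess(evidence: Evidence, intel: dict) -> Verdict:
    """Stand-in for the real analysis: a constructed lookup of known verdicts."""
    return intel.get(evidence.identifier, Verdict.NO_THREATS_FOUND)


def run_investigation(incident_id, first_alert, other_alerts, intel, auto_remediate):
    inv = Investigation(incident_id)
    queue = [first_alert]
    unassigned = list(other_alerts)  # alerts not (yet) part of this investigation
    while queue:
        alert = queue.pop(0)
        inv.alert_ids.append(alert.alert_id)
        for ev in alert.entities:
            if ev in inv.verdicts:       # already examined in this investigation
                continue
            verdict = assess(ev, intel)
            inv.verdicts[ev] = verdict
            if verdict is Verdict.NO_THREATS_FOUND:
                continue
            # Remediation is identified for malicious or suspicious entities only;
            # the configured automation level decides whether it runs or waits.
            status = "Completed" if auto_remediate else "Pending approval"
            inv.actions.append(Action(ev, REMEDIATION.get(ev.kind, "Other action"), status))
            # Scope expansion: an affected entity seen in another alert pulls that
            # alert into this investigation, and the loop repeats over it.
            for related in [a for a in unassigned if ev in a.entities]:
                unassigned.remove(related)
                queue.append(related)
    return inv


def pending_actions(inv):
    return [a for a in inv.actions if a.status == "Pending approval"]


def approve(inv, evidence):
    """Analyst approval from the Action center marks a pending action completed."""
    for a in inv.actions:
        if a.evidence == evidence and a.status == "Pending approval":
            a.status = "Completed"
            return True
    return False


# Constructed sample: three alerts, two of which share the same malicious file.
BAD_FILE = Evidence("file", "sha256:CONSTRUCTED-0001")
BAD_URL = Evidence("url", "http://example.invalid/payload")
ALERTS = [
    Alert("A1", (Evidence("device", "host-01"), BAD_FILE)),
    Alert("A2", (Evidence("device", "host-02"), BAD_FILE, BAD_URL)),
    Alert("A3", (Evidence("device", "host-03"), Evidence("file", "sha256:CONSTRUCTED-0002"))),
]
INTEL = {BAD_FILE.identifier: Verdict.MALICIOUS, BAD_URL.identifier: Verdict.SUSPICIOUS}


def demo(auto_remediate=False):
    return run_investigation("INC-1", ALERTS[0], ALERTS[1:], INTEL, auto_remediate)


if __name__ == "__main__":
    inv = demo()
    print("alerts in scope:", inv.alert_ids)
    for a in inv.actions:
        print(f"{a.action:<25} {a.evidence.identifier:<40} {a.status}")
```

Running `demo()` starts from alert A1; the malicious file it contains is also referenced by A2, so A2 is pulled into the same investigation and its suspicious URL gets its own action, while the unrelated A3 stays out of scope. With `auto_remediate=False` both actions wait in the Action center until `approve` is called; with `auto_remediate=True` they are recorded as completed.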

In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365, as summarized in the following table:

| Entities                                                            | Threat protection service |
| ------------------------------------------------------------------- | ------------------------- |
| Devices (also referred to as endpoints or machines)                 | Defender for Endpoint     |
| On-premises Active Directory users, entity behavior, and activities | Defender for Identity     |
| Email content (email messages that can contain files and URLs)      | Defender for Office 365   |

Note

Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions. It depends on how automated investigation and response is configured for your organization. See Configure automated investigation and response capabilities.

Viewing a list of investigations

To view investigations, go to the Incidents page. Select an incident, and then select the Investigations tab. To learn more, see Details and results of an automated investigation.

Next steps