Automated investigation and response in Microsoft 365 Defender


The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

If your organization is using Microsoft 365 Defender, your security operations team receives an alert whenever a malicious or suspicious artifact is detected. Given the seemingly never-ending flow of threats that come in, security teams often face challenges in addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.

This article provides an overview of AIR and includes links to next steps and additional resources.


Want to experience Microsoft 365 Defender? You can evaluate it in a lab environment or run your pilot project in production.

How automated investigation and self-healing works

As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Prioritizing and investigating alerts can be very time consuming, especially when new alerts keep coming in while an investigation is going on. Security operations teams can feel overwhelmed by the sheer volume of threats they must monitor and protect against. Automated investigation and response capabilities, with self-healing, in Microsoft 365 Defender can help.

Watch the following video to see how self-healing works:

In Microsoft 365 Defender, automated investigation and response with self-healing capabilities works across your devices, email & content, and identities.


This article describes how automated investigation and response works. To configure these capabilities, see Configure automated investigation and response capabilities in Microsoft 365 Defender.

Your own virtual analyst

Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual assistant could significantly reduce the time to respond, freeing up your security operations team for other important strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is automated investigation and response.

Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and remediation activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:

  1. Determining whether a threat requires action;
  2. Taking (or recommending) any necessary remediation actions;
  3. Determining whether and what other investigations should occur; and
  4. Repeating the process as necessary for other alerts.

The automated investigation process

An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:

  • Malicious;
  • Suspicious; or
  • No threats found.

Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:

Depending on how automated investigation and response capabilities are configured for your organization, remediation actions are taken automatically or only upon approval by your security operations team. All actions, whether pending or completed, are listed in the Action center.

While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an incriminated entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.

In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Defender for Office 365, as summarized in the following table:

Entities Threat protection services
Devices (also referred to as endpoints, and sometimes referred to as machines) Microsoft Defender for Endpoint
Microsoft Defender for Identity
Email content (email messages that can contain files and URLs) Microsoft Defender for Office 365


Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions; it depends on how automated investigation and response is configured for your organization. See Configure automated investigation and response capabilities in Microsoft 365 Defender.

Next steps