Automated investigation and response (AIR) in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.

AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered.

This article describes:

This article also includes next steps, and resources to learn more.

The overall flow of AIR

An alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommended actions. Here's the overall flow of AIR, step by step:

  1. An automated investigation is initiated in one of the following ways:

  2. While an automated investigation runs, it gathers data about the email in question and entities related to that email (for example, files, URLs, and recipients). The investigation's scope can increase as new and related alerts are triggered.

  3. During and after an automated investigation, details and results are available to view. Results might include recommended actions that can be taken to respond to and remediate any existing threats that were found.

  4. Your security operations team reviews the investigation results and recommendations, and approves or rejects remediation actions.

  5. As pending remediation actions are approved (or rejected), the automated investigation completes.

Note

If the investigation does not result in recommended actions the automated investigation will close and the details of what was reviewed as part of the automated investigation will still be available on the investigation page.

In Microsoft Defender for Office 365, no remediation actions are taken automatically. Remediation actions are taken only upon approval by your organization's security team. AIR capabilities save your security operations team time by identifying remediation actions and providing the details needed to make an informed decision.

During and after each automated investigation, your security operations team can:

Tip

For a more detailed overview, see How AIR works.

How to get AIR

AIR capabilities are included in Microsoft Defender for Office 365, as long as audit logging is turned on (it's on by default).

In addition, make sure to review your organization's alert policies, especially the default policies in the Threat management category.

Which alert policies trigger automated investigations?

Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the default alert policies can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft Defender portal, and how they're generated:

Alert Severity How the alert is generated
A potentially malicious URL click was detected High This alert is generated when any of the following occurs:
  • A user protected by Safe Links in your organization clicks a malicious link
  • Verdict changes for URLs are identified by Microsoft Defender for Office 365
  • Users override Safe Links warning pages (based on your organization's Safe Links policy.

For more information on events that trigger this alert, see Set up Safe Links policies.
An email message is reported by a user as malware or phish Low This alert is generated when users in your organization report messages as phishing email using the Microsoft Report Message or Report Phishing add-ins.
Email messages containing malicious file removed after delivery Informational This alert is generated when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing malware are removed after delivery Informational This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing malicious URL removed after delivery Informational This alert is generated when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing phish URLs are removed after delivery Informational This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using ZAP.
Suspicious email sending patterns are detected Medium This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user.

Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to check whether the user account is compromised.

A user is restricted from sending email High This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an email account is compromised.

For more information about restricted users, see Remove blocked users from the Restricted entities page.

Admin triggered manual investigation of email Informational This alert is generated when an admin triggers the manual investigation of an email from Threat Explorer. This alert notifies your organization that the investigation was started.
Admin triggered user compromise investigation Medium This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.

Tip

To learn more about alert policies or edit the default settings, see Alert policies in the Microsoft Defender portal.

Required permissions to use AIR capabilities

You need to be assigned permissions to use AIR. You have the following options:

  • Microsoft Defender XDR Unified role based access control (RBAC) (Affects the Defender portal only, not PowerShell):

    • Start an automated investigation or Approve or reject recommended actions: Security Operator/Email advanced remediation actions (manage).
  • Email & collaboration permissions in the Microsoft Defender portal:

    • Set up AIR features: Membership in the Organization Management or Security Administrator role groups.
    • Start an automated investigation or Approve or reject recommended actions:
      • Membership in the Organization Management, Security Administrator, Security Operator, Security Reader, or Global Reader role groups. and
      • Membership in a role group with the Search and Purge role assigned. By default, this role is assigned to the Data Investigator and Organization Management role groups. Or, you can create a custom role group to assign the Search and Purge role.
  • Microsoft Entra permissions:

    • Set up AIR features Membership in the Global Administrator or Security Administrator roles.
    • Start an automated investigation or Approve or reject recommended actions:
      • Membership in the Global Administrator, Security Administrator, Security Operator, Security Reader, or Global Reader roles. and
      • Membership in an Email & collaboration role group with the Search and Purge role assigned. By default, this role is assigned to the Data Investigator and Organization Management role groups. Or, you can create a custom Email & collaboration role group to assign the Search and Purge role.

    Microsoft Entra permissions give users the required permissions and permissions for other features in Microsoft 365.

Required licenses

Microsoft Defender for Office 365 Plan 2 licenses should be assigned to:

  • Security administrators (including global administrators)
  • Your organization's security operations team (including security readers and those with the Search and Purge role)
  • End users

Next steps