Automated investigation and response (AIR) in Microsoft Defender for Office 365
Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes that run in response to well-known threats. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered.
This article describes:
- The overall flow of AIR
- How to get AIR
- The required permissions to configure or use AIR capabilities
- Changes that are coming soon to your Microsoft 365 Defender portal
This article also includes next steps, and resources to learn more.
The overall flow of AIR
An alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommended actions. Here's the overall flow of AIR, step by step:
1. An automated investigation is initiated in one of the following ways:
   - An alert is triggered by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins; or
   - A security analyst starts an automated investigation while using Explorer.
2. While an automated investigation runs, it gathers data about the email in question and entities related to that email. Such entities can include files, URLs, and recipients. The investigation's scope can increase as new and related alerts are triggered.
3. During and after an automated investigation, details and results are available to view. Results include recommended actions that can be taken to respond to and remediate any threats that were found.
4. Your security operations team reviews the investigation results and recommendations, and approves or rejects remediation actions.
5. As pending remediation actions are approved (or rejected), the automated investigation completes.
In Microsoft Defender for Office 365, no remediation actions are taken automatically. Remediation actions are taken only upon approval by your organization's security team. AIR capabilities save your security operations team time by identifying remediation actions and providing the details needed to make an informed decision.
During and after each automated investigation, your security operations team can:
- View details about an alert related to an investigation
- View the results details of an investigation
- Review and approve actions as a result of an investigation
Tip
For a more detailed overview, see How AIR works.
How to get AIR
AIR capabilities are included in Microsoft Defender for Office 365, provided your policies and alerts are configured. Need some help? Follow the guidance in Protect against threats to set up or configure the following protection settings:
- Audit logging (should be turned on)
- Anti-malware protection
- Anti-phishing protection
- Anti-spam protection
- Safe Links and Safe Attachments
In addition, make sure to review your organization's alert policies, especially the default policies in the Threat management category.
Which alert policies trigger automated investigations?
Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the default alert policies can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 Defender portal, and how they're generated:
| Alert | Severity | How the alert is generated |
|---|---|---|
| A potentially malicious URL click was detected | High | This alert is generated when any of the following occurs:
For more information on events that trigger this alert, see Set up Safe Links policies. |
| An email message is reported by a user as malware or phish | Informational | This alert is generated when users in your organization report messages as phishing email using the Report Message add-in or the Report Phishing add-in. |
| Email messages containing malware are removed after delivery | Informational | This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP). |
| Email messages containing phish URLs are removed after delivery | Informational | This alert is generated when any messages containing phish URLs are delivered to mailboxes in your organization. If this event occurs, Microsoft removes those messages from Exchange Online mailboxes using ZAP. |
| Suspicious email sending patterns are detected | Medium | This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to check whether the user account is compromised. |
| A user is restricted from sending email | High | This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an email account is compromised. For more information about restricted users, see Remove blocked users from the Restricted Users portal in Microsoft 365. |
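The following script is an added example, not part of the original article, and not Microsoft's own tooling. It checks the two prerequisites described above from PowerShell: that unified audit logging is on, and that the default alert policies listed in the table are enabled (optionally re-enabling any that are not). It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can read and change these settings, and that the wildcard patterns match the display names your tenant uses for the default policies; adjust the patterns if a policy is not found.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not from the original article): verify the AIR prerequisites.
# Run with -Fix to enable audit logging and re-enable disabled alert policies; without it, report only.
param(
    [switch]$Fix
)

Connect-ExchangeOnline    # Exchange Online cmdlets: Get-/Set-AdminAuditLogConfig
Connect-IPPSSession       # Security & Compliance cmdlets: Get-/Set-ProtectionAlert

# 1. Unified audit logging. Investigations rely on the activity records it collects.
$auditConfig = Get-AdminAuditLogConfig
if ($auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit logging: ON'
} elseif ($Fix) {
    Write-Warning 'Unified audit logging is OFF; enabling it (new events take a while to appear).'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Warning 'Unified audit logging is OFF; rerun with -Fix to enable it.'
}

# 2. Default alert policies that trigger automated investigations.
#    Patterns are assumed to match the display names in the table above (tenant wording may differ slightly).
$airAlertPatterns = @(
    '*potentially malicious URL click*',
    '*reported by*as malware or phish*',
    '*malware*removed after delivery*',
    '*phish URLs*removed after delivery*',
    '*suspicious email sending patterns*',
    '*restricted from sending email*'
)

$allPolicies = Get-ProtectionAlert
foreach ($pattern in $airAlertPatterns) {
    # -like is case-insensitive by default, so capitalisation differences do not matter.
    $matched = $allPolicies | Where-Object { $_.Name -like $pattern }
    if (-not $matched) {
        Write-Warning "No alert policy matches '$pattern'; check the policy name in the portal."
        continue
    }
    foreach ($policy in $matched) {
        if (-not $policy.Disabled) {
            Write-Host ("Alert policy '{0}' is enabled (severity: {1})" -f $policy.Name, $policy.Severity)
        } elseif ($Fix) {
            Write-Warning "Alert policy '$($policy.Name)' is disabled; re-enabling it."
            Set-ProtectionAlert -Identity $policy.Name -Disabled $false
        } else {
            Write-Warning "Alert policy '$($policy.Name)' is disabled; rerun with -Fix to re-enable it."
        }
    }
}

# Disconnect-ExchangeOnline closes both the Exchange Online and the Security & Compliance sessions.
Disconnect-ExchangeOnline -Confirm:$false
```

Run it without `-Fix` first to see the current state; the report-only mode is safe to run from a read-only account, whereas `-Fix` needs rights to change audit and alert settings.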
Tip
To learn more about alert policies or edit the default settings, see Alert policies in the Microsoft 365 compliance center.
Required permissions to use AIR capabilities
Permissions are granted through certain roles, such as those that are described in the following table:
| Task | Role(s) required |
|---|---|
| Set up AIR features | One of the following roles:
These roles can be assigned in Azure Active Directory or in the Microsoft 365 Defender portal. |
| Start an automated investigation, or approve or reject recommended actions | One of the following roles, assigned in Azure Active Directory or in the Microsoft 365 Defender portal: |
Required licenses
Microsoft Defender for Office 365 Plan 2 licenses should be assigned to:
- Security administrators (including global administrators)
- Your organization's security operations team (including security readers and those with the Search and Purge role)
- End users
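The following script is an added example, not part of the original article and not Microsoft's own tooling. It lists who effectively holds the Search and Purge role mentioned above and checks that each named security operations user has an enabled Defender for Office 365 Plan 2 service plan. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed, that the Plan 2 service plan is named THREAT_INTELLIGENCE (verify this against your tenant's license details; it is an assumption here), and the user principal names are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users
# Added example (not from the original article): role and license checks for the SecOps team.
param(
    # Placeholder UPNs; replace with the accounts that will approve AIR actions.
    [string[]]$SecOpsUsers = @('analyst1@contoso.example', 'analyst2@contoso.example'),
    # Assumed service plan name for Defender for Office 365 Plan 2; confirm in your tenant.
    [string]$Plan2ServicePlan = 'THREAT_INTELLIGENCE'
)

Connect-IPPSSession                                  # Security & Compliance role assignments
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome   # Microsoft Graph for license details

# 1. Who effectively holds Search And Purge, directly or via a role group.
Write-Host 'Effective holders of the Search And Purge role:'
Get-ManagementRoleAssignment -Role 'Search And Purge' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName |
    Sort-Object EffectiveUserName -Unique |
    Format-Table -AutoSize

# 2. Plan 2 license on each SecOps account. A service plan counts only when provisioning succeeded.
foreach ($upn in $SecOpsUsers) {
    $licenses = Get-MgUserLicenseDetail -UserId $upn -ErrorAction SilentlyContinue
    if (-not $licenses) {
        Write-Warning "$upn : no license details returned (user not found or no licenses assigned)."
        continue
    }
    $plan2 = $licenses |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -eq $Plan2ServicePlan -and $_.ProvisioningStatus -eq 'Success' }
    if ($plan2) {
        $skus = ($licenses | Select-Object -ExpandProperty SkuPartNumber) -join ', '
        Write-Host "$upn : $Plan2ServicePlan enabled (SKUs: $skus)"
    } else {
        Write-Warning "$upn : $Plan2ServicePlan not enabled; AIR features will be unavailable to this user."
    }
}

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

The role listing is printed rather than matched against the UPNs because `-GetEffectiveUsers` reports display names, not user principal names; compare the two lists by eye or extend the script with a Get-MgUser lookup if you need an automated match.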
Changes are coming soon in your Microsoft 365 Defender portal
If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the improved Microsoft 365 Defender portal.
The new and improved Microsoft 365 Defender portal brings together AIR capabilities in Microsoft Defender for Office 365 and in Microsoft Defender for Endpoint. With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
Tip
The new Microsoft 365 Defender portal replaces the following centers:
- Security & Compliance Center (https://protection.office.com)
- Microsoft Defender Security Center (https://securitycenter.windows.com)
In addition to the URL changing, there's a new look and feel, designed to give your security team a more streamlined experience, with visibility to more threat detections in one place.
What to expect
The following table lists changes and improvements coming to AIR in Microsoft Defender for Office 365.
| Item | What's changing? |
|---|---|
| Investigations page | The updated Investigations page is more consistent with what you see in Microsoft Defender for Endpoint. You'll see some general format and styling changes that align with the new, unified Investigations view. For example, the investigation graph has a more unified format. |
| Users tab | The Users tab is now the Mailboxes tab. Details about users are listed on the Mailboxes tab. |
| Email tab | The Email tab has been removed; visit the Entities tab to see a list of email and email cluster items. |
| Entities tab | The Entities tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The Entities tab now includes a Go hunting option in addition to the Open in Explorer option. You can now use either Explorer or advanced hunting to find entities and threats, and filter on results. |
| Actions tab | The updated Actions tab now includes a Pending actions tab and an Actions history tab. Actions can be approved (or rejected) in a side pane that opens when you select a pending action. |
| Evidence tab | A new Evidence tab shows the key entity findings related to actions. Actions related to each piece of evidence can be approved (or rejected) in a side pane that opens when you select a pending action. |
| Action center | The updated Action center (https://security.microsoft.com/action-center) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. |
| Incidents page | The Incidents page now correlates multiple investigations together to provide a better consolidated view of investigations. (Learn more about Incidents.) |