Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 licenses like E5 or available as a standalone subscription) enables your SecOps team to operate more efficiently and effectively. AIR includes automated investigations of well-known threats, and provides recommended remediation actions. The SecOps team can review the evidence and approve or reject the recommended actions. For more information about AIR, see Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.

This article describes how AIR works through several examples:

Example: A user-reported phishing message launches an investigation playbook

A user receives an email that looks like a phishing attempt. The user reports the message by using the Microsoft Report Message or Report Phishing add-in. The report triggers an alert from the Email reported by user as malware or phish alert policy, and that alert automatically launches the investigation playbook.

Various aspects of the reported email message are assessed. For example:

  • The identified threat type
  • Who sent the message
  • Where the message was sent from (sending infrastructure)
  • Whether other instances of the message were delivered or blocked
  • The tenant landscape, including similar messages and their verdicts through email clustering
  • Whether the message is associated with any known campaigns
  • And more.

The playbook evaluates and automatically resolves submissions where no action is needed (which frequently happens with user-reported messages). For the remaining submissions, a list of recommended actions to take on the original message and the associated entities (for example, attached files, included URLs, and recipients) is provided.

Example: A security administrator triggers an investigation from Threat Explorer

You're in Explorer (Threat Explorer) at https://security.microsoft.com/threatexplorerv3 in the All email, Malware, or Phish views. You're on the Email tab (view) of the details area below the chart. You select a message to investigate by using either of the following methods:

  • Select one or more entries in the table by selecting the check box next to the first column. Take action is available directly in the tab.

    Screenshot of the Email view (tab) of the details table with a message selected and Take action active.

  • Click on the Subject value of an entry in the table. The details flyout that opens contains Take action at the top of the flyout.

    Screenshot of the actions available in the details flyout after you select a Subject value in the Email tab of the details area in the All email view.

After you select Take action, select Initiate automated investigation. For more information, see Email remediation.

Similar to playbooks triggered by an alert, automatic investigations that are triggered from Threat Explorer include:

Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API

AIR capabilities in Defender for Office 365 Plan 2 include reports and details that the SecOps team can use to monitor and address threats. But you can also integrate AIR capabilities with other solutions. For example:

  • Security information and event management (SIEM) systems.
  • Case management systems.
  • Custom reporting solutions.

Use the Office 365 Management Activity API for integration with these solutions.

For an example of a custom solution that integrates alerts from user-reported phishing messages that were already processed by AIR into a SIEM server and case management system, see Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the Office 365 Management API.

The integrated solution greatly reduces the number of false positives, which allows the SecOps team to focus their time and effort on real threats.
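The following script is an added example of the integration pattern described above; it is not code from this article, from Microsoft, or from the Tech Community blog post it references. It walks the Office 365 Management Activity API flow (client-credentials token for https://manage.office.com, listing Audit.General content blobs for a time window with NextPageUri pagination, downloading each blob) and then converts the records into one JSON line per event for a SIEM or case-management system. Assumptions: the tenant ID, client ID, and client secret are placeholders you supply; the app registration has the ActivityFeed.Read permission and the Audit.General subscription has already been started; the record type values 40 (SecurityComplianceAlerts) and 64 (AirInvestigation) should be confirmed against the current Management Activity API schema reference; the AIR status names used to recognise closed investigations are taken from the portal's status labels and are an assumption; and the sample records are constructed, not real tenant data.

```python
"""Added example: relay Office 365 Management Activity API alert and AIR records to a SIEM."""
import json
import urllib.parse
import urllib.request

MANAGE_BASE = "https://manage.office.com/api/v1.0"
CONTENT_TYPE = "Audit.General"   # alert and AIR investigation records are published in this feed
# AuditLogRecordType values; confirm against the current Management Activity API schema reference.
RECORD_TYPE_ALERTS = 40          # SecurityComplianceAlerts
RECORD_TYPE_AIR = 64             # AirInvestigation
# AIR statuses meaning "closed, no analyst action needed" (assumed from the portal's status names).
CLOSED_NO_ACTION = {"nothreatsfound", "remediated"}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the Management API (the app registration needs ActivityFeed.Read)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://manage.office.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _get(url, token):
    """GET JSON; the content listing paginates through the NextPageUri response header."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("NextPageUri")


def fetch_records(tenant_id, token, start, end):
    """List content blobs for [start, end) (datetimes, at most 24 h apart) and download each one.
    The tenant's Audit.General subscription must already be started (POST .../subscriptions/start)."""
    query = urllib.parse.urlencode({"contentType": CONTENT_TYPE,
                                    "startTime": start.strftime("%Y-%m-%dT%H:%M:%S"),
                                    "endTime": end.strftime("%Y-%m-%dT%H:%M:%S")})
    url = f"{MANAGE_BASE}/{tenant_id}/activity/feed/subscriptions/content?{query}"
    records = []
    while url:
        blobs, url = _get(url, token)
        for blob in blobs:
            content, _ = _get(blob["contentUri"], token)   # each blob is a JSON array of records
            records.extend(content)
    return records


def _norm(status):
    return "".join(ch for ch in str(status or "").lower() if ch.isalnum())


def to_siem_events(records, forward_closed=False):
    """Keep alert (40) and AIR (64) records, flattened to one dict per event. By default,
    investigations AIR already closed with no action needed are dropped: that filter is what
    keeps auto-resolved user reports out of the analyst queue."""
    events = []
    for rec in records:
        rtype = rec.get("RecordType")
        if rtype not in (RECORD_TYPE_ALERTS, RECORD_TYPE_AIR):
            continue
        data = rec.get("Data") or {}          # the alert schema carries Data as a JSON-encoded string
        if isinstance(data, str):
            try:
                data = json.loads(data)
            except ValueError:
                pass
        if not isinstance(data, dict):
            data = {"raw": data}
        status = rec.get("Status") or data.get("Status")
        if rtype == RECORD_TYPE_AIR and not forward_closed and _norm(status) in CLOSED_NO_ACTION:
            continue
        events.append({
            "time": rec["CreationTime"], "id": rec["Id"],
            "source": "o365-air" if rtype == RECORD_TYPE_AIR else "o365-alert",
            "operation": rec.get("Operation"), "severity": rec.get("Severity"), "status": status,
            "name": rec.get("Name") or rec.get("InvestigationName") or data.get("InvestigationName"),
            "investigation_id": rec.get("InvestigationId") or data.get("InvestigationId"),
            "link": rec.get("DeeplinkURL") or data.get("DeeplinkURL"),
        })
    return events


# Constructed sample records (shape follows the Audit.General schemas; values are made up).
SAMPLE_RECORDS = [
    {"Id": "r1", "RecordType": 2, "CreationTime": "2024-05-01T09:00:00", "Operation": "MailItemsAccessed"},
    {"Id": "r2", "RecordType": 40, "CreationTime": "2024-05-01T09:01:00", "Operation": "AlertTriggered",
     "Name": "Email reported by user as malware or phish", "Severity": "Informational",
     "Status": "Active", "Data": json.dumps({"InvestigationId": "inv-1"})},
    {"Id": "r3", "RecordType": 64, "CreationTime": "2024-05-01T09:20:00", "Operation": "AirInvestigation",
     "InvestigationId": "inv-1", "InvestigationName": "User Reported Message", "Status": "No Threats Found"},
    {"Id": "r4", "RecordType": 64, "CreationTime": "2024-05-01T09:25:00", "Operation": "AirInvestigation",
     "InvestigationId": "inv-2", "InvestigationName": "User Reported Message", "Status": "Pending Action",
     "DeeplinkURL": "https://security.microsoft.com/airinvestigation/inv-2"},
]

if __name__ == "__main__":
    for event in to_siem_events(SAMPLE_RECORDS):
        print(json.dumps(event))   # one JSON line per event for a SIEM file or HTTP collector
```

Run as-is, the script only processes the constructed records and prints two events: the user-report alert and the investigation that is still waiting for an analyst; the investigation AIR closed as No Threats Found is dropped, which is the false-positive reduction the article describes. In a deployment, call fetch_records on a schedule with a window that ends a few minutes in the past (content for a time window can arrive late) and pass the result to to_siem_events before shipping it to the collector; set forward_closed=True if the SIEM should also retain closed investigations for audit purposes.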

Next steps