Microsoft Defender for Office 365 | Automatic investigation and response
Microsoft Defender for Endpoint was the first product in the Defender (ATP) suite with AIR (Automatic investigation and response) functionality; its response mode is either semi-automatic (manual approval) or full (automatic approval, the preferred setting).
Microsoft Defender for Office 365 (Plan 2) is the second product with AIR functionality (Microsoft 365 Defender provides an overview of both AIR products; the details page links back to the product itself).
Microsoft Defender for Office 365 does not support automatic response, only manual response (√ approve or X reject the remediation action).
Alert
The Microsoft Defender for Endpoint AIR process detects well-known threats; such a threat triggers an alert, which starts the AIR process. The well-known threats are:
¹ assigned informational severity in Office 365 alert policies (already mitigated)
² generally available alerts associated with public preview playbooks
When an alert is triggered, it creates an incident which (depending on the type of incident) starts a security playbook.
Security Playbook
A security playbook is a set of logged steps to investigate the incident and recommend actions for mitigation. It starts an automated investigation that gathers additional data about the e-mail and the entities (file, URL, recipient, etc.) related to the incident.
¹ ZAP (Zero-hour Auto Purge) moves e-mail that has already been delivered to the inbox to the Junk Email folder or to Quarantine (as configured in the anti-spam policy) once it has been marked as malicious (malware, phish or spam).
See https://docs.microsoft.com/nl-nl/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp for details.
Automated Investigation
An automated investigation produces an investigation graph that includes all entities involved.
If a pending action is not acted on within 7 days it expires, and its status becomes ‘terminated by system’.
Remediation Recommendation
Remediation actions are the manual actions taken by a SOC (Security Operations Center) analyst to √ Approve or X Reject a recommended remediation action.
The remediation actions available are (depending on the incident type)
Not all incidents result in a recommended remediation.
Dashboard
The Microsoft Defender for Office 365 dashboard contains a section with an overview of AIR (Automated Investigation and Response).
Details of all dashboards are in the Investigation section of Threat Management.
Email notification
Alerts with informational severity are hidden by default in the Office 365 alert view, and e-mail notification for them is turned off.
E-mail notification can be enabled in the Office 365 Alert policies section (the severity cannot be changed).
Hope this blog provides some insights into the Microsoft Defender for Office 365 AIR features.