Manage automated investigation and response in Defender XDR
Automated Investigation and Response (AIR) in Microsoft Defender XDR is a powerful capability that helps security operations teams efficiently handle threats by automating investigation workflows and remediation actions. This feature significantly reduces the manual workload on security analysts while accelerating threat response times.
When an alert triggers in Defender XDR, AIR automatically initiates an investigation by collecting relevant evidence, analyzing artifacts, and correlating data across multiple security products including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. The system examines entities such as files, processes, services, registry keys, and user activities to determine the scope and severity of potential threats.
Security operations teams can manage AIR through several key functions. First, administrators configure automation levels that determine how much autonomy the system has when taking remediation actions. Options range from full automation, where approved actions execute on their own, to no automation, requiring manual approval for every action.
The Action Center serves as the central hub for managing automated investigations. Here, analysts can review pending actions awaiting approval, track completed remediation steps, and access historical investigation data. Teams can approve or reject recommended actions based on their assessment of the situation.
Managing AIR also involves configuring device groups with appropriate automation settings, ensuring that critical systems receive proper oversight while allowing routine threats to be handled autonomously. Security teams should regularly review investigation results to fine-tune detection logic and improve response accuracy.
Best practices include establishing clear escalation procedures, defining roles for action approval, and maintaining documentation of automated responses. Regular audits of AIR activities help identify patterns and optimize the balance between automation efficiency and human oversight. This comprehensive approach ensures that security operations remain effective while maximizing the benefits of automation in threat detection and response.
Why Is This Important?
Automated Investigation and Response (AIR) in Microsoft Defender XDR is a critical capability that enables security teams to handle the growing volume of security alerts efficiently. Organizations face thousands of alerts daily, and manual investigation of each would be impossible. AIR reduces the workload on Security Operations Center (SOC) analysts by automatically investigating alerts and taking remediation actions, allowing teams to focus on complex threats that require human expertise.
What Is Automated Investigation and Response?
AIR is a feature in Microsoft Defender XDR that uses artificial intelligence and automation playbooks to examine alerts, determine if a threat exists, and take appropriate remediation actions. When an alert triggers, the system automatically:
• Analyzes the alert and related entities (files, processes, users, devices)
• Expands the investigation scope to find related malicious activities
• Determines verdicts for investigated entities
• Recommends or executes remediation actions based on automation level settings
How Does AIR Work?
Triggering Automated Investigations: Investigations can be triggered by:
• Alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps
• Manual initiation by security analysts
• Incidents that group related alerts
Automation Levels: The following automation levels determine how AIR handles remediation:
1. Full - remediate threats automatically: All remediation actions are performed automatically
2. Semi - require approval for any remediation: All actions require analyst approval
3. Semi - require approval for core folders remediation: Actions on files in core Windows folders require approval
4. Semi - require approval for non-temp folders remediation: Actions on files outside temporary folders require approval
5. No automated response: Automated investigations still run, but no remediation occurs
The Investigation Process:
1. Alert triggers an investigation
2. Playbook analyzes entities and expands scope
3. Evidence is collected and analyzed
4. Verdicts are assigned (Malicious, Suspicious, Clean, Unknown)
5. Remediation actions are pending or executed based on automation level
Action Center: The Action Center is the central location for viewing:
• Pending actions requiring approval
• Completed remediation actions
• History of all automated actions
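The following Python model, added here and not Microsoft code, shows how a device group's automation level, the verdict on each file, and its folder location combine to decide whether a remediation lands in the Action Center as pending or completed. The core and temp folder sets, and the rule that only a Malicious verdict produces a remediation action, are assumptions for illustration.

```python
"""Model of how a device group's automation level gates AIR remediation.
Added illustration only, not Microsoft code; the folder sets and the rule that
only a Malicious verdict yields a remediation action are assumptions."""
from enum import Enum
from pathlib import PureWindowsPath

class Level(Enum):
    FULL = "Full - remediate threats automatically"
    SEMI_ANY = "Semi - require approval for any remediation"
    SEMI_CORE = "Semi - require approval for core folders remediation"
    SEMI_NON_TEMP = "Semi - require approval for non-temp folders remediation"
    NONE = "No automated response"

# Assumed folder roots for illustration; the product's own lists may differ.
CORE_FOLDERS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

def is_core(path: str) -> bool:
    """True if the file lives under an assumed core Windows folder."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in CORE_FOLDERS)

def is_temp(path: str) -> bool:
    """True if any path component is a Temp/Tmp folder (assumed rule)."""
    return any(part.lower() in ("temp", "tmp") for part in PureWindowsPath(path).parts)

def decide(level: Level, verdict: str, path: str) -> str:
    """Outcome for one proposed file remediation: none, pending or executed."""
    if verdict != "Malicious" or level is Level.NONE:
        return "none"  # nothing to remediate, or investigation-only mode
    if level is Level.FULL:
        return "executed"
    if level is Level.SEMI_ANY:
        return "pending"
    if level is Level.SEMI_CORE:  # approval needed only inside core folders
        return "pending" if is_core(path) else "executed"
    return "executed" if is_temp(path) else "pending"  # SEMI_NON_TEMP

def route(level: Level, evidence) -> dict:
    """Sort investigated files into the Action Center's pending/completed views."""
    buckets = {"pending": [], "completed": []}
    for verdict, path in evidence:
        outcome = decide(level, verdict, path)
        if outcome != "none":
            buckets["pending" if outcome == "pending" else "completed"].append(path)
    return buckets

if __name__ == "__main__":  # constructed sample evidence from one investigation
    sample = [("Malicious", r"C:\Users\alice\AppData\Local\Temp\dropper.exe"),
              ("Malicious", r"C:\Windows\System32\drivers\evil.sys")]
    print(route(Level.SEMI_NON_TEMP, sample))
```

Note the edge case a file under C:\Windows\Temp produces: it is both a core folder and a temp folder, so the core-folders level holds it for approval while the non-temp-folders level remediates it automatically.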
1. Know the automation levels: Understand the difference between full automation and semi-automation options. Questions often test which level is appropriate for different organizational requirements.
2. Understand the Action Center: Know that pending actions appear in the Action Center and require analyst approval when automation is set to semi-automatic modes.
3. Remember integration points: AIR works across Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. Questions may test which products support AIR capabilities.
4. Device groups and automation: Automation levels are configured per device group. Different groups can have different automation levels based on risk tolerance.
5. Prerequisites: Know that devices must be onboarded to Defender for Endpoint and meet minimum OS requirements for AIR to function.
6. Live Response vs AIR: Understand that Live Response is for manual, real-time investigation while AIR is for automated investigation. These are complementary but distinct features.
7. Undo actions: Be aware that remediation actions can be undone from the Action Center if needed.
Common Question Patterns:
• Scenarios asking which automation level to configure for specific requirements
• Questions about where to view pending or completed actions
• Identifying what triggers automated investigations
• Understanding the order of investigation steps
Key Terminology to Remember:
• AIR - Automated Investigation and Response
• Action Center - Central hub for managing remediation actions
• Playbooks - Automated procedures that guide investigations
• Device Groups - Collections of devices with shared automation policies