AIR Is Not Just Automation


Using Microsoft 365 Defender AIR for broader incident management.

Microsoft 365 Defender’s Automated Investigation and Response (AIR) is a solution for investigating and remediating known incidents. Depending on the level of automation an organization selects, AIR can automatically resolve security incidents, and it can also assist with analyst-driven investigations.

In this blog, we show how an analyst can use AIR to both automatically address and gather more information about their incidents. By taking time to go over the information the automation produces, analysts can become both more efficient and effective during investigations.

MDE AIR Side Menu

An analyst can go to the AIR menu in Microsoft 365 Defender for Endpoints (MDE) to find a list of all automated activity that has happened recently. They can use the incident ID number associated with the incidents they are investigating to find what kind of automated actions AIR took during those incidents.

When an automated investigation is selected, it pulls up the AIR side menu, which has all the main details about what happened during the automated response. There is also a link to the automated investigation page that an analyst can select to see more information.

AIR Investigation Graph

Similar to other Microsoft cloud security APIs, there is an investigation graph that analysts can use to visualize what happened during an incident. Depending on how the analyst wishes to view it, they can either go down or counterclockwise to view the order of events during the automated response.

In this scenario the automation scanned 3690 entities on the device, found one potentially malicious entity, and waited 10 seconds before automatically removing that malicious entity. An analyst can use the parts of this investigation graph to help form a timeline of the automated part of their incidents.

AIR Evidence Tab

Now that the analyst knows there was a confirmed instance of a potentially malicious file, they can move to the evidence tab to learn more about what the automation found. The analyst can select the evidence to see a side menu with more details about what happened.

In the side menu, the analyst discovered some important details, such as the URI of the file, which implies that it was put on the device through a USB port. The other piece of useful information is the “Virus Total” check that shows how many IOC (indicator of compromise) databases consider the file dangerous. They can also click on the link to see the Virus Total page for the IOC.

AIR Entities Tab

If an analyst wants to go in depth with their investigation, they can look through the entities tab that has a list of information on each of the entities that AIR scanned. They can select the sub-tabs on the left-hand side to look for more information like files, processes, and recently accessed IP addresses on the device.

AIR Activity Log Tab

AIR keeps a full activity log of what it does while running its automated tasks. If analysts are interested in a particular part of what the automation did during the investigation, they can go through the activity log to see more details about automation activity. This information is useful for creating a precise timeline and double-checking what the automation did to remove a potentially malicious entity.

We will continue to share best practices and lessons learned in future posts on using automation in customer environments. Taking full advantage of AIR and all the other automation tools offered by Microsoft is one of the defining capabilities of CyberMSI.

In closing, consider these three questions when using AIR in your organization:

  1. Are we taking full advantage of the automation features Microsoft 365 Defender has to offer?
  2. Do we have investigation procedures that use the additional information in AIR?
  3. How does our SecOps team go through the entities tab using AIR to find more information during complex and high severity incidents?
