Automated Investigation and Response (AIR) in Office 365
AIR enables you to run automated investigation processes in response to well-known threats that exist today.
AIR can help your security operations team operate more efficiently and effectively.
AIR is included in Microsoft 365 E5, Microsoft 365 E5 Security, Office 365 E5, and Office 365 Advanced Threat Protection Plan 2. With AIR, when certain alerts are triggered, one or more security playbooks are initiated and an automated investigation begins. During and after that investigation, administrators and your security operations team can look at the details of the investigation, review and approve the recommended actions, and view details about the alert that triggered it. Read on to find out how we can help and how you can get the most out of AIR in your organization.
The Process of AIR
Below is the overall flow of AIR at a high level and how each phase works:
- Phase 1 – An alert is triggered, and a security playbook initiates.
- Phase 2 – Depending on the alert and security playbook, the automated investigation starts immediately. (Alternative: A Security Analyst can start an automated investigation manually, from a value in a report.)
- Phase 3 – While the automated investigation runs, its scope can increase as new, related alerts are triggered.
- Phase 4 – During and after the automated investigation, results and details are available to review. Results include recommended actions to be taken in response to remediate any threats found. Additionally, a playbook log is available* that tracks all investigation activity.
- Phase 5 – Your security operations team reviews the results and recommendations given and approves remediation actions. In Office 365, remediation actions are taken only upon approval by your organization’s security team.
*If your organization is using a custom reporting solution or a third-party solution, you can use the Office 365 Management Activity API to view information about automated investigations and threats.
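As an added example of that last point (this is not code from the original post, Microsoft, or Interlink), the script below shows how a custom reporting solution would pull AIR investigation records out of the Office 365 Management Activity API. The content-listing URL is the documented Audit.General endpoint; everything else is an assumption for the sake of the example: the RecordType values for AIR investigations (64 and 65), the AIR-specific field names (`InvestigationId`, `Status`, `Actions`), and the sample content blob, which is constructed, not captured from a tenant. The HTTP call itself is left out so the example runs offline.

```python
"""Summarise AIR investigations from Office 365 Management Activity API content.

Added example, not Microsoft's or Interlink's code. The content-listing URL is
the documented Management Activity API endpoint; the AIR record types and the
AIR-specific field names are assumptions modelled on the Audit.General schema,
and the sample blob is constructed for this example.
"""
import json
from collections import Counter
from urllib.parse import urlencode

# Assumed RecordType values for AIR events in the Audit.General content type.
AIR_RECORD_TYPES = {64: "AirInvestigation", 65: "AirManualInvestigation"}


def content_listing_url(tenant_id: str, start_time: str, end_time: str) -> str:
    """Build the URL that lists available Audit.General content blobs.

    The caller must send it with an "Authorization: Bearer <token>" header for
    an Azure AD app granted ActivityFeed.Read; the request is deliberately not
    made here so the example stays offline.
    """
    query = urlencode({"contentType": "Audit.General",
                       "startTime": start_time, "endTime": end_time})
    return (f"https://manage.office.com/api/v1.0/{tenant_id}"
            f"/activity/feed/subscriptions/content?{query}")


# Constructed sample of one content blob: a list of audit records, two of which
# are AIR investigations and one an unrelated Audit.General event (assumed
# RecordType 28 = ThreatIntelligence).
SAMPLE_BLOB = json.dumps([
    {"Id": "a1", "RecordType": 64, "CreationTime": "2023-05-01T10:00:00",
     "Operation": "Investigation", "Workload": "SecurityComplianceCenter",
     "InvestigationId": "inv-001",
     "InvestigationName": "User reported phish", "Status": "Pending Action",
     "Actions": [{"Type": "SoftDelete", "Status": "Pending"},
                 {"Type": "BlockUrl", "Status": "Pending"}]},
    {"Id": "a2", "RecordType": 28, "CreationTime": "2023-05-01T10:05:00",
     "Operation": "ThreatIntelligence", "Workload": "ThreatIntelligence"},
    {"Id": "a3", "RecordType": 64, "CreationTime": "2023-05-01T11:00:00",
     "Operation": "Investigation", "Workload": "SecurityComplianceCenter",
     "InvestigationId": "inv-002",
     "InvestigationName": "Malware ZAP", "Status": "Remediated",
     "Actions": [{"Type": "SoftDelete", "Status": "Approved"}]},
])


def air_records(blob: str) -> list:
    """Return only the AIR investigation records from a content blob."""
    records = json.loads(blob)
    return [r for r in records if r.get("RecordType") in AIR_RECORD_TYPES]


def pending_approvals(blob: str) -> dict:
    """Map investigation id -> action types still awaiting analyst approval.

    This is the queue a SOC cares about: in Office 365, AIR does not remediate
    until someone approves the recommended action.
    """
    pending = {}
    for rec in air_records(blob):
        actions = [a["Type"] for a in rec.get("Actions", [])
                   if a.get("Status") == "Pending"]
        if actions:
            pending[rec["InvestigationId"]] = actions
    return pending


def status_summary(blob: str) -> Counter:
    """Count investigations by status, e.g. how many still need a decision."""
    return Counter(r.get("Status", "Unknown") for r in air_records(blob))


if __name__ == "__main__":
    print(content_listing_url("00000000-0000-0000-0000-000000000000",
                              "2023-05-01T00:00", "2023-05-02T00:00"))
    for inv, acts in pending_approvals(SAMPLE_BLOB).items():
        print(f"{inv}: awaiting approval for {', '.join(acts)}")
    print(dict(status_summary(SAMPLE_BLOB)))
```

In a real integration you would first create a subscription for the Audit.General content type, poll the listing URL, fetch each content blob it returns, and run the blobs through `pending_approvals` on a schedule so that investigations waiting on an approval surface in your ticketing or SIEM tool rather than only in the Office 365 portal.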
Alerts, Playbooks, and Actions
Alerts are the triggers for your security team's incident-response workflows, and prioritizing the right set of alerts can be challenging. When an alert is generated, you can configure specific actions that automatically open an investigation of that alert. For example, say a user reports a phishing email. You can create a policy that automatically starts collecting logs around that email: what the user did with it, e.g., forwarded it to another user, opened a link in it, or replied to it.
Security playbooks are back-end policies that are the core of automation in Microsoft Threat Protection. They are based on common real-world security scenarios. Security playbooks run investigations and look at all associated metadata (such as email messages, users, subjects, senders, etc.). Then, based on the findings, AIR provides a set of recommended actions. Security playbooks are rolling out in phases, with Phase 1 generally available now, including playbooks and recommendations for:
- User-reported phish messages
- URL click verdict change
- Malware detected post-delivery (Malware ZAP)
- Phish detected post-delivery ZAP (Phish ZAP)
Further playbooks will be released; to see what is planned and coming soon, visit the Microsoft 365 Roadmap.
How AIR Can Help
Once the investigation has been created and all logs have been collected, everything can be analyzed. The set of logs will vary depending on what actions were taken on the email or file that triggered the investigation. After AIR has analyzed the data, it provides recommended actions for the admin to review; nothing is done to the collected data until the security team approves an action.
Due to the massive amount of emails that users in each organization send and receive, the process of clustering emails based on similar attributes, separating malicious emails from good emails, and then taking action on malicious emails can be very time-consuming. AIR automates this process for your organization and security team. With AIR you can get a visual overview of clusters of emails and the threats found, investigate email clusters, and show full alert details on threats listed.
Give AIR a Try Today
If Office 365 Automated Investigation and Response is something you are interested in pursuing, we would love to discuss how it would fit your organization's needs. If your organization is looking into AIR but still has questions, contact Interlink, and we can start a discussion about your organization's specific needs to determine the best-fitting solution.
Can’t keep up with all the security alerts? Let’s talk about Interlink’s Managed Security Services!
Interested in learning more? View our similar blog: Windows Autopilot | How It Makes Your Life Easier.
About the author
Jimmy Smogor is the Security Practice Lead at Interlink. Jimmy started at Interlink over 8 years ago while in college and has developed immense expertise in the world of cybersecurity. He has expanded his knowledge of Microsoft Security to assist our clients by leveraging Microsoft’s security stacks, whether it’s a simple deployment of Multi-factor for sign-in or leveraging Defender for Endpoint EDR with Microsoft Sentinel for automated playbooks. Jimmy is continuing to grow his expertise in cybersecurity and the advantages of Microsoft Security.