Microsoft Defender for Office 365 Automated Investigation and Response (AIR) Now Blocks Threats Automatically

Microsoft Defender for Office 365 now uses AI to automatically detect and remove threats.


Key Takeaways:

  • Microsoft Defender for Office 365 now allows Automated Investigation and Response (AIR) to carry out pre-approved remediation actions.
  • This feature eliminates the need for manual approval from security teams.
  • Automated remediation helps security operations teams save time and focus on higher-priority tasks.

Microsoft has rolled out automated remediation support for its Automated Investigation and Response (AIR) in Defender for Office 365. This new security feature can now take AI-driven action against detected threats to eliminate the need for manual intervention from security teams.

What is Automated Investigation and Response (AIR)?

Automated Investigation and Response (AIR) is a security feature in Microsoft Defender for Office 365, which helps organizations detect, investigate, and respond to threats. It leverages AI to automatically investigate alerts, assess the scope of potential attacks, and take recommended actions, such as quarantining emails or blocking malicious content. This security feature works with Microsoft 365 Defender and other security tools.

How does automated remediation work?

By default, when the Automated Investigation and Response (AIR) service detects a threat and recommends a remediation action, it waits for approval from the Security Operations (SecOps) team before proceeding. Now, Microsoft has introduced a feature that lets administrators pre-configure specific actions, which allows AIR to execute them automatically without waiting for manual approval.

Microsoft emphasized that automatically remediating malicious messages identified during AIR investigations improves security by blocking threats more quickly. This feature also helps SecOps teams save time and focus on more complex, high-priority tasks.

Automated Investigation and Response (AIR) uses a clustering approach to analyze threats. When it detects a malicious file, it forms a cluster, which is a group of related messages that may also contain or be connected to the same threat. AIR then scans to locate these messages and checks, in particular, whether any are still present in users’ mailboxes.

If any of these messages are found in user mailboxes, AIR automatically generates a remediation action, such as removing or quarantining the message. Once an administrator has pre-approved the action for that cluster type, the selected action is executed without requiring approval from the SecOps team.
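The clustering and approval flow described in the two paragraphs above, as an added illustrative model (not Microsoft's code, not the Defender API): messages sharing one malicious indicator are clustered, only those still in mailboxes become remediation targets, and the action runs automatically only when the policy pre-approves it for that cluster type. The message fields, hash values, the cluster-type names and the policy mapping are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Message:
    msg_id: str
    mailbox: str
    attachment_sha256: str   # the indicator AIR pivots on in this model (assumed field)
    still_in_mailbox: bool   # False if the user or an earlier purge already removed it


# Constructed sample data: three messages share one malicious attachment, one is unrelated.
MALICIOUS_HASH = "0000-constructed-sample-hash-not-a-real-indicator-0000"
SAMPLE_MESSAGES = [
    Message("m1", "alice@example.com", MALICIOUS_HASH, True),
    Message("m2", "bob@example.com", MALICIOUS_HASH, True),
    Message("m3", "carol@example.com", MALICIOUS_HASH, False),
    Message("m4", "dave@example.com", "1111-constructed-benign-hash-1111", True),
]

# Action AIR recommends per cluster type (assumed mapping for the model).
RECOMMENDED_ACTION = {"malicious_file": "soft_delete"}


def build_cluster(messages: List[Message], indicator: str) -> List[Message]:
    """Cluster step: collect every message carrying the same malicious indicator."""
    return [m for m in messages if m.attachment_sha256 == indicator]


def plan_remediation(cluster: List[Message], cluster_type: str,
                     pre_approved: Dict[str, str]) -> dict:
    """Decide what happens to the cluster.

    pre_approved maps cluster type -> action the admin allowed to run without
    SecOps approval (assumed policy shape). Anything not pre-approved waits.
    """
    # Only messages still sitting in a mailbox need remediation.
    targets = [m.msg_id for m in cluster if m.still_in_mailbox]
    if not targets:
        return {"action": None, "status": "nothing_to_remediate", "targets": []}
    action = RECOMMENDED_ACTION.get(cluster_type, "soft_delete")
    if pre_approved.get(cluster_type) == action:
        status = "auto_executed"       # pre-approved: no manual step
    else:
        status = "pending_approval"    # default behaviour: wait for SecOps
    return {"action": action, "status": status, "targets": targets}
```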

The new automated remediation features in AIR help organizations strengthen security, enhance productivity, and build a more resilient defense against threats. If you’re interested, you can learn more about configuring automated remediation on this support page.