AIR is included in the Microsoft 365 E5, Microsoft 365 E5 Security, Office 365 E5, and Office 365 Advanced Threat Protection Plan 2. With AIR, when certain alerts that you set are triggered, one or more security playbook plans are initiated and an automated investigation begins. During and after this automated investigation process, administrators and your security operations team can look at the details of the investigation, review and approve actions to follow as a result of the investigation, and view details about the alert that triggered the investigation. Read on to find out how we can help and how you can optimize AIR for your organization...
Below is the overall flow of AIR at a high level and how each phase works:
*If your organization is using a custom reporting solution or a third-party solution, you can use the Office 365 Management Activity API to view information about automated investigations and threats.
Alerts are representative triggers for security team workflows for incident responses. Prioritizing the right set of alerts can be challenging. When an alert is generated, you can set specific actions to automatically create an investigation of the alert. For example, let's say a user reported a phishing email. You can create a policy to automatically start collecting logs around the email. These logs could include what the user might have done with the email, i.e. forwarding to another user, opened a link within the email, or responded to the email.
Security playbooks are back-end policies that are the core of automation in Microsoft Threat Protection. These are based on common real-world security scenarios. Security playbooks run investigations and look at all associated metadata (such as email messages, users, subjects, senders, etc.). Then, based on findings, Microsoft AIR will provide a set of recommended actions. Security playbooks are rolling out in phases- with Phase 1 being generally available now, including playbooks and recommendations for:
Further playbooks will be released, to view what all is planned and coming soon please visit Microsoft 365 Roadmap.
Once the case has been created and all logs have been collected, you can analyze everything. This set of logs could vary depending on what actions have been done to the email or file that triggered the investigation. After all the data has been analyzed by the admin, AIR will provide recommended actions that should be taken on the collected data.
Due to the massive amount of emails that users in each organization send and receive, the process of clustering emails based on similar attributes, separating malicious emails from good emails, and then taking action on malicious emails can be very time-consuming. AIR automates this process for your organization and security team. With AIR you can get a visual overview of clusters of emails and the threats found, investigate email clusters, and show full alert details on threats listed.
If Office 365 Automated Investigation and Response is something you are interested in pursuing and utilizing, we would love to discuss how it would fit your organization's needs. If your organization is looking into AIR but still has questions, contact Interlink, and we can start a discussion about your organization’s specific needs to determine the best-fitting solution.