
Commit e0df707

AIR updates per TR
1 parent cf02e0a commit e0df707

3 files changed

+40
-46
lines changed

defender-office-365/air-about.md

Lines changed: 19 additions & 12 deletions
@@ -7,7 +7,7 @@ ms.author: chrisda
77
manager: deniseb
88
audience: ITPro
99
ms.topic: conceptual
10-
ms.date: 10/22/2024
10+
ms.date: 01/10/2025
1111
ms.localizationpriority: medium
1212
search.appverid:
1313
- MET150
@@ -31,7 +31,9 @@ appliesto:
3131

3232
As [security alerts](/defender-xdr/investigate-alerts) appear in a Microsoft 365 organization at <https://security.microsoft.com/alerts>, it's up to the security operations (SecOps) team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
3333

34-
[Microsoft Defender for Office 365 Plan 2](mdo-about.md#defender-for-office-365-plan-2-capabilities) includes powerful automated investigation and response (AIR) capabilities that save time and effort for SecOps teams. AIR includes the following capabilities:
34+
[Microsoft Defender for Office 365 Plan 2](mdo-about.md#defender-for-office-365-plan-2-capabilities) (included in Microsoft 365 licenses like E5 or as a standalone subscription) includes powerful automated investigation and response (AIR) capabilities that save time and effort for SecOps teams.
35+
36+
AIR triages high impact, high volume alerts by completing organization level investigations. AIR investigations expand on detections or provide additional analysis to determine the threat status for the organization. When AIR identifies threats, it queues threat remediation actions for SecOps personnel to approve. AIR results in the following benefits:
3537

3638
- Automated investigation processes in response to well-known threats.
3739
- Appropriate remediation actions awaiting approval, enabling your SecOps team to respond effectively to detected threats.
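Review bot: The added paragraph beginning "AIR triages high impact, high volume alerts by completing organization level investigations" needs hyphens on the compound modifiers ("high-impact, high-volume alerts", "organization-level investigations"). The same paragraph now introduces the list with "AIR results in the following benefits:", but the items that follow ("Automated investigation processes in response to well-known threats", "Appropriate remediation actions awaiting approval") still read as capabilities, which matched the removed lead-in "AIR includes the following capabilities:"; align one or the other so the list reads naturally.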
@@ -44,25 +46,32 @@ AIR in Defender for Office 365 Plan 2 requires that [audit logging is turned on]
4446
An alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommended actions. Here's the overall flow of AIR, step by step:
4547

4648
1. An automated investigation is started initiated in one of the following ways:
47-
- An alert is triggered by an alert policy that identified something suspicious in email (for example, the message itself, an attachment, a URL, or a compromised user account). An incident is created, and an automated investigation begins.
49+
- Specific alerts that are designed to initiate AIR. These alerts include:
50+
- Something suspicious is identified in email (for example, the message itself, an attachment, a URL, or a compromised user account).
51+
- [Zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).
52+
- User submissions.
53+
- User click alerts.
54+
- Suspicious mailbox behavior.
4855

49-
> [!TIP]
50-
> Be sure to regularly review the alerts your organization. For more information about alert policies that trigger automated investigations, see the [default alert policies in the Threat management category](/purview/alert-policies#default-alert-policies). The entries that contain the value **Yes** for **Automated investigation** can trigger automated investigations. If these alerts are disabled or replaced by custom alerts, AIR isn't triggered.
56+
> [!TIP]
57+
> Be sure to regularly review the alerts your organization. For more information about alert policies that trigger automated investigations, see the [default alert policies in the Threat management category](/purview/alert-policies#threat-management-alert-policies). The entries that contain the value **Yes** for **Automated investigation** can trigger automated investigations. If these alerts are disabled or replaced by custom alerts, AIR isn't triggered.
5158
52-
- A security analyst manually triggers the investigation. For examples, see [Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2](air-examples.md).
59+
- A security analyst manually triggers the investigation by selecting :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** in Threat Explorer, Advanced hunting, custom detection, the Email entity page, or the Email summary panel. For more information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation). For examples, see For examples, see [Automated investigation and response (AIR) examples in Microsoft Defender for Office 365 Plan 2](air-examples.md).
5360

54-
2. A running automated investigation gathers data about the specified email message and the related _entities_ (for example, attached files, included URLs, and recipients). The scope of the investigation can increase as new and related alerts are triggered.
61+
2. The automated investigation evaluates and analyzes the nature of the alert, the message involved, and additional evidence surrounding the message. The scope of the investigation can increase based on the evidence that's uncovered and collected during the investigation.
5562

5663
3. During and after an automated investigation, [details and results](air-view-investigation-results.md) are available. Results might include [recommended actions](air-remediation-actions.md) for SecOps personnel to remediate the threats that were found.
5764

58-
4. The SecOps team reviews the [investigation results and recommendations](air-view-investigation-results.md), and [approves or rejects the remediation actions](air-review-approve-pending-completed-actions.md).
65+
4. The SecOps team reviews the [investigation results and recommendations](air-view-investigation-results.md) (in the investigation itself, the incident, or in the Action center), and [approves or rejects the remediation actions](air-review-approve-pending-completed-actions.md).
5966

6067
> [!TIP]
6168
> No remediation actions happen automatically. Remediation actions require manual approval by SecOps personnel. AIR capabilities save time by getting to the recommended remediation actions with all the details to make an informed decision.
69+
>
70+
> AIR also saves time by evaluating and automatically resolving alerts and incidents where no threats were found. This result is very common in user submission scenarios. AIR closes the investigation if no threats were found or threats were found in messages that have already been remediated. Typically
6271
6372
5. As pending remediation actions are approved or rejected, the automated investigation completes.
6473

65-
The automated investigation automatically closes if no recommended actions are identified. The details of the investigation are still available on the **Investigations** page at <>.
74+
The automated investigation automatically closes if no recommended actions are identified. The details of the investigation are still available on the **Investigations** page at <https://security.microsoft.com/airinvestigation>.
6675

6776
During and after each automated investigation, the SecOps team can do the following tasks:
6877

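Review bot: The second paragraph added to the TIP ends mid-sentence ("... threats were found in messages that have already been remediated. Typically") and needs to be completed or the dangling "Typically" dropped. Two smaller wording defects in this hunk: the rewritten "Take action" bullet contains the duplicated "For examples, see For examples, see [...]", and the TIP line "Be sure to regularly review the alerts your organization" is missing "in" ("the alerts in your organization"); both are in added lines, so they can be fixed here. The unchanged context line "An automated investigation is started initiated in one of the following ways:" has a duplicated verb ("started initiated") that is worth cleaning up while the file is open.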
@@ -75,7 +84,7 @@ During and after each automated investigation, the SecOps team can do the follow
7584
You need to be assigned permissions to use AIR. You have the following options:
7685

7786
- [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell):
78-
- _Start an automated investigation_ or _Approve or reject recommended actions_: **Security Operator/Email advanced remediation actions (manage)**.
87+
- _Start an automated investigation_ or _Approve or reject recommended actions_: **Security operations/Email advanced remediation actions (manage)**.
7988
- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):
8089
- _Set up AIR features_: Membership in the **Organization Management** or **Security Administrator** role groups.
8190
- _Start an automated investigation_ or _Approve or reject recommended actions_:
@@ -91,8 +100,6 @@ You need to be assigned permissions to use AIR. You have the following options:
91100

92101
To use AIR, you need to be assigned a license for Defender for Office 365 Plan 2 (included in your subscription or an add-on license).
93102

94-
AIR contains data for users with Defender for Office 365 licenses assigned to them.
95-
96103
## Next steps
97104

98105
- [AIR examples](air-examples.md)
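Review bot: Removing "AIR contains data for users with Defender for Office 365 licenses assigned to them." drops the only statement of AIR's data scope (investigation data covers licensed users only); the remaining sentence describes the license the admin needs, not whose mailboxes AIR investigates. If the scope statement was inaccurate or now lives elsewhere, that is fine; otherwise keep it, or fold it into the preceding licensing sentence.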

defender-office-365/air-examples.md

Lines changed: 14 additions & 27 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: How automated investigation and response works in Microsoft Defender for Office 365
2+
title: Automated investigation and response examples
33
f1.keywords:
44
- NOCSH
55
author: chrisda
@@ -14,7 +14,7 @@ search.appverid:
1414
ms.collection:
1515
- m365-security
1616
- tier2
17-
ms.date: 07/10/2024
17+
ms.date: 01/10/2025
1818
description: See examples for how to start automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.
1919
ms.custom:
2020
- air
@@ -29,9 +29,7 @@ appliesto:
2929

3030
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
3131

32-
It's up to your security operations (SecOps) team to investigate security alerts and take steps to protect your organization. SecOps teams can often feel overwhelmed by the volume of alerts that require review. Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 can help. For more information about AIR, see [Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2](air-about.md).
33-
34-
AIR enables your SecOps team to operate more efficiently and effectively. AIR includes automated investigations to well-known threats, and provides recommended remediation actions. The SecOps team can review the evidence and approve or reject the recommended actions.
32+
Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 licenses like E5 or as a standalone subscription) enables your SecOps team to operate more efficiently and effectively. AIR includes automated investigations to well-known threats, and provides recommended remediation actions. The SecOps team can review the evidence and approve or reject the recommended actions. For more information about AIR, see [Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2](air-about.md).
3533

3634
This article describes how AIR works through several examples:
3735

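Review bot: The merged intro keeps "AIR includes automated investigations to well-known threats", which should read "investigations of (or into) well-known threats". Also, the parenthetical "(included in Microsoft 365 licenses like E5 or as a standalone subscription)" is added verbatim to all three files in this commit; if the wording is expected to change, consider keeping it in a single include so the copies stay consistent.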
@@ -41,35 +39,24 @@ This article describes how AIR works through several examples:
4139

4240
## Example: A user-reported phishing message launches an investigation playbook
4341

44-
A user receives an email that looks like a phishing attempt. The user reports the message using the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md), which results in the following actions:
45-
46-
- The submission is added to the **User reported** tab of the **Submissions** page in the Microsoft Defender portal at <https://security.microsoft.com/reportsubmission?viewid=user>.
47-
- Depending on the [user reported settings](submissions-user-reported-messages-custom-mailbox.md), the message is sent to Microsoft for analysis directly by the user submission or by an admin from the **User reported** page.
48-
- An alert is triggered by the **Email reported by user as malware or phish** [alert policy](/purview/alert-policies#threat-management-alert-policies), which automatically launches the investigation playbook.
42+
A user receives an email that looks like a phishing attempt. The user reports the message using the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md), which results in an alert that's triggered by the **Email reported by user as malware or phish** [alert policy](/purview/alert-policies#threat-management-alert-policies), which automatically launches the investigation playbook.
4943

50-
During the root investigation phase, various aspects of the reported email message are assessed. For example:
44+
Various aspects of the reported email message are assessed. For example:
5145

52-
- The identified threat type.
53-
- Who sent the message.
54-
- Where the message was sent from (sending infrastructure).
55-
- Whether other instances of the message were delivered or blocked.
56-
- An assessment from our analysts.
57-
- Whether the message is associated with any known campaigns.
46+
- The identified threat type
47+
- Who sent the message
48+
- Where the message was sent from (sending infrastructure)
49+
- Whether other instances of the message were delivered or blocked
50+
- The tenant landscape, including similar messages and their verdicts through email clustering
51+
- Whether the message is associated with any known campaigns
5852
- And more.
5953

60-
After the root investigation is complete, the playbook provides a list of recommended actions to take on the original message and the associated _entities_ (for example, attached files, included URLs, and recipients).
61-
62-
Next, several threat investigation and hunting steps are done:
54+
The playbook evaluates and automatically resolves submissions where no action is needed (which frequently happens on user reported messages). For the remaining submissions, a list of recommended actions to take on the original message and the associated _entities_ (for example, attached files, included URLs, and recipients) is provided:
6355

6456
- Identify similar email messages via email cluster searches.
65-
- Share the signal with other platforms (for example, [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)).
6657
- Determine whether any users clicked through any malicious links in suspicious email messages.
67-
- Determine whether other users reported similar messages in [Exchange Online Protection](eop-about.md) (EOP) and [Microsoft Defender for Office 365](mdo-about.md).
68-
- Determine whether a user is compromised. This check uses signals across Office 365, [Microsoft Defender for Cloud Apps](/cloud-app-security), and [Microsoft Entra ID](/azure/active-directory), correlating any related user activity anomalies.
69-
70-
During the hunting phase, risks and threats are assigned to various hunting steps. For more information, see [Details and results of an automated investigation](air-view-investigation-results.md).
71-
72-
Remediation is the final phase of the playbook. During this phase, remediation steps are taken, based on the investigation and hunting phases. For more information, see [Remediation actions in Microsoft Defender for Office 365](air-remediation-actions.md).
58+
- Risks and threats are assigned. For more information, see [Details and results of an automated investigation](air-view-investigation-results.md).
59+
- Remediation steps. For more information, see [Remediation actions in Microsoft Defender for Office 365](air-remediation-actions.md).
7360

7461
## Example: A security administrator triggers an investigation from Threat Explorer
7562

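Review bot: The new lead-in "For the remaining submissions, a list of recommended actions to take on the original message and the associated _entities_ ... is provided:" no longer matches the list that follows, whose items are investigation steps rather than actions ("Identify similar email messages via email cluster searches.", "Determine whether any users clicked through any malicious links ...", "Risks and threats are assigned."), and "Remediation steps." is a fragment rather than a parallel item. Either reword the lead-in to describe what the playbook does after triage, or separate the investigation steps from the recommended actions. Two further points: the rewritten list of assessed aspects drops the terminal periods while the unchanged "- And more." keeps one; and the removed bullets on sharing the signal with Microsoft Defender for Endpoint and on checking whether a user is compromised (via Defender for Cloud Apps and Entra ID signals) have no replacement, so confirm that removal is intentional rather than lost in the restructuring.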
defender-office-365/air-review-approve-pending-completed-actions.md

Lines changed: 7 additions & 7 deletions
@@ -17,7 +17,7 @@ ms.collection:
1717
ms.custom:
1818
description: Learn about remediation actions in automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2.
1919
ms.service: defender-office-365
20-
ms.date: 07/10/2024
20+
ms.date: 01/10/2025
2121
appliesto:
2222
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
2323
---
@@ -26,7 +26,7 @@ appliesto:
2626

2727
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
2828

29-
In Microsoft 365 organizations with [Microsoft Defender for Office 365 Plan 2](mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet), automated investigation and response (AIR) often results in pending remediation actions. For example:
29+
In Microsoft 365 organizations with [Microsoft Defender for Office 365 Plan 2](mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet) (included in Microsoft 365 licenses like E5 or as a standalone subscription), automated investigation and response (AIR) often results in pending remediation actions. For example:
3030

3131
- Soft deleting email messages or clusters.
3232
- Turning off external mail forwarding.
@@ -47,9 +47,9 @@ These remediation actions aren't taken automatically. The remediation actions ne
4747

4848
For more information about the **Incidents** page in Defender for Office 365, see [Details and results of automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2](air-view-investigation-results.md).
4949

50-
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the Email & collaboration **Investigations** page at **Email & collaboration** \> **Investigations**. Or, to go directly to the Email & collaboration **Investigations** page, use <https://security.microsoft.com/airinvestigation>.
51-
2. On the **Investigations** page, find and an item in the list where the **Status** value is **Pending approval**. Use :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the results by the **Status** value **Pending action**.
52-
3. On the **Investigations** page, select the **Pending action** item by clicking on :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open in new window** in the **ID**column (don't select the check box).
50+
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Investigations** page in Defender for Office 365 at **Email & collaboration** \> **Investigations**. Or, to go directly to the **Investigations** page in Defender for Office 365, use <https://security.microsoft.com/airinvestigation>.
51+
2. On the **Investigations** page in Defender for Office 365, find and an item in the list where the **Status** value is **Pending approval**. Use :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the results by the **Status** value **Pending action**.
52+
3. On the **Investigations** page, select the **Pending action** item by clicking on :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open in new window** in the **ID** column (don't select the check box).
5353
4. In the investigation details page that opens, select the **Pending actions** tab, and then select an entry from the list by clicking anywhere in the row other than the check box next to the first column.
5454
5. In the details flyout that opens, review the information and then select one of the following actions from the top of the flyout:
5555
- :::image type="icon" source="media/m365-cc-sc-check-mark-icon.png" border="false"::: **Approve**: Initiate the pending action.
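Review bot: Step 2 in the rewritten numbered list still carries the typo "find and an item in the list" (should be "find an item"), and within the same step it tells the reader to look for **Status** = **Pending approval** but then to filter by the **Status** value **Pending action**; these should be the same value, whichever the portal actually shows. Both defects are in the added lines, so they can be corrected in this change.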
@@ -59,8 +59,8 @@ For more information about the **Incidents** page in Defender for Office 365, se
5959

6060
For more information about the **Incidents** page in Defender XDR, see [Investigate incidents in Microsoft Defender XDR](/defender-xdr/investigate-incidents).
6161

62-
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the Defender XDR **Incidents** page at **Incidents & alerts** \> **Incidents**. Or, to go directly to the Defender XDR **Incidents** page, use <https://security.microsoft.com/incidents>.
63-
2. On the **Investigations** page, find and an item in the list where the **Status** value is **Pending approval**. Use the following steps to filter the results:
62+
1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to the **Incidents** page in Defender XDR at **Incidents & alerts** \> **Incidents**. Or, to go directly to the **Incidents** page in Defender XDR, use <https://security.microsoft.com/incidents>.
63+
2. On the **Investigations** page in Defender XDR, find and an item in the list where the **Status** value is **Pending approval**. Use the following steps to filter the results:
6464
1. Clear any existing unwanted filters on the **Incidents** page by selecting :::image type="icon" source="media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Clear**.
6565
2. Select :::image type="icon" source="media/m365-cc-sc-filter-icon.png" border="false"::: **Add filter**.
6666
3. In the **Add filter** dialog that opens, select **Automated investigation state**, and then select **Add**.
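Review bot: Step 2 of this list was changed to "On the **Investigations** page in Defender XDR", but step 1 navigates to the **Incidents** page in Defender XDR and the filtering sub-step that follows refers to "the **Incidents** page"; the page name in step 2 should be **Incidents**. The same "find and an item" typo from the other procedure is repeated here.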
