SC-200 | Chapter 51 of 101 | Objective 1.1

Automated Investigation and Response (AIR) in MDE

This chapter covers Automated Investigation and Response (AIR) in Microsoft Defender for Endpoint (MDE), a critical capability for reducing alert fatigue and accelerating incident response. For the SC-200 exam, AIR questions typically account for 10-15% of the 'Manage a security operations environment' domain, focusing on configuration, automation levels, and investigation outcomes. Understanding AIR's mechanics, default settings, and integration with other Defender XDR services is essential for both the exam and real-world security operations.

25 min read
Intermediate
Updated May 31, 2026

AIR as a Police Detective Team

Automated Investigation and Response (AIR) in Microsoft Defender for Endpoint (MDE) works like a police detective team assigned to handle security incidents. When a crime (alert) is reported, the team's automated system kicks in: the first detective (automated investigation) reviews the evidence — logs, timelines, and witness statements (signals from endpoints, network, and cloud) — to determine if a crime actually occurred. The system uses a set of standard procedures (playbooks) based on the type of alert. For example, for a 'suspicious file execution' alert, the playbook might check: (1) Is the file signed? (2) Does it have a known malware hash? (3) What parent process launched it? (4) Any network connections? Each check is a step in the investigation. If the investigation confirms malicious activity, the detective team executes a response action automatically (like isolating the machine, killing a process, or removing a file). The system also keeps a record of every action taken (investigation timeline) for later review. The key is that the automation is rule-based and configurable — you can set the level of automation (full, semi, or no automation) and define which actions are taken automatically. Just like a police team has a supervisor (security operations analyst) who can override decisions or add manual steps, AIR allows analysts to approve or reject pending actions. The entire process is designed to reduce mean-time-to-respond (MTTR) by handling common, predictable incidents without human intervention, while still allowing human oversight for complex or high-impact cases.

How It Actually Works

What is Automated Investigation and Response (AIR)?

Automated Investigation and Response (AIR) is a feature in Microsoft Defender for Endpoint (MDE) that automatically investigates alerts and takes immediate remediation actions on confirmed threats. Its primary goal is to reduce the volume of alerts that require manual triage by handling common, predictable incidents — such as malware infections, suspicious process executions, or network connections to known malicious IPs — without human intervention. AIR is part of Microsoft's broader philosophy of 'security automation' and is a key component of the Security Orchestration, Automation, and Response (SOAR) capabilities within Defender XDR.

How AIR Works: The Investigation Engine

When an alert is generated in MDE, the AIR engine evaluates the alert against a set of predefined investigation playbooks. Each playbook is a sequence of automated steps that examine the entity involved (e.g., a file, process, or URL) and its relationships. For example, if an alert fires for 'Suspicious process execution,' the playbook might:

Collect the file's metadata (hash, signature, prevalence)

Check the file against threat intelligence feeds (Microsoft's global threat intelligence)

Analyze the parent process and command line

Review network connections made by the process

Check for similar alerts on the same machine or other machines

The investigation engine uses a combination of cloud-based machine learning models and deterministic rules to determine the verdict for each entity: 'Malicious', 'Suspicious', or 'Clean'. The verdict is based on confidence scores. If the confidence is high enough (typically > 90% for malicious), the playbook proceeds to the remediation phase.

Automation Levels: Full, Semi, and No Automation

AIR offers three automation levels that determine how much of the investigation and response is automatic:

- Full – Remediate threats automatically: All investigation steps are automatic, and any remediation action (e.g., isolate machine, delete file) is executed without human approval. This is the default for most device groups and is recommended for low-risk environments.
- Semi – Require approval for any remediation: Investigation is automatic, but every remediation action requires manual approval from a security analyst. This is typical for production environments where unintended isolation could cause business disruption.
- No automation: The investigation and response are entirely manual. This is used only for testing or when you want complete control.

You configure automation levels per device group in the MDE portal under Settings > Endpoints > Advanced features > Automated investigation and response. Each device group can have a different automation level, allowing granular control based on device criticality.

Investigation Timelines and Actions

Every AIR investigation produces a timeline that records every step taken, including:

Entities examined (files, processes, IPs, URLs)

Verdicts assigned (malicious, suspicious, clean)

Remediation actions taken or pending

Evidence collected

Analysts can review the timeline in the MDE portal under Investigation > Investigation timeline. If the automation level is 'Semi', pending actions appear in the Action center for approval. Actions include:

- Isolate machine: Disconnects the device from the network (except the MDE cloud service).
- Kill process: Terminates a running process.
- Remove file: Deletes or quarantines a file.
- Block file/URL: Adds to the custom indicator list.
- Run antivirus scan: Initiates a Microsoft Defender Antivirus scan.

Default Values and Timers

Default automation level: Full (remediate automatically) for all device groups.

Investigation timeout: Each investigation has a default timeout of 1 hour. If the investigation doesn't complete within that time, it is marked as 'Timeout' and no automatic remediation occurs (even in Full automation).

Pending action expiry: Actions pending approval in the Action center expire after 7 days if not approved or rejected.

Investigation retention: Completed investigations are retained for 180 days in the portal.
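As an added example (not part of this chapter and not Microsoft's tooling), the following Python helper applies the timers above to a list of investigation records. The records are constructed; the field and state names are assumed to follow the MDE 'List investigations' API, and using startTime as the clock for the 7-day pending-action expiry is a simplification.

```python
from datetime import datetime, timedelta, timezone

PENDING_EXPIRY = timedelta(days=7)           # pending actions expire after 7 days
INVESTIGATION_TIMEOUT = timedelta(hours=1)   # investigation timeout is 1 hour
RETENTION = timedelta(days=180)              # completed investigations kept 180 days
WARN_WITHIN = timedelta(days=2)              # constructed early-warning margin

# Constructed sample records; field and state names are assumed to follow the
# MDE 'List investigations' API (id, state, startTime, computerDnsName).
SAMPLE_INVESTIGATIONS = [
    {"id": "1001", "state": "PendingApproval", "startTime": "2026-05-25T09:00:00Z",
     "computerDnsName": "srv-trade-01"},
    {"id": "1002", "state": "PendingApproval", "startTime": "2026-05-20T09:00:00Z",
     "computerDnsName": "srv-trade-02"},
    {"id": "1003", "state": "Running", "startTime": "2026-05-31T06:00:00Z",
     "computerDnsName": "ws-1234"},
    {"id": "1004", "state": "SuccessfullyRemediated", "startTime": "2025-12-03T10:00:00Z",
     "computerDnsName": "ws-0042"},
    {"id": "1005", "state": "SuccessfullyRemediated", "startTime": "2026-05-30T10:00:00Z",
     "computerDnsName": "ws-0043"},
]
NOW = datetime(2026, 5, 31, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(investigations, now=NOW, warn_within=WARN_WITHIN):
    """Return {investigation id: finding} for records an analyst should act on.

    Assumption: startTime is used as the clock for the 7-day pending-action expiry;
    the Action center keeps per-action timestamps, which would be more precise.
    """
    findings = {}
    for inv in investigations:
        age = now - parse_ts(inv["startTime"])
        state = inv["state"]
        if state == "PendingApproval":
            remaining = PENDING_EXPIRY - age
            if remaining <= timedelta(0):
                findings[inv["id"]] = "pending-expired"      # approval window missed
            elif remaining <= warn_within:
                findings[inv["id"]] = "pending-expiring"     # approve or reject soon
        elif state == "Running" and age > INVESTIGATION_TIMEOUT:
            findings[inv["id"]] = "timeout-exceeded"         # no auto-remediation, even in Full
        elif age > RETENTION - warn_within:
            findings[inv["id"]] = "retention-ending"         # export before the 180-day purge
    return findings


if __name__ == "__main__":
    for inv_id, finding in triage(SAMPLE_INVESTIGATIONS).items():
        print(inv_id, finding)
```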

Configuration and Verification Commands

While most AIR configuration is done via the MDE portal, you can use PowerShell to query investigation status or trigger investigations (for testing). For example:

# Get all investigations for a machine (using machine ID)
Get-MtpInvestigation -MachineId "machine-id"

# Start a new investigation on a machine
Start-MtpInvestigation -MachineId "machine-id" -Comment "Triggered by analyst"

In the MDE portal, you can also use Advanced Hunting to query investigation data:

// Get all investigations with verdicts
AlertInfo
| where Timestamp > ago(7d)
| join kind=inner (AlertEvidence) on AlertId
| where EvidenceType == "Investigation"
| project Timestamp, AlertId, InvestigationId, Verdict

Integration with Other Defender XDR Components

AIR in MDE is tightly integrated with:

- Microsoft Defender for Office 365: Alerts from email (phishing, malware) can trigger AIR investigations on endpoints if the email was opened.
- Microsoft Defender for Cloud Apps: Suspicious user activities detected in cloud apps can trigger endpoint investigations.
- Microsoft Sentinel: You can forward AIR investigation data to Sentinel for advanced correlation and hunting.
- Microsoft 365 Defender: AIR investigations are visible in the unified M365 Defender portal (security.microsoft.com) along with investigations from other Defender services.

How AIR Interacts with Microsoft Defender Antivirus

When AIR decides to remediate a threat (e.g., remove a malicious file), it invokes Microsoft Defender Antivirus actions. The antivirus engine performs the actual file deletion or quarantine. If the file is already quarantined by Defender Antivirus, AIR may simply confirm the action. This integration ensures that remediation is consistent with the endpoint protection policies.

Limitations and Edge Cases

Investigation scope: AIR only investigates alerts that are part of an incident. Standalone alerts (not grouped into incidents) are not automatically investigated unless manually triggered.

False positives: AIR can sometimes investigate benign files if they trigger alerts (e.g., due to suspicious behavior). The verdict system is designed to minimize false positives, but they can occur. Analysts should regularly review investigation outcomes and adjust suppression rules if needed.

Network isolation caveat: When AIR isolates a machine, it blocks all network traffic except traffic to the MDE cloud service (via specific allowed URLs). If the machine hosts critical services, isolation can cause outages. That's why Semi automation is recommended for production servers.

Exam-Relevant Details

The default automation level is Full – Remediate threats automatically.

In the SC-200 exam, you may be asked to configure automation levels for different device groups based on scenarios (e.g., critical servers, user workstations).

You must know the three automation levels and their effects.

Understand that AIR investigations are triggered by alerts that are part of an incident (not standalone alerts).

Know that pending actions expire after 7 days.

Be aware that AIR uses playbooks to determine steps, and you can customize these playbooks only via Microsoft Support (no direct UI customization).

Walk-Through

1. Alert Trigger and Incident Creation

When a suspicious activity occurs on an endpoint (e.g., process execution, file creation, network connection), MDE generates an alert. If multiple alerts are related (same machine, same timeline), they are grouped into an incident. AIR only investigates alerts that are part of an incident. The incident is assigned a severity (Low, Medium, High, Informational) based on the alert signals. Once the incident is created, the AIR engine checks the device group's automation level. If automation is enabled (Full or Semi), the investigation begins. If No automation, the incident sits in the queue for manual triage.

2. Playbook Selection and Execution

The AIR engine selects the appropriate playbook based on the alert type. For example, an alert for 'Suspicious process execution' triggers the 'Process Investigation' playbook. The playbook is a predefined sequence of steps that examine the file, process, and related entities. Each step is executed in order: first, file reputation check against Microsoft's threat intelligence (cloud-based); second, parent process analysis; third, network connection analysis; fourth, prevalence check (how many machines have this file). If any step returns a high-confidence malicious verdict, the playbook may skip remaining steps and proceed to remediation. The entire investigation is logged in the investigation timeline.

3. Verdict Determination

For each entity examined (file, process, URL, IP), the AIR engine assigns a verdict: Malicious, Suspicious, or Clean. The verdict is based on a confidence score derived from multiple signals: threat intelligence matches, behavioral analytics, machine learning models, and prevalence. For example, if a file's hash matches a known malware family, the verdict is 'Malicious' with high confidence. If the behavior is anomalous but no known signature, it may be 'Suspicious'. If the file is signed by a trusted publisher and has high prevalence, it is 'Clean'. The verdict determines the next action: Malicious leads to remediation, Suspicious may require manual review (in Semi automation), and Clean stops the investigation.

4. Remediation Action Execution

If the automation level is 'Full' and the verdict is Malicious, the AIR engine immediately executes the remediation action defined in the playbook. Common actions include: isolating the machine (disconnects from network except MDE cloud), terminating the malicious process, removing or quarantining the file, and blocking the file's hash or URL. The action is recorded in the Action center and the investigation timeline. If the automation level is 'Semi', the action is created as a pending action in the Action center, awaiting manual approval. The analyst can approve or reject the action. If not approved within 7 days, the action expires. In 'No automation', no actions are taken automatically.

5. Investigation Completion and Review

Once all playbook steps are executed (or timeout after 1 hour), the investigation is marked as 'Completed' or 'Timeout'. The investigation timeline shows every step, verdict, and action taken. Analysts can review the investigation in the MDE portal under Investigation. They can also re-run an investigation manually if needed. The investigation data is retained for 180 days. After completion, the incident status may be updated (e.g., resolved if all entities are clean, or active if malicious entities remain). The analyst can also add comments or change the incident status. Completed investigations can be exported as CSV for reporting.
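The five steps above as a single decision function, added here as an illustration of the chapter's rules rather than Microsoft's engine. The playbook signals, the 0.90 confidence threshold, the device-group names and the outcome labels are constructed; routing a Suspicious verdict to analyst review at every automation level is an assumption.

```python
from dataclasses import dataclass

INVESTIGATION_TIMEOUT_MINUTES = 60   # page: 1-hour investigation timeout
MALICIOUS_THRESHOLD = 0.90           # page: typically > 90% confidence for Malicious
DEFAULT_LEVEL = "Full"               # page: default automation level for device groups


@dataclass
class Alert:
    alert_id: str
    device_group: str
    in_incident: bool                # step 1: only alerts grouped into an incident qualify
    known_bad_hash: bool = False     # playbook signal: hash matches a known malware family
    signed_trusted: bool = False     # playbook signal: signed by a trusted publisher
    high_prevalence: bool = False    # playbook signal: seen on many machines
    anomalous: bool = False          # playbook signal: unusual behavior, no signature
    runtime_minutes: int = 5         # constructed duration of the investigation


def verdict(alert):
    """Step 3 stand-in: map playbook signals to (verdict, confidence)."""
    if alert.known_bad_hash:
        return "Malicious", 0.98
    if alert.signed_trusted and alert.high_prevalence:
        return "Clean", 0.95
    if alert.anomalous:
        return "Suspicious", 0.60
    return "Clean", 0.80


def run_air(alert, automation_levels):
    """Steps 1-5 for one alert: return (outcome, verdict) under the chapter's rules."""
    if not alert.in_incident:
        return "not-investigated", None             # step 1: standalone alert
    level = automation_levels.get(alert.device_group, DEFAULT_LEVEL)
    if level == "No automation":
        return "manual-triage", None                # step 1: waits in the queue for an analyst
    if alert.runtime_minutes > INVESTIGATION_TIMEOUT_MINUTES:
        return "timeout-no-remediation", None       # step 5: applies even in Full
    v, confidence = verdict(alert)                  # steps 2-3: playbook run and verdict
    if v == "Malicious" and confidence >= MALICIOUS_THRESHOLD:
        # step 4: Full executes now, Semi creates a pending action in the Action center
        return ("remediated" if level == "Full" else "pending-approval"), v
    if v == "Suspicious":
        return "manual-review", v                   # assumption: analyst review at any level
    return "closed-clean", v                        # step 3: Clean stops the investigation


# Constructed device-group configuration, modelled on this chapter's enterprise scenario.
LEVELS = {"Workstations": "Full", "Servers-Critical": "Semi", "Lab": "No automation"}

if __name__ == "__main__":
    demo = [
        Alert("a1", "Workstations", in_incident=False, known_bad_hash=True),
        Alert("a2", "Servers-Critical", in_incident=True, known_bad_hash=True),
        Alert("a3", "Workstations", in_incident=True, known_bad_hash=True, runtime_minutes=90),
    ]
    for a in demo:
        print(a.alert_id, run_air(a, LEVELS))
```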

What This Looks Like on the Job

Enterprise Scenario 1: Large Enterprise with 10,000+ Endpoints

A global company with 10,000 endpoints uses AIR with 'Full' automation for all user workstations and 'Semi' automation for servers. This reduces the security team's workload by automatically remediating common malware infections (e.g., trojans, ransomware) on workstations without human intervention. The team configures device groups in MDE: 'Workstations' (Full), 'Servers-Critical' (Semi), 'Servers-NonCritical' (Full). When a phishing email delivers a malicious document that triggers a 'Suspicious process execution' alert, AIR automatically investigates, determines the file is malicious (based on hash lookup), and isolates the workstation within seconds. The incident is resolved without any analyst action. The team reviews the investigation timeline weekly to tune suppression rules. Performance considerations: The AIR engine scales to handle thousands of simultaneous investigations, but each investigation consumes cloud API calls. Microsoft imposes rate limits (e.g., 30 investigations per minute per tenant) to prevent abuse. In practice, this is rarely reached.

Scenario 2: Financial Institution with Strict Compliance

A bank uses AIR with 'Semi' automation for all device groups because any automatic isolation could break trading applications. When a suspicious alert fires, AIR investigates automatically but holds the remediation action for approval. The security team has a 24/7 SOC that monitors the Action center. For example, an alert for 'PowerShell execution with obfuscated command' triggers investigation. AIR finds the script is malicious (based on AI analysis) and recommends isolation. The SOC analyst reviews the evidence, sees the script is indeed a C2 beacon, and approves the isolation. The entire process takes 5 minutes, compared to 30 minutes if the investigation were manual. The bank also integrates AIR with Microsoft Sentinel to create custom playbooks that trigger additional actions (e.g., disable user account in Azure AD). Misconfiguration risk: If the automation level is accidentally set to 'Full' on a critical server, a false positive could isolate the server, causing a trading outage. The bank mitigates this by using Azure Policy to enforce 'Semi' automation on all servers tagged as 'Critical'.

Scenario 3: Managed Security Service Provider (MSSP)

An MSSP manages multiple tenants using MDE. They configure AIR per tenant based on customer requirements. For a small customer with no 24/7 SOC, they use 'Full' automation to ensure threats are remediated quickly. For a larger customer with an internal SOC, they use 'Semi' automation. The MSSP uses the MDE API to pull investigation data into their own SIEM. They also use Advanced Hunting queries to identify patterns in AIR investigations, such as frequent false positives on a specific application. They then create custom detection rules to suppress those alerts. Challenges: Each tenant has separate device groups and automation settings, so the MSSP must have clear documentation. They also need to train their analysts on how to interpret investigation timelines across different tenants.

How SC-200 Actually Tests This

What SC-200 Tests on AIR (Objective 1.1)

The SC-200 exam covers AIR under 'Manage a security operations environment' with focus on configuration and operation. Specific sub-objectives include:

Configure automated investigation and response

Manage automated investigation and response settings

Review investigation results

You should expect 5-8 questions on AIR, including scenario-based questions where you must choose the correct automation level for a given device group.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing 'No automation' for all devices: Candidates think this gives more control, but the exam wants you to balance security and efficiency. 'Full' is the default and recommended for most workstations.

2. Assuming AIR investigates all alerts: In reality, AIR only investigates alerts that are part of an incident. Standalone alerts are not automatically investigated. Candidates often miss this.

3. Thinking pending actions expire in 24 hours: The correct expiry is 7 days. The exam may include a distractor with 24 hours or 30 days.

4. Believing you can customize playbooks in the UI: You cannot. Playbooks are predefined by Microsoft and can only be customized via Microsoft Support. Candidates may think there's a 'Playbook editor' in MDE.

Specific Numbers and Terms to Memorize

Automation levels: Full, Semi, No automation

Default automation level: Full

Investigation timeout: 1 hour

Pending action expiry: 7 days

Investigation retention: 180 days

The terms 'Investigation timeline' and 'Action center'

The entity types: file, process, URL, IP, machine

Edge Cases the Exam Tests

What happens if an investigation times out? (No automatic remediation, even in Full automation)

Can AIR remediate threats on machines that are offline? (No, actions are queued and executed when the machine comes online)

What if a file is already quarantined by Defender AV? (AIR may confirm the action or skip it)

How to handle false positives? (Create suppression rules or adjust automation level)

How to Eliminate Wrong Answers

If the question mentions 'automatic remediation without approval', the answer is 'Full automation'.

If the question says 'investigation but manual approval for actions', the answer is 'Semi automation'.

If the question says 'no automation', the answer is 'No automation' (but rarely the correct choice in a recommendation scenario).

If the question asks about 'pending actions', remember 7 days.

If the question asks about 'investigation trigger', remember it must be part of an incident.

Key Takeaways

AIR automatically investigates alerts that are part of an incident using predefined playbooks.

Three automation levels: Full (remediate automatically), Semi (require approval), No automation (manual).

Default automation level is Full for all device groups.

Investigation timeout is 1 hour; if exceeded, no automatic remediation occurs.

Pending actions in Semi automation expire after 7 days.

Completed investigations are retained for 180 days.

AIR integrates with Defender Antivirus to perform remediation actions like file quarantine and process termination.

You cannot customize playbooks via the UI; only Microsoft Support can modify them.

AIR only works on online machines; actions are queued for offline machines.

The Action center is where pending actions are reviewed and approved or rejected.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Full Automation

Remediation actions are taken automatically without approval.

Recommended for low-risk or non-critical devices (e.g., user workstations).

Reduces MTTR significantly but may cause false positive disruptions.

Default automation level for all device groups.

Actions are executed immediately after investigation completes.

Semi Automation

Remediation actions require manual approval from an analyst.

Recommended for critical servers or devices where isolation could cause business impact.

Balances automation and human oversight.

Not the default; must be configured per device group.

Actions are created as pending and must be approved within 7 days.

Watch Out for These

Mistake: AIR investigates every alert that MDE generates.
Correct: AIR only investigates alerts that are part of an incident. Standalone alerts (e.g., informational alerts) are not automatically investigated unless manually triggered.

Mistake: You can create custom investigation playbooks in the MDE portal.
Correct: Playbooks are predefined by Microsoft and cannot be customized via the UI. Customization requires contacting Microsoft Support to modify the built-in playbooks.

Mistake: Pending actions for remediation expire in 24 hours.
Correct: Pending actions expire after 7 days if not approved or rejected. The 24-hour value is a common distractor on the exam.

Mistake: AIR can investigate and remediate threats on machines that are offline.
Correct: AIR requires the machine to be online to execute actions. Actions are queued and executed when the machine connects to the MDE cloud service.

Mistake: Setting automation level to 'Full' means all investigations complete instantly.
Correct: Investigations still take time (up to 1 hour timeout). 'Full' only means remediation actions are taken automatically without approval, not that the investigation is instantaneous.


Frequently Asked Questions

What is the difference between Full and Semi automation in AIR?

Full automation automatically remediates threats without human approval, while Semi automation requires an analyst to approve each remediation action. Full is the default and is best for non-critical devices. Semi is recommended for critical servers to avoid unintended isolation. Both levels conduct automatic investigation; only the remediation step differs.

How long does an AIR investigation take?

Each investigation has a default timeout of 1 hour. Most investigations complete within minutes, but complex investigations involving multiple entities may take longer. If the investigation does not complete within 1 hour, it is marked as 'Timeout' and no automatic remediation occurs, even in Full automation.

Can I customize the playbooks used by AIR?

No, AIR playbooks are predefined by Microsoft and cannot be customized through the MDE portal. If you need changes, you must contact Microsoft Support. However, you can create custom detection rules and suppression rules to influence which alerts trigger investigations.

What happens if a machine is offline during an AIR investigation?

If the machine is offline, the investigation can still start and collect available data (e.g., from cloud sources), but remediation actions cannot be executed. The actions are queued and will be executed when the machine comes online and connects to the MDE cloud service.

How do I approve or reject pending actions from AIR?

Navigate to the Action center in the MDE portal (under Security Operations). You will see pending actions for investigations that require approval. You can select each action and choose 'Approve' or 'Reject'. Actions expire after 7 days if not acted upon.

Does AIR investigate alerts from Microsoft Defender for Office 365?

Yes, AIR in MDE can investigate alerts that originate from Microsoft Defender for Office 365 if they are related to endpoint activities. For example, a phishing email that delivered a malicious attachment can trigger an investigation on the endpoint that opened the attachment. This integration is part of Defender XDR.

What is the retention period for completed investigations?

Completed investigations are retained for 180 days in the MDE portal. After that, they are automatically deleted. You can export investigation data before deletion if needed.
