Automated Investigation & Attack Disruption
Let the machines do the heavy lifting. Learn how Automated Investigation and Response (AIR) works, configure automatic attack disruption, and manage device groups with proper automation levels.
Why automate investigation?
Imagine a hospital emergency room with 200 patients arriving every hour. Doctors cannot examine every patient individually — they need triage nurses to handle the obvious cases and escalate only the complex ones.
Automated Investigation and Response (AIR) is your triage nurse. When an alert fires, AIR automatically investigates — checks the evidence, determines the scope, and either remediates the threat or escalates to an analyst for approval. It handles the repetitive work so your SOC team focuses on the hard stuff.
Automatic attack disruption goes further — it does not wait for investigation to complete. If Defender XDR detects an active attack in progress (ransomware spreading, business email compromise), it immediately contains the threat by isolating devices or disabling compromised accounts.
How AIR works
When an alert triggers, AIR runs an automated investigation playbook:
- Alert triggers → AIR starts automatically (for supported alert types)
- Evidence collection → examines files, processes, registry keys, network connections, user activities
- Verdict determination → classifies each entity as Malicious, Suspicious, or No threats found
- Remediation actions → proposes or executes actions based on the automation level
Common AIR remediation actions
| Action | What It Does | Requires Approval? |
|---|---|---|
| Quarantine file | Moves a malicious file to quarantine | Depends on automation level |
| Stop process | Terminates a running malicious process | Depends on automation level |
| Remove registry key | Deletes a malicious persistence mechanism | Depends on automation level |
| Isolate device | Cuts the device's network access while keeping its connection to the Defender for Endpoint service | Depends on automation level |
| Block URL | Blocks a malicious URL at time of click (proposed by email investigations) | Always pending analyst approval |
| Disable user account | Temporarily disables a compromised account (Active Directory via Defender for Identity, synced to Entra ID in hybrid setups) | Depends on automation level |
The automation levels described next govern actions on devices. Actions proposed by Defender for Office 365 investigations, such as soft-deleting messages or blocking a URL, always wait in the Action center until an analyst approves them.
Automation levels
Automation levels control how much freedom AIR has to act without human approval. You set these per device group.
Microsoft defines five automation levels, not just “auto or manual”:
| Level | What Happens | Best For |
|---|---|---|
| Full — remediate threats automatically | All remediation actions execute without approval | Production endpoints, well-tuned environments |
| Semi — require approval for any remediation | Every remediation action needs analyst approval | New deployments, testing phase |
| Semi — require approval for core folders remediation | Remediation of files in OS directories (\Windows\*) needs approval; files anywhere else are remediated automatically | Balanced — protect OS folders, auto-handle user directories |
| Semi — require approval for non-temp folders remediation | Only files in temporary locations (e.g., \Users\*\AppData\Local\Temp\*, \Users\*\Downloads\*, \Windows\Temp\*) are remediated automatically; everything else needs approval | Conservative — minimal auto-remediation |
| No automated response | No automated investigation runs at all — fully manual | High-sensitivity devices (domain controllers, executive laptops) |
Key distinction: the “core folders” and “non-temp folders” levels are about where the file lives, not about the type of action. “Core folders” means Windows system directories; “temp folders” means user temp and download locations plus \Windows\Temp\.
Exam tip: default is Full automation
Full automation is the default for new Microsoft 365 tenants and for the built-in Ungrouped devices (default) group, so a device that no custom group matches is remediated automatically. The exam may ask what happens if no automation level is configured: remediation actions execute automatically.
If a question describes wanting to review actions before execution, the answer is one of the Semi levels. Pay attention to whether the question specifies OS (core) folders, any remediation, or non-temp folders, since each maps to a different Semi level.
Also note: No automated response means the investigation itself does not run — not just that remediation is skipped.
Device groups
Device groups organise endpoints into logical collections for targeted policies. Each group gets its own automation level, access permissions, and priority.
Device group configuration
| Setting | Purpose |
|---|---|
| Name | Descriptive label (e.g., “Finance Servers”, “Executive Devices”) |
| Automation level | One of the five levels: Full, Semi (approve any remediation / core folders / non-temp folders), or No automated response |
| Members | Dynamic membership based on device name, domain, tags, or OS |
| Priority (rank) | When a device matches multiple groups it is assigned to the highest-ranked group (rank 1 is highest); the built-in Ungrouped devices (default) group always ranks last |
| User access | Which Microsoft Entra ID user groups (through Defender RBAC roles) can view and manage devices in this group |
Scenario: James structures device groups at Pacific Meridian
James creates five device groups:
- Domain Controllers — No automated response (too critical for auto-remediation; note that this also means no automated investigation runs on them). Only senior analysts can access. Priority: 1 (highest)
- Executive Devices — Semi (approve core folders). James and Sarah review actions. Priority: 2
- Finance Servers — Semi (approve any remediation). Compliance requires an audit trail of all actions. Priority: 3
- Standard Workstations — Full automation. 8,000 devices, handled automatically. Priority: 4
- BYOD — Full automation. Less trust, more aggressive auto-remediation. Priority: 5
When a device matches multiple groups (e.g., an executive’s laptop that is also a standard workstation), priority determines the winner — Executive Devices (priority 2) wins.
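The following is an added example, not part of the original page and not Microsoft's code or API. It models the two decisions this section describes in Python: ranking a device into a device group, then applying that group's automation level to a proposed file remediation, including the core-folder and temp-folder rules. The rule fields on `DeviceGroup` (name prefix, domain, tag, OS), the `evaluate` helper, the abbreviated folder patterns and the device records are assumptions constructed for illustration.

```python
"""Rank-based device-group selection, then the automation-level decision for a
file remediation. Added illustrative code, not a Microsoft API: rules, folder
patterns and devices are constructed and simplified from the public docs."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# The five automation levels, named as in the Defender portal.
FULL = "Full - remediate threats automatically"
SEMI_ANY = "Semi - require approval for any remediation"
SEMI_CORE = "Semi - require approval for core folders remediation"
SEMI_NONTEMP = "Semi - require approval for non-temp folders remediation"
NO_AUTOMATION = "No automated response"

# Lower-case folder patterns. Core = OS directories; temp = the documented
# temporary locations (abbreviated). \windows\temp\* is temp, so it is tested first.
CORE_FOLDERS = [r"c:\windows\*"]
TEMP_FOLDERS = [r"c:\users\*\appdata\local\temp\*", r"c:\users\*\downloads\*",
                r"c:\windows\temp\*"]

@dataclass
class Device:
    name: str
    domain: str
    os: str
    tags: set[str] = field(default_factory=set)

@dataclass
class DeviceGroup:
    name: str
    rank: int                   # 1 = highest priority
    automation: str
    # Hypothetical rule fields mirroring the portal's name/domain/tag/OS conditions.
    name_starts_with: str | None = None
    domain: str | None = None
    tag: str | None = None
    os: str | None = None

    def matches(self, d: Device) -> bool:
        # Every configured condition must hold; unset conditions are ignored.
        rules = [(self.name_starts_with, lambda v: d.name.lower().startswith(v.lower())),
                 (self.domain, lambda v: d.domain.lower() == v.lower()),
                 (self.tag, lambda v: v in d.tags),
                 (self.os, lambda v: v == d.os)]
        return all(check(v) for v, check in rules if v is not None)

# Devices matching no custom group land in the built-in default group (Full).
UNGROUPED = DeviceGroup("Ungrouped devices (default)", 10**6, FULL)

def resolve_group(device, groups):
    """Best (lowest) rank among matching groups wins; otherwise the default group."""
    hits = sorted((g for g in groups if g.matches(device)), key=lambda g: g.rank)
    return hits[0] if hits else UNGROUPED

def folder_class(path: str) -> str:
    p = path.lower()
    if any(fnmatchcase(p, pat) for pat in TEMP_FOLDERS):
        return "temp"
    if any(fnmatchcase(p, pat) for pat in CORE_FOLDERS):
        return "core"
    return "other"

def remediation_outcome(level: str, path: str) -> str:
    """'auto', 'approval' or 'no-investigation' for a file remediation at path."""
    if level == NO_AUTOMATION:
        return "no-investigation"  # AIR does not run at all on these devices
    if level == FULL:
        return "auto"
    if level == SEMI_ANY:
        return "approval"
    cls = folder_class(path)
    if level == SEMI_CORE:
        return "approval" if cls == "core" else "auto"
    if level == SEMI_NONTEMP:
        return "auto" if cls == "temp" else "approval"
    raise ValueError(f"unknown automation level: {level}")

def evaluate(device, groups, path):
    group = resolve_group(device, groups)
    return group.name, remediation_outcome(group.automation, path)

# James's five groups; the membership rules (name prefixes, tags) are assumed.
PACIFIC_MERIDIAN_GROUPS = [
    DeviceGroup("Domain Controllers", 1, NO_AUTOMATION, name_starts_with="DC-"),
    DeviceGroup("Executive Devices", 2, SEMI_CORE, tag="Executive"),
    DeviceGroup("Finance Servers", 3, SEMI_ANY, name_starts_with="FIN-SRV"),
    DeviceGroup("Standard Workstations", 4, FULL, name_starts_with="WS-"),
    DeviceGroup("BYOD", 5, FULL, tag="BYOD"),
]

# Constructed device: an executive's laptop whose name also matches the
# Standard Workstations rule, so it hits ranks 2 and 4 and rank 2 wins.
EXEC_LAPTOP = Device("WS-1042", "corp.pacificmeridian.example", "Windows11", {"Executive"})

if __name__ == "__main__":
    print(evaluate(EXEC_LAPTOP, PACIFIC_MERIDIAN_GROUPS, r"C:\Windows\System32\drivers\evil.sys"))
```

Run as written, the executive's laptop resolves to Executive Devices (rank 2 beats rank 4), and a malicious driver under \Windows\ is held for approval while the same verdict on a file under the user's AppData\Roaming would be remediated automatically. Two details worth checking against your own tenant: a device matching no custom group inherits Full automation from the default group, and \Windows\Temp\ counts as a temp folder, so under the non-temp level a dropper there is quarantined without approval.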
Automatic attack disruption
Attack disruption is different from AIR — it acts in real-time during an active attack, not after investigation.
What triggers disruption
Defender XDR’s AI engine identifies high-confidence attack patterns:
- Human-operated ransomware — encryption spreading across devices
- Business email compromise (BEC) — attacker using a compromised mailbox
- Adversary-in-the-middle (AiTM) — session token theft and replay
Disruption actions
| Action | When It Fires |
|---|---|
| Contain device | Device is actively spreading ransomware or moving laterally |
| Contain user | Compromised account being used for BEC or credential abuse |
| Disable user | High-confidence account compromise with active abuse; the account is disabled in Active Directory through Defender for Identity and the change syncs to Entra ID |
These actions happen within minutes of detection — before most SOC teams could even triage the alert.
Exam tip: disruption vs AIR
Attack disruption and AIR are related but different:
- AIR = post-alert investigation and remediation (minutes to hours)
- Attack disruption = real-time containment of active attacks (seconds to minutes)
Attack disruption does NOT wait for an investigation to complete. It is designed for time-critical scenarios where delay means damage.
The exam may describe an active ransomware attack and ask “what stops the spread fastest?” — the answer is automatic attack disruption, not AIR.
Knowledge check
- Pacific Meridian experiences a ransomware attack spreading across workstations. Within 3 minutes, Defender XDR automatically isolates the affected devices. What feature stopped the attack?
- James wants domain controllers at Pacific Meridian to require manual analyst review for ALL remediation actions. Which automation level should he configure for the Domain Controllers device group?
- Pacific Meridian experiences a BEC attack. Attack disruption disables the compromised CFO account and isolates 2 devices. James finds that the attacker also created an OAuth app with Mail.ReadWrite permissions 6 hours before disruption fired. The app is still active. What should James prioritise FIRST?
Next up: Investigation is automated. Now let’s automate the response — Sentinel automation rules and playbooks take action when incidents match your criteria.