Sign In

SA0.8 Defender XDR Automation Architecture

5 hours · Module 0 · Free
DEFENDER XDR AUTOMATION — THREE NATIVE CAPABILITIESAUTO INVESTIGATION (AIR)Investigates alerts automaticallyQuarantines email, blocks filesDisables compromised accountsConfigurable: auto or approvalMonitor: Action CenterATTACK DISRUPTIONDisrupts in-progress attacksContains compromised usersIsolates compromised devicesTargets: ransomware, BEC, AiTMHigh confidence, limited scopeCUSTOM DETECTIONSKQL-based custom rulesAttach auto-actions: isolate,quarantine file, disable userYour detections + your responseComplements Sentinel automationSENTINEL vs DEFENDER XDR — WHEN TO AUTOMATE WHEREDEFENDER XDR: single-product responses (isolate endpoint, quarantine email, disable user in MDE/MDO/MDI)SENTINEL: cross-product orchestration (identity + endpoint + network + external integrations)BOTH: complement each other. Defender handles product-native fast actions. Sentinel handles complex workflows.Rule: if the action is within one Defender product → Defender XDR. If it crosses products or requires external → Sentinel.

Figure SA0.8 — Defender XDR's three native automation capabilities and the decision framework for choosing between Defender XDR and Sentinel automation.

Operational Objective
Sentinel is not the only automation platform in your M365 environment. Defender XDR has its own automation capabilities — Auto Investigation and Response (AIR), attack disruption, and custom detection rules with auto-actions. These capabilities complement Sentinel automation, but using both without coordination creates duplicate responses, conflicting actions, and blind spots. This sub maps Defender XDR's automation architecture and establishes the decision framework for where to automate: Defender XDR for single-product fast actions, Sentinel for cross-product orchestration.
Deliverable: Understanding of Defender XDR's three automation capabilities and the ability to decide whether a given automation belongs in Defender XDR, Sentinel, or both.
⏱ Estimated completion: 25 minutes

Auto Investigation and Response (AIR)

When Defender for Endpoint detects malware on a device, AIR automatically investigates: it examines the process tree, checks related files, reviews network connections, and identifies other endpoints that may be affected. Based on the investigation findings, AIR recommends or executes remediation actions — quarantine the file, isolate the endpoint, disable the account.

AIR operates in two modes. In “full automation” mode, it investigates and remediates without human approval. In “semi-automation” mode, it investigates automatically but presents the remediation actions for analyst approval in the Action Center. The mode is configured per device group — you can set full automation for workstations (low blast radius) and semi-automation for servers (high blast radius).

The critical insight about AIR is that it operates entirely within Defender XDR’s product boundary. It cannot call external APIs, query Sentinel watchlists, post to Teams, or create ServiceNow tickets. It cannot check your VIP watchlist before disabling an account. It cannot correlate with Sentinel incidents from non-Microsoft data sources. AIR is powerful within its scope and blind outside it.

What AIR catches well: Known malware (signature-based), credential theft tools (Mimikatz patterns), lateral movement using known techniques (PsExec, WMI, RDP with pass-the-hash), and email threats (phishing with known indicators). These are high-confidence detections where AIR’s built-in investigation logic performs well.

What AIR misses: Custom attack tools, living-off-the-land techniques that blend with legitimate administration, attacks that span multiple products (identity compromise + email + endpoint), and attacks that require environmental context (is this user a VIP? Is this server critical?) to make correct response decisions.

Attack disruption

Attack disruption is Defender XDR’s highest-confidence automated response. It identifies in-progress attacks — ransomware encryption, BEC financial fraud, AiTM session hijacking — and automatically disrupts them by containing the compromised user and isolating the compromised device.

Attack disruption differs from AIR in two ways. First, it targets specific high-impact attack patterns (ransomware, BEC, AiTM) rather than generic alert types. Second, it acts faster — it is designed to disrupt an attack in progress, not investigate after the fact.

The limitation is scope. Attack disruption only fires on attack patterns that Defender’s ML models recognise. A novel attack technique, a custom malware family, or an attack chain that does not match a known pattern will not trigger attack disruption. This is where Sentinel automation fills the gap — custom detections with custom response logic for the threats that are specific to your environment and your threat model.

Custom detection rules with auto-actions

Defender XDR custom detection rules are KQL queries that run against the advanced hunting tables (DeviceProcessEvents, EmailEvents, IdentityLogonEvents, CloudAppEvents). When the query returns results, Defender creates an alert and can automatically execute response actions on the entities in the results — isolate the device, quarantine the file, disable the user, or force password reset.

This is the Defender equivalent of Sentinel’s automation rule + playbook combination. The advantage: the response action executes directly from the detection, with no Logic App overhead, no managed identity configuration, and no connector setup. The disadvantage: the response actions are limited to Defender’s built-in capabilities. You cannot call external APIs, query non-Microsoft data sources, or implement complex conditional logic.

When to use Defender custom detections: When the detection and the response are both within Defender’s product scope. A detection for “encoded PowerShell downloading from external URL” that auto-isolates the endpoint is a perfect Defender custom detection — the detection uses DeviceProcessEvents, the response uses MDE’s isolation API, and no external integration is needed.

When to use Sentinel instead: When the response requires cross-product action (revoke identity sessions AND isolate endpoint AND block IP at firewall), external integration (notify Teams, create ServiceNow ticket, query external TI), or conditional logic (check VIP watchlist, assess blast radius, route to approval).

The unified model — Defender XDR and Sentinel together

The correct architecture uses both platforms:

Defender XDR handles fast, single-product responses. AIR investigates and remediates within MDE, MDO, and MDI. Attack disruption contains in-progress attacks. Custom detections with auto-actions handle Defender-specific detection-response pairs.

Sentinel handles cross-product orchestration. Playbooks coordinate identity + endpoint + network containment. Logic Apps integrate with Teams, email, ticketing, and external TI. Watchlists provide environmental context (VIP lists, known-safe IPs, asset criticality). Workbooks monitor automation health across both platforms.

The platforms must not conflict. If Defender AIR auto-disables a user account and a Sentinel playbook also tries to disable the same account, the second action fails (the account is already disabled) and generates an error log. This is not harmful, but it is noise. Coordinate by: having the Sentinel playbook check the current account status before acting (if already disabled, skip and log “already contained by Defender”), and monitoring the Action Center to ensure Sentinel and Defender are not duplicating actions.

⚠ Compliance Myth: "We should disable Defender AIR because we want all containment to go through Sentinel playbooks for audit consistency"

The myth: Running two automation platforms creates audit complexity. Consolidating all automation in Sentinel provides a single audit trail.

The reality: Disabling AIR removes real-time automated investigation and response capability that operates faster than any Sentinel playbook. AIR investigates within seconds of the alert. A Sentinel playbook triggers on incident creation, which can be minutes after the alert. For active ransomware or credential theft, those minutes matter.

The audit trail concern is valid but solvable. Both Sentinel and Defender log every automated action. The Sentinel unified incident view shows Defender actions alongside Sentinel actions. The IR report should include actions from both platforms. The solution is unified reporting, not disabling half your automation.

Decision point: You have built a KQL detection for “service account authenticating from a non-server IP” that detects compromised service accounts. You want to auto-disable the service account when this detection fires. Should you build this as a Defender XDR custom detection with auto-action or a Sentinel analytics rule with a containment playbook? The answer depends on whether you need environmental context. If the service account can be safely disabled without checking dependencies (unlikely for a service account), Defender custom detection is simpler. If you need to check the service account’s dependencies, check a watchlist for “never auto-disable” accounts, or notify the application owner before disabling, you need a Sentinel playbook. For service accounts, the Sentinel playbook is almost always the correct choice because service account containment requires dependency awareness that Defender custom detections cannot provide.

Try it: Review your Defender XDR automation
  1. Open security.microsoft.com → Settings → Endpoints → Advanced features. Is automated investigation enabled? What level (full or semi)?
  2. Open Action center → History. How many automated actions in the last 30 days? How many pending approval?
  3. Open Hunting → Custom detection rules. How many rules exist? Do any have auto-actions attached?
  4. Check Settings → Endpoints → Device groups. What automation level is configured per group?

Compare what Defender is doing automatically against what you thought was happening. If there are surprises, that is a monitoring gap.

You want to build automation that detects an AiTM attack, revokes the user's cloud sessions, isolates their endpoint, blocks the attacker IP at the firewall, and sends a Teams notification to the SOC channel. Where should this automation live?
Defender XDR custom detection with auto-actions. Defender can revoke sessions and isolate the endpoint, but it cannot block IPs at the firewall (Palo Alto) or send Teams notifications. The cross-product and external integration requirements exceed Defender's scope.
Sentinel playbook triggered by an automation rule. The playbook can call Graph API (session revocation), MDE API (endpoint isolation), Palo Alto API (firewall block), and Teams connector (notification) — all in a single workflow with conditional logic, blast radius checks, and error handling. This is a cross-environment orchestration scenario that requires Sentinel's integration capability.
Split between Defender (session revoke + isolate) and Sentinel (firewall + Teams). Splitting creates coordination complexity — what if the Sentinel playbook fails while Defender succeeds? You have partial containment with no unified error handling. Run the entire workflow from one platform (Sentinel) for unified execution, logging, and error management.
Let Defender attack disruption handle it — it already detects AiTM. Attack disruption may contain the user and device, but it will not block the firewall IP or send the Teams notification. It also does not provide the environmental context checks (VIP, blast radius) that your custom playbook includes. Attack disruption is a baseline; your custom playbook adds the organisation-specific response.

Where this goes deeper. SA8 is dedicated entirely to Defender XDR automation — AIR configuration, attack disruption tuning, custom detection rules, MDE indicators, and the unified Sentinel + Defender automation architecture. SA5-SA7 implement the cross-environment containment that Sentinel playbooks enable and Defender alone cannot provide.

Operational Artifact — Defender XDR vs Sentinel Automation Decision Guide
Single-product, fast action → Defender XDR (AIR, attack disruption, custom detection auto-actions). Cross-product, external integration, conditional logic → Sentinel playbook. Both platforms should be active. Monitor both through the Sentinel unified incident view and the Defender Action Center. Document actions from both platforms in IR reports.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← SA0.7 Sentinel Automation Architecture SA0.9 The Automation Governance Framework →