8.9 Automated Investigation and Response for Email

90 minutes · Module 8

By the end of this subsection, you will understand how AIR automates email threat investigation, know the approval workflow, and be able to monitor AIR effectiveness.

How email AIR works

When Defender for Office 365 detects a phishing email or malware, AIR automatically:

  1. Identifies the threat — classifies the email as phishing, malware, or spam
  2. Scopes the campaign — finds all related emails (same sender, URL, or attachment hash)
  3. Identifies affected users — which mailboxes received the campaign
  4. Recommends remediation — soft delete from all affected mailboxes
  5. Executes or waits — depending on your automation level, either acts immediately or waits for analyst approval
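The five steps above as a small Python model, added here as an illustration and not code from the page or from Microsoft. The message store, the campaign-matching rule (same sender, shared URL, or shared attachment hash) and the automation-level names are this example's own constructions; the verdict from step 1 is taken as an input, since the classification itself is not something a short script can reproduce.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Email:
    message_id: str
    mailbox: str                      # recipient mailbox
    sender: str
    urls: FrozenSet[str]
    attachment_hashes: FrozenSet[str]


# Constructed sample mailbox contents (not real data): m1 is the email Defender flagged.
MESSAGES: List[Email] = [
    Email("m1", "alice@contoso.example", "billing@vendor-lookalike.example",
          frozenset({"http://lookalike.example/login"}), frozenset()),
    Email("m2", "bob@contoso.example", "billing@vendor-lookalike.example",
          frozenset(), frozenset()),                                   # same sender as m1
    Email("m3", "carol@contoso.example", "other@somewhere.example",
          frozenset({"http://lookalike.example/login"}), frozenset()), # same URL, different sender
    Email("m4", "dave@contoso.example", "news@legit.example",
          frozenset({"https://legit.example/news"}), frozenset()),     # unrelated
    Email("m5", "erin@contoso.example", "hr@random.example",
          frozenset(), frozenset({"sha256:constructed-hash-1"})),      # a separate attachment campaign
    Email("m6", "alice@contoso.example", "hr@random.example",
          frozenset(), frozenset({"sha256:constructed-hash-1"})),
]


def scope_campaign(seed: Email, messages: Iterable[Email]) -> List[Email]:
    """Step 2: every email that shares the seed's sender, a URL, or an attachment hash."""
    return [m for m in messages
            if m.sender == seed.sender
            or (m.urls & seed.urls)
            or (m.attachment_hashes & seed.attachment_hashes)]


def affected_mailboxes(campaign: Iterable[Email]) -> Set[str]:
    """Step 3: the distinct mailboxes that received the campaign."""
    return {m.mailbox for m in campaign}


def decide(automation_level: str, confidence: str) -> str:
    """Step 5: act now or wait, following the automation-level table (level names are this example's own)."""
    if automation_level == "require_approval":
        return "PendingApproval"
    if automation_level == "auto_remediate_confirmed":
        return "Remediated" if confidence == "high" else "PendingApproval"
    if automation_level == "full_automation":
        return "Remediated"
    raise ValueError(f"unknown automation level: {automation_level}")


def run_air(seed_id: str, messages: List[Email], verdict: str,
            confidence: str, automation_level: str) -> dict:
    """Steps 1-5 end to end; the verdict and its confidence are inputs here."""
    seed = next(m for m in messages if m.message_id == seed_id)
    campaign = scope_campaign(seed, messages)
    return {
        "verdict": verdict,
        "campaign": sorted(m.message_id for m in campaign),
        "affected_mailboxes": sorted(affected_mailboxes(campaign)),
        "recommended_action": "soft_delete",          # step 4
        "state": decide(automation_level, confidence),
    }


if __name__ == "__main__":
    # Low-confidence phishing under "auto-remediate confirmed threats" waits for an analyst.
    print(run_air("m1", MESSAGES, "phishing", "low", "auto_remediate_confirmed"))
```

Note that m3 is pulled into the campaign by its URL alone even though the sender differs; that is the same reason a manual Threat Explorer search on sender only can undercount a campaign.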

Automation levels for email

Level | AIR behavior | Best for
--- | --- | ---
Require approval | AIR investigates and recommends. Analyst approves. | Starting point — human reviews every action
Auto-remediate confirmed threats | AIR remediates high-confidence malware/phishing automatically. Lower confidence waits for approval. | After 90 days of reviewing AIR recommendations with high accuracy
Full automation | AIR remediates all findings automatically | High-volume environments where analyst review is a bottleneck

Email AIR is separate from endpoint AIR (Module 7.4)

Email AIR handles email threats: soft-delete campaigns, block senders, submit for analysis. Endpoint AIR handles device threats: quarantine files, isolate devices. They are configured independently and operate in their respective domains. A cross-domain incident (phishing email leads to malware on device) triggers both.

Monitoring AIR effectiveness

AlertInfo
| where TimeGenerated > ago(30d)
| where ServiceSource == "Microsoft Defender for Office 365"
| where Category has "Phish" or Category has "Malware"
| summarize
    TotalAlerts = count(),
    AutoRemediated = countif(InvestigationState == "Remediated"),
    PendingApproval = countif(InvestigationState == "Pending"),
    NoAction = countif(InvestigationState == "NoThreatsFound")
| extend AutoRate = round(AutoRemediated * 100.0 / TotalAlerts, 1)

Expected Output

TotalAlerts | AutoRemediated | PendingApproval | NoAction | AutoRate
--- | --- | --- | --- | ---
142 | 98 | 31 | 13 | 69.0%

What to look for: 69% auto-remediation rate means AIR handled 98 email threats without analyst intervention. The 31 pending need manual review — check these for false positives or ambiguous verdicts. If the pending items are consistently approved, consider moving to a higher automation level. The 13 "NoThreatsFound" were investigated and cleared — AIR correctly determined no action was needed.

Email AIR reduces analyst workload by 60-70% on email threats

Without AIR, every phishing email triggers manual investigation: identify the campaign, find all recipients, check clicks, decide on remediation, execute soft-delete across all mailboxes. With AIR, steps 1-4 are automated. The analyst reviews and approves — a 5-minute task instead of a 30-minute investigation. At 30+ email threats per week, this is the difference between a manageable workload and alert fatigue.

Reviewing AIR investigations

When AIR completes an email investigation, review these elements before approving:

1. Scope accuracy: Did AIR identify all emails in the campaign? Compare the count against your manual Threat Explorer search. If AIR found 18 but you find 23, there are 5 emails AIR missed — remediate manually.

2. Verdict confidence: Check the confidence level of the phishing/malware classification. High confidence = approve quickly. Low confidence = review sample emails before approving.

3. Recommended actions: Is soft delete appropriate, or do some emails need hard delete (e.g., malware that users might restore from Recoverable Items)?

4. Affected users: Review the list of affected mailboxes. Any VIP users? Any service accounts? VIPs may need additional follow-up (Module 13.7 phone notification).
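The four review checks as a script, added as an example and not part of the page or of the Defender portal. The investigation record shape, the manual Threat Explorer result (18 scoped by AIR versus 23 found manually, as in check 1), the VIP list and the "svc-" service-account naming convention are all constructed assumptions.

```python
from typing import Dict, Iterable, List, Set

# Constructed AIR investigation summary; the field names are this example's own.
INVESTIGATION: Dict = {
    "verdict": "phishing",
    "confidence": "high",
    "recommended_action": "soft_delete",
    "scoped_ids": {f"msg-{i}" for i in range(1, 19)},          # AIR found 18 emails
    "affected_mailboxes": ["alice@contoso.example", "ceo@contoso.example",
                           "svc-scanner@contoso.example"],
}
# Constructed manual Threat Explorer result: the analyst finds 23 emails in the campaign.
MANUAL_SCOPE: Set[str] = {f"msg-{i}" for i in range(1, 24)}
VIPS: Set[str] = {"ceo@contoso.example", "cfo@contoso.example"}


def scope_gap(air_ids: Iterable[str], manual_ids: Iterable[str]) -> List[str]:
    """Check 1: emails the manual search found that AIR's scope does not include."""
    missed = set(manual_ids) - set(air_ids)
    return sorted(missed, key=lambda s: int(s.rsplit("-", 1)[1]))


def review_investigation(inv: Dict, manual_ids: Iterable[str], vips: Set[str]) -> Dict:
    """Run checks 1-4 and return the findings plus an overall disposition."""
    findings: List[str] = []
    hold = False   # True when something must be resolved before approving
    manual_ids = set(manual_ids)

    # Check 1: scope accuracy
    missed = scope_gap(inv["scoped_ids"], manual_ids)
    if missed:
        findings.append(f"scope: AIR scoped {len(inv['scoped_ids'])}, manual search found "
                        f"{len(manual_ids)}; remediate {len(missed)} manually: {missed}")

    # Check 2: verdict confidence
    if inv["confidence"] != "high":
        findings.append("verdict: confidence is not high; review sample emails before approving")
        hold = True

    # Check 3: recommended action
    if inv["verdict"] == "malware" and inv["recommended_action"] == "soft_delete":
        findings.append("action: malware is only soft-deleted; consider hard delete so users "
                        "cannot restore it from Recoverable Items")

    # Check 4: affected users
    vip_hits = sorted(set(inv["affected_mailboxes"]) & vips)
    if vip_hits:
        findings.append(f"users: VIP mailboxes affected, schedule follow-up notification: {vip_hits}")
    svc = sorted(m for m in inv["affected_mailboxes"] if m.startswith("svc-"))  # assumed naming convention
    if svc:
        findings.append(f"users: service accounts affected, check for automated processing or forwarding: {svc}")

    return {"disposition": "hold" if hold else "approve", "findings": findings}


if __name__ == "__main__":
    for line in review_investigation(INVESTIGATION, MANUAL_SCOPE, VIPS)["findings"]:
        print(line)
```

Only a non-high confidence verdict blocks approval here; the scope gap, VIP and service-account findings are follow-up work that goes alongside the approval rather than a reason to withhold it.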

// Track AIR investigation outcomes over time
AlertInfo
| where TimeGenerated > ago(30d)
| where ServiceSource == "Microsoft Defender for Office 365"
| summarize
    Investigations = count(),
    Remediated = countif(InvestigationState == "Remediated"),
    Approved = countif(InvestigationState == "PendingApproval"),
    Failed = countif(InvestigationState == "Failed")
    by bin(TimeGenerated, 7d)
| extend SuccessRate = round(Remediated * 100.0 / Investigations, 0)
| sort by TimeGenerated asc

Expected Output

Week | Investigations | Remediated | Approved | Failed | SuccessRate
--- | --- | --- | --- | --- | ---
Week 1 | 12 | 8 | 3 | 1 | 67%
Week 2 | 18 | 14 | 4 | 0 | 78%
Week 3 | 31 | 27 | 3 | 1 | 87%

What to look for: Success rate trending upward (67% to 87%) shows AIR improving. The 2 "Failed" investigations need review — common causes: permissions issue preventing remediation, mailbox on legal hold preventing deletion, or the email was already manually remediated before AIR completed. If success rate plateaus below 80%, check AIR configuration and permissions.
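The two monitoring queries on this page, reimplemented in Python over constructed alert records so the logic can be run offline. This is an added example, not code from the page, and the sample rows are built to resemble the AlertInfo columns the queries use; the counts are constructed and do not reproduce the page's expected-output figures. Two points are assumptions: the pending state is spelled "Pending" as in the first query, and the 7-day bins start at the 30-day window boundary rather than at KQL's epoch-aligned bin() boundaries.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

O365 = "Microsoft Defender for Office 365"
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)   # fixed clock so the example is deterministic


def _alert(state: str, days_ago: int, category: str = "Phish", source: str = O365) -> Dict:
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ServiceSource": source,
            "Category": category, "InvestigationState": state}


def build_sample_alerts() -> List[Dict]:
    """Constructed records shaped like the AlertInfo columns the two queries use (not tenant data)."""
    rows: List[Dict] = []
    # three weeks of outcomes, oldest first: (days ago, Remediated, Pending, Failed)
    for days_ago, remediated, pending, failed in [(20, 8, 3, 1), (13, 14, 4, 0), (6, 27, 3, 1)]:
        rows += [_alert("Remediated", days_ago) for _ in range(remediated)]
        rows += [_alert("Pending", days_ago) for _ in range(pending)]
        rows += [_alert("Failed", days_ago) for _ in range(failed)]
    rows += [_alert("NoThreatsFound", 6, category="Malware") for _ in range(2)]  # investigated and cleared
    rows.append(_alert("Remediated", 2, source="Microsoft Defender for Endpoint"))  # endpoint AIR: filtered out
    rows.append(_alert("Remediated", 45))                                          # older than 30d: filtered out
    return rows


def in_window(a: Dict, days: int = 30) -> bool:
    """The two 'where' clauses both queries share."""
    return a["TimeGenerated"] > NOW - timedelta(days=days) and a["ServiceSource"] == O365


def air_summary(alerts: List[Dict]) -> Dict:
    """Mirrors the first query: phishing/malware alerts by investigation state, plus the auto-remediation rate."""
    rows = [a for a in alerts if in_window(a) and ("Phish" in a["Category"] or "Malware" in a["Category"])]
    total = len(rows)
    auto = sum(a["InvestigationState"] == "Remediated" for a in rows)
    pending = sum(a["InvestigationState"] == "Pending" for a in rows)
    no_action = sum(a["InvestigationState"] == "NoThreatsFound" for a in rows)
    return {"TotalAlerts": total, "AutoRemediated": auto, "PendingApproval": pending, "NoAction": no_action,
            "AutoRate": round(auto * 100.0 / total, 1) if total else 0.0}


def weekly_trend(alerts: List[Dict]) -> List[Dict]:
    """Mirrors the second query: 7-day bins with a rounded success rate, oldest week first."""
    start = NOW - timedelta(days=30)
    bins: Dict[int, Dict] = {}
    for a in filter(in_window, alerts):
        idx = (a["TimeGenerated"] - start).days // 7
        b = bins.setdefault(idx, {"WeekStart": (start + timedelta(days=7 * idx)).date().isoformat(),
                                  "Investigations": 0, "Remediated": 0, "Pending": 0, "Failed": 0})
        b["Investigations"] += 1
        if a["InvestigationState"] in ("Remediated", "Pending", "Failed"):
            b[a["InvestigationState"]] += 1
    out = []
    for idx in sorted(bins):
        b = bins[idx]
        b["SuccessRate"] = round(b["Remediated"] * 100.0 / b["Investigations"])
        out.append(b)
    return out


def assess(trend: List[Dict], floor: float = 80.0) -> List[str]:
    """The 'what to look for' checks: failed investigations to review, and a rate stuck below the floor."""
    flags = []
    failed = sum(w["Failed"] for w in trend)
    if failed:
        flags.append(f"{failed} failed investigation(s): check permissions, legal holds, or prior manual remediation")
    if len(trend) >= 2 and all(w["SuccessRate"] < floor for w in trend[-2:]):
        flags.append(f"success rate below {floor:.0f}% for two consecutive weeks: review AIR configuration and permissions")
    return flags


if __name__ == "__main__":
    alerts = build_sample_alerts()
    print(air_summary(alerts))
    for week in weekly_trend(alerts):
        print(week)
    print(assess(weekly_trend(alerts)))
```

The summary's TotalAlerts is larger than the sum of its three state columns because failed investigations are counted in the total but have no column, which is also true of the page's query; the trend query is the place that surfaces them.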

Try it yourself

AIR recommends soft-deleting 200 emails classified as phishing. Your review shows the emails are from a new vendor your company onboarded last week — legitimate emails, not phishing. What do you do?

Reject the AIR recommendation. Then:

1. Allow the sender: Add the vendor domain to the Tenant Allow/Block List as an allowed sender.

2. Submit as false positive: Submit a sample email to Microsoft for analysis to improve detection accuracy.

3. Verify anti-phishing policy: Check if impersonation protection is flagging the vendor's display name as impersonating an internal user.

4. Communicate: Notify the user who reported the vendor's emails as suspicious (or whose mailbox triggered the alert).

This is why the approval workflow exists — to catch exactly this scenario. If this had been on full automation, 200 legitimate vendor emails would have been deleted.

Check your understanding

1. AIR identifies a phishing campaign affecting 200 mailboxes and recommends soft delete. Your automation is set to "require approval." What do you do?

Answer: Review AIR's investigation: check the email samples, verify the phishing verdict, confirm the scope is correct (200 mailboxes, not 2,000). If the investigation is accurate, approve the soft delete. Then check for users who clicked before the remediation. The approval step exists to catch AIR misclassifications — use it to verify, not rubber-stamp.

Other options (incorrect):

  - Approve immediately — AIR is always correct
  - Reject and investigate manually