
Microsoft Defender for Office 365 now features Auto-Remediation in Automated Investigation and Response (AIR). When AIR detects a malicious file or URL, it creates a cluster grouping all related messages that contain that threat. The system then checks where each of these messages currently is: if a copy is found in a user's mailbox, AIR generates a remediation action for it. If auto-remediation is enabled, that action executes automatically without requiring SecOps approval, neutralizing threats at machine speed.
Reference: Microsoft Defender for Office 365 Auto-Remediation
You Should Know:
Key Commands & Steps for Threat Remediation in Microsoft Defender (verify each cmdlet name with Get-Command in your installed Exchange Online Management module before building scripts on it)
1. Enable Auto-Remediation in Defender for Office 365
Set-AutomatedInvestigationRemediation -EnableAutoRemediation $true
This PowerShell command activates automatic remediation for detected threats.
2. Check AIR Investigation Status
Get-AutomatedInvestigation -InvestigationId <ID>
Retrieves the status of an ongoing AIR investigation.
3. Manually Trigger an Investigation
Start-AutomatedInvestigation -Entity <EmailID>
Forces an investigation on a specific suspicious email.
4. Review Remediation Actions
Get-ActionCenterReport -RemediationAction <ActionID>
Lists all remediation actions taken by AIR.
5. Export Threat Cluster Data
Export-AIRThreatCluster -ClusterId <ClusterID> -Path "C:\Reports\ThreatReport.csv"
Exports threat cluster details for further analysis.
6. Restore a False Positive Remediation
Undo-AutomatedInvestigationAction -ActionId <ActionID>
Reverts an automated action if a false positive is detected.
7. Monitor AIR via the Microsoft 365 Defender Portal or API
Use curl to fetch AIR logs from the API:
curl -X GET "https://api.security.microsoft.com/api/air/investigations" -H "Authorization: Bearer <Token>"
Fetches AIR investigation logs via API.
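To make the AIR flow described above concrete (cluster on an indicator, check each copy's location, create an action only for copies still reachable in a mailbox, execute immediately when auto-remediation is on, otherwise hold for approval, and undo a false positive), here is a small simulation. It is an added example written for this article, not Microsoft's code or API; the folder names, the "SoftDelete to RecoverableItems" behaviour and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed indicator: the malicious URL the investigation clusters on.
MALICIOUS_URL = "http://malicious-domain.example/invoice"

# Folders a user can still open; only copies here get a remediation action (assumption).
MAILBOX_LOCATIONS = {"Inbox", "Junk", "DeletedItems"}


@dataclass
class Message:
    message_id: str
    recipient: str
    location: str                                 # current folder or holding area
    urls: List[str] = field(default_factory=list)
    attachment_hashes: List[str] = field(default_factory=list)
    previous_location: Optional[str] = None       # kept so an action can be undone


@dataclass
class RemediationAction:
    action_id: str
    message_id: str
    recipient: str
    action: str = "SoftDelete"
    status: str = "Pending"                       # Pending -> Completed -> Undone


def build_cluster(messages: List[Message], indicator: str) -> List[Message]:
    """Group every message that carries the detected URL or file hash."""
    return [m for m in messages
            if indicator in m.urls or indicator in m.attachment_hashes]


class AirEngine:
    def __init__(self, auto_remediation: bool) -> None:
        self.auto_remediation = auto_remediation
        self.actions: Dict[str, RemediationAction] = {}
        self.audit_log: List[str] = []            # what an auditor would review
        self._targets: Dict[str, Message] = {}
        self._next_id = 0

    def investigate(self, messages: List[Message], indicator: str) -> List[RemediationAction]:
        """Cluster, check location, create one action per reachable copy."""
        created = []
        for m in build_cluster(messages, indicator):
            if m.location not in MAILBOX_LOCATIONS:
                self.audit_log.append(f"{m.message_id}: in {m.location}, no action needed")
                continue
            self._next_id += 1
            action = RemediationAction(f"act-{self._next_id}", m.message_id, m.recipient)
            self.actions[action.action_id] = action
            self._targets[action.action_id] = m
            if self.auto_remediation:
                self._execute(action)             # runs without an approval step
            else:
                self.audit_log.append(f"{action.action_id}: pending SecOps approval")
            created.append(action)
        return created

    def approve(self, action_id: str) -> RemediationAction:
        """Manual approval path used when auto-remediation is off."""
        action = self.actions[action_id]
        if action.status == "Pending":
            self._execute(action)
        return action

    def undo(self, action_id: str) -> RemediationAction:
        """Restore a message after a false-positive remediation."""
        action = self.actions[action_id]
        if action.status != "Completed":
            raise ValueError(f"{action_id} is {action.status}, nothing to undo")
        m = self._targets[action_id]
        m.location, m.previous_location = m.previous_location, None
        action.status = "Undone"
        self.audit_log.append(f"{action_id}: undone, {m.message_id} restored to {m.location}")
        return action

    def _execute(self, action: RemediationAction) -> None:
        m = self._targets[action.action_id]
        m.previous_location = m.location
        m.location = "RecoverableItems"           # soft delete: recoverable, not purged
        action.status = "Completed"
        self.audit_log.append(f"{action.action_id}: {action.action} {m.message_id} for {m.recipient}")


def sample_messages() -> List[Message]:
    """Constructed mailbox state: three copies of the phish, one clean mail."""
    return [
        Message("m1", "alice@contoso.example", "Inbox", urls=[MALICIOUS_URL]),
        Message("m2", "bob@contoso.example", "Junk", urls=[MALICIOUS_URL]),
        Message("m3", "carol@contoso.example", "Quarantine", urls=[MALICIOUS_URL]),
        Message("m4", "dave@contoso.example", "Inbox", urls=["https://contoso.example/ok"]),
    ]


if __name__ == "__main__":
    engine = AirEngine(auto_remediation=True)
    engine.investigate(sample_messages(), MALICIOUS_URL)
    print("\n".join(engine.audit_log))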
Linux & Windows Commands for Threat Hunting
Linux (SIEM & Log Analysis)
Search a log directory for URLs on a known-bad domain (grep needs -r to descend into /var/log/):
grep -rE "https?://malicious-domain" /var/log/
Check for suspicious processes:
ps aux | grep -i "suspicious_process"
List established network connections (-l would show only listening sockets, so it is dropped):
netstat -tunp | grep ESTABLISHED
Carve attachments out of an email for analysis:
foremost -i suspicious_email.eml -o output_dir
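A plain grep for "malicious-domain" also matches lookalike hosts such as notmalicious-domain.example and misses mixed-case or port-suffixed URLs. The scanner below, an added example that is not part of the original post, extracts URLs from log lines, normalises the host and matches it label-wise against a blocklist (the domain itself or any subdomain). The log lines and the blocked domain are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Matches an http(s) URL up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed indicator list; in practice this comes from the AIR cluster or threat intel.
BLOCKED_DOMAINS = {"malicious-domain.example"}

# Constructed syslog-style lines from a mail gateway and a web proxy.
SAMPLE_LOG = """\
Jun 10 09:12:01 mx1 postfix/smtpd[2231]: URL seen http://malicious-domain.example/invoice.php in message id 4a1
Jun 10 09:12:05 proxy squid[880]: GET https://cdn.contoso.example/logo.png 200
Jun 10 09:12:09 proxy squid[880]: GET https://Login.MALICIOUS-domain.example:8443/auth?x=1 302
Jun 10 09:12:11 proxy squid[880]: GET http://notmalicious-domain.example/ok 200
Jun 10 09:12:30 mx1 postfix/smtpd[2231]: URL seen http://sub.malicious-domain.example/ in message id 4a2
"""


def host_of(url: str) -> str:
    """Lower-cased host without port or trailing dot; empty string if unparsable."""
    host = urlsplit(url.rstrip(".,;)")).hostname or ""
    return host.lower().rstrip(".")


def domain_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True when host is a blocked domain or a subdomain of one (label-wise suffix match)."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan_log(text: str, blocked=BLOCKED_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line number, host, url) for every URL whose host is blocked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            host = host_of(url)
            if domain_blocked(host, blocked):
                hits.append((lineno, host, url))
    return hits


if __name__ == "__main__":
    for lineno, host, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {host} <- {url}")
```

Run against a real file with `scan_log(open("/var/log/mail.log").read())`; lines 1, 3 and 5 of the sample hit, while the lookalike on line 4 does not.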
Windows (Defender & Event Logs)
Scan a file with Windows Defender (scanning a specific path requires -ScanType CustomScan):
Start-MpScan -ScanPath "C:\Downloads\file.exe" -ScanType CustomScan
Check Defender logs:
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"
Block a malicious IP via Firewall:
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -RemoteAddress 1.2.3.4 -Action Block
What Undercode Says
Microsoft Defender for Office 365's Auto-Remediation significantly reduces response time by automating threat removal. However, organizations must:
– Monitor false positives to avoid unintended data loss.
– Integrate with SIEM (e.g., Azure Sentinel) for enhanced visibility.
– Regularly audit AIR actions to ensure accuracy.
For security teams, combining PowerShell automation, log analysis, and proactive threat hunting ensures robust defense against evolving email threats.
Prediction
As AI-driven security evolves, expect more auto-remediation features in XDR platforms, reducing manual SOC workloads while improving threat response times.
Expected Output:
- Defender AIR auto-remediates threats without manual approval.
- PowerShell & API commands streamline threat management.
- Linux/Windows commands aid in forensic analysis.
- Future XDR solutions will further automate SecOps.
Reported By: Markolauren Defenderforoffice365 – Hackers Feeds


