Blog Post

Microsoft Defender for Endpoint Blog
3 MIN READ

Enhance your SOC with Microsoft Defender ATP Automatic Investigation and Remediation

Evald Markinzon's avatar
Sep 11, 2019

Three of the modern security operations center (SOC) challenges are:

  • The volume of cyber threats is growing while SOC capacity remains the same
  • Day-to-day work is eating SOC capacity, leaving little no time for strategic initiatives and projects
  • The time to respond to incoming threats is high.

Imagine having a virtual analyst in your Tier 1 / Tier 2 SOC team that mimics the ideal steps that SecOps would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity. Such a virtual analyst can take on a significant load of investigations and threat remediation, significantly reducing the time to respond, and freeing up your SOC team for other important strategic  .

If this all sounds like science fiction, it’s not!

Such a virtual analyst is part of your Microsoft Defender ATP suite, and its name is Automated Investigation and Remediation (AutoIR).

 

Let’s see what AutoIR does and how you can configure AutoIR in minutes to get immediate ROI.

 

What is Microsoft Defender ATP AutoIR?

AutoIR is an integral part of the Microsoft Defender ATP suite, built into Windows 10, version 1709 (RS3) and higher. AutoIR completes the protect-detect-investigate-remediate-close alert cycle automatically, with unlimited scale and provided with no additional cost. If your organization’s subscription includes Windows 10 E5, then you have automatic investigation and remediation capabilities.

 

Similar to how a manual SecOps investigation is done, AutoIR investigates alerts and remediates threats in 4 steps:

  1. Investigation
    • Analyze all alerts on a potentially compromised device, and determine whether they are related and should be consolidated into a single investigation.
    • For each alert on an impacted device, collect all the evidence that triggered alerts, and collect additional evidence, based on rules, such as similarity, prevalence, create/execution time similarity, and so on.
    • Analyze each piece of evidence by leveraging the Microsoft Security Graph infrastructure, with its built-in sandbox, various detection engines, Threat intelligence, reputation, machine learning algorithms, and custom indicators that together generate a concrete verdict for each piece of evidence: Clean, Malicious, or Suspicious.
  2. Remediation
    • For each piece of evidence type, such as file, process, service, driver, registry key, persistency method, apply an appropriate remediation action.
  3. Resolve alert
    • Update each alert investigation summary.
    • Resolve each alert.
  4. Pivot to additional devices
    • Identify whether additional devices were impacted
    • Repeat steps 1-3 for each impacted device

 

 

How to configure AutoIR for automatic threat investigation and remediation, end to end (protect-detect-investigate-remediate-close alert)

 

  • Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in as a global administrator or security administrator.
  • In the navigation pane, choose Settings.
  • In the General section, select Advanced features.
  • Turn on Automated Investigation and Automatically resolve alerts, as shown in the following image:

 

  • In the Permissions section, select Machine groups.
  • Select + Add machine group, and create at least one machine group. In the Automation level list, select Full – remediate threats automatically.

 

Do I have an audit log of all remediation actions?

Of course, you do! All remediation actions performed by AutoIR and Microsoft Defender Next Generation protection are listed in the Action center, on the History tab. In addition , SecOps can undo an action in case a file is determined to be legitimate in an organization.

 

And, an application can be added to an allow list by using Microsoft Defender ATP indicators. When you do this, an application will not be remediated again by AutoIR. To set up your allow list, see Manage indicators.

 

Congratulations! You now know how to complete AutoIR configuration and get a “virtual analyst” in your SOC.:smile:

 

AutoIR team.

 

Updated Sep 11, 2019
Version 1.0
No CommentsBe the first to comment