How automation brings value to your security teams
Published Jul 09 2019 08:41 AM 21.7K Views

Since we launched Microsoft Defender Advanced Threat Protection (ATP), it has continually evolved with new protection and detection capabilities, investigation and hunting tools, and response options. Last year we announced automated investigation and remediation with Microsoft Defender ATP. Since then, we have seen more and more customers use this unique capability to reduce overall exposure time and repetitive work, and to dramatically reduce security operations costs.


One piece of feedback we keep hearing is “How do you do that? What is the secret sauce?”

In this blog, we will highlight the three main parts of a successful automated investigation and remediation, performed by Microsoft Defender ATP – exposing some of our secret sauce.


The three main parts are: containment, investigation & remediation, and prevention of future reoccurrence.


Microsoft Defender ATP automatically covers the end-to-end threat lifecycle, from protection and detection to investigation and response. Its automated investigation and remediation uses state-of-the-art AI technology to investigate alerts, determine whether a threat is real, decide what action to take, and resolve incidents, going from alert to remediation in minutes and at scale.



Okay, that’s a lot to read and a lot of buzzwords – let’s start breaking it down.

Similar to a human analyst, Microsoft Defender ATP continuously monitors the alert queue. Once an alert is received, we briefly analyze its risk and adjust the risk level of the affected machine(s) accordingly, which automatically enforces Conditional Access to contain the threat. Since an alert contains detection information and related data, Microsoft Defender ATP analyzes this information and generates context-aware questions. For example, for an alert that involves a file that might be malicious, the system will automatically answer the following questions (not a complete list):

  • Where was the file created?
  • Who created the file?
  • What else was created with this file?
  • Where did this file come from?
  • Where else can I see this file in your organization?
  • Where else can I see this file worldwide?
  • When was the file created?
  • What are the file permissions?
  • Is the file digitally signed?
  • Was it part of an install process?
  • Is it similar to any other file?
  • Have we seen it before?
  • Was the file executed?


To answer those questions, Microsoft Defender ATP can leverage three different data sets: historical machine data, historical organizational data, and, if the questions can’t be answered from historical data, real-time access to the involved machines.


As you might guess, this will not answer all questions – it will actually generate more questions. For example, if we find that this file was created by a specific process, it’s time to ask ourselves a new set of questions about that process.

  • When was this process first initiated?
  • What’s the full process execution tree?
  • What other files did this process create?
  • What other modules did this process load?
  • Where did the process communicate to?
  • Did it set up or change any persistence mechanism?
  • Where else have I seen this process in your organization?
  • What is the process image file?

Yeah fun! More questions!

Again, answering these questions will not end the investigation; the answers will generate more questions. But no worries, Microsoft Defender ATP is deterministic: eventually every question has been answered, and then we can move on to the next step.


Just before we jump to the next step, we want to go back and highlight the recurring process of forming a hypothesis, asking questions, collecting data, analyzing the data, and answering the questions, which is what we usually refer to as an automated investigation. By the way, that’s exactly what your analyst is doing when an alert comes in.

Let’s say that we found a malicious process, which created persistence, communicated with a command and control server (C2), and created a few other malicious files (yes, we did investigate all relevant machines in your network for similar behavior, and in this example we couldn’t find any other sign of infection).

Now with all those answers, we have finalized our investigation process and have all the context we need in order to build the right response package.

As you might guess, what we need to do now is find a way to safely remove the threat. Let’s do this.

For the C2 communication, we block connections to the C2 address so that another variant of this threat will not be able to reach it. For each persistence mechanism, we go back to our investigation data and, based on the outcome, safely remove it.

The response contains two main parts: real-time remediation (killing a process, quarantining a file, terminating a connection, and so on) and future prevention (blocking an IP address, adding a file to a blocklist) to avoid any further reoccurrence.

Now that the threat has been remediated and your machines have self-healed, we auto-resolve the alerts for you and safely remove them from your to-do list.
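As an added illustration (not Defender ATP’s own code, whose internals the post does not disclose), here is a toy Python model of the loop described above: the alerted entity seeds a queue of questions, each answer raises new questions about related entities until no unseen entity remains, verdicts are derived in discovery order, and the response package is split into real-time remediation and future prevention. The telemetry, entity names, the TEST-NET address and the action names are all constructed assumptions.

```python
from collections import deque

# Constructed telemetry for one machine (sample data, not real indicators). Ids are "kind:name".
TELEMETRY = {
    "file:invoice.exe": {"created_by": "proc:outlook.exe", "executed_as": "proc:invoice.exe", "signed": False},
    "proc:invoice.exe": {"image": "file:invoice.exe", "created": ["file:svc.dll"],
                         "connected_to": ["ip:203.0.113.7"], "persistence": ["reg:Run\\svc"]},
    "file:svc.dll": {"created_by": "proc:invoice.exe", "signed": False},
    "ip:203.0.113.7": {"reputation": "malicious"},
}
# kind -> (real-time remediation, future prevention); None means there is no prevention step
ACTIONS = {"proc": ("kill_process", None), "ip": ("terminate_connection", "block_ip"),
           "file": ("quarantine_file", "blocklist_file"), "reg": ("remove_persistence", None)}

def investigate(alert_entity, telemetry=TELEMETRY):
    """Breadth-first question loop: every related entity is a new question; ends when none are unseen."""
    seen, queue = [], deque([alert_entity])
    while queue:
        entity = queue.popleft()
        if entity in seen:
            continue
        seen.append(entity)
        for value in telemetry.get(entity, {}).values():  # follow every relation to a related entity
            for related in (value if isinstance(value, list) else [value]):
                if isinstance(related, str) and ":" in related:
                    queue.append(related)
    return seen  # discovery order: an entity appears after the one whose answer raised it

def verdicts(entities, alert_entity, telemetry=TELEMETRY):
    """Judge entities in discovery order, so the verdict on a related entity is already known."""
    bad = {alert_entity}
    for e in entities:
        facts, kind = telemetry.get(e, {}), e.split(":", 1)[0]
        if ((kind == "ip" and facts.get("reputation") == "malicious")
                or (kind == "proc" and facts.get("image") in bad)
                or (kind == "file" and facts.get("created_by") in bad and not facts.get("signed", True))
                or (kind == "reg" and any(e in telemetry[p].get("persistence", []) for p in bad if p in telemetry))):
            bad.add(e)
    return bad

def response_package(bad):
    """Split the response into real-time remediation and future prevention, as described above."""
    realtime, prevention = [], []
    for e in sorted(bad, key=lambda e: (list(ACTIONS).index(e.split(":", 1)[0]), e)):
        kind, name = e.split(":", 1)
        now, later = ACTIONS[kind]
        realtime.append((now, name))
        if later:
            prevention.append((later, name))
    return realtime, prevention
```

Running `response_package(verdicts(investigate("file:invoice.exe"), "file:invoice.exe"))` yields the kill, terminate, quarantine and persistence-removal steps first, and the block-IP and blocklist entries as the prevention part; the benign parent process outlook.exe is visited but never judged malicious.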


As threats evolve, we continuously enhance our protection, detection, and automation capabilities, helping your security teams to stay ahead of the bad guys.


Keep following our blogs to stay updated!

Microsoft Defender ATP Team

Version history
Last update: Jul 10 2019 05:29 PM