M365 AIR Investigation Signal

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

M365 AIR Investigation Signal

Identifies Microsoft 365 Automated Investigation and Response (AIR) events including automated investigations, manual investigations, and admin-initiated actions. These events track Microsoft’s automated threat response activities and can indicate active threats being remediated. This building block rule generates security events for correlation, threat hunting, and telemetry collection to provide visibility into automated response actions.

Rule type: query

Rule indices:

logs-o365.audit-*
filebeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Data Source: Microsoft Defender for Office 365
Use Case: Threat Detection
Use Case: Automated Response Tracking
Tactic: Initial Access
Tactic: Execution
Rule Type: BBR

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Setup

edit

Additional notes

For information on troubleshooting the maximum alerts warning please refer to this guide.

Rule query

edit

event.dataset:o365.audit and
    event.code:(AirInvestigation or AirManualInvestigation or AirAdminActionInvestigation)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: User Execution
- ID: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/

« Local Scheduled Task Creation M365 Defender Alerts Signal »