M365 AIR Investigation Signal

Identifies Microsoft 365 Automated Investigation and Response (AIR) events including automated investigations, manual investigations, and admin-initiated actions. These events track Microsoft's automated threat response activities and can indicate active threats being remediated. This building block rule generates security events for correlation, threat hunting, and telemetry collection to provide visibility into automated response actions.

Rule type: query
Rule indices:

• logs-o365.audit-*
• filebeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

• https://learn.microsoft.com/en-us/defender-office-365/air-about
• https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32

Tags:

• Domain: Cloud
• Domain: SaaS
• Data Source: Microsoft 365
• Data Source: Microsoft 365 Audit Logs
• Data Source: Microsoft Defender for Office 365
• Use Case: Threat Detection
• Use Case: Automated Response Tracking
• Tactic: Initial Access
• Tactic: Execution
• Rule Type: BBR

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

For information on troubleshooting the maximum alerts warning please refer to this guide.

event.dataset:o365.audit and
    event.code:(AirInvestigation or AirManualInvestigation or AirAdminActionInvestigation)
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Initial Access
  • Id: TA0001
  • Reference URL: https://attack.mitre.org/tactics/TA0001/

• Technique:

  • Name: Phishing
  • Id: T1566
  • Reference URL: https://attack.mitre.org/techniques/T1566/

Framework: MITRE ATT&CK

• Tactic:

  • Name: Execution
  • Id: TA0002
  • Reference URL: https://attack.mitre.org/tactics/TA0002/

• Technique:

  • Name: User Execution
  • Id: T1204
  • Reference URL: https://attack.mitre.org/techniques/T1204/