Adversaries may use AIR (Automated Investigation and Response) investigation actions to gather information about user activity and system behavior, which can indicate reconnaissance or forensic analysis on their part. SOC teams should proactively hunt for these actions in Azure Sentinel to identify suspicious investigative patterns that may signal an ongoing compromise or advanced threat activity.
KQL Query

```kql
CloudAppEvents
| where ActionType == "AirInvestigationData"
| project Timestamp, RawEventData
// RawEventData nests further JSON-encoded strings, hence the repeated parse_json(tostring(...))
| extend EventData = parse_json(RawEventData)
| extend Data = parse_json(tostring(EventData.Data))
| extend InvestigationType = EventData.InvestigationType
| extend InvestigationId = EventData.InvestigationId
| extend Status = tostring(Data.Status)
| where Status == "Resolved"
// One row per remediation action, then one row per entity the action touched
| extend ActionRaw = parse_json(tostring(EventData.Actions))
| mv-expand ActionRaw
| extend Action = parse_json(tostring(ActionRaw))
| extend ActionType=Action.ActionType, ActionApproval=Action.ActionApproval, ApprovedBy=Action.ApprovedBy, ApproverComment=Action.ApproverComment, ActionStatus=Action.ActionStatus
| mv-expand Action.Entities
| extend EntityQuery = Action_Entities.Query
// Two columns in one mv-expand are expanded in lock-step (zipped, null-padded), not as a cross product
| mv-expand Action_Entities.Urls, Action_Entities.NetworkMessageIds
| sort by Timestamp
| project Timestamp, InvestigationType, InvestigationId, ActionType, ActionApproval, ApprovedBy, ApproverComment, ActionStatus, EntityQuery, Action_Entities_Urls, Action_Entities_NetworkMessageIds
```
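To sanity-check the parsing logic of the query offline before running it in Sentinel, here is an added Python example (not from the original page) that flattens one constructed RawEventData value the same way the query does, including the lock-step expansion of Urls and NetworkMessageIds. The nesting of the sample event (Data and Actions carried as JSON-encoded strings) is an assumption chosen to match the repeated parse_json(tostring(...)) calls, not a documented schema.

```python
import json
from itertools import zip_longest

# Constructed sample of one CloudAppEvents.RawEventData value for an AirInvestigationData
# row. Field names follow the hunting query; carrying Data and Actions as JSON-encoded
# strings (why the KQL repeats parse_json(tostring(...))) is an assumption, not a documented schema.
SAMPLE_RAW_EVENT_DATA = json.dumps({
    "InvestigationType": "Phish",
    "InvestigationId": "EXAMPLE-INVESTIGATION-ID",
    "Data": json.dumps({"Status": "Resolved"}),
    "Actions": json.dumps([json.dumps({
        "ActionType": "SoftDelete", "ActionApproval": "Approved",
        "ApprovedBy": "secops@example.com", "ApproverComment": "Confirmed phish",
        "ActionStatus": "Completed",
        "Entities": [{
            "Query": "Subject:'Invoice'",
            "Urls": ["https://example.test/a", "https://example.test/b"],
            "NetworkMessageIds": ["msg-0001"],
        }],
    })]),
})

ACTION_FIELDS = ("ActionType", "ActionApproval", "ApprovedBy", "ApproverComment", "ActionStatus")

def as_json(value):
    """Mirror parse_json(tostring(x)): accept an object or a JSON-encoded string."""
    return json.loads(value) if isinstance(value, str) else value

def flatten_air_event(raw_event_data, status="Resolved"):
    """Flatten one RawEventData value into rows shaped like the query's output;
    returns [] unless the investigation status matches (the query keeps 'Resolved')."""
    event = as_json(raw_event_data)
    if as_json(event.get("Data") or {}).get("Status") != status:
        return []
    rows = []
    for action in as_json(event.get("Actions") or []):
        action = as_json(action)
        base = {"InvestigationType": event.get("InvestigationType"),
                "InvestigationId": event.get("InvestigationId")}
        base.update({field: action.get(field) for field in ACTION_FIELDS})
        for entity in action.get("Entities", []):
            # mv-expand over two columns expands them in lock-step and pads the shorter
            # array with null (not a cross product); zip_longest reproduces that.
            for url, msg_id in zip_longest(entity.get("Urls", []), entity.get("NetworkMessageIds", [])):
                rows.append({**base, "EntityQuery": entity.get("Query"),
                             "Url": url, "NetworkMessageId": msg_id})
    return rows
```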
```yaml
id: 28a1ce89-ee88-47b3-872b-fb5c3c8b350c
name: AIR investigation actions insight
description: |
  This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
description-detailed: |
  This query provides insights into AIR investigation results approval actions (Approved, Declined, etc.) in Microsoft Defender for Office 365.
  More information: https://learn.microsoft.com/en-us/defender-office-365/air-remediation-actions and https://learn.microsoft.com/en-us/defender-office-365/air-review-approve-pending-completed-actions
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AirInvestigationData"
  | project Timestamp, RawEventData
  // RawEventData nests further JSON-encoded strings, hence the repeated parse_json(tostring(...))
  | extend EventData = parse_json(RawEventData)
  | extend Data = parse_json(tostring(EventData.Data))
  | extend InvestigationType = EventData.InvestigationType
  | extend InvestigationId = EventData.InvestigationId
  | extend Status = tostring(Data.Status)
  | where Status == "Resolved"
  // One row per remediation action, then one row per entity the action touched
  | extend ActionRaw = parse_json(tostring(EventData.Actions))
  | mv-expand ActionRaw
  | extend Action = parse_json(tostring(ActionRaw))
  | extend ActionType=Action.ActionType, ActionApproval=Action.ActionApproval, ApprovedBy=Action.ApprovedBy, ApproverComment=Action.ApproverComment, ActionStatus=Action.ActionStatus
  | mv-expand Action.Entities
  | extend EntityQuery = Action_Entities.Query
  // Two columns in one mv-expand are expanded in lock-step (zipped, null-padded), not as a cross product
  | mv-expand Action_Entities.Urls, Action_Entities.NetworkMessageIds
  | sort by Timestamp
  | project Timestamp, InvestigationType, InvestigationId, ActionType, ActionApproval, ApprovedBy, ApproverComment, ActionStatus, EntityQuery, Action_Entities_Urls, Action_Entities_NetworkMessageIds
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Admin performs a scheduled mailbox export for compliance purposes using Microsoft 365 Compliance Center. | Exclude events where the action is initiated from the Compliance Center or where the user has the Compliance Administrator role. |
| A Microsoft Defender for Office 365 scheduled job runs to scan for phishing content in user mailboxes. | Exclude events associated with scheduled scan jobs or where the action is initiated by the Microsoft Defender for Office 365 service account. |
| An administrator manually investigates a suspicious email using Microsoft Defender for Office 365's investigation tools. | Exclude events where the user has the Global Administrator role or where the action is initiated from the Security & Compliance Center. |
| A Microsoft Teams meeting is reviewed for security purposes, triggering an investigation action in the system. | Exclude events related to Microsoft Teams meetings or where the action is associated with the Teams admin role. |
| A Power Automate flow is configured to automatically investigate and flag suspicious emails based on predefined criteria. | Exclude events where the action is initiated by a Power Automate flow or where the user has the Power Platform admin role. |