Email AIR Effectiveness

# Automated investigation and response effectiveness

## Query Information

#### Description
This query only returns results if Automated Investigation and Response (AIR) is enabled in Defender for Office 365. The query is aimed at displaying the effectiveness of AIR: the automatic response actions can fail, so it is important to review them on a periodic basis.
The query lists the statistics by day and result.


#### References
- https://learn.microsoft.com/en-us/defender-office-365/air-about

## Defender XDR
```KQL
EmailPostDeliveryEvents
| where ActionType =~ "Automated Remediation"
| summarize TotalNetworkMessages = dcount(NetworkMessageId) by bin(Timestamp, 1d), ActionResult
```

## Sentinel
```KQL
EmailPostDeliveryEvents
| where ActionType =~ "Automated Remediation"
| summarize TotalNetworkMessages = dcount(NetworkMessageId) by bin(Timestamp, 1d), ActionResult
```

Explanation

This query is designed to evaluate the effectiveness of Automated Investigation and Response (AIR) in Microsoft Defender for Office 365. It only returns rows when AIR is enabled and has taken automated remediation actions, and it analyzes how well AIR performs by looking at the outcomes of those actions. The query does this by counting the number of unique network messages processed each day and categorizing them by the result of the action (e.g., success or failure). This helps in identifying any issues with the automatic responses and ensures they are reviewed regularly to maintain their effectiveness. The same query is used in both Defender XDR and Sentinel environments.
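As an added example (not part of the original query or its author's repository), the variant below extends the daily statistics by computing each result's share of that day's remediated messages, so a growing share of non-successful outcomes stands out without having to eyeball raw counts. It assumes a 30-day lookback and does not hardcode any ActionResult strings, so it works with whatever result values the tenant reports.

```kql
// Added example: daily AIR remediation outcomes as a share of the day's total.
// Assumption: a 30-day review window; adjust ago() to the reporting period.
let Lookback = 30d;
// Distinct messages that received an automated remediation action per day.
let DailyTotals = EmailPostDeliveryEvents
| where Timestamp > ago(Lookback)
| where ActionType =~ "Automated Remediation"
| summarize DayTotal = dcount(NetworkMessageId) by Day = bin(Timestamp, 1d);
// Same breakdown as the original query (per day and per ActionResult),
// joined to the daily total to express each result as a percentage.
EmailPostDeliveryEvents
| where Timestamp > ago(Lookback)
| where ActionType =~ "Automated Remediation"
| summarize TotalNetworkMessages = dcount(NetworkMessageId) by Day = bin(Timestamp, 1d), ActionResult
| join kind=inner DailyTotals on Day
// A message that records more than one result on the same day is counted in
// each result bucket, so shares for a day can add up to slightly over 100%.
| extend SharePct = round(100.0 * TotalNetworkMessages / DayTotal, 1)
| project Day, ActionResult, TotalNetworkMessages, DayTotal, SharePct
| order by Day desc, SharePct desc
```

Sorting by SharePct within each day puts the dominant outcome first; a day where a non-success result tops the list is the one to review.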

Details

Bert-Jan Pals

Released: July 21, 2025

Tables

EmailPostDeliveryEvents

Keywords

EmailPostDeliveryEvents, ActionType, Automated Remediation, NetworkMessageId, Timestamp, ActionResult

Operators

where, =~, summarize, dcount, bin