Microsoft Defender alert investigation, automated
OwlSOC investigates every Microsoft Defender alert — Defender for Endpoint and Defender for Office — and returns an evidence-linked timeline, a MITRE ATT&CK mapping and a plain-language verdict, typically in under two minutes, 24/7. It connects read-only, and a human on your team approves any containment before it runs.
The problem with Defender alerts
Defender is good at firing alerts. It is less good at telling you which ones matter. A mid-sized estate running Defender for Endpoint and Defender for Office can surface hundreds of signals a day — encoded-PowerShell executions, suspicious child processes, OAuth consent grants, phishing and adversary-in-the-middle (AiTM) sign-ins. Most are noise. A few are not.
Triaging that volume by hand means analysts skim, sample, or queue. The 3am alert waits until morning. OwlSOC investigates every alert the same way a careful analyst would, and does it in minutes rather than leaving it in a queue.
How OwlSOC investigates a Defender alert
When a Defender alert fires, OwlSOC pulls the surrounding signal — process trees, identity and device context, mail events, sign-in logs — and reasons over it. It resolves the affected entities, maps the activity to MITRE ATT&CK, and builds a timeline where every claim cites its source. You can click from any line of the narrative to the exact Defender record behind it.
The output is written in plain language: what happened, why it matters, and how sure we are. No screen of raw JSON to interpret under pressure.
- Endpoint signals: encoded or obfuscated PowerShell, suspicious Office child processes, credential-access and lateral-movement behaviour
- Office signals: phishing and AiTM sign-ins, malicious OAuth consent grants, mailbox and forwarding-rule abuse
- Affected-entity resolution across account, device, IP and indicator
- MITRE ATT&CK technique mapping for every case
- An evidence-linked timeline — each step references a source Defender record or pivot ID
Verdicts you can check, not just trust
Every case gets standard deterministic triage: a score and a one-line summary on each alert. The AI investigation — a calibrated confidence percentage, a root-cause narrative, alternative hypotheses and the verdict — is a separate step included in the paid tiers.
Verdicts are hedged on purpose. OwlSOC returns likely true positive, likely false positive, or uncertain — needs review. There is no green tick that says confirmed. Ambiguous cases are flagged for review rather than miscalled, and because the timeline is fully sourced, your team can disagree with any conclusion and see exactly why OwlSOC reached it.
Containment stays under your control
OwlSOC does not act on your tenant by itself. It investigates and recommends; a human approves. For a confirmed phishing-driven compromise it might recommend revoking the session and blocking the indicator — but those actions only execute through a write connector after someone on your team approves the specific action, and only if you have granted the write scope. The API enforces this regardless of what the portal shows.
By default OwlSOC connects read-only. Every recommended and approved action is logged in an action trail; reversible actions can be undone, and the few that cannot are flagged before approval.
Connecting Defender to OwlSOC
Connection is an OAuth grant — read-only by default, no agents to install and nothing to deploy to your endpoints. OwlSOC reads the security signal it needs to investigate an alert and nothing outside that scope; it does not read mail content or files.
Most pilots are investigating live Defender alerts within about 48 hours of the grant. The slowest part is usually getting the grant approved on your side.
- Read-only by default; no agents, no migration
- Live within roughly 48 hours of access
- £495 for a 30-day, fully refundable pilot on one environment
- From £495 per month per monitored environment after that — monthly, no minimum term
Frequently asked
Does OwlSOC cover both Defender for Endpoint and Defender for Office?
Yes. OwlSOC investigates Microsoft Defender for Endpoint and Defender for Office signals — for example encoded-PowerShell execution and suspicious Office child processes on the endpoint side, and phishing, adversary-in-the-middle sign-ins and malicious OAuth consent grants on the Office side.
Will OwlSOC isolate a device or revoke a session automatically?
No. OwlSOC investigates and recommends; a human on your team approves any action. Containment executes through a write connector only after someone approves the specific action, and only if you have granted the write scope. By default the connection is read-only.
How does OwlSOC connect to Microsoft Defender?
Through a read-only OAuth grant, with no agents to install. OwlSOC reads only the security signal needed to investigate an alert and nothing outside that scope. Most pilots are investigating live Defender alerts within about 48 hours of the grant being approved.
How fast does an investigation complete?
Typically in under two minutes per alert, running 24/7. Every alert is investigated rather than sampled, so a 3am Defender alert is worked through at 3am instead of waiting in a queue until morning.
Start with a 30-day refundable pilot. £495, one environment, every alert investigated, a full report at week four. Read-only, live within 48 hours of access.