By default, remediation actions identified by automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 require approval by security operations (SecOps) teams. For more information about AIR, see Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.
Now, admins can also designate certain actions to automatically remediate. Automatically remediating messages identified as malicious in AIR investigations has the following benefits:
- Increases customer protection by expediting remediation of more threats.
- Saves time for SecOps teams by reducing the need for approval.
The rest of this article describes how to configure automated remediation in AIR and how to identify messages that were automatically remediated.
Configure automated remediation
AIR creates a cluster around a detected malicious file or URL, and then the automated investigation checks the location of messages within the cluster. If the messages are in mailboxes, AIR produces a remediation action.
After you select the cluster types to automatically remediate, the selected remediation action occurs without the need for SecOps approval.
Tip
Clusters produced by AIR that don't automatically remediate still show as Pending action as they do today.
Clusters larger than 10,000 messages don't automatically remediate and show as Pending action for review.
Use the following steps to select the cluster types to automatically remediate:
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > MDO automation settings.
The following settings are available on the Automation settings page:
Message clusters section: Specifies the types of message clusters that are automatically remediated. Choose one or more of the following options:
Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file. The cluster groups all messages that contain the file into the cluster. Selecting this setting opts the organization in to automated remediation for these malicious file clusters.
Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL. The cluster groups all messages that contain the URL into the cluster. Selecting this setting opts the organization in to automated remediation for these malicious URL clusters.
Tip
Follow the roadmap to stay informed on when more message clusters are available for automated remediation.
Remediation action section: Specifies the action to take on message cluster types specified in the Message clusters section.
Currently, Soft delete is the only available action. For more information about soft deleted messages, see Recoverable Items folder in Exchange Online.
Important
The ability to recover soft deleted messages depends on the retention policy for soft deleted messages in each mailbox. Verify your legal obligations for email retention, including messages marked as malicious. For more information on the retention of soft deleted messages, see Change how long permanently deleted items are kept for an Exchange Online mailbox in Exchange Online.
When you're finished on the Automation settings page, select Save.
Review automatically remediated messages
The following subsections show how to use the Defender portal to review automated remediation actions.
Automated remediation results in the Action center
In the Action center at https://security.microsoft.com/action-center/, automatically remediated clusters appear on the History tab. Use the Decided by filter with the value Automation to return clusters that were automatically remediated.
For more information about the Action center, see The Action center.
Automated remediation results in investigations
Within an investigation in AIR, automatically remediated clusters appear on the Pending action history tab of the investigation with the Handled by value Automation.
For more information about AIR investigation results, see Details and results of automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2.
Automated remediation results in Threat Explorer
In Threat Explorer (Explorer), automatically remediated messages have the Additional action value Automated remediation:automated.
For more information about Threat Explorer, see About Threat Explorer and Real-time detections in Microsoft Defender for Office 365.
Automated remediation results in Advanced hunting
In Advanced hunting, automatically remediated messages are in the EmailPostDeliveryEvents table with both of the following property values:
- ActionType equals Automated Remediation
- ActionTrigger equals Automation
For more information about Advanced hunting, see Proactively hunt for threats with advanced hunting in Microsoft Defender.
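As an added example (not a query from the article or from Microsoft), the following advanced hunting query applies those two property values and then joins to EmailEvents so each automatically remediated message is shown with its sender, subject and threat classification. The seven-day window, the case-insensitive value matching and the ActionResult success string are assumptions.

```kusto
// Added example: list messages soft-deleted by AIR automated remediation and
// enrich them with delivery details. Column names come from the
// EmailPostDeliveryEvents and EmailEvents schemas; the lookback window, the
// case-insensitive matching and the "Success" result value are assumptions.
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
// The two property values the article describes for automated remediation.
| where ActionType =~ "Automated Remediation" and ActionTrigger =~ "Automation"
| project RemediationTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          Action, ActionResult, DeliveryLocation
// Pull sender, subject and threat verdict from the original delivery record.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, ThreatTypes, DetectionMethods
  ) on NetworkMessageId, RecipientEmailAddress
// One row per message, with the set of mailboxes it was removed from and a
// count of remediation attempts that did not succeed (value assumed).
| summarize Recipients = make_set(RecipientEmailAddress),
            MailboxCount = dcount(RecipientEmailAddress),
            FirstRemediation = min(RemediationTime),
            LastRemediation = max(RemediationTime),
            Failures = countif(ActionResult !~ "Success"),
            take_any(SenderFromAddress, Subject, ThreatTypes, Action, DetectionMethods)
    by NetworkMessageId
| order by LastRemediation desc
```

Rows with Failures greater than zero are the ones to reconcile against the Action center History tab, since the cluster was approved automatically but not every mailbox copy was removed.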
Revert automated remediation actions on messages
Note
The ability to recover messages depends on the data still being available in Defender and the mailbox retention settings for soft deleted messages. For more information, see the following articles:
The following methods are available to revert automated remediation actions and restore messages to mailboxes:
- Take action on the message in Threat Explorer or Advanced hunting. For information about the Take action wizard, see The Take action wizard.
- The Move to Inbox or Move to Junk actions in the cluster property details flyout on the History tab of the Action center, as shown in the following screenshot: