Configure automated investigation and response capabilities in Microsoft Defender XDR

Microsoft Defender XDR includes powerful automated investigation and response capabilities that can save your security operations team much time and effort. With self-healing, these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale.

This article describes how to configure automated investigation and response in Microsoft Defender XDR with these steps:

  1. Review the prerequisites.
  2. Review or change the automation level for device groups.
  3. Review your security and alert policies in Office 365.

Then, after you're all set up, you can view and manage remediation actions in the Action center. And, if necessary, you can make changes to automated investigation settings.

Prerequisites for automated investigation and response in Microsoft Defender XDR

Requirement Details
Subscription requirements One of these subscriptions:
  • Microsoft 365 E5
  • Microsoft 365 A5
  • Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
  • Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
  • Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5

See Microsoft Defender XDR licensing requirements.
Network requirements
Windows device requirements
Protection for email content and Office files
Permissions To configure automated investigation and response capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (https://portal.azure.com) or in the Microsoft 365 admin center (https://admin.microsoft.com):
  • Global Administrator
  • Security Administrator
To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see Required permissions for Action center tasks.

Note

Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.

Review or change the automation level for device groups

Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft Defender portal at https://security.microsoft.com and sign in.

  2. Go to Settings > Endpoints > Device groups under Permissions.

  3. Review your device group policies. In particular, look at the Remediation level column. We recommend using Full - remediate threats automatically. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles:

Review your security and alert policies in Office 365

Microsoft provides built-in alert policies that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. Some alerts can trigger automated investigation and response in Office 365. Make sure your Defender for Office 365 features are configured correctly.

Although certain alerts and security policies can trigger automated investigations, no remediation actions are taken automatically for email and content. Instead, all remediation actions for email and email content await approval by your security operations team in the Action center.

Security settings in Exchange Online Protection (EOP) and Defender for Office 365 help protect email and content. We recommend using the Standard and Strict preset security policies to assign protection to users.

If you're using custom policies, use the Configuration analyzer to compare your policy settings to the Standard and Strict preset security policy settings. For a detailed listing of all policy settings, see the tables in Recommended settings for EOP and Microsoft Defender for Office 365 security.

You can review your alert policies in the Defender portal at https://security.microsoft.com > Policies & rules > Alert policy or directly at https://security.microsoft.com/alertpoliciesv2. Several default alert policies are in the Threat management category. Some of the alert policies in the Threat management category can trigger automated investigation and response. To learn more, see Threat management alert policies.

Need to make changes to automated investigation settings?

You can choose from several options to change settings for your automated investigation and response capabilities. Some options are listed in the following table:

To do this Follow these steps
Specify automation levels for groups of devices
  1. Set up one or more device groups. See Create and manage device groups.
  2. In the Microsoft Defender portal, go to Permissions > Endpoints roles & groups > Device groups.
  3. Select a device group and review its Automation level setting. (We recommend using Full - remediate threats automatically). See Automation levels in automated investigation and remediation capabilities.
  4. Repeat steps 2 and 3 as appropriate for all your device groups.

Next steps

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.