Remediate your first incident in Microsoft Defender XDR

Applies to:

• Microsoft Defender XDR

Microsoft Defender XDR provides detection and analysis capabilities to ensure containment and eradication of threats. Containment includes steps to reduce the impact of the attack while eradication ensures all traces of attacker activity are removed from the network.

Remediation in Microsoft Defender XDR can be automated or through manual actions taken by incident responders. Remediation actions can be taken on devices, files, and identities.

Automatic remediation

Microsoft Defender XDR leverages its threat intelligence and the signals within your network to combat the most disruptive attacks. Ransomware, business email compromise (BEC), and adversary-in-the-middle (AiTM) phishing are some of the most complex attacks that can be contained immediately through automatic attack disruption capability. Once an attack has been disrupted, incident responders can take over and fully investigate an attack and apply the required remediation.

Learn how automatic attack disruption helps in incident response:

Meanwhile, Microsoft Defender XDR's automated investigation and response capabilities can automatically investigate and apply remediation actions to malicious and suspicious items. These capabilities scale investigation and resolution to threats, freeing incident responders to focus their efforts on high-impact attacks.

You can configure and manage automated investigation and response capabilities. You can also view all past and pending actions through the Action center.

Note

You can undo automatic actions after review.

To speed up some of your investigation tasks, you can triage alerts with Power Automate. In addition, automated remediation can be created using automation and playbooks. Microsoft has playbook templates on GitHub for the following scenarios:

• Remove sensitive file sharing after requesting user validation
• Auto-triage infrequent country alerts
• Request for manager action before disabling an account
• Disable malicious inbox rules

Playbooks use Power Automate to create custom robotic process automation flows to automate certain activities once specific criteria have been triggered. Organizations can create playbooks either from existing templates or from scratch. Playbooks can also be created during post-incident review to create remediation actions from resolved incidents.

Learn how Power Automate can help you automate your incident response through this video:

Manual remediation

While responding to an attack, security teams can leverage the portal's manual remediation actions to stop attacks from further incurring damage. Some actions can immediately stop a threat, while others assist in further forensic analysis. You can apply these actions to any entity depending on the Defender workloads deployed within your organization.

Actions on devices

• Isolate the device - isolates an affected device by disconnecting the device from the network. The device remains connected to the Defender for Endpoint service for continued monitoring.

• Restrict app execution - restricts an application by applying a code integrity policy that only allows files to run if they're signed by a Microsoft-issued certificate.

• Run Antivirus scan - initiates a Defender Antivirus scan remotely for a device. The scan can run alongside other antivirus solutions, whether Defender Antivirus is the active antivirus solution or not.

• Collect investigation package - you can collect an investigation package from a device as part of the investigation or response process. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.

• Initiate automated investigation - starts a new general purpose automated investigation on the device. While an investigation is running, any other alert generated from the device will be added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

• Initiate live response - gives you instantaneous access to a device by using a remote shell connection so you can do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

• Ask Defender Experts - you can consult a Microsoft Defender expert for more insights regarding potentially compromised or already compromised devices. Microsoft Defender experts can be engaged directly from within the portal for a timely and accurate response. This action is available for both devices and files.

Other actions on devices are available through the following tutorial:

• Response actions on a device enabled through Defender for Endpoint

Note

You can take actions on devices straight from the graph within the attack story.

Actions on files

• Stop and quarantine file - includes stopping running processes, quarantining files, and deleting persistent data like registry keys.
• Add indicators to block or allow file - prevents an attack from spreading further by banning potentially malicious files or suspected malware. This operation prevents the file from being read, written, or executed on devices in your organization.
• Download or collect file – allows analysts to download a file in a password protected .zip archive file for further analysis by the organization.
• Deep analysis – executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IP addresses.

Remediating other attacks

Note

These tutorials apply when other Defender workloads are enabled in your environment.

The following tutorials enumerate steps and actions that you can apply when investigating entities or responding to specific threats:

• Responding to a compromised email account via Defender for Office 365
• Remediating vulnerabilities with Defender for Vulnerability Management
• Remediation actions for user accounts via Defender for Identity
• Applying policies to control apps with Defender for Cloud Apps

Next steps

• Simulate attacks through the attack simulation training
• Explore Microsoft Defender XDR through the Virtual Ninja training

See also

• Investigate incidents
• Learn the portal's features and functions through the Microsoft Defender XDR Ninja training

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.