Configure automated investigation and response capabilities in Microsoft 365 Defender

Note: Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Microsoft 365 Defender includes powerful automated investigation and response capabilities that can save your security operations team much time and effort. With self-healing, these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale.

This article describes how to configure automated investigation and response in Microsoft 365 Defender with these steps:

  1. Review the prerequisites.
  2. Review or change the automation level for device groups.
  3. Review your security and alert policies in Office 365.

Then, after you're all set up, you can view and manage remediation actions in the Action center. And, if necessary, you can make changes to automated investigation settings.

Prerequisites for automated investigation and response in Microsoft 365 Defender

Requirement: Subscription requirements
Details: One of these subscriptions:
  • Microsoft 365 E5
  • Microsoft 365 A5
  • Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
  • Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
  • Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5
See Microsoft 365 Defender licensing requirements.

Requirement: Network requirements

Requirement: Windows device requirements

Requirement: Protection for email content and Office files

Requirement: Permissions
Details: To configure automated investigation and response capabilities, you must have one of the following roles assigned in either Azure Active Directory (https://portal.azure.com) or in the Microsoft 365 admin center (https://admin.microsoft.com):
  • Global Administrator
  • Security Administrator
To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see Required permissions for Action center tasks.

Review or change the automation level for device groups

Whether automated investigations run on your devices, and whether remediation actions are taken automatically or only after approval, depends on settings such as your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Device groups under Permissions.

  3. Review your device group policies. In particular, look at the Automation level column. We recommend using Full - remediate threats automatically. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles:

Review your security and alert policies in Office 365

Microsoft provides built-in alert policies that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. Some alerts can trigger automated investigation and response in Office 365. Make sure your Defender for Office 365 features are configured correctly.

Although certain alerts and security policies can trigger automated investigations, no remediation actions are taken automatically for email and content. Instead, all remediation actions for email and email content await approval by your security operations team in the Action center.

Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in Protect against threats.

  1. In the Microsoft 365 Defender portal, go to Policies & Rules > Threat policies.

  2. Make sure all of the following policies are configured. To get help and recommendations, see Protect against threats.

  3. Make sure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is turned on.

  4. Make sure Zero-hour auto purge (ZAP) in Exchange Online is in effect.

  5. (This step is optional.) Review your Office 365 alert policies in the Microsoft Purview compliance portal (https://compliance.microsoft.com/compliancepolicies). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see Default alert policies.
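The following script is an added example, not part of this article or of Microsoft's own tooling. It performs a read-only check of the two settings that steps 3 and 4 above ask you to verify: the tenant-wide Safe Attachments switch for SharePoint, OneDrive and Microsoft Teams, and zero-hour auto purge (ZAP) in the anti-malware and anti-spam policies. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account is allowed to read Exchange Online and Defender for Office 365 policies; it changes nothing.

```powershell
# Added example (not from the article): report whether Safe Attachments for
# SharePoint/OneDrive/Teams and ZAP are in effect. Read-only.
# Assumes the ExchangeOnlineManagement module is installed and the account
# used for Connect-ExchangeOnline can read Defender for Office 365 policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$findings = @()

# Step 3: Safe Attachments for SharePoint, OneDrive and Microsoft Teams is a
# single tenant-wide setting on the Defender for Office 365 policy.
$atpPolicy = Get-AtpPolicyForO365
if (-not $atpPolicy.EnableATPForSPOTeamsODB) {
    $findings += "Safe Attachments for SharePoint, OneDrive and Teams is OFF"
}

# Step 4: ZAP for malware is a per-policy setting on each anti-malware policy;
# ZAP for spam and phishing is a per-policy setting on each anti-spam policy.
# A tenant usually has a default policy plus any custom ones, so check them all.
foreach ($policy in Get-MalwareFilterPolicy) {
    if (-not $policy.ZapEnabled) {
        $findings += "Malware ZAP is OFF in anti-malware policy '$($policy.Name)'"
    }
}
foreach ($policy in Get-HostedContentFilterPolicy) {
    if (-not $policy.SpamZapEnabled) {
        $findings += "Spam ZAP is OFF in anti-spam policy '$($policy.Name)'"
    }
    if (-not $policy.PhishZapEnabled) {
        $findings += "Phish ZAP is OFF in anti-spam policy '$($policy.Name)'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All checked Defender for Office 365 settings are in effect."
} else {
    Write-Output "Settings that need attention:"
    $findings | ForEach-Object { Write-Output " - $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it after completing the steps above; an empty findings list means the settings this procedure depends on are in place, and each reported line names the specific policy to revisit under Policies & Rules > Threat policies.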

Need to make changes to automated investigation settings?

You can choose from several options to change settings for your automated investigation and response capabilities. Some options are listed in the following table:

To do this: Specify automation levels for groups of devices
Follow these steps:
  1. Set up one or more device groups. See Create and manage device groups.
  2. In the Microsoft 365 Defender portal, go to Permissions > Endpoints roles & groups > Device groups.
  3. Select a device group and review its Automation level setting. (We recommend using Full - remediate threats automatically.) See Automation levels in automated investigation and remediation capabilities.
  4. Repeat steps 2 and 3 as appropriate for all your device groups.

Next steps