Remediation actions in Microsoft Defender XDR
Applies to:
- Microsoft Defender XDR
During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.
Important
Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as automation levels. To learn more, see the following articles:
The following table summarizes remediation actions that are currently supported in Microsoft Defender XDR.
Device (endpoint) remediation actions:
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Contain devices from the network

Email remediation actions:
- Block URL (time-of-click)
- Soft delete email messages or clusters
- Quarantine email
- Quarantine an email attachment
- Turn off external mail forwarding

Users (accounts) remediation actions:
- Disable user
- Reset user password
- Confirm user as compromised
Remediation actions, whether pending approval or already complete, can be viewed in the Action center.
Remediation actions that follow automated investigations
When an automated investigation completes, a verdict is reached for every piece of evidence involved. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval. It all depends on how automated investigation and response is configured.
The following table lists possible verdicts and outcomes:
Verdict | Affected entities | Outcomes |
---|---|---|
Malicious | Devices (endpoints) | Remediation actions are taken automatically (assuming your organization's device groups are set to Full - remediate threats automatically) |
Compromised | Users | Remediation actions are taken automatically |
Malicious | Email content (URLs or attachments) | Recommended remediation actions are pending approval |
Suspicious | Devices or email content | Recommended remediation actions are pending approval |
No threats found | Devices or email content | No remediation actions are needed |
Remediation actions that are taken manually
In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These actions include:
- Manual device action, such as device isolation or file quarantine
- Manual email action, such as soft-deleting email messages
- Manual user action, such as disable user or reset user password
- Advanced hunting action on devices, users, or email
- Explorer action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email
- Manual live response action, such as deleting a file, stopping a process, and removing a scheduled task
- Live response action with Microsoft Defender for Endpoint APIs, such as isolating a device, running an antivirus scan, and getting information about a file
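The last item above, live response actions through the Microsoft Defender for Endpoint API, as an added example that is not part of this page or of Microsoft's own samples: it builds the isolate, antivirus scan and file lookup requests against the public API endpoints, submits a machine action and polls it to a final status. The machine ID, comments, the fake offline transport and the set of terminal status values are constructed or assumed for the example.

```python
import json
import urllib.request

# Base URL of the Microsoft Defender for Endpoint REST API.
API = "https://api.securitycenter.microsoft.com/api"
# Assumed final states of a MachineAction; anything else means "still running".
TERMINAL = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def isolate_request(machine_id, comment, isolation_type="Full"):
    """Request tuple (method, url, body) for isolating a device ('Full' or 'Selective')."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError(f"unsupported IsolationType: {isolation_type}")
    return ("POST", f"{API}/machines/{machine_id}/isolate",
            {"Comment": comment, "IsolationType": isolation_type})


def av_scan_request(machine_id, comment, scan_type="Quick"):
    """Request tuple for running a Quick or Full antivirus scan on a device."""
    if scan_type not in ("Quick", "Full"):
        raise ValueError(f"unsupported ScanType: {scan_type}")
    return ("POST", f"{API}/machines/{machine_id}/runAntiVirusScan",
            {"Comment": comment, "ScanType": scan_type})


def file_info_request(file_hash):
    """Request tuple for looking a file up by SHA-1 or SHA-256 (GET, no body)."""
    return ("GET", f"{API}/files/{file_hash}", None)


def http_send(token):
    """Real transport: returns a callable that sends one request with a bearer token."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def run_action(send, request, poll_limit=10):
    """Submit a machine action, then poll /machineactions/{id} until it is final."""
    action = send(*request)
    for _ in range(poll_limit):
        if action.get("status") in TERMINAL:
            return action
        action = send("GET", f"{API}/machineactions/{action['id']}", None)
    raise TimeoutError(f"action {action.get('id')} still {action.get('status')}")


def fake_send_factory(final_status="Succeeded"):
    """Constructed offline transport: first call queues the action, later calls report it."""
    calls = []
    def send(method, url, body):
        calls.append((method, url, body))
        status = "Pending" if len(calls) == 1 else final_status
        return {"id": "act-0001", "type": "Isolate", "status": status}
    return send, calls
```

Swap `fake_send_factory()` for `http_send(token)` with an app token that has the Machine.Isolate, Machine.Scan and File.Read.All permissions to run it against a real tenant.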
Next steps
- Visit the Action center
- View and manage remediation actions
- Address false positives or false negatives
- Contain devices from the network
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.