Steps to use manual email remediation in Threat Explorer

Email remediation is an existing Defender for Office 365 capability that lets admins act on messages identified as threats, for example by deleting them from user mailboxes. This article covers triggering that remediation manually from Threat Explorer and tracking the result.

What you need

  • Microsoft Defender for Office 365 Plan 2 (Included in E5 plans)
  • Sufficient permissions (make sure the account is assigned the Search and Purge role)

Create and track the remediation

  1. In Threat Explorer, select the threat to remediate and select Take action, which offers options such as Soft Delete or Hard Delete.
  2. A side pane opens and asks for details such as a name for the remediation, its severity, and a description. Review the information and select Submit.
  3. As soon as the action is approved, the admin sees the Approval ID and a link to the Microsoft Defender XDR Action Center, where the action can be tracked. Two records are created for the action:
    1. Admin action alert - A system alert named 'Administrative action submitted by an Administrator' appears in the alert queue. It indicates that an admin remediated an entity and records the name of the admin who took the action, the investigation link, and the time, so that every important action on an entity, such as remediation, is visible to admins.
    2. Admin action investigation - Because the admin already analyzed the entities before taking the action, the system performs no further analysis. The investigation shows the related alert, the entity selected for remediation, the action taken, the remediation status, the entity count, and the approver of the action, which lets admins keep track of investigations and actions carried out manually.
  4. Action logs in the unified Action center - History and action logs for email actions such as soft delete and move to Deleted Items folder are available in a centralized view under the unified Action center > History tab.
  5. Filters in the unified Action center - Filters such as remediation name, approval ID, investigation ID, status, action source, and action type help you find and track email actions in the unified Action center.

Important

For better performance, remediate in batches of 50,000 messages or fewer. Narrow the search results by latest delivery location, and trigger email remediation only for messages that currently sit in a remediable folder such as Inbox, Junk Email, or Deleted Items.
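The narrowing step above, written as an Advanced Hunting query. This is an added example and is not a query from the original page or from Microsoft; it assumes the EmailEvents table exposes the LatestDeliveryLocation, SenderFromDomain, Subject, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, ThreatTypes and DeliveryLocation columns with the string values shown, and the sender domain and subject keyword are placeholder indicators for whatever threat the investigation identified.

```kql
// Added example (not from the original page): restrict a remediation candidate set
// to messages whose latest delivery location is a remediable mailbox folder,
// so the results can be selected and acted on with Take action.
// Assumptions: column names and LatestDeliveryLocation values below match the
// EmailEvents schema in your tenant; the indicators are placeholders.
let lookback = 7d;
// Folders the page names as remediable; quarantine and dropped/failed mail are
// deliberately left out because they are not mailbox folders.
let remediable = dynamic(["Inbox/folder", "Junk folder", "Deleted items folder"]);
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromDomain == "phish.example"     // placeholder sender indicator
| where Subject has "invoice"                    // placeholder subject indicator
| where LatestDeliveryLocation in (remediable)   // latest location, not original
| project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
          Subject, ThreatTypes, DeliveryLocation, LatestDeliveryLocation
| order by Timestamp desc
```

Filtering on LatestDeliveryLocation rather than DeliveryLocation matters: a message originally delivered to the Inbox may since have been moved by zero-hour auto purge or by the user, and only its current location decides whether the remediation can act on it. Before submitting, replace the `project` and `order by` lines with `| summarize count()` to confirm the result set stays within the 50,000-message batch guidance (and the 200,000-message ceiling for query-based submission).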

Scenarios that call for email remediation

Email remediation is used in these scenarios:

  1. As part of an investigation, SecOps identifies a threat in an end user's mailbox and wants to clear out the problem emails.
  2. When SecOps approves the email actions suggested by Automated Investigation and Response (AIR), the remediation action is triggered automatically for the given email or email cluster.

Two manual email remediation scenarios:

  1. The main scenario:
    1. Manual actions taken on emails (for example, from Threat Explorer or Advanced Hunting) are visible only in the legacy Defender for Office 365 Action center (Email & collaboration > Review > Action center in the Microsoft Defender portal).
  2. Two-step approval scenario:
    1. Manual actions pending approval through the two-step approval process: the email is added to a remediation by one analyst, then reviewed and approved by another analyst.

Given these scenarios, email remediation can be triggered in three ways, each with its own size limit:

  1. Query-based remediation: select all the search results returned by a query (a maximum of 200,000 emails can be submitted).
  2. Handpicked remediation: select emails one by one using the check boxes (a maximum of 100 emails can be submitted at one time).
  3. Query-based remediation with exclusions: select all emails returned by a query and then manually remove a few messages (the query can hold a maximum of 1,000 emails, and a maximum of 100 exclusions is allowed).

Next Steps

  1. Go to the Microsoft Defender portal and sign in.
  2. In the navigation pane, select Action center.
  3. On the History tab, select any item that is waiting for approval. A side pane opens with its details.
  4. Track the action status in the unified action center.

More information

Learn more about email remediation.