Manage automation file uploads

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

Microsoft uses various file investigation mechanisms to inspect and analyze files.

Identify the files and email attachments by specifying the file extension names and email attachment extension names.

For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.

Note

Microsoft securely stores the files submitted for a six-month period. Files are promptly deleted after six months.

Add file extension names and attachment extension names

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

1. Sign in to the Microsoft Defender portal using an account with the Security administrator or Global administrator role assigned.

2. In the navigation pane, select Settings > Endpoints > Rules > Automation uploads.

3. Toggle the content analysis setting between On and Off.

4. Configure the following extension names and separate extension names with a comma:

   • File extension names - Suspicious files except email attachments will be submitted for additional inspection

Related topics

• Manage automation folder exclusions

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.