Remediation actions in Microsoft Defender XDR

Applies to:

  • Microsoft Defender XDR

During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.

Important

Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as automation levels. To learn more, see the following articles:

The following table summarizes remediation actions that are currently supported in Microsoft Defender XDR.

Device (endpoint) remediation actions:
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Contain devices from the network

Email remediation actions:
- Block URL (time-of-click)
- Soft delete email messages or clusters
- Quarantine email
- Quarantine an email attachment
- Turn off external mail forwarding

Users (accounts):
- Disable user
- Reset user password
- Confirm user as compromised

Remediation actions, whether pending approval or already complete, can be viewed in the Action center.

Remediation actions that follow automated investigations

When an automated investigation completes, a verdict is reached for every piece of evidence involved. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval. It all depends on how automated investigation and response is configured.

The following table lists possible verdicts and outcomes:

| Verdict | Affected entities | Outcomes |
|---|---|---|
| Malicious | Devices (endpoints) | Remediation actions are taken automatically (assuming your organization's device groups are set to Full - remediate threats automatically) |
| Compromised | Users | Remediation actions are taken automatically |
| Malicious | Email content (URLs or attachments) | Recommended remediation actions are pending approval |
| Suspicious | Devices or email content | Recommended remediation actions are pending approval |
| No threats found | Devices or email content | No remediation actions are needed |

Remediation actions that are taken manually

In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These actions include:

  • Manual device action, such as device isolation or file quarantine
  • Manual email action, such as soft-deleting email messages
  • Manual user action, such as disable user or reset user password
  • Advanced hunting action on devices, users, or email
  • Explorer action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email
  • Manual live response action, such as deleting a file, stopping a process, and removing a scheduled task
  • Live response action with Microsoft Defender for Endpoint APIs, such as isolating a device, running an antivirus scan, and getting information about a file
