Remediation actions in Microsoft 365 Defender

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Remediation actions

During and after an automated investigation in Microsoft 365 Defender, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on email content. Automated investigations complete after remediation actions are taken, approved, or rejected.

Important

Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as how automation levels. To learn more, see the following articles:

The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender:

Device (endpoint) remediation actions Email remediation actions
- Collect investigation package
- Isolate device (this action can be undone)
- Offboard machine
- Release code execution
- Release from quarantine
- Request sample
- Restrict code execution (this action can be undone)
- Run antivirus scan
- Stop and quarantine
- Block URL (time-of-click)
- Soft delete email messages or clusters
- Quarantine email
- Quarantine an email attachment
- Turn off external mail forwarding

Remediation actions, whether pending approval or already complete, can be viewed in the Action Center.

Remediation actions that follow automated investigations

When an automated investigation completes, a verdict is reached for every piece of evidence involved. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval. It all depends on how automated investigation and response is configured.

The following table lists possible verdicts and outcomes:

Verdict Area Outcomes
Malicious Devices (endpoints) Remediation actions are taken automatically (assuming your organization's device groups are set to Full - remediate threats automatically)
Malicious Email content (URLs or attachments) Recommended remediation actions are pending approval
Suspicious Devices or email content Recommended remediation actions are pending approval
No threats found Devices or email content No remediation actions are needed

Remediation actions that are taken manually

In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These include the following actions:

  • Manual device action, such as device isolation or file quarantine.
  • Manual email action, such as soft-deleting email messages.
  • Advanced hunting action on devices or email.
  • Explorer action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email.
  • Manual live response action, such as deleting a file, stopping a process, and removing a scheduled task.
  • Live response action with Microsoft Defender for Endpoint APIs, such as isolating a device, running an antivirus scan, and getting information about a file.

Next steps