Configure automated investigation and response capabilities in Microsoft 365 Defender

Microsoft 365 Defender includes powerful automated investigation and response capabilities that can save your security operations team much time and effort. With self-healing, these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale. This article describes how to configure automated investigation and response in Microsoft 365 Defender.

To configure automated investigation and response capabilities, follow these steps:

  1. Review the prerequisites.
  2. Review or change the automation level for device groups.
  3. Review your security and alert policies in Office 365.
  4. Make sure Microsoft 365 Defender is turned on.

Then, after you're all set up, review pending and completed actions in the Action center.

Prerequisites for automated investigation and response in Microsoft 365 Defender

Requirement: Subscription requirements
Details: One of the following subscriptions:
  • Microsoft 365 E5
  • Microsoft 365 A5
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 Security
  • Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5

See Microsoft 365 Defender licensing requirements.

Requirement: Network requirements
Details:

Requirement: Windows machine requirements
Details: Windows 10, version 1709 or later installed (see Windows 10 release information) with the following threat protection services configured:

Requirement: Protection for email content and Office files
Details: Microsoft Defender for Office 365 configured

Requirement: Permissions
Details:

Review or change the automation level for device groups

Whether automated investigations run on your devices, and whether remediation actions are taken automatically or only after approval, depends on settings such as your organization's device group policies. Review the automation level set for each device group.

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.

  2. Go to Settings > Permissions > Device groups.

  3. Review your device group policies. In particular, look at the Remediation level column. We recommend using Full - remediate threats automatically. Devices that do not match any group's membership rules fall into the default group, so check its remediation level as well. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles:

Review your security and alert policies in Office 365

Microsoft provides built-in alert policies that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Some alerts can trigger automated investigation and response in Office 365. Make sure your Microsoft Defender for Office 365 features are configured correctly.

Although certain alerts and security policies can trigger automated investigations, no remediation actions are taken automatically for email and email content. Instead, every remediation action for email and email content waits in the Action center for approval by your security operations team.

Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in Protect against threats.

  1. In the Microsoft 365 security center (https://security.microsoft.com/), go to Policies > Threat protection.

  2. Make sure all of the following policies are configured. To get help and recommendations, see Protect against threats.

  3. Make sure Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams is turned on.

  4. Make sure zero-hour auto purge for email protection is in effect.

  5. (This is optional.) Review your Office 365 alert policies in the Microsoft 365 compliance center (https://compliance.microsoft.com/compliancepolicies). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see Default alert policies.
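The checks in steps 3 and 4 above can be scripted instead of clicked through. The following script is an added example and is not part of the original article or a Microsoft-provided script; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role (such as Security Administrator) that can read and change threat policies. It reads the Safe Attachments setting for SharePoint, OneDrive and Teams and the zero-hour auto purge (ZAP) flags on every anti-malware and anti-spam policy, and lists any that are off.

```powershell
# Added example (not from the original article): audit the Defender for Office 365
# settings that steps 3 and 4 ask you to verify, using Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account has a
# role that can read threat policies (for example Security Administrator).
Connect-ExchangeOnline

$findings = @()

# Step 3: Defender for Office 365 for SharePoint, OneDrive and Teams
# (Safe Attachments). One tenant-wide policy object is returned.
$atp = Get-AtpPolicyForO365
if (-not $atp.EnableATPForSPOTeamsODB) {
    $findings += 'Safe Attachments for SharePoint, OneDrive and Teams is OFF'
}

# Step 4: zero-hour auto purge. ZAP is a per-policy flag, and a tenant can have
# several anti-malware and anti-spam policies, so check every one of them.
Get-MalwareFilterPolicy | ForEach-Object {
    if (-not $_.ZapEnabled) {
        $findings += "Malware ZAP is OFF in anti-malware policy '$($_.Identity)'"
    }
}
Get-HostedContentFilterPolicy | ForEach-Object {
    if (-not $_.SpamZapEnabled) {
        $findings += "Spam ZAP is OFF in anti-spam policy '$($_.Identity)'"
    }
    if (-not $_.PhishZapEnabled) {
        $findings += "Phish ZAP is OFF in anti-spam policy '$($_.Identity)'"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'All checked Defender for Office 365 settings are enabled.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Remediation for the default policies, to run only after reviewing the warnings
# above (custom policies are changed the same way with their own -Identity):
# Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
# Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true
# Set-HostedContentFilterPolicy -Identity Default -SpamZapEnabled $true -PhishZapEnabled $true
```

Because a custom anti-spam or anti-malware policy applies to the recipients it is scoped to, a ZAP flag that is on in the Default policy but off in a custom policy still leaves those recipients' mail outside ZAP, which is why the script walks every policy rather than only the default one.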

Make sure Microsoft 365 Defender is turned on

  1. Go to the Microsoft 365 security center (https://security.microsoft.com) and sign in.

  2. In the navigation pane, look for Incidents, Action center, and Hunting, as shown in the following image:

    (Image: "MTP on")

  3. In the navigation pane, choose Settings > Microsoft 365 Defender. Confirm that Microsoft 365 Defender is turned on.

    Need help? See Turn on Microsoft 365 Defender.

Review pending and completed actions in the Action center

After you have configured automated investigation and response in Microsoft 365 Defender, your next step is to visit the Action center (https://security.microsoft.com/action-center). There, you can review and approve pending actions, and see remediation actions that were taken automatically or manually.

Visit the Action center.