Automation levels in automated investigation and remediation capabilities

Applies to:

• Microsoft Defender XDR
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business

Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Business are preconfigured and aren't configurable. In Microsoft Defender for Endpoint, you can configure AIR to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.

• Full automation (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. (Full automation is set by default in Defender for Business.)
• Semi-automation means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in Levels of automation.)
• All remediation actions, whether pending or completed, are tracked in the Action Center (https://security.microsoft.com).

Tip

For best results, we recommend using full automation when you configure AIR. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Levels of automation

Automation level	Description
Full - remediate threats automatically (also referred to as full automation)	With full automation, remediation actions are performed automatically on entities that are considered to be malicious. All remediation actions that are taken can be viewed in the Action Center on the History tab. If necessary, a remediation action can be undone. Full automation is recommended and is selected by default for tenants with Defender for Endpoint that were created on or after August 16, 2020, with no device groups defined yet. Full automation is set by default in Defender for Business.
Semi - require approval for all folders (also referred to as semi-automation)	With this level of semi-automation, approval is required for remediation actions on all files. Such pending actions can be viewed and approved in the Action Center, on the Pending tab. Pending actions time out after 7 days. If an action times out, the behavior is the same as if the action is rejected. This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.
Semi - require approval for core folders remediation (also a type of semi-automation)	With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the Windows (\windows\*). Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Pending actions for files or executables in core folders can be viewed and approved in the Action Center, on the Pending tab. Actions that were taken on files or executables in other folders can be viewed in the Action Center, on the History tab.
Semi - require approval for non-temp folders remediation (also a type of semi-automation)	With this level of semi-automation, approval is required for any remediation actions needed on files or executables that aren't* in temporary folders. Temporary folders can include the following examples: \users\*\appdata\local\temp\* \documents and settings\*\local settings\temp\* \documents and settings\*\local settings\temporary\* \windows\temp\* \users\*\downloads\* \program files\ \program files (x86)\* \documents and settings\*\users\* Remediation actions can be taken automatically on files or executables that are in temporary folders. Pending actions for files or executables that aren't in temporary folders can be viewed and approved in the Action Center, on the Pending tab. Actions that were taken on files or executables in temporary folders can be viewed and approved in the Action Center, on the History tab.
No automated response (also referred to as no automation)	With no automation, automated investigation doesn't run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as protection from potentially unwanted applications, can be in effect, depending on how your antivirus and next-generation protection features are configured. *Using the no automation option is not recommended, because it reduces the security posture of your organization's devices. Consider setting up your automation level to full automation (or at least semi-automation).

Important points about automation levels

• Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives.

• New tenants (which include tenants that were created on or after August 16, 2020) with Defender for Endpoint are set to full automation by default.

• Defender for Business uses full automation by default. Defender for Business doesn't use device groups the same way as Defender for Endpoint. Thus, full automation is turned on and applied to all devices in Defender for Business.

• If your security team has defined device groups with a level of automation, those settings aren't changed by the new default settings that are rolling out.

• You can keep your default automation settings, or change them according to your organizational needs. To change your settings, set your level of automation.

Note

Defender for Business depends on real-time protection for automatic investigation. Real-time protection must be enabled and in active mode to enable automatic investigation.

Next steps

• Configure automated investigation and remediation capabilities in Defender for Endpoint
• Visit the Action Center

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.