The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender

During and after an automated investigation in Microsoft 365 Defender, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on email content. Automated investigations complete after remediation actions are taken, approved, or rejected.


Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as how automation levels. To learn more, see the following articles:

The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender.

Device (endpoint) remediation actions Email remediation actions
– Collect investigation package
– Isolate device (this action can be undone)
– Offboard machine
– Release code execution
– Release from quarantine
– Request sample
– Restrict code execution (this action can be undone)
– Run antivirus scan
– Stop and quarantine
– Block URL (time-of-click)
– Soft delete email messages or clusters
– Quarantine email
– Quarantine an email attachment
– Turn off external mail forwarding

Remediation actions, whether pending approval or already complete, can be viewed in the Action center.

Remediation actions that follow automated investigations

When an automated investigation completes, a verdict is reached for every piece of evidence involved. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval. It all depends on how automated investigation and response is configured.

The following table lists possible verdicts and outcomes:

Verdict Affected entities Outcomes
Malicious Devices (endpoints) Remediation actions are taken automatically (assuming your organization’s device groups are set to Full – remediate threats automatically)
Malicious Email content (URLs or attachments) Recommended remediation actions are pending approval
Suspicious Devices or email content Recommended remediation actions are pending approval
No threats found Devices or email content No remediation actions are needed

Remediation actions that are taken manually

In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These include the following:

  • Manual device action, such as device isolation or file quarantine
  • Manual email action, such as soft-deleting email messages
  • Advanced hunting action on devices or email
  • Explorer action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email
  • Manual live response action, such as deleting a file, stopping a process, and removing a scheduled task
  • Live response action with Microsoft Defender for Endpoint APIs, such as isolating a device, running an antivirus scan, and getting information about a file

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.