Forum Discussion
Chris Steenkamp
Oct 14, 2022, Copper Contributor
Setting up Automated Remediation.
Pretty new to this, so please be patient. I am trying to get Defender to automatically isolate a device should it pick up a medium or high-level threat. When opening "Auto remediation" in Defender\...
Jonhed
Oct 17, 2022, Steel Contributor
Auto remediation only applies to the actions below.
Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-auto-investigation?view=o365-worldwide
If you require devices to be isolated, you can choose to use custom detection rules, or to create a logic app / power automate flow to trigger on MDE alerts.
See below for custom detection rules.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
Custom detection rules are the easiest to configure, but it is a search query running on a specific schedule where "hourly" is the tightest you are going to get, so depending on the timing of the alert, you might have to wait for an hour.
If you need instant remediation, power automate or logic apps are the way to go.
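The flow-based route described above (trigger on an MDE alert, isolate the affected device) boils down to two steps: decide which alerts qualify, then call the MDE machine isolation API. The script below is an added example, not code from the thread or from Microsoft; the alert records are constructed to mirror the shape of the MDE Alerts API (`severity`, `status`, `machineId`), and the endpoint and request body follow the documented `POST /api/machines/{id}/isolate` call.

```python
"""Added example: pick MDE alerts at or above a severity threshold and build isolate-device requests."""
import json
import urllib.request

# Severity ordering used by MDE alerts; anything missing from this map is ignored.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MDE_API = "https://api.securitycenter.microsoft.com/api"  # MDE REST API base URL


def select_isolation_targets(alerts, min_severity="Medium"):
    """Return distinct machineIds of *new* alerts whose severity is >= min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    targets = []
    for alert in alerts:
        if alert.get("status") != "New":  # skip alerts already handled by an analyst
            continue
        if SEVERITY_RANK.get(alert.get("severity"), -1) < threshold:
            continue
        machine_id = alert.get("machineId")
        if machine_id and machine_id not in targets:  # one isolation per device
            targets.append(machine_id)
    return targets


def build_isolate_request(machine_id, comment, isolation_type="Full"):
    """Return (url, body) for the MDE isolate-machine action. IsolationType is Full or Selective."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    url = f"{MDE_API}/machines/{machine_id}/isolate"
    body = {"Comment": comment, "IsolationType": isolation_type}
    return url, body


def isolate(machine_id, token, comment):
    """Send the isolation request with an OAuth bearer token (requires Machine.Isolate permission)."""
    url, body = build_isolate_request(machine_id, comment)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # machine action record, including its id and status


# Constructed sample alerts: only the first two should lead to an isolation.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": "High", "status": "New", "machineId": "dev-alpha"},
    {"id": "a2", "severity": "Medium", "status": "New", "machineId": "dev-beta"},
    {"id": "a3", "severity": "Low", "status": "New", "machineId": "dev-gamma"},
    {"id": "a4", "severity": "High", "status": "Resolved", "machineId": "dev-delta"},
    {"id": "a5", "severity": "Medium", "status": "New", "machineId": "dev-alpha"},
]

if __name__ == "__main__":
    for mid in select_isolation_targets(SAMPLE_ALERTS):
        print(build_isolate_request(mid, "Auto-isolated: medium/high severity alert"))
```

In a Logic App or Power Automate flow the same logic sits behind the "Alerts" trigger and an HTTP action; the script only builds the requests unless `isolate()` is called with a real token.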