Forum Discussion
upgraded from P1 to P2... how do I configure this?
Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User clicked a malicious link' investigation that was pending - but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid?
The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?
2 Replies
Hi, in fact, configuring notifications and automation levels in Defender 365 P2 goes through the Security portal and often refers to XDR, even if you don't use it directly. To manage notifications and approvals, look in M365 Defender's settings (email & collaboration > policies & rules > threat policies) for the section on automated investigation: from there you can set the level of automation, who receives critical alerts, and whether certain actions (e.g., removing phishing email from all boxes) can take place without approval. Unfortunately, the interface can be confusing, but it is all handled by these policies.
- underQualifriedBrass Contributor
Hi micheleariis, thanks for the reply. Looking through the settings you listed, email & collaboration > policies & rules > threat policies doesn't have anything about automated investigation. If I go to settings > Defender XDR, (below img) there ARE some AIR-related settings, but the only ones relevant to me would be simple notification settings. We don't use device groups or Defender Endpoint. Really my concern is making sure the 'automation' P2 brings doesn't INCREASE workflow. Just looking at the Threat Policies - I don't see anything here that didn't exist already with P1.
THIS - 'whether certain actions (e.g., removing phishing email from all boxes) can take place without approval.' for example, is something I would like to configure. But I just don't see this anywhere.
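The underlying problem in this thread is that a "user clicked a malicious link" investigation sat unnoticed because nobody had wired up a notification. Independent of the portal email settings discussed above, a defender can poll the Microsoft Graph security alerts endpoint (`/security/alerts_v2`) on a schedule and raise their own notification for alerts that have stayed in the `new` state for too long. The script below is an added example, not code from the thread or from Microsoft: the alert records are constructed to resemble the `alerts_v2` schema, the age threshold and minimum severity are assumptions, and `fetch_alerts()` needs a Graph access token with `SecurityAlert.Read.All` that is not provided here (the offline check uses only the constructed records).

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# Severity ordering used for the minimum-severity filter (alerts_v2 values).
SEVERITY_RANK = {"unknown": -1, "informational": 0, "low": 1, "medium": 2, "high": 3}


def fetch_alerts(access_token, status="new"):
    """Pull alerts with the given status from Graph alerts_v2.

    Assumption: the token carries SecurityAlert.Read.All. Not called in the
    offline check below; the sample records stand in for its result.
    """
    query = urllib.parse.urlencode({"$filter": f"status eq '{status}'"})
    req = urllib.request.Request(
        f"{GRAPH_ALERTS_URL}?{query}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def _parse_time(value):
    # Graph returns ISO-8601 with a trailing 'Z'; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_alerts(alerts, now, max_age=timedelta(hours=4), min_severity="medium"):
    """Return alerts still 'new' after max_age, at or above min_severity.

    Output is sorted oldest-first so the longest-neglected alert is on top.
    """
    threshold = SEVERITY_RANK[min_severity]
    stale = []
    for alert in alerts:
        if alert.get("status") != "new":
            continue  # already being worked or resolved
        if SEVERITY_RANK.get(alert.get("severity", "unknown"), -1) < threshold:
            continue  # below the severity we want to page on
        created = _parse_time(alert["createdDateTime"])
        if now - created >= max_age:
            stale.append(alert)
    return sorted(stale, key=lambda a: a["createdDateTime"])


def notification_text(stale):
    """Build the plain-text body a scheduled job would hand to mail or chat."""
    lines = [f"{len(stale)} Defender alert(s) untouched past threshold:"]
    for alert in stale:
        lines.append(
            f"- [{alert['severity']}] {alert['title']} "
            f"(created {alert['createdDateTime']}) {alert.get('alertWebUrl', '')}"
        )
    return "\n".join(lines)


# Constructed sample records (not real tenant data) in the alerts_v2 shape.
SAMPLE_ALERTS = [
    {"id": "c1", "title": "A potentially malicious URL click was detected",
     "status": "new", "severity": "high", "serviceSource": "microsoftDefenderForOffice365",
     "createdDateTime": "2024-06-10T08:00:00Z", "alertWebUrl": "https://security.microsoft.com/alerts/c1"},
    {"id": "c2", "title": "Email reported by user as malware or phish",
     "status": "resolved", "severity": "high", "serviceSource": "microsoftDefenderForOffice365",
     "createdDateTime": "2024-06-10T07:00:00Z"},
    {"id": "c3", "title": "Suspicious email sending patterns detected",
     "status": "new", "severity": "medium", "serviceSource": "microsoftDefenderForOffice365",
     "createdDateTime": "2024-06-10T13:50:00Z"},
    {"id": "c4", "title": "Phish delivered due to an ETR override",
     "status": "new", "severity": "low", "serviceSource": "microsoftDefenderForOffice365",
     "createdDateTime": "2024-06-10T06:00:00Z"},
    {"id": "c5", "title": "Email messages containing malicious URL removed after delivery",
     "status": "new", "severity": "medium", "serviceSource": "microsoftDefenderForOffice365",
     "createdDateTime": "2024-06-10T09:30:00Z"},
]

# Fixed "now" so the offline check is deterministic.
NOW = datetime(2024, 6, 10, 14, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    # In a scheduled job, replace SAMPLE_ALERTS with fetch_alerts(token).
    print(notification_text(stale_alerts(SAMPLE_ALERTS, NOW)))
```

Run from a scheduled task every 15 minutes or so, and swap `SAMPLE_ALERTS` for `fetch_alerts(token)`; the `max_age` and `min_severity` knobs are where you decide how much noise the mailbox receiving the notification should absorb.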