Granular Automated Investigation/Remediation configuration

Deleted · ‎Jun 03 2021

We have the option for Automatically resolving alerts (Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts.) enabled, which affects custom alerts too. This is not always desirable as the logic of custom rules can be of such nature that no artifacts exist that could be investigated by automation, thus no threats are found and alert resolved automatically.

It would be great if Automated investigation/remediation could be set per alert types and especially custom alerts in a similar way it's configured for device groups. For instance:

Alert source = AV --> Apply automated investigation and resolve alert if no threats found or remediated

Alert source = EDR --> Apply automated investigation and keep alert open for analyst review even if no threats are found

Alert source = custom alert --> Do not apply automated investigation at all

Ambarish RH · ‎Jun 03 2021

@Deleted Best option would be to use the feedback feature in the portal Provide feedback on Microsoft 365 Defender | Microsoft Docs

I got someone calling me from the defender team based on my feedback on the UI issue

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Granular Automated Investigation/Remediation configuration

Granular Automated Investigation/Remediation configuration

Re: Granular Automated Investigation/Remediation configuration