Granular Automated Investigation/Remediation configuration


We have the option for Automatically resolving alerts (Resolves an alert if Automated investigation finds no threats or has successfully remediated all malicious artifacts.) enabled, which affects custom alerts too. This is not always desirable, as the logic of custom rules can be of such a nature that no artifacts exist that could be investigated by automation; thus no threats are found and the alert is resolved automatically.
It would be great if Automated investigation/remediation could be set per alert type, and especially for custom alerts, in a similar way to how it's configured for device groups. For instance:

Alert source = AV --> Apply automated investigation and resolve alert if no threats found or remediated

Alert source = EDR --> Apply automated investigation and keep alert open for analyst review even if no threats are found

Alert source = custom alert --> Do not apply automated investigation at all

1 Reply

@mmmmp Best option would be to use the feedback feature in the portal: Provide feedback on Microsoft 365 Defender | Microsoft Docs (https://docs.microsoft.com/en-us/microsoft-365/security/defender/feedback?view=o365-worldwide)
I got someone calling me from the Defender team based on my feedback on the UI issue.