Microsoft Tech Community

Setting up Automated Remediation.


Pretty new to this, so please, be patient.

I am trying to get Defender to automatically isolate a device should it pick up a medium- or high-level threat.

When opening "Auto remediation" in Defender\Settings\Endpoints, there's not much there, only the ability to "Choose columns" and "Set automated remediation levels"?

What am I missing?

2 Replies
Auto remediation only applies to the actions below.

Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-auto-investigation...

If you require devices to be isolated, you can choose to use custom detection rules, or to create a logic app / power automate flow to trigger on MDE alerts.
See below for custom detection rules.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w...

Custom detection rules are the easiest to configure, but a rule is a search query running on a specific schedule, and "hourly" is the tightest you are going to get, so depending on the timing of the alert you might have to wait for an hour.
If you need instant remediation, Power Automate or Logic Apps are the way to go.
The documentation of what exact actions are taken for each automation level is not specific in the MS docs. I've just opened issues on the docs GitHub to suggest a change and update of the corresponding docs pages :)
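The reply above points to a Logic App or Power Automate flow triggered on MDE alerts as the way to get isolation without waiting for an hourly custom detection run. The script below is an added example, not code from the thread or from Microsoft: it does the same job from a scheduled script against the Microsoft Defender for Endpoint API (alert listing at `/api/alerts`, device isolation at `/api/machines/{machineId}/isolate`). It assumes an app registration with the `Alert.Read.All` and `Machine.Isolate` application permissions; the tenant ID, app ID and secret are placeholders, and the sample alerts are constructed to exercise the filtering logic offline. The severity threshold, the skipping of resolved alerts and the `already_isolated` set are design choices here, not API behaviour.

```python
"""Isolate devices that have unresolved Medium/High MDE alerts.

Added example (not from the original thread). Targets the MDE API at
api.securitycenter.microsoft.com; credentials below are placeholders.
"""
import datetime as dt
import json
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"
# Severity values as returned in the MDE Alert resource, ranked for comparison.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def select_machines_to_isolate(alerts, min_severity="Medium", already_isolated=frozenset()):
    """Map machineId -> id of the first qualifying alert for that device.

    An alert qualifies when its severity is at least min_severity and its
    status is not Resolved. Devices in already_isolated are skipped so that a
    repeated poll does not queue a second isolation action for the same device.
    """
    threshold = SEVERITY_RANK[min_severity]
    targets = {}
    for alert in alerts:
        if alert.get("status") == "Resolved":
            continue
        if SEVERITY_RANK.get(alert.get("severity"), -1) < threshold:
            continue
        machine_id = alert.get("machineId")
        if not machine_id or machine_id in already_isolated or machine_id in targets:
            continue
        targets[machine_id] = alert["id"]
    return targets


def build_isolate_request(machine_id, alert_id, isolation_type="Full"):
    """Return (url, json_body) for POST /api/machines/{machineId}/isolate."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("isolation_type must be 'Full' or 'Selective'")
    url = f"{MDE_API}/machines/{machine_id}/isolate"
    body = {"Comment": f"Automated isolation for alert {alert_id}",
            "IsolationType": isolation_type}
    return url, body


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token scoped to the MDE API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def poll_and_isolate(token, lookback_minutes=10, already_isolated=frozenset()):
    """Fetch alerts created in the lookback window and isolate qualifying devices."""
    since = (dt.datetime.now(dt.timezone.utc)
             - dt.timedelta(minutes=lookback_minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    query = urllib.parse.urlencode({"$filter": f"alertCreationTime gt {since}"})
    req = urllib.request.Request(f"{MDE_API}/alerts?{query}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        alerts = json.load(resp)["value"]

    actions = []
    for machine_id, alert_id in select_machines_to_isolate(
            alerts, already_isolated=already_isolated).items():
        url, body = build_isolate_request(machine_id, alert_id)
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     method="POST", headers=headers)
        with urllib.request.urlopen(req) as resp:
            actions.append(json.load(resp))  # MachineAction resource per isolation
    return actions


# Constructed sample alerts: field names follow the MDE Alert resource, values are made up.
SAMPLE_ALERTS = [
    {"id": "alert-001", "severity": "High", "status": "New", "machineId": "machine-a"},
    {"id": "alert-002", "severity": "Low", "status": "New", "machineId": "machine-b"},
    {"id": "alert-003", "severity": "Medium", "status": "Resolved", "machineId": "machine-c"},
    {"id": "alert-004", "severity": "Medium", "status": "InProgress", "machineId": "machine-d"},
    {"id": "alert-005", "severity": "High", "status": "New", "machineId": "machine-a"},
]

if __name__ == "__main__":
    # Offline check of the selection logic on the constructed alerts.
    print(select_machines_to_isolate(SAMPLE_ALERTS))
    # Live run (placeholders): token = get_token("<tenant-id>", "<app-id>", "<client-secret>")
    #                          print(poll_and_isolate(token))
```

Run it on a short schedule (every few minutes) and persist the set of already-isolated machine IDs between runs; otherwise each poll would queue a fresh isolation action for every device whose alert is still open. Keep the lookback slightly longer than the schedule interval so an alert created between runs is never missed.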