Setting up Automated Remediation.


Pretty new to this, so please, be patient.

I am trying to get Defender to automatically isolate a device should it pick up a medium- or high-level threat.

When opening "Auto remediation" in Defender\Settings\Endpoints, there's not much there, only the ability to "Choose columns" and "Set automated remediation levels"?

What am I missing?

1 Reply
Auto remediation only applies to the actions below.

Quarantine a file
Remove a registry key
Kill a process
Stop a service
Disable a driver
Remove a scheduled task
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-auto-investigation...

If you require devices to be isolated, you can choose to use custom detection rules, or to create a logic app / power automate flow to trigger on MDE alerts.
See below for custom detection rules.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w...

Custom detection rules are the easiest to configure, but they are search queries running on a specific schedule, where "hourly" is the tightest you are going to get, so depending on the timing of the alert, you might have to wait for an hour.
If you need instant remediation, Power Automate or Logic Apps are the way to go.
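As an added example (not part of the original thread, and not Microsoft's own code), the script below shows the "instant" path the reply describes, done directly against the Defender for Endpoint REST API instead of through a Logic App or Power Automate flow: it polls for unresolved alerts, keeps only Medium and High severity, skips devices that already have an isolation action pending or completed (so a second pass does not re-isolate), and then calls the documented `POST /api/machines/{id}/isolate` action. The alert and machine-action objects embedded in the usage notes are constructed sample data; the OData filters, the `Machine.Isolate`/`Alert.Read.All`/`Machine.Read.All` permission set and the environment-variable names are assumptions you should check against your tenant.

```python
# Added example, not from the original post: isolate a device as soon as a
# Medium/High alert is seen, via the Defender for Endpoint (MDE) REST API.
import json
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"
ISOLATE_SEVERITIES = {"Medium", "High"}               # what the question asks for
ACTIVE_ISOLATION = {"Pending", "InProgress", "Succeeded"}  # don't isolate twice


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the MDE API.
    Assumed app permissions: Alert.Read.All, Machine.Read.All, Machine.Isolate."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def api_call(token, path, body=None):
    """GET (body is None) or POST JSON against the MDE API and return the JSON."""
    req = urllib.request.Request(
        f"{MDE_API}/{path}",
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="GET" if body is None else "POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def odata(query):
    """Percent-encode an OData query (spaces and quotes are not URL-safe)."""
    return urllib.parse.urlencode({"$filter": query}, quote_via=urllib.parse.quote)


def select_alerts_to_isolate(alerts, isolate_actions):
    """Decide which devices to isolate.

    alerts          : MDE alert objects (id, severity, status, machineId)
    isolate_actions : machine actions of type 'Isolate' already raised
    Returns {machineId: [alertId, ...]} for unresolved Medium/High alerts on
    devices with no pending or successful isolation (a Failed action is retried).
    """
    already = {a["machineId"] for a in isolate_actions
               if a.get("type") == "Isolate" and a.get("status") in ACTIVE_ISOLATION}
    targets = {}
    for alert in alerts:
        if alert.get("severity") not in ISOLATE_SEVERITIES:
            continue
        if alert.get("status") == "Resolved":
            continue
        machine_id = alert.get("machineId")
        if not machine_id or machine_id in already:
            continue
        targets.setdefault(machine_id, []).append(alert["id"])
    return targets


def isolation_request(machine_id, alert_ids, isolation_type="Full"):
    """Path and body for POST /api/machines/{id}/isolate.
    'Full' blocks all traffic except to the Defender cloud; 'Selective' keeps
    Outlook/Teams working. Comment is mandatory and shows up in the action log."""
    return (f"machines/{machine_id}/isolate",
            {"Comment": "Auto-isolation for alert(s): " + ", ".join(sorted(alert_ids)),
             "IsolationType": isolation_type})


def run_once(token):
    """One polling pass: fetch alerts and prior isolation actions, then isolate."""
    alerts = api_call(token, "alerts?" + odata("status eq 'New'"))["value"]
    actions = api_call(token, "machineactions?" + odata("type eq 'Isolate'"))["value"]
    results = []
    for machine_id, alert_ids in select_alerts_to_isolate(alerts, actions).items():
        path, body = isolation_request(machine_id, alert_ids)
        results.append(api_call(token, path, body))   # response is a MachineAction
    return results


if __name__ == "__main__":
    import os
    tok = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                    os.environ["CLIENT_SECRET"])
    for action in run_once(tok):
        print(action["id"], action["machineId"], action["status"])
```

Run it from a scheduler (or wrap `run_once` in a loop with a short sleep) and the latency is the poll interval rather than the hourly custom-detection schedule. The same `select_alerts_to_isolate` filtering is what you would reproduce as conditions in a Logic App or Power Automate flow triggered on MDE alerts; the idempotency check against existing Isolate machine actions is the part most flows forget, and without it every pass raises a fresh isolation action for a device that is already cut off.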