Possible actions within the "Explorer" in the Microsoft Defender Portal

Copper Contributor

Hi everybody,


I have a problem understanding the possible actions in the email "explorer" within the Microsoft Defender portal.

In the meantime I have spent a lot of time browsing the Micrsosoft Docs and have not found a good answer.  


Does anyone know what the system does for the following actions?


For me, only the feature "Trigger Investigation" is clear, because this starts an "automated investigation and response" process. 

But as I mentioned, for the other actions, I was not able to find an answer.


Thanks a lot in advance


Kind regards,

Marvin Peters

1 Reply
Add to Remediation starts a remediation [job]. Unlike the Hard Delete action visible at the top of your screen shot, this action merely creates a job or adds the mails you have selected to an existing job. You then have to go into the action tab of the job and select the action you want to do. Why bother with this method? Because unlike the earlier action, a formal remediation can tackle a lot more than 100 mails (unless that limit has been changed).

Contact Recipients simply creates a mail BCC all of the recipients of the mails you have selected. It is useful in situations where EO is forwarding on to another mail system, and all you can do is send an urgent mail after the phish or whatever saying "Don't open this!"

If I want to investigate a sender, I just turn on the Sender IP column in Threat Explorer, write myself a scrap of KQL or pull an EML sample apart manually.