Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint

Applies to:

• Microsoft Defender XDR
• Microsoft Defender for Endpoint Plan 2

If your organization is using Defender for Endpoint (or Defender for Business), automated investigation and remediation capabilities can save your security operations team time and effort. As outlined in this blog post, these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. Learn more about automated investigation and remediation.

If you're using Defender for Endpoint, you can specify an automation level so that when a threat is detected on a device, the entity can be remediated automatically or only upon approval by your security team. You can configure automated investigation and remediation with device groups.

Set up device groups

1. In the Microsoft Defender portal (https://security.microsoft.com), on the Settings page, under Permissions, select Device groups.

2. Select + Add device group.

3. Create at least one device group, as follows:

   • Specify a name and description for the device group.
   • In the Automation level list, select a level, such as Full - remediate threats automatically. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see Automation levels in automated investigation and remediation.
   • In the Members section, use one or more conditions to identify and include devices.

4. Select Done when you're finished setting up your device group.

Next steps

• Visit the Action Center to view pending and completed remediation actions
• Review and approve pending actions

See also

• Address false positives/negatives in Microsoft Defender for Endpoint
• Automation levels in automated investigation and remediation