---
title: Review remediation actions in Microsoft Defender XDR
description: See how to view remediations that were taken automatically or that are awaiting approval in the Action center.
search.appverid: MET150
ms.author: siosulli
author: siosulli
manager: deniseb
audience: Admin
ms.topic: how-to
ms.service: microsoft-365-business-security
ms.date: 05/31/2024
ms.localizationpriority: medium
ms.reviewer: efratka
f1.keywords: NOCSH
ms.collection:
- SMB
- m365-security
- m365-initiative-defender-business
- tier2
---

# Review remediation actions in the Microsoft Defender portal

Okay, you've discovered a security breach, but what do you do? It depends on the nature of it.

Microsoft 365 Business Premium includes remediation actions. Some actions are taken automatically when threats are detected, and other actions can be taken manually by your security team.

Examples of remediation actions include sending a file to quarantine, stopping a process from running, or completely removing a scheduled task. All remediation actions are tracked in the Action center, which is located at https://security.microsoft.com/action-center.

:::image type="content" source="../media/defender-business/mdb-actioncenter.png" alt-text="Screenshot of the Action Center in M365.":::

This article describes:

## How to use your Action center

  1. Go to the Microsoft Defender portal (https://security.microsoft.com), and sign in.

  2. In the navigation pane, choose Action center.

  3. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus/antimalware protection, automated investigations, manual response activities, or live response sessions.

  4. Select the History tab to view a list of completed actions.
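The same Pending/History split, done as a script over action records rather than in the portal, is an added example and not part of the Microsoft article: it assumes records shaped like the Defender for Endpoint machine actions API output (`status` values Pending, InProgress, Succeeded, Failed, Cancelled) and runs entirely on constructed sample data, flagging pending approvals that have waited longer than a chosen threshold.

```python
"""Triage remediation actions the way the Action center's Pending and History
tabs split them, and surface approvals that have been waiting too long.
Assumption (not from the article): each record carries id, type, status,
requestor, computerDnsName and creationDateTimeUtc, as the Defender for
Endpoint machine actions API returns them."""
from datetime import datetime, timedelta, timezone

PENDING_STATES = {"Pending", "InProgress"}          # shown on the Pending tab
COMPLETED_STATES = {"Succeeded", "Failed", "Cancelled"}  # shown on the History tab

# Constructed sample records: hostnames, IDs and requestors are made up.
SAMPLE_ACTIONS = [
    {"id": "act-1", "type": "StopAndQuarantineFile", "status": "Pending",
     "requestor": "AutomatedInvestigation", "computerDnsName": "fin-laptop-01",
     "creationDateTimeUtc": "2024-05-30T08:00:00Z"},
    {"id": "act-2", "type": "RunAntiVirusScan", "status": "Succeeded",
     "requestor": "analyst@example.com", "computerDnsName": "hr-desktop-07",
     "creationDateTimeUtc": "2024-05-31T09:15:00Z"},
    {"id": "act-3", "type": "Isolate", "status": "Pending",
     "requestor": "analyst@example.com", "computerDnsName": "dev-vm-12",
     "creationDateTimeUtc": "2024-05-31T11:40:00Z"},
    {"id": "act-4", "type": "CollectInvestigationPackage", "status": "Failed",
     "requestor": "analyst@example.com", "computerDnsName": "fin-laptop-01",
     "creationDateTimeUtc": "2024-05-31T10:05:00Z"},
]

# Fixed "now" so the sample review is reproducible.
REVIEW_TIME = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)


def parse_utc(stamp: str) -> datetime:
    """Parse the API's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(actions, now, stale_after=timedelta(hours=4)):
    """Return pending vs completed actions, plus stale pending and failed ones."""
    pending = [a for a in actions if a["status"] in PENDING_STATES]
    history = [a for a in actions if a["status"] in COMPLETED_STATES]
    stale = [a for a in pending if now - parse_utc(a["creationDateTimeUtc"]) > stale_after]
    failed = [a for a in history if a["status"] == "Failed"]
    return {"pending": pending, "history": history, "stale": stale, "failed": failed}


if __name__ == "__main__":
    result = triage(SAMPLE_ACTIONS, REVIEW_TIME)
    for a in result["stale"]:
        print(f"STALE approval: {a['id']} {a['type']} on {a['computerDnsName']}")
    for a in result["failed"]:
        print(f"FAILED action: {a['id']} {a['type']} on {a['computerDnsName']}")
```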

## Types of remediation actions

Your subscription includes several different types of remediation actions for detected threats. These actions include manual response actions, actions following automated investigation, and live response actions.

The following table lists remediation actions that are available:

| Source | Actions |
|---|---|
| Automated attack disruption (NEW!) | <ul><li>Contain a device</li><li>Contain a user account on a device</li></ul> |
| Automated investigations | <ul><li>Quarantine a file</li><li>Remove a registry key</li><li>Kill a process</li><li>Stop a service</li><li>Disable a driver</li><li>Remove a scheduled task</li></ul> |
| Manual response actions | <ul><li>Run antivirus scan</li><li>Isolate device</li><li>Add an indicator to block or allow a file</li></ul> |
| Live response | <ul><li>Collect forensic data</li><li>Analyze a file</li><li>Run a script</li><li>Send a suspicious entity to Microsoft for analysis</li><li>Remediate a file</li><li>Proactively hunt for threats</li></ul> |