- The article explains how to use Microsoft 365 Defender to create and manage remediation actions for security issues detected by the suite of tools.
- The article shows two ways to create a remediation action, from the Recommendations page or from the Remediation page, and how to edit, delete, mark as done, reopen, or add a comment to a remediation action.
- The article also provides some tips and best practices for using remediation actions effectively, such as reviewing the recommendations regularly, assigning clear and descriptive names and descriptions, setting realistic and reasonable due dates and priorities, communicating and collaborating with your team members, and documenting and reporting on your remediation activities and outcomes.
Microsoft 365 Defender is a powerful suite of tools that can help you protect your organization from various cyber threats, such as phishing, malware, ransomware, and identity compromise. But what if you encounter a security issue that requires your intervention? How can you use Microsoft 365 Defender to remediate the problem and prevent it from happening again?
In this blog post, we will show you how to use Microsoft 365 Defender to create and manage remediation actions for security issues. We will also share some tips and best practices for using this feature effectively.
Table of Contents
- What are remediation actions in Microsoft 365 Defender?
- How to create a remediation action in Microsoft 365 Defender?
- How to manage a remediation action in Microsoft 365 Defender?
- Tips and best practices for using remediation actions in Microsoft 365 Defender
- Frequently Asked Questions (FAQ)
  - Question: How do I access Microsoft 365 Defender?
  - Question: How do I enable or disable recommendations in Microsoft 365 Defender?
  - Question: How do I get notified of new or updated remediation actions in Microsoft 365 Defender?
- Conclusion
What are remediation actions in Microsoft 365 Defender?
Remediation actions are tasks that you can create and assign to yourself or other security professionals in your organization to resolve security issues detected by Microsoft 365 Defender. For example, you can create a remediation action to update vulnerable software, uninstall a malicious application, reset a compromised password, or isolate an infected device.
Remediation actions can help you:
- Streamline your incident response process by automating the creation and assignment of tasks based on security alerts.
- Track the progress and status of your remediation efforts across different security domains (endpoint, identity, email, cloud apps).
- Improve your security posture by reducing the time and effort required to address security issues.
How to create a remediation action in Microsoft 365 Defender?
There are two ways to create a remediation action in Microsoft 365 Defender:
- From the Recommendations page: This page shows you a list of recommended actions based on the vulnerabilities and misconfigurations identified by Microsoft 365 Defender across your environment. You can filter the recommendations by severity, category, domain, or device group. To create a remediation action from a recommendation, select the recommendation and click Request remediation. You can then specify the details of the task, such as the name, description, due date, priority, and assignee.
- From the Remediation page: This page shows you a list of all the remediation actions that have been created in your organization. You can filter the actions by status, priority, domain, or assignee. To create a remediation action from this page, click New action. You can then enter the details of the task, such as the name, description, due date, priority, assignee, and affected devices or users.
How to manage a remediation action in Microsoft 365 Defender?
Once you have created a remediation action, you can manage it from the Remediation page. You can perform various actions on a remediation task, such as:
- Edit: You can edit the details of the task, such as the name, description, due date, priority, assignee, or affected devices or users.
- Delete: You can delete the task if it is no longer relevant or needed.
- Mark as done: You can mark the task as done if you have completed it successfully.
- Reopen: You can reopen the task if it was marked as done by mistake or if the issue persists.
- Add comment: You can add a comment to the task to provide additional information or feedback.
You can also view the history of the task, such as when it was created, edited, deleted, marked as done, reopened, or commented on.
Tips and best practices for using remediation actions in Microsoft 365 Defender
Here are some tips and best practices for using remediation actions in Microsoft 365 Defender:
- Review the recommendations regularly and prioritize the ones with high severity or impact.
- Assign clear and descriptive names and descriptions to your remediation actions.
- Set realistic and reasonable due dates and priorities for your remediation actions.
- Assign the tasks to the appropriate security professionals based on their roles and responsibilities.
- Communicate and collaborate with your team members on the remediation actions using comments or other tools.
- Monitor and update the status of your remediation actions as you work on them.
- Document and report on your remediation activities and outcomes.
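The monitoring and reporting tips above, as an added example that is not part of the original post: a short Python script that reads a CSV of remediation actions, lists the open or reopened ones past their due date (highest priority and longest overdue first), and flags open ones with no due date. The CSV layout, column names, status values and sample rows are constructed for illustration and are not the portal's actual export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names and values are hypothetical,
# not the portal's actual export schema.
SAMPLE_CSV = """name,status,priority,due_date,assignee
Update vulnerable browser on finance laptops,Open,High,2024-03-01,alice@example.com
Reset password for flagged account,Done,High,2024-02-20,bob@example.com
Uninstall unapproved remote-access tool,Open,Medium,2024-03-10,bob@example.com
Isolate device pending reimage,Open,High,2024-02-25,alice@example.com
Review mail forwarding rules,Reopened,Low,2024-04-01,carol@example.com
Patch VPN client,Open,Medium,,bob@example.com
"""

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
CLOSED = {"done"}  # a reopened task counts as open again


def load_tasks(csv_text):
    """Parse the export; a blank due date becomes None instead of raising."""
    tasks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw_due = row["due_date"].strip()
        row["due_date"] = date.fromisoformat(raw_due) if raw_due else None
        tasks.append(row)
    return tasks


def overdue(tasks, today):
    """Open tasks past due, highest priority first, then longest overdue."""
    late = [
        dict(t, days_overdue=(today - t["due_date"]).days)
        for t in tasks
        if t["status"].lower() not in CLOSED and t["due_date"] and t["due_date"] < today
    ]
    return sorted(late, key=lambda t: (PRIORITY_RANK.get(t["priority"], 99), -t["days_overdue"]))


def missing_due_date(tasks):
    """Names of open tasks that cannot be tracked because no due date was set."""
    return [t["name"] for t in tasks if t["status"].lower() not in CLOSED and t["due_date"] is None]


if __name__ == "__main__":
    tasks = load_tasks(SAMPLE_CSV)
    for t in overdue(tasks, date(2024, 3, 15)):
        print(f'{t["priority"]:<6} {t["days_overdue"]:>3}d  {t["assignee"]:<20} {t["name"]}')
    print("No due date:", missing_due_date(tasks))
```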
Frequently Asked Questions (FAQ)
Here are some frequently asked questions about remediation actions in Microsoft 365 Defender:
Question: How do I access Microsoft 365 Defender?
Answer: To access Microsoft 365 Defender, you need to have one of the following licenses:
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 A5
- Microsoft 365 A5 Security
You also need to have one of the following roles:
- Global administrator
- Security administrator
- Security operator
- Security reader
Question: How do I enable or disable recommendations in Microsoft 365 Defender?
Answer: To enable or disable recommendations in Microsoft 365 Defender, go to https://security.microsoft.com > Settings > Recommendations settings. You can then select or deselect the recommendations that you want to enable or disable.
Question: How do I get notified of new or updated remediation actions in Microsoft 365 Defender?
Answer: To get notified of new or updated remediation actions in Microsoft 365 Defender, you can use the following methods:
- Email notifications: You can enable email notifications for remediation actions from https://security.microsoft.com > Settings > Email notifications. You can then select the types of notifications that you want to receive, such as when a remediation action is created, assigned, updated, or completed.
- Microsoft Teams notifications: You can enable Microsoft Teams notifications for remediation actions from https://security.microsoft.com > Settings > Microsoft Teams notifications. You can then select the channel where you want to receive the notifications and the types of notifications that you want to receive, such as when a remediation action is created, assigned, updated, or completed.
Conclusion
Remediation actions are a useful feature of Microsoft 365 Defender that can help you resolve security issues in your organization. By creating and managing remediation actions, you can improve your incident response process, track your remediation progress, and enhance your security posture. We hope this blog post has helped you understand how to use remediation actions in Microsoft 365 Defender and provided you with some tips and best practices for using this feature effectively.
Disclaimer: This blog post is not an official guide or endorsement from Microsoft. Please refer to the official documentation and support channels for more information and assistance on Microsoft 365 Defender.