Auto Investigation and Remediation in Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a comprehensive endpoint security solution that provides preventative protection, post-breach detection, automated investigation, and response. The cloud-delivered endpoint security solution includes advanced capabilities, such as the ability to identify vulnerabilities and misconfigurations in real-time, powerful threat monitoring and analysis tools and support, next-generation protection against polymorphic and metamorphic malware, behavioral analytics, and machine learning for protection against zero-day exploits, and attack surface reduction for delivering holistic and unified security management. In this article, we will elaborate on Auto Investigation and Remediation in Microsoft Defender for Endpoint.
How Does Auto Investigation and Remediation Work in Microsoft Defender for Endpoint?
Security operations teams often find it challenging when they start receiving several alerts triggered by malicious or suspicious artifacts. The automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can help security operations teams address threats more efficiently and effectively. Microsoft Defender for Endpoint triggers an automated investigation on the machine where suspicious activity is detected. This investigation begins with the analysis of malicious entities that triggered the investigation and continues with the collection and examination of other items associated with it. Files, processes, services, register keys, and other areas that could contain threat-related evidence are inspected during the process of investigation. The scan generates a list of entities related to the alert, along with a verdict (malicious, suspicious, or clean).
Consequently, Microsoft Defender for Endpoint will create a remediation action, that when approved, will remove or contain malicious entities found during the investigation. All the actions are defined, managed, and executed by Microsoft Defender for Endpoint without the need for security operations teams to connect remotely with affected devices.
How Does Automation by Default Empower Defender?
When AIR capabilities were introduced in Microsoft Endpoint for Defender, the default automation level had been set to semi – require approval for any remediation. With this setting, the remediation action has to be manually approved, and there is an increased risk of spread of the malware to other devices and cause greater damage.
Starting February 16, 2021, tenants opting for the public previews for Microsoft Defender for Endpoint would find that the level is set to full-remediate threats automatically by default. This is because Microsoft noticed that organizations with fully automated tenants managed to contain and remediate threats more successfully than those with the default ‘semi’ level. Not only has full automation proven to remove 40% more high-confidence malware samples than lower automation levels, but also frees up security resources that can be redeployed to other initiatives.
Apps4Rent Can Help with Microsoft Defender for Endpoint
As an enterprise endpoint security platform that works with various other Microsoft security solutions to form a unified pre- and post-breach enterprise defense suit for protecting endpoints, email, identity, and applications against sophisticated attacks, Microsoft Defender for Endpoint is available for enterprises with volume licensing.
Being a Tier 1 Microsoft CSP, Apps4Rent is a trusted partner for licensing and implementing cutting-edge security solutions such as Microsoft Defender for Endpoint, which is available in Microsoft 365 E5 and other plans. Contact our Microsoft-certified cloud experts available 24/7 via phone, chat, and email for assistance.
