From af8acd4a7f6921baf4c1d9d72aeeae0ccf391267 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 14:56:33 -0700 Subject: [PATCH] Create automation-levels.md --- .../automation-levels.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/automation-levels.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md new file mode 100644 index 0000000000..698a67f5b8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -0,0 +1,44 @@ +--- +title: Automation levels in automated investigation and remediation +description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint +keywords: automated, investigation, level, defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 10/21/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR +--- + +# Automation levels in automated investigation and remediation capabilities + +Depending on how you set your organization's level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. The following table describes each level of automation and how it works. + +|Automation level | Description| +|:---|:---| +|**Full - remediate threats automatically**
(also referred to as *full automation*)| With full automation, remediation actions are performed automatically, and can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which is set to full automation.* | +|**Semi - require approval for any remediation**
(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

*If you do have a device group defined, you will have an additional device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | +|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` | +|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | + + +> [!IMPORTANT] +> - New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. +> - Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. +> - If your security team has defined device groups that include certain levels of automation, those settings are not changed by new default settings that are rolled out. However, we recommend using full automation wherever possible. +> - You can keep your default automation setting, or change it according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +
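Review bot: In the "Semi - require approval for non-temp folders remediation" row, the temporary-folder list has an inconsistent entry: `\program files\` lacks the trailing `*` wildcard that every other pattern in the list carries (compare `\program files (x86)\*`), so either the wildcard is missing or the entry should be reviewed before merge. Two smaller points in the same hunk: the "core folders" sentence reads "such as the **Windows** (`\windows\*`)" and is missing the word "directory" (or "folder") after **Windows**; and the product name alternates between "Microsoft Defender for Endpoint" (first row, IMPORTANT block) and "Microsoft Defender ATP" (second row), which should be made consistent. The bold/italic markers in the notes also look unbalanced: "***Full automation is recommended** ... yet.*" and "***This option is not recommended**, ... machine-groups)*" open with three asterisks but close the bold with two and the italic with one at the end of the paragraph, which renders correctly only if the outer italic is intended to span the whole sentence; consider writing it as "*__Full automation is recommended__ and ...*" or splitting the emphasis so the intent is unambiguous.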