Announcing Auto-Remediation in Microsoft Defender XDR’s Automated Investigation and Response (AIR)

Microsoft Defender XDR’s Automated Investigation and Response (AIR) now supports auto-remediation, so the actions an investigation proposes for a malicious cluster can run without a SecOps analyst first approving each pending action in the Action center. This shortens the time from verdict to containment and reduces the approval queue for security teams; it also means a wrong cluster verdict is acted on before a human looks at it, which is why the rollout guidance further down this page matters.

Key Features:

  • Malicious File Clusters: Automatically remediate files identified as malicious across the organization
  • Malicious URL Clusters: Automatically block and remediate malicious URLs detected in messages
  • Configurable Automation: Admins can enable/disable auto-remediation per threat type

Official Documentation: https://lnkd.in/dBwisRAX

You Should Know:

PowerShell Commands for MDO Configuration:

Connect-IPPSSession is a real ExchangeOnlineManagement cmdlet, but it opens a Security & Compliance PowerShell session, not a session to the Defender portal. The Get-AutomationSetting and Set-AutomationSetting calls below are not documented cmdlets in that module; treat them as placeholders for a setting that is switched on in the Microsoft Defender portal, and treat the parameter names as assumptions rather than something to paste into a tenant.

# Connect to Security & Compliance PowerShell (real cmdlet; supply an admin UPN)
Connect-IPPSSession -UserPrincipalName <admin-upn>

# Get current automation settings (placeholder cmdlet)
Get-AutomationSetting

# Enable auto-remediation for malicious file clusters (placeholder cmdlet)
Set-AutomationSetting -EnableFileClusterRemediation $true

# Enable auto-remediation for malicious URL clusters (placeholder cmdlet)
Set-AutomationSetting -EnableUrlClusterRemediation $true

Linux/macOS Investigation Commands:

# Look up a file hash on VirusTotal (replace HASH with the SHA-256 and set your API key)
curl -s "https://www.virustotal.com/api/v3/files/HASH" \
  -H "x-apikey: YOUR_VIRUSTOTAL_API_KEY"

# Registration details for a suspicious domain
whois malicious-domain.com

# DNS records for a suspicious domain. Ask for specific record types: many
# authoritative servers and resolvers refuse or minimise ANY queries (RFC 8482),
# so "dig ... ANY" often returns nothing useful.
for t in A AAAA MX NS TXT; do dig +noall +answer malicious-domain.com "$t"; done

Windows Defender Investigation Commands (Defender Antivirus cmdlets, run from an elevated cmd prompt):

:: List Defender Antivirus detection history (add -ThreatID <ID> to narrow it to one detection)
powershell Get-MpThreatDetection

:: Force remediation of every active threat on this device. Remove-MpThreat takes no
:: -ThreatID or -Force parameter; it acts on all active threats, so review the list above first.
powershell Remove-MpThreat

KQL Queries for Threat Hunting (Advanced hunting in the Defender portal):

// Find every device that has seen a file from a malicious cluster.
// == is case-sensitive in KQL; =~ avoids a miss when the pasted hash is upper-case.
DeviceFileEvents
| where SHA256 =~ "<malicious-file-hash>"
| project Timestamp, DeviceName, FolderPath, FileName

// Find all emails containing a malicious URL. EmailUrlInfo only carries the URL,
// its domain and the NetworkMessageId; sender and recipient live in EmailEvents,
// so the two tables have to be joined on NetworkMessageId.
EmailUrlInfo
| where UrlDomain =~ "malicious-domain.com"
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Url

What Undercode Say:

Microsoft’s auto-remediation feature represents a significant leap in security automation. While powerful, organizations should implement these controls carefully:

  1. Testing Phase: Keep approval required at first and review what AIR would have done before letting it act on its own. The cmdlet below is a placeholder for that setting, not a documented one; the switch lives in the Defender portal:
    Set-AutomationSetting -AuditOnly $true

  2. Exception Handling: Maintain a reviewed exclusion list for critical systems so a cluster match on a business-critical binary is not quarantined unattended. Again a placeholder cmdlet; in practice this is a Defender exclusion or a lower automation level on the device group that holds those servers:
    New-AutomationException -EntityType File -EntityPath "C:\critical\app.exe"

  3. Monitoring: Forward Defender activity to your SIEM. On Linux hosts the Defender for Endpoint agent runs as the mdatp service, so its output is the agent's own logs, not Windows Defender logs:
    # Follow the mdatp service journal in real time
    journalctl -u mdatp -f

    # Grep the agent log for threat entries (path as given in the original post; confirm it on your agent version)
    grep "Threat" /var/log/mdatp/microsoft-defender.log

  4. Complementary Security: Enhance with network controls. Note that an INPUT rule only stops inbound connections from that address; a host beaconing out to it needs a matching OUTPUT rule or a perimeter block:
    # Block a known-bad IP at the host firewall (replace malicious-ip)
    iptables -A INPUT -s malicious-ip -j DROP

  5. Recovery Procedures: Always maintain backup and rollback capabilities:
    # Windows system restore point before major changes (on Windows 8 and later, Checkpoint-Computer creates at most one restore point per 24 hours by default)
    Checkpoint-Computer -Description "Pre-AutoRemediation" -RestorePointType MODIFY_SETTINGS

For optimal security, balance automation with human oversight. The feature shines for known threat patterns but should be complemented with advanced threat hunting for novel attacks.
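As an added example, not code from the original post or from Microsoft, the Python below models the two things the hunting queries and the guardrails above describe: clustering file events by SHA256 and email messages by normalised URL (EmailUrlInfo rows joined to EmailEvents on NetworkMessageId, since sender and recipient are not in EmailUrlInfo), and then turning each cluster into remediation actions that pass through an audit-only switch and a path exclusion list before anything would run unattended. Every row, hash, host and address is constructed, and the Action type, the cluster helpers and the action names are this example's own; column names follow the advanced-hunting schema, but nothing here talks to a tenant.

```python
"""Cluster-based auto-remediation with audit mode and exclusions (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample rows; column names follow the Defender XDR advanced-hunting schema.
DEVICE_FILE_EVENTS = [
    {"Timestamp": "2023-11-15T14:01:00Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Users\alice\Downloads", "FileName": "invoice.exe", "SHA256": "aa" * 32},
    {"Timestamp": "2023-11-15T14:03:00Z", "DeviceName": "ws02",
     "FolderPath": r"C:\Users\bob\AppData\Local\Temp", "FileName": "inv0ice.exe", "SHA256": "AA" * 32},
    {"Timestamp": "2023-11-15T14:05:00Z", "DeviceName": "srv01",
     "FolderPath": r"C:\critical", "FileName": "app.exe", "SHA256": "aa" * 32},
    {"Timestamp": "2023-11-15T14:06:00Z", "DeviceName": "ws03",
     "FolderPath": r"C:\Users\carol\Documents", "FileName": "notes.txt", "SHA256": "bb" * 32},
]
EMAIL_URL_INFO = [
    {"NetworkMessageId": "m1", "Url": "http://malicious-domain.com/login"},
    {"NetworkMessageId": "m2", "Url": "https://MALICIOUS-DOMAIN.com/login?sid=7"},
    {"NetworkMessageId": "m3", "Url": "https://example.org/"},
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "SenderFromAddress": "billing@malicious-domain.com",
     "RecipientEmailAddress": "alice@contoso.test"},
    {"NetworkMessageId": "m2", "SenderFromAddress": "billing@malicious-domain.com",
     "RecipientEmailAddress": "bob@contoso.test"},
    {"NetworkMessageId": "m3", "SenderFromAddress": "news@example.org",
     "RecipientEmailAddress": "carol@contoso.test"},
]


@dataclass(frozen=True)
class Action:
    kind: str     # "quarantine_file" or "soft_delete_message" (names chosen for this example)
    target: str   # device:path for files, NetworkMessageId for messages
    cluster: str  # the hash or URL key that grouped the target
    mode: str     # "remediate", "audit" or "skipped_exclusion"


def normalize_url(url: str) -> str:
    """Cluster key for URLs: scheme dropped, host lower-cased, query string ignored."""
    parts = urlsplit(url.strip())
    return f"{parts.hostname or ''}{parts.path or '/'}".lower()


def cluster_files(events, malicious_hashes):
    """Group file events by SHA256, case-insensitively (same idea as the DeviceFileEvents query)."""
    wanted = {h.lower() for h in malicious_hashes}
    clusters = defaultdict(list)
    for event in events:
        digest = event["SHA256"].lower()
        if digest in wanted:
            clusters[digest].append(event)
    return dict(clusters)


def cluster_urls(url_info, email_events, malicious_urls):
    """Join EmailUrlInfo to EmailEvents on NetworkMessageId and group the hits by URL key."""
    wanted = {normalize_url(u) for u in malicious_urls}
    by_message = {e["NetworkMessageId"]: e for e in email_events}
    clusters = defaultdict(list)
    for row in url_info:
        key = normalize_url(row["Url"])
        if key in wanted and row["NetworkMessageId"] in by_message:
            clusters[key].append(by_message[row["NetworkMessageId"]])
    return dict(clusters)


def is_excluded(path: str, exclusions) -> bool:
    """Case-insensitive glob match of a full Windows path against the exclusion list."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in exclusions)


def plan_remediation(file_clusters, url_clusters, *, audit_only: bool, exclusions=()):
    """Turn clusters into actions; audit mode records what would happen without acting."""
    mode = "audit" if audit_only else "remediate"
    actions = []
    for digest, events in file_clusters.items():
        for event in events:
            full_path = f'{event["FolderPath"]}\\{event["FileName"]}'
            file_mode = "skipped_exclusion" if is_excluded(full_path, exclusions) else mode
            actions.append(Action("quarantine_file", f'{event["DeviceName"]}:{full_path}', digest, file_mode))
    for key, messages in url_clusters.items():
        for message in messages:
            actions.append(Action("soft_delete_message", message["NetworkMessageId"], key, mode))
    return actions


def summarize(actions):
    """Count actions per mode, which is what a rollout report should show before enabling auto-remediation."""
    counts = defaultdict(int)
    for action in actions:
        counts[action.mode] += 1
    return dict(counts)


if __name__ == "__main__":
    files = cluster_files(DEVICE_FILE_EVENTS, ["aa" * 32])
    urls = cluster_urls(EMAIL_URL_INFO, EMAIL_EVENTS, ["http://malicious-domain.com/login"])
    for action in plan_remediation(files, urls, audit_only=True, exclusions=[r"C:\critical\*"]):
        print(action)
```

With the sample rows, the hash cluster contains three devices, one of which (srv01, under C:\critical) is held back by the exclusion pattern, and the URL cluster catches both messages even though the second uses a different case and carries a query string; in audit mode every remaining target is recorded rather than acted on.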

Expected Output (illustrative status summary; the placeholder cmdlets above do not produce this, it shows the fields a rollout report should track):

[Auto-Remediation Status]
File Cluster Protection: Enabled
URL Cluster Protection: Enabled
Last Remediation Action: 2023-11-15T14:22:01Z
Threats Mitigated: 47
Pending Approvals: 2

Reported By: Markolauren Mdo – Hackers Feeds