---
title: Take action on advanced hunting query results in Microsoft Defender XDR
description: Quickly address threats and affected assets in your advanced hunting query results
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
ms.custom:
ms.topic: how-to
ms.date: 07/18/2024
---
[!INCLUDE Microsoft Defender XDR rebranding]
**Applies to:**
- Microsoft Defender XDR
[!INCLUDE Prerelease information]
You can quickly contain threats or address compromised assets that you find in advanced hunting using powerful and comprehensive action options. With these options, you can:
- Take various actions on devices
- Quarantine files
To take action on devices through advanced hunting, you need a role in Microsoft Defender for Endpoint with permissions to submit remediation actions on devices.
> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

If you can't take action, contact a Global Administrator about getting the following permission:

*Active remediation actions > Threat and vulnerability management - Remediation handling*
To take action on emails through advanced hunting, you need a role in Microsoft Defender for Office 365 to search and purge emails.
You can take the following actions on devices identified by the `DeviceId` column in your query results:
- **Isolate affected devices** to contain an infection or prevent attacks from moving laterally
- **Collect investigation package** to obtain more forensic information
- **Run an antivirus scan** to find and remove threats using the latest security intelligence updates
- **Initiate an automated investigation** to check and remediate threats on the device and possibly other affected devices
- **Restrict app execution** to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables
To learn more about how these response actions are performed through Microsoft Defender for Endpoint, read about response actions on devices.
You can deploy the quarantine action on files so that they're automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine:
- `SHA1`: In most advanced hunting tables, this column refers to the SHA-1 of the file that's affected by the recorded action. For example, if a file was copied, this affected file would be the copied file.
- `InitiatingProcessSHA1`: In most advanced hunting tables, this column refers to the file responsible for initiating the recorded action. For example, if a child process was launched, this initiator file would be part of the parent process.
- `SHA256`: This column is the SHA-256 equivalent of the file identified by the `SHA1` column.
- `InitiatingProcessSHA256`: This column is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column.
To learn more about how quarantine actions are taken and how files can be restored, read about response actions on files.
> [!NOTE]
> To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
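As an added example (not from the original article), the following query keeps the identifier columns the Take actions wizard relies on, so that both the device actions (`DeviceId`) and the file quarantine action (`SHA1`, `SHA256`, `InitiatingProcessSHA1`, `InitiatingProcessSHA256`) are offered on the selected rows. The `DeviceFileEvents` table and the filter on newly created executables are assumptions; adjust the filter to your own hunt.

```kusto
// Added example, not from the original article. Keep DeviceId for device
// actions and the SHA1/SHA256/InitiatingProcess* columns for quarantine.
// The DeviceFileEvents table and the FileCreated/.exe filter are assumed;
// narrow or widen the filter to match your own hunting hypothesis.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
| where FolderPath has_any ("Downloads", "Temp")
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath,
    SHA1, SHA256,                                    // hashes of the created file
    InitiatingProcessFileName,
    InitiatingProcessSHA1, InitiatingProcessSHA256   // hashes of the process that wrote it
| order by Timestamp desc
```

Selecting rows from this result and choosing Take actions lets you isolate the device, collect an investigation package, and quarantine either the written file or its parent process image from the same wizard.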
To take any of the described actions, select one or more records in your query results and then select Take actions. A wizard guides you through the process of selecting and then submitting your preferred actions.
:::image type="content" source="media/take-action-multiple.png" alt-text="Screenshot of the take actions option in the Microsoft Defender portal." lightbox="media/take-action-multiple.png":::
Apart from device-focused remediation steps, you can also take some actions on emails from your query results. Select the records you want to take action on, select Take actions, then under Choose actions, select your choice from the following:
- **Move to mailbox folder**: select this action to move the email messages to the Junk, Inbox, or Deleted items folder. Note that you can move email results consisting of quarantined items (for instance, in the case of false positives) by selecting the Inbox option.

  :::image type="content" source="media/advanced-hunting-quarantine-results.png" alt-text="Screenshot of the Inbox option under take actions pane in the Microsoft Defender portal." lightbox="media/advanced-hunting-quarantine-results.png":::

- **Delete email**: select this action to move email messages to the Deleted items folder (Soft delete) or delete them permanently (Hard delete). Selecting Soft delete also automatically soft deletes the messages from the sender's Sent Items folder if the sender is in the organization.

  :::image type="content" source="media/soft-delete-sender-copy.png" alt-text="Screenshot of take actions option in the Microsoft Defender portal." lightbox="media/soft-delete-sender-copy.png":::

  Automatic soft-deletion of the sender's copy is available for results using the `EmailEvents` and `EmailPostDeliveryEvents` tables but not the `UrlClickEvents` table. Furthermore, the result should contain the `EmailDirection` and `SenderFromAddress` columns for this action option to show up in the Take actions wizard. Sender's copy clean-up applies to intra-organization emails and outbound emails, ensuring that only the sender's copy is soft-deleted for these email messages. Inbound messages are out of scope. See the following query as reference:

  ```kusto
  // Project the columns the wizard needs: EmailDirection and SenderFromAddress
  // make the sender's-copy clean-up option available for soft delete.
  EmailEvents
  | where ThreatTypes contains "spam"
  | project NetworkMessageId, RecipientEmailAddress, EmailDirection, SenderFromAddress, LatestDeliveryAction, LatestDeliveryLocation
  ```
You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard:
:::image type="content" source="media/choose-email-actions-entities.png" alt-text="take actions wizard showing choose actions for entities" lightbox="media/choose-email-actions-entities.png":::
These email actions are applicable to custom detections as well.
Each action is individually recorded in the action center under Action center > History (security.microsoft.com/action-center/history). Go to the action center to check the status of each action.
> [!NOTE]
> Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft Defender XDR to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.
- Advanced hunting overview
- Learn the query language
- Work with query results
- Understand the schema
- Action center overview