MC1184997 – Microsoft Defender for O365: New email actions available in Advanced Hunting (archived)

check before: 2025-11-10

Product:

Defender, Defender XDR, Microsoft 365 Defender

Platform:

Online, World tenant

Change type:

Feature update, User impact, Admin impact

Summary:
Microsoft Defender for O365 now allows triggering new remediation actions (Submit to Microsoft, add to allow/block list, and initiate automated investigation) directly from the Advanced Hunting interface. This feature, rolling out since November 10, 2025, is enabled by default and improves threat response without requiring policy changes.

Details:
[Introduction:]
This update introduces new remediation actions in Microsoft Defender for O365 that can be triggered directly from the Advanced Hunting interface. These actions, previously only available in Threat Explorer, include "Submit to Microsoft" and "Initiate automated investigation." This enhancement enables security teams to respond to threats more efficiently and programmatically using custom queries, aligning with customer feedback to streamline incident response workflows.
[When this will happen:]
General Availability (Worldwide): We began rolling out this feature on November 10, 2025.

Created:
2025-11-12

updated:
2025-11-12

Direct effects for Operations**

New Remediation Actions in Advanced Hunting
The introduction of new remediation actions may lead to confusion among users if they are not adequately trained or informed about the changes, potentially resulting in improper use of the new features.
   - roles: Admins, Security Analysts
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-take-action

Increased Complexity in Incident Response
The availability of new actions without proper preparation may complicate existing incident response workflows, leading to delays in threat mitigation and increased risk of security incidents.
   - roles: Admins, Security Analysts
   - references: https://learn.microsoft.com/defender-xdr/advanced-hunting-take-action

explanation for non-techies**

Microsoft Defender for O365 has introduced new features that allow security teams to take action on potential threats directly from the Advanced Hunting interface. Think of Advanced Hunting as a detective's toolkit, where security analysts can investigate suspicious activities. Previously, certain actions could only be performed from a different tool called Threat Explorer. Now, with this update, it's like giving detectives the ability to not only find clues but also act on them immediately without switching tools.

The new actions include "Submit to Microsoft," which is akin to sending a sample to a lab for further analysis. If you find something suspicious, you can send it to Microsoft for a deeper investigation. Another action is adding entries to the allow/block list, similar to deciding who gets past security at a building. You can now directly update this list based on your findings. Lastly, initiating an automated investigation is like setting a robot detective to follow up on leads, allowing for a quicker response to potential threats.

These features are automatically available, meaning you don't need to adjust any settings to use them. It's like getting a software update on your phone that installs overnight; you wake up to new features ready to use. Importantly, these changes don't affect existing security policies, so you don't have to worry about rewriting any rules.

For those managing security teams, it's important to inform your team about these new capabilities. Consider reviewing your current processes and updating any relevant training materials. If you want to control who can use these new features, you can manage permissions using role-based access control, much like deciding who has keys to different rooms in an office.

Overall, these updates are designed to make threat response more efficient and integrated, allowing security teams to act swiftly and effectively.

** AI generated content. This information must be reviewed before use.
