defender-xdr/faq-managed-response.md
Lines changed: 2 additions & 2 deletions
@@ -14,7 +14,7 @@ ms.collection:
14
14
- tier1
15
15
ms.topic: conceptual
16
16
search.appverid: met150
17
-
ms.date: 07/31/2024
17
+
ms.date: 08/01/2024
18
18
---
19
19
20
20
# Understanding Managed response
@@ -29,7 +29,7 @@ The following section lists down questions you or your SOC team might have regar
29
29
|---------|---------|
30
30
|**What is Managed response?**| Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|
31
31
|**What actions are in scope for Managed response?**| All actions found below are in scope for Managed response for any device and user that isn't excluded.<br><br>*For devices**(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Stop and quarantine file<br><li>Restrict app execution<br><li>Remove app restriction<br><li>Disable user<br><li>Enable user</ul><br>*For users (Coming soon)*<ul><li>Revoke refresh token<br><li>Soft delete emails</ul> |
32
-
|**Can I customize the extent of Managed response?**| You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](get-started-xdr.md#exclude-devices-from-remediation)|
32
+
|**Can I customize the extent of Managed response?**| You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. [Read more about excluding device groups](get-started-xdr.md#exclude-devices-and-users-from-remediation)|
33
33
|**What support do Defender Experts offer for excluded assets?**| If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
34
34
|**How am I going to be informed about the response actions?**| Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Defender portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](faq-incident-notifications-xdr.md).|
35
35
|**Can I customize Managed response based on actions?**| No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident.|
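Review bot: the updated anchor `#exclude-devices-and-users-from-remediation` matches the renamed heading in get-started-xdr.md, but the link text on the changed row still reads "Read more about excluding device groups" even though the target section now covers user groups too; consider "Read more about excluding device and user groups" so the link agrees with the same row's mention of excluding "certain devices and users".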
defender-xdr/get-started-xdr.md
Lines changed: 10 additions & 7 deletions
@@ -15,7 +15,7 @@ ms.collection:
15
15
- essentials-get-started
16
16
ms.topic: conceptual
17
17
search.appverid: met150
18
-
ms.date: 06/28/2024
18
+
ms.date: 08/01/2024
19
19
---
20
20
21
21
# Get started with Microsoft Defender Experts for XDR
@@ -57,15 +57,15 @@ You also need to grant our experts one or both of the following permissions:
57
57
58
58
1. In the same Defender Experts settings setup, under **Permissions**, choose the access level(s) you want to grant our experts.
59
59
60
-
1. If you wish to [exclude device and user groups](#exclude-devices-from-remediation) in your organization from remediation actions, select **Manage exclusions**.
60
+
1. If you wish to [exclude device and user groups](#exclude-devices-and-users-from-remediation) in your organization from remediation actions, select **Manage exclusions**.
61
61
62
62
1. Select **Next** to [add contact persons or groups](#tell-us-who-to-contact-for-important-matters).
63
63
64
64
To edit or update permissions after the initial setup, go to **Settings** > **Defender Experts** > **Permissions**.
65
65
66
-
## Exclude devices from remediation
66
+
## Exclude devices and users from remediation
67
67
68
-
Defender Experts for XDR lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities. These exclusions are based on identified [device groups](/defender-endpoint/machine-groups) in Microsoft Defender for Endpoint<!--and identified [user groups](/entra/fundamentals/concept-learn-about-groups) in Microsoft Entra ID-->.
68
+
Defender Experts for XDR lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities. These exclusions are based on identified [device groups](/defender-endpoint/machine-groups) in Microsoft Defender for Endpointand identified [user groups](/entra/fundamentals/concept-learn-about-groups) in Microsoft Entra ID.
69
69
70
70
**To exclude device groups:**
71
71
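Review bot: the uncommented sentence on the added line is missing a space where the `<!--` marker used to be: "Microsoft Defender for Endpointand identified [user groups]" should read "Microsoft Defender for Endpoint and identified [user groups]". Removing an inline comment opener tends to leave exactly this kind of joined word, so it is worth scanning the other uncommented spots in this file for the same artifact.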
@@ -83,7 +83,7 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
83
83
84
84
:::image type="content" source="/defender/media/xdr/exclude-device-groups.png" alt-text="Screenshot of option to exclude device groups." lightbox="/defender/media/xdr/exclude-device-groups.png":::
85
85
86
-
<!--**To exclude user groups:**
86
+
**To exclude user groups:**
87
87
88
88
1. In the same Defender Experts settings setup, under **Exclusions**, go to the **User groups** tab.
89
89
2. Select **+ Add user groups**, then search for and choose the user group(s) that you wish to exclude.
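Review bot: the `<!--` dropped on the removed line is matched by the `-->` removed in the next hunk, so the comment block is consistently removed within this commit; as a style point, the steps under the newly visible "**To exclude user groups:**" heading are numbered 1., 2., 4., 5. while the permissions steps earlier in this file use `1.` for every item, so pick one numbering convention for the two procedures.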
@@ -94,10 +94,13 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
94
94
4. Back on the **User groups** tab, review the list of excluded user groups. If you wish to remove a user group from the exclusion list, choose it then select **Remove user group**.
95
95
5. Select **Next** to confirm your exclusion list and proceed to [adding contact persons or groups](#tell-us-who-to-contact-for-important-matters). Otherwise, select **Skip**, and all your added exclusions are discarded.
96
96
97
-
:::image type="content" source="/defender/media/xdr/exclude-user-groups.png" alt-text="Screenshot of option to exclude user groups in Defender Experts for XDR service." lightbox="/defender/media/xdr/exclude-user-groups.png":::
97
+
:::image type="content" source="media/exclude-user-groups.png" alt-text="Screenshot to exclude user groups in Defender Experts for XDR." lightbox="media/exclude-user-groups.png":::
98
+
99
+
> [!NOTE]
100
+
> You can only exclude users by adding them to an Microsoft Entra ID security group. On-prem Entra ID users cannot be excluded at this time.
98
101
99
102
To edit or update exclusions after the initial setup, go to **Settings** > **Defender Experts** > **Exclusions**, then go to the **Device groups** or **User groups** tab.
100
-
-->
103
+
101
104
<!--
102
105
### Exclude all high-value devices or users automatically
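Review bot: the added image line changes the source from `/defender/media/xdr/exclude-user-groups.png` to the relative `media/exclude-user-groups.png`, while the device-groups screenshot in the previous hunk keeps `/defender/media/xdr/exclude-device-groups.png`; unless the new screenshot really lives under defender-xdr/media/, this renders as a broken image, so verify the file location and keep the two paths consistent. The shortened alt text "Screenshot to exclude user groups in Defender Experts for XDR." also reads awkwardly compared with the device-groups alt text; "Screenshot of the option to exclude user groups in Defender Experts for XDR." would match. In the new note, "an Microsoft Entra ID security group" should be "a Microsoft Entra ID security group", and "On-prem" is better spelled out as "on-premises".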
defender-xdr/whats-new.md
Lines changed: 1 addition & 1 deletion
@@ -138,7 +138,7 @@ You can also get product updates and important notifications through the [messag
138
138
139
139
-**Microsoft Defender XDR Unified role-based access control (RBAC)** is now generally available. Unified (RBAC) allows administrators to manage user permissions across different security solutions from a single, centralized location. This offering is also available to GCC Moderate customers. To learn more, see [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md).
140
140
141
-
- Microsoft Defender Experts for XDR now lets you [exclude devices](get-started-xdr.md#exclude-devices-from-remediation) from remediation actions taken by our experts and instead get remediation guidance for those entities.
141
+
- Microsoft Defender Experts for XDR now lets you [exclude devices](get-started-xdr.md#exclude-devices-and-users-from-remediation) from remediation actions taken by our experts and instead get remediation guidance for those entities.
142
142
143
143
- The Microsoft Defender portal's incident queue has updated filters, search, and added a new function where you can create your own filter sets. For details, see [Available filters](incident-queue.md#available-filters).
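Review bot: the anchor change keeps this what's-new entry from pointing at a heading that no longer exists, which is the right fix for a historical entry, but the link text "exclude devices" now lands on a section titled "Exclude devices and users from remediation"; if user-group exclusion is meant to be announced, add a separate dated entry rather than widening this one, and otherwise leave the wording as the record of the earlier release.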