You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can:
@@ -46,7 +44,7 @@ To take action on devices through advanced hunting, you need a role in Microsoft
46
44
47
45
If you can't take action, contact a Global Administrator about getting the following permission:
To take action on emails through advanced hunting, you need a role in Microsoft Defender for Office 365 to [search and purge emails](/defender-office-365/scc-permissions).
52
50
@@ -87,7 +85,7 @@ Apart from device-focused remediation steps, you can also take some actions on e
87
85
-`Move to mailbox folder` - select this action to move the email messages to Junk, Inbox, or Deleted items folder
88
86
89
87
Note that you can move email results consisting of quarantined items (for instance, in the case of false positives) by selecting the **Inbox** option.
90
-
88
+
91
89
:::image type="content" source="media/advanced-hunting-quarantine-results.png" alt-text="Screenshot of the Inbox option under take actions pane in the Microsoft Defender portal." lightbox="media/advanced-hunting-quarantine-results.png":::
92
90
93
91
-`Delete email` - select this action to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
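Review bot: The only changed line in this hunk (old line 90, new line 88) is empty on both the removed and the added side, so it reads as a whitespace-only edit between the quarantined-items note and the image directive. If it strips trailing whitespace or adjusts the indentation that keeps the note and image nested under the `Move to mailbox folder` item, say so in the commit message; otherwise consider leaving it out so the diff carries only the content change.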
@@ -106,6 +104,20 @@ Apart from device-focused remediation steps, you can also take some actions on e
-`Submit to Microsoft` - select this action to submit false positives or false negative emails to Microsoft. As part of the submission, you can also add URLs, senders, and their domains to the Tenant Allow/Block List to immediately resolve the issue while Microsoft evaluates the submission.
108
+
109
+
URL entries in the Tenant Allow/Block List are supported only if the query result has the `Url` column by joining with `EmailUrlInfo` table on `NetworkMessageId`.
110
+
111
+
**Submit to Microsoft** might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.
112
+
113
+
:::image type="content" source="media/advanced-hunting-take-actions-submit-to-microsoft.png" alt-text="Screenshot of Choose actions page of the Take actions wizard with Submit to Microsoft selected and the Selected entities to block details flyout." lightbox="media/advanced-hunting-take-actions-submit-to-microsoft.png":::
114
+
115
+
-`Initiate automated investigation` - select this action to trigger [Automated investigation](/defender-office-365/air-about) on email, sender, recipient or contact recipients.
116
+
117
+
**Initiate automated investigation** might be disabled if mandatory columns are missing. To resolve this issue, select **Show empty columns** before you select **Take actions**.
118
+
119
+
:::image type="content" source="media/advanced-hunting-take-actions-choose-actions.png" alt-text="Screenshot of the Choose actions page of the Take actions wizard with Initiate automated investigation selected." lightbox="media/advanced-hunting-take-actions-choose-actions.png":::
120
+
109
121
You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard:
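Review bot: The two added notes saying **Submit to Microsoft** and **Initiate automated investigation** "might be disabled if mandatory columns are missing" never name the mandatory columns, so a reader whose button is greyed out cannot tell what the query has to return; list the required columns for each action next to the **Show empty columns** workaround. The added text also gives no role or permission for these two actions, while the earlier part of the page states one for device actions and for search and purge. Since **Submit to Microsoft** can write senders, domains and URLs to the Tenant Allow/Block List, state which role is required for it. On wording, "has the `Url` column by joining with `EmailUrlInfo` table on `NetworkMessageId`" would read better as "includes the `Url` column, obtained by joining with the `EmailUrlInfo` table on `NetworkMessageId`", "false positives or false negative emails" should be made parallel, and "email, sender, recipient or contact recipients" needs clarifying since "contact recipients" is not explained.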