We will soon update Microsoft Defender for Office (MDO) to enrich the logging of remediation actions initiated through automated investigation and response (AIR). When customers approve a pending action produced by AIR, the action logging associated with the remediated message will indicate that the action originated through AIR, giving customers additional clarity.
This message is associated with Microsoft 365 Roadmap ID 389376.
When this will happen:
General Availability (Worldwide, GCC): We will begin rolling out early February 2025 and expect to be complete by mid-February 2025.
How this will affect your organization:
After this rollout, in Threat Explorer, the Additional action field will display "Automated remediation: admin approved" when a message was remediated as a result of approving an AIR action. A new "Automated remediation" option in the Additional action filter will show only messages remediated as a result of an AIR action. In Advanced Hunting, ActionType will display "Automated remediation" and ActionTrigger will show "AdminApproved" for messages remediated as a result of an AIR action; customers can use these values in Advanced Hunting queries. The email entity will reflect the event type as AIR.
Your organization will notice updated logging in Threat Explorer, Advanced Hunting, and on the email entity for remediations that occur as a result of approving actions produced by AIR. Manual admin action remediation logging will not be affected or changed by this rollout.
This change will be available by default.
In Advanced Hunting, use ActionType "Automated remediation" and ActionTrigger "AdminApproved" to review remediation actions that originated from AIR.
In Threat Explorer, use the "Automated remediation" option in the Additional action filter to review remediation actions that originated from AIR.
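The following Advanced Hunting query is an added example, not part of the Message Center post, showing how the ActionType and ActionTrigger values described above can be used to pull admin-approved AIR remediations and join them to the original message details. It assumes the values are recorded in the EmailPostDeliveryEvents table (the table that logs post-delivery actions on email) and that the Action, ActionResult, NetworkMessageId and RecipientEmailAddress columns are present there; the 30-day window is a constructed choice.

```kql
// Added example (not from the Message Center post).
// Assumption: admin-approved AIR remediations land in EmailPostDeliveryEvents
// with ActionType == "Automated remediation" and ActionTrigger == "AdminApproved".
// The time window is a constructed value; adjust to your reporting period.
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
| where ActionType == "Automated remediation" and ActionTrigger == "AdminApproved"
// Join back to the delivery record to see who sent the message and what it was.
| join kind=inner (
    EmailEvents
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, ThreatTypes
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
          ThreatTypes, Action, ActionResult, ActionType, ActionTrigger
| order by Timestamp desc
```

Reporting that previously counted all remediations under a single ActionType should be checked against this split: manual admin remediations keep their existing logging, so a summary by ActionType and ActionTrigger (for example, `summarize count() by ActionType, ActionTrigger`) will show AIR-originated actions as a separate bucket once the rollout reaches your tenant.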
What you need to do to prepare:
Be prepared for the logging update and adjust any reporting based on these fields accordingly.
This rollout will happen automatically by the specified date with no admin action required before the rollout. Review any reporting that uses these fields to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.