Skip to main content Link Menu Expand (external link) Document Search Copy Copied
TechWorkshop L300 Understanding XDR

Exercise 06: Automate Containment and Remediation Actions

Exercise Learning Objectives

  • Enable and tune Automated Investigation & Response (AIR) with appropriate remediation levels for devices and email.
  • Configure MDE policies/features to permit automated containment.
  • Configure MDO to auto-remediate.
  • Create, approve, and execute Live Response scripted actions; monitor results in Action center.
  • Validate end-to-end automation using safe test artifacts.

Licensing and Environment

  • An active Microsoft 365 tenant with security.microsoft.com access.

  • Licensing covering each workload:

    • Microsoft Defender XDR (via Microsoft 365 E5, Enterprise Mobility + Security E5).

    • Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Identity, Defender for Cloud Apps, Microsoft Entra ID P2 (for risk-based policies & Identity Protection)

  • At least 1–2 test users, mailboxes, and onboarded devices (Windows 10/11/Server) to produce real telemetry. Note: Lab uses seeded test activity data where required and at least one Azure Windows VM on boarded.

Roles & Permissions

  • Lab environment: Global Admin role for the lab

  • Real-world deployments: granular RBAC assignments are recommended:

    • Security Reader (read-only) or Security Analyst / Security Administrator for M365 Defender.

    • Global Reader or Service Support Admin to view M365 Service Health.

    • Microsoft Sentinel Reader/Contributor on the Sentinel workspace (via Azure RBAC).

    • Exchange Admin/ Security Admin (read) for Email & Collaboration policy visibility.

    • Defender for Identity permissions (to view identity health & entities).

    • Cloud App Security Admin/Reader (for Defender for Cloud Apps).

Estimated exercise time (minutes) for a student: 70 minutes

Table of contents