
Exercise 09: Runbooks and native automations

Exercise learning objectives

  • Standardize actions for MDO purge, MDE isolation and Live Response, MDI user disablement, and MDA session control.
  • Configure AIR auto-remediation levels and approval flows.
  • Validate human-in-the-loop versus hands-off response scenarios.

Estimated time: 30 minutes


CISO Overview - Scenario and goals

A recent credential-phish slipped past first-layer defenses and reached a few users.

Your mandate today is to standardize native response actions in Defender XDR (no custom playbooks) so the SOC can purge malicious mail, contain compromised endpoints, revoke risky user sessions, and enforce safer SaaS access in minutes.

You’ll tune Automated Investigation & Response (AIR), validate human-in-the-loop approvals, and execute live runbooks that prove MTTR reduction without adding operational risk.

Success criteria: consistent, repeatable, and auditable actions across email, endpoints, identities, and cloud apps, all inside the Defender XDR portal.


Table of contents