Services
Summary
Microsoft Defender for O365 now allows triggering new remediation actions—Submit to Microsoft, add to allow/block list, and initiate automated investigation—directly from the Advanced Hunting interface. This feature, rolled out since November 10, 2025, is enabled by default and supports improved threat response without policy changes.
Details
This update introduces new remediation actions in Microsoft Defender for O365 that can be triggered directly from the Advanced Hunting interface. These actions—previously only available in Threat Explorer—include “Submit to Microsoft†and “Initiate automated investigation.†This enhancement enables security teams to respond to threats more efficiently and programmatically using custom queries, aligning with customer feedback to streamline incident response workflows.
When this will happen:General Availability (Worldwide): We began rolling out this feature on November 10, 2025.
How this affects your organization:Who is affected:
- Admins and Security Analysts using Microsoft Defender XDR and Advanced Hunting.
What will happen:
- New actions will be available directly from Advanced Hunting results:
- Submit to Microsoft
- Add entries to Tenant allow/block list
- Initiate automated investigation
- These actions are enabled automatically and available by default; they cannot be removed from the user interface.
- Existing admin policies are respected; no policy changes are required.
- Threat Explorer will continue to be available; both interfaces will coexist.
- Review and update existing hunting queries and playbooks to incorporate new actions.
- Communicate the change to SOC teams and relevant stakeholders.
- Provide training or documentation as needed.
- If you want to scope access to these actions, use role-based access control (RBAC) in Microsoft Defender XDR.
- Click path: Microsoft 365 Defender portal > Settings > Permissions > Roles
Compliance considerations:
No compliance considerations identified, review as appropriate for your organization.