This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your Microsoft Defender for Endpoint device so that you can enable the Delete Malicious Files auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies a malicious file that must be deleted due to malware or suspicious hash, Workbench completes the action automatically unless the machine is offline or the file is specifically designated as a "Never Delete" asset (these files must be added as context and then configured in Workbench; see Step 3).
Scope and Limitations
When choosing to enable this auto remediation, remember the following:
- If your machine is offline at the time the auto remediation is triggered, the action will be assigned to you to perform manually instead.
- Due to limitations with the Microsoft Defender for Endpoint API, there is no ability to undo a delete file action performed via the auto remediation.
Prerequisites
- You must have admin access in Azure to add the API permissions to the enterprise application.
- You must have admin access in Microsoft Defender to enable live response.
- You must be using one of these supported operating systems.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Grant Necessary Permissions in Azure
- Grant Necessary Permissions in Microsoft Defender
- Update Your Context
- Return to the Main Setup Guide
Step 1: Grant Necessary Permissions in Azure
The remediation actions the Expel SOC creates in Workbench will run in your vendor technology, so granting us certain permissions is required.
- Log in to Azure.
- Search for and select App Registrations.
- On the App registrations page, select the All applications tab.
- Locate and select the Microsoft Defender for Endpoint application that you configured during your initial onboarding.
- In the left menu, select Manage > API Permissions.
- Select Add a permission.
- Search for "WindowsDefenderATP".
- Select the following two Application permissions for WindowsDefenderATP:
- Machine.LiveResponse
- Library.Manage
- Select Update permissions.
- Check the Status column for your new permissions, and make sure to grant admin consent if you see a "Not granted" message.
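The portal steps above add the two application permissions to the app registration and then require admin consent for them. Consent for an application permission is recorded in Entra ID as an app role assignment on the application's service principal, so it can be verified (or granted) from PowerShell instead of eyeballing the Status column. The script below is an added example, not part of this guide or Expel's tooling; it assumes the Microsoft Graph PowerShell SDK is installed, that the WindowsDefenderATP service principal is present in the tenant under that display name, and that the account running it can read applications (and, with -Grant, create app role assignments).

```powershell
# Added example (not Expel's code): verify, and optionally grant, admin consent for the
# two WindowsDefenderATP application permissions on the Expel app registration.
# Requires the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
param(
    [Parameter(Mandatory)] [string] $ClientAppId,   # Application (client) ID of the app registration from onboarding
    [switch] $Grant                                  # Create missing assignments instead of only reporting them
)

# Application.Read.All is enough to report; AppRoleAssignment.ReadWrite.All is needed to grant.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Resource side: the WindowsDefenderATP service principal that exposes the app roles.
$resource = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'" -Top 1
if (-not $resource) { throw 'WindowsDefenderATP service principal not found in this tenant.' }

# Client side: the service principal of the app registration Expel authenticates as.
$client = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
if (-not $client) { throw "No service principal for appId $ClientAppId; check the Application (client) ID." }

$required = 'Machine.LiveResponse', 'Library.Manage'

# Existing admin consent = appRoleAssignments from the client principal to the resource principal.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id |
    Where-Object { $_.ResourceId -eq $resource.Id }

foreach ($name in $required) {
    # Match the role by its Value (the string shown in the portal) and make sure it is an Application role.
    $role = $resource.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Warning "WindowsDefenderATP does not expose an application role named $name"; continue }

    if ($existing.AppRoleId -contains $role.Id) {
        Write-Host "OK       $name (admin consent granted)"
    }
    elseif ($Grant) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id `
            -PrincipalId $client.Id -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
        Write-Host "GRANTED  $name"
    }
    else {
        Write-Host "MISSING  $name (the portal shows 'Not granted'; rerun with -Grant or consent in the portal)"
    }
}
```

Run it as `.\Check-DefenderConsent.ps1 -ClientAppId <your app's client ID>` first to see which of the two roles lack consent, then with `-Grant` (or the portal's Grant admin consent button) to fix them. Granting through Graph creates the assignment but does not edit the app registration's own API permissions list, so still add the permissions in the portal as described above so the requirement is documented on the registration.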
Step 2: Grant Necessary Permissions in Microsoft Defender
These settings allow us to run a small script on the machine, uploaded to the live response library, that deletes the file identified by its path. The script is in PowerShell for Windows and Bash for Linux and macOS.
- Log in to the Microsoft Defender portal.
- Go to Settings > Endpoints > Advanced Features.
- Turn on the following three settings:
- Live Response
- Live Response for Servers
- Live Response unsigned script execution
- Select Save preferences.
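To make concrete what "a small script that deletes the file" has to do, and why the no-undo limitation matters, here is an illustrative Windows script of that kind. It is an added example, not Expel's script: it assumes the caller passes the file path and the SHA-256 hash the SOC flagged, and it refuses to delete anything whose hash no longer matches, because a path can be reused by a benign file between triage and remediation and a live response delete cannot be reversed.

```powershell
# Added example (not Expel's script): delete a flagged file only after confirming its hash.
# Intended to be uploaded to the live response library and run with "run <name>.ps1 -parameters ...".
param(
    [Parameter(Mandatory)] [string] $Path,            # full path of the file the SOC flagged
    [Parameter(Mandatory)] [string] $ExpectedSha256   # hash from the alert; guards against path reuse
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Output "SKIP: $Path not found"
    exit 2
}

# Compare hashes case-insensitively; refuse to delete if the file on disk is not the one that was triaged.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Output "MISMATCH: $Path has SHA256 $actual, expected $ExpectedSha256; nothing deleted"
    exit 3
}

# A running process mapped from this file would make the delete fail with a sharing violation,
# so stop any process whose main module is this exact path first.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $Path } |
    Stop-Process -Force -ErrorAction SilentlyContinue

Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
if (Test-Path -LiteralPath $Path) {
    Write-Output "FAILED: $Path still present"
    exit 1
}

Write-Output "DELETED: $Path (SHA256 $actual)"
exit 0
```

The non-zero exit codes distinguish "file already gone", "wrong file at that path", and "delete failed" so the caller can report each case differently rather than treating every failure as a retry. Running it from the library is exactly what the Library.Manage permission in Step 1 and the unsigned script execution setting above make possible.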
Step 3: Update Your Context
If you do not want to specify any files for a "do not delete" list, skip to Step 4.
Working with your Customer Success Manager, add any files that should be on the "do not delete" list as context for your environment. You will then be able to select those files as "Never delete" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies a file that must be deleted, any file added as a "Never delete" asset is assigned to you as an action rather than being deleted automatically.
Step 4: Return to the Main Setup Guide
Your Microsoft Defender for Endpoint device is now ready for the Delete Malicious Files auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.