| title | FAQs related to Microsoft Defender Experts for XDR Managed response | ||
|---|---|---|---|
| ms.reviewer | |||
| description | Frequently asked questions related to managed response notifications | ||
| ms.service | defender-experts-for-xdr | ||
| ms.author | pauloliveria | ||
| author | poliveria | ||
| ms.localizationpriority | medium | ||
| manager | orspodek | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.topic | faq | ||
| ms.custom |
|
||
| search.appverid | met150 | ||
| ms.date | 01/29/2026 |
Applies to:
The following section lists down questions you or your SOC team might have regarding Managed response.
| Questions | Answers |
|---|---|
| What is Managed response? | Microsoft Defender Experts for XDR offers Managed response where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf. |
| What actions are in scope for Managed response? | All actions found below are in scope for Managed response for any device and user that isn't excluded. For devices
For users
|
| Can I customize the extent of Managed response? | You can configure the extent to which our experts do Managed response actions on your behalf by excluding certain devices and users (individually or by groups) either during onboarding or later by modifying your service's settings. Read more about excluding device groups |
| What support do Defender Experts offer for excluded assets? | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |
| How am I going to be informed about the response actions? | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the Managed response panel in your Defender portal's Incidents page. In addition, you'll also receive an email containing a link to the incident and instructions to view the Managed response in the portal. Moreover, if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for Defender Experts statuses. For more information, see FAQs related to Microsoft Defender Experts for XDR incident notifications. |
| Can I customize Managed response based on actions? | No. If you have devices or users that are considered high-value or sensitive, you can add them to your exclusion list. Our experts will NOT take any action on them and will only provide guidance if they're impacted by an incident. |
- Managed detection and response
- FAQs related to Microsoft Defender Experts for XDR incident notifications
[!INCLUDE Microsoft Defender XDR rebranding]