From cbea7eec6d7863d6968676168c3c46cd8fe084fb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 13:40:51 -0800 Subject: [PATCH 01/12] Update automated-investigations.md --- .../automated-investigations.md | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 42a409f78e..0f10f2a7b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 10/21/2020 +ms.date: 12/03/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -59,7 +59,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. |Tab |Description | -|--|--| +|:--|:--| |**Alerts**| The alert(s) that started the investigation.| |**Devices** |The device(s) where the threat was seen.| |**Evidence** |The entities that were found to be malicious during an investigation.| 
@@ -82,20 +82,35 @@ As alerts are triggered, and an automated investigation runs, a verdict is gener As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) -Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. + +> [!NOTE] +> Additional security settings, such as protection from potentially unwanted applications, can also affect whether remediation actions are taken automatically. See section, [PUA protection and automatic remediation](#pua-protection-and-automatic-remediation), for more details. All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) +## PUA protection and automatic remediation + +As mentioned earlier, the [level of automation](automation-levels.md) set for your organization affects whether remediation actions occur automatically or only upon approval. 
[Protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA protection), included in Microsoft Defender Antivirus, can also affect whether certain remediation actions are taken automatically. + +The following table shows the relationship between PUA protection and automation levels: + + +|PUA protection setting |Column2 |Column3 | +|---------|---------|---------| +|Row1 | | | +|Row2 | | | +|Row3 | | | + + ## Next steps - [Get an overview of the automated investigations dashboard](manage-auto-investigation.md) - - [Learn more about automation levels](automation-levels.md) - - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) ## See also +- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) From 8daacc79fef1b70e9c374e128732b6bfe7fa7550 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 15:38:49 -0800 Subject: [PATCH 02/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 0f10f2a7b9..7063b553d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
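Review bot: the table added under the new "## PUA protection and automatic remediation" heading (third hunk) is committed with placeholder content (`Column2`, `Column3`, `Row1`, `Row2`, `Row3`) while the sentence above it promises to show "the relationship between PUA protection and automation levels"; either fill the cells in this commit or hold the section back until the content exists, because the note added earlier in the same hunk already links readers to this anchor. In that note, "See section, [PUA protection and automatic remediation](...), for more details." misplaces the commas; "For more information, see [...]" is the usual phrasing in this doc set.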
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -96,7 +96,7 @@ As mentioned earlier, the [level of automation](automation-levels.md) set for yo The following table shows the relationship between PUA protection and automation levels: -|PUA protection setting |Column2 |Column3 | +|PUA protection setting |Microsoft Defender Antivirus |Automated investigation and remediation | |---------|---------|---------| |Row1 | | | |Row2 | | | From 1a92edcb02bcd30fe8d8439c3e00f9a3096df6a3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 15:47:42 -0800 Subject: [PATCH 03/12] Update automated-investigations.md --- .../automated-investigations.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 7063b553d3..e9d90eeff3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -32,7 +32,7 @@ ms.custom: AIR - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. Watch the following video to see how automated investigation and remediation works: 
@@ -48,7 +48,7 @@ Automated investigation uses various inspection algorithms and processes used by When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] ->Currently, automated investigation only supports the following OS versions: +>Currently, AIR only supports the following OS versions: >- Windows Server 2019 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later @@ -96,11 +96,15 @@ As mentioned earlier, the [level of automation](automation-levels.md) set for yo The following table shows the relationship between PUA protection and automation levels: -|PUA protection setting |Microsoft Defender Antivirus |Automated investigation and remediation | +|PUA protection setting
(Microsoft Defender Antivirus) |PUA protection enabled
(AIR) |PUA protection disabled
(AIR) | |---------|---------|---------| -|Row1 | | | -|Row2 | | | -|Row3 | | | +|Enabled |PUA remediated by Microsoft Defender Antivirus and/or AIR |PUA remediated by Microsoft Defender Antivirus | +|Audit mode |PUA remediated by AIR |PUA detected but not remediated | +|Disabled |PUA remediated by AIR |PUA not remediated | + +To configure PUA protection in AIR, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. Choose **Settings** > **Advanced features**, and then turn on **Always remediate PUA** (or **Allow or block file**). + +To configure PUA protection in Microsoft Defender Antivirus, see [Configure PUA protection in Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus#configure-pua-protection-in-microsoft-defender-antivirus). ## Next steps From e85f8f6b9f651cb8b1c1d70a325ce098e2b14918 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 15:51:40 -0800 Subject: [PATCH 04/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index e9d90eeff3..9c9e381e83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -99,7 +99,7 @@ The following table shows the relationship between PUA protection and automation |PUA protection setting
(Microsoft Defender Antivirus) |PUA protection enabled
(AIR) |PUA protection disabled
(AIR) | |---------|---------|---------| |Enabled |PUA remediated by Microsoft Defender Antivirus and/or AIR |PUA remediated by Microsoft Defender Antivirus | -|Audit mode |PUA remediated by AIR |PUA detected but not remediated | +|Audit mode |PUA remediated by AIR |PUA detected but not remediated if **Allow or block file** is turned on

PUA remediated if **Always remediate PUA** is turned on | |Disabled |PUA remediated by AIR |PUA not remediated | To configure PUA protection in AIR, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. Choose **Settings** > **Advanced features**, and then turn on **Always remediate PUA** (or **Allow or block file**). From 2789d509eaf8e2176a4507ad516b5829364af929 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 15:53:05 -0800 Subject: [PATCH 05/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 9c9e381e83..ca920f0e2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
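Review bot: in patch 03's table hunk, the column headers "PUA protection enabled (AIR)" and "PUA protection disabled (AIR)" present AIR as having a single PUA protection setting, but the configuration paragraph under the table tells the reader to turn on **Always remediate PUA** "(or **Allow or block file**)" without saying whether these are one setting or two, or which of them the "enabled" column refers to; name the setting the header means. The **Disabled** row also deserves a sentence of explanation: it says PUA is still "remediated by AIR" when Microsoft Defender Antivirus PUA protection is off, so an admin who deliberately disabled PUA detection in the antivirus needs to know that AIR will still remove PUA unless the AIR setting is off as well.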
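Review bot: in patch 04's hunk, the edited **Audit mode** cell sits in the "PUA protection disabled (AIR)" column yet now reads "PUA detected but not remediated if **Allow or block file** is turned on" / "PUA remediated if **Always remediate PUA** is turned on", that is, it describes outcomes when an AIR setting is turned on, which contradicts its own column header; either move the **Always remediate PUA** case into the "enabled" column or rename the headers after the actual settings. Stacking two sentences in one cell with `<br/><br/>` also makes the row hard to read in source; one row per setting would be clearer.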
@@ -32,9 +32,7 @@ ms.custom: AIR - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. - -Watch the following video to see how automated investigation and remediation works: +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. Want to see how it works? Watch the following video: > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] From fc1c7de7770e1358fe3749fdd8efa56cdf8db284 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 3 Dec 2020 15:55:06 -0800 Subject: [PATCH 06/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index ca920f0e2f..4a9f9ca84d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -83,7 +83,7 @@ As verdicts are reached, automated investigations can result in one or more reme Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. > [!NOTE] -> Additional security settings, such as protection from potentially unwanted applications, can also affect whether remediation actions are taken automatically. See section, [PUA protection and automatic remediation](#pua-protection-and-automatic-remediation), for more details. +> Additional security settings, such as protection from potentially unwanted applications, can also affect whether remediation actions are taken automatically. For more information, see [PUA protection and automatic remediation](#pua-protection-and-automatic-remediation) (in this article). All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) From 269952bcf126a1c5c940b7627d869669de68cf18 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 4 Dec 2020 06:45:34 -0800 Subject: [PATCH 07/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 4a9f9ca84d..0c64c56f52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
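Review bot: "(in this article)" after the link is redundant, since `#pua-protection-and-automatic-remediation` is already a same-page anchor; "see [PUA protection and automatic remediation](#pua-protection-and-automatic-remediation) later in this article", or the bare link, is enough.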
@@ -100,10 +100,15 @@ The following table shows the relationship between PUA protection and automation |Audit mode |PUA remediated by AIR |PUA detected but not remediated if **Allow or block file** is turned on

PUA remediated if **Always remediate PUA** is turned on | |Disabled |PUA remediated by AIR |PUA not remediated | -To configure PUA protection in AIR, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. Choose **Settings** > **Advanced features**, and then turn on **Always remediate PUA** (or **Allow or block file**). +### To configure PUA protection in AIR -To configure PUA protection in Microsoft Defender Antivirus, see [Configure PUA protection in Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus#configure-pua-protection-in-microsoft-defender-antivirus). +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Choose **Settings** > **Advanced features**. +3. Turn on **Always remediate PUA** (or, turn on **Allow or block file**). +### To configure PUA protection in Microsoft Defender Antivirus + +See [Configure PUA protection in Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus#configure-pua-protection-in-microsoft-defender-antivirus). ## Next steps From 3fd8ab03cd4b5817602e080a90cdfb8d657aa887 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 4 Dec 2020 06:46:31 -0800 Subject: [PATCH 08/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 0c64c56f52..4210e8e8c1 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -104,7 +104,7 @@ The following table shows the relationship between PUA protection and automation 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Choose **Settings** > **Advanced features**. -3. Turn on **Always remediate PUA** (or, turn on **Allow or block file**). +3. Turn on **Always remediate PUA**. (Alternately, if you don't see the PUA setting, turn on **Allow or block file**.) ### To configure PUA protection in Microsoft Defender Antivirus From 556baebb004805cdaf52f2a2175224614d5cf04d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Dec 2020 11:26:03 -0800 Subject: [PATCH 09/12] Update automated-investigations.md --- .../automated-investigations.md | 32 ++----------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 4210e8e8c1..78c8b137a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 12/03/2020 +ms.date: 12/07/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro 
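Review bot: step 3 in patch 08's hunk ("Turn on **Always remediate PUA**. (Alternately, if you don't see the PUA setting, turn on **Allow or block file**.)") presents **Allow or block file** as a fallback for **Always remediate PUA**, but the table earlier in the same section gives the two settings different outcomes in audit mode ("detected but not remediated" versus "remediated"), so the fallback does not deliver what the heading "To configure PUA protection in AIR" promises; say what turning on **Allow or block file** alone achieves, or drop the parenthetical. "Alternately" should be "Alternatively". From patch 07, which introduced these steps: the two "### To configure ..." headings are imperative where the rest of the article uses noun-phrase headings ("## How the automated investigation starts", "## Details of an automated investigation"), and the second heading introduces only a one-line "See [...]" cross-reference that would sit better as a sentence under the section heading.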
@@ -80,35 +80,9 @@ As alerts are triggered, and an automated investigation runs, a verdict is gener As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) -Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). -> [!NOTE] -> Additional security settings, such as protection from potentially unwanted applications, can also affect whether remediation actions are taken automatically. For more information, see [PUA protection and automatic remediation](#pua-protection-and-automatic-remediation) (in this article). - -All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) 
- -## PUA protection and automatic remediation - -As mentioned earlier, the [level of automation](automation-levels.md) set for your organization affects whether remediation actions occur automatically or only upon approval. [Protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA protection), included in Microsoft Defender Antivirus, can also affect whether certain remediation actions are taken automatically. - -The following table shows the relationship between PUA protection and automation levels: - - -|PUA protection setting
(Microsoft Defender Antivirus) |PUA protection enabled
(AIR) |PUA protection disabled
(AIR) | -|---------|---------|---------| -|Enabled |PUA remediated by Microsoft Defender Antivirus and/or AIR |PUA remediated by Microsoft Defender Antivirus | -|Audit mode |PUA remediated by AIR |PUA detected but not remediated if **Allow or block file** is turned on

PUA remediated if **Always remediate PUA** is turned on | -|Disabled |PUA remediated by AIR |PUA not remediated | - -### To configure PUA protection in AIR - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. Choose **Settings** > **Advanced features**. -3. Turn on **Always remediate PUA**. (Alternately, if you don't see the PUA setting, turn on **Allow or block file**.) - -### To configure PUA protection in Microsoft Defender Antivirus - -See [Configure PUA protection in Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus#configure-pua-protection-in-microsoft-defender-antivirus). +All remediation actions, whether pending or completed, can be viewed in the [Action Center](auto-investigation-action-center.md) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) ## Next steps From 006a6682a293269eef0bc9c9e2c13242d1eb17d3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Dec 2020 11:46:20 -0800 Subject: [PATCH 10/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 78c8b137a1..b199a3a2dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
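Review bot: patch 09's main hunk removes the PUA table and both "To configure PUA protection ..." procedures but keeps the statement that "Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications]", so readers are now told the setting matters without being told how it interacts with automation levels or where it is turned on; keep a one-line pointer to where the setting is configured, or drop the sentence. Two smaller points: "(PUA)" abbreviates "potentially unwanted applications", not the protection, so the earlier gloss "(PUA protection)" was the accurate one; and the Action Center reference now carries both a relative link (`auto-investigation-action-center.md`) and a raw `securitycenter.windows.com` URL in parentheses, which duplicates the link and is inconsistent with the absolute docs URL used for the manage-auto-investigation link in the same paragraph.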
@@ -43,14 +43,14 @@ Automated investigation uses various inspection algorithms and processes used by ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. To learn more about what happens after a verdict is reached, see [Automated investigation results and remediation actions](manage-auto-investigation.md#automated-investigation-results-and-remediation-actions). 
>[!NOTE] >Currently, AIR only supports the following OS versions: >- Windows Server 2019 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later ->- Later versions of Windows 10 +>- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later ## Details of an automated investigation From 9da6038c28c48136b4f5dd8ca68c39eff6f6d018 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Dec 2020 11:51:12 -0800 Subject: [PATCH 11/12] Update manage-auto-investigation.md --- .../manage-auto-investigation.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 501b9ea75e..a6463f2487 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -17,7 +17,7 @@ ms.collection: - m365-security-compliance - m365initiative-defender-endpoint ms.topic: conceptual -ms.date: 09/15/2020 +ms.date: 12/07/2020 --- # Review and approve remediation actions following an automated investigation 
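Review bot: in patch 10's second hunk, the replacement bullet "Windows 10, version [1803](...status-windows-10-1809-and-windows-server-2019) or later" duplicates the existing bullet "Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later" two lines above it, and its link points at the release-information page for Windows 10, version 1809 and Windows Server 2019, so the intended text is most likely "version 1809 or later"; as written, the list repeats 1803 and, with "Later versions of Windows 10" removed, no longer covers 1809 and newer. Confirm the version number before merging.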
@@ -39,13 +39,13 @@ remediation actions can occur automatically or only upon approval by your organi Here are a few examples: -- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).) +- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).) - Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).) -- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups)) +- Example 3: Tailspin Toys has their device groups set to **No automated response** (not recommended). In this case, automated investigations do not occur. 
No remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups)) -Whether taken automatically or upon approval, remediation actions following an automated investigation include the following: +Whether taken automatically or upon approval, an automated investigation can result in one or more of the remediation actions: - Quarantine a file - Remove a registry key - Kill a process @@ -55,11 +55,11 @@ Whether taken automatically or upon approval, remediation actions following an a ### Automated investigation results and remediation actions -The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case. +The following table summarizes remediation actions, how automation level settings affect whether actions are taken automatically or upon approval, and what to do. |Device group setting | Automated investigation results | What to do | |:---|:---|:---| -|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.

Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) | +|**Full - remediate threats automatically** (the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.

Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) | |**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.

Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) | |**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.

Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) | |**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.

If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

2. [Review completed actions](#review-completed-actions) | @@ -67,7 +67,7 @@ The following table summarizes remediation actions following an automated invest |**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.

If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

2. [Review completed actions](#review-completed-actions) | |**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.

Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) | |Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.

No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) | -|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | +|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). @@ -85,7 +85,7 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th 4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. - Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. + Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can select the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. ## Review completed actions 
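Review bot: in the rewritten line "an automated investigation can result in one or more of the remediation actions:" the phrase "the remediation actions" has no referent before the list it introduces, so the sentence reads as if it is cut off. Suggest "one or more of the following remediation actions:" so the colon still introduces the bulleted list (Quarantine a file, Remove a registry key, Kill a process, ...) that follows it unchanged.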
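Review bot: the @@ -55,11 +55,11 @@ hunk changes the intro to "how automation level settings affect whether actions are taken automatically or upon approval", but the table it introduces still has its first column headed "Device group setting", and the unchanged "No automated response" row still tells the reader to consider "setting up or changing your device groups". Pick one term for the table: either head the column "Automation level" (the row values are automation levels: Full, Semi, No automated response) or keep "device group settings" in the intro so the two agree. The parenthetical trims ("the recommended setting", "not recommended") are fine as they are.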
From 5440b4b872346ffe30570875d2bdb3fc7871375e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Dec 2020 11:55:51 -0800 Subject: [PATCH 12/12] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index b199a3a2dd..fea480df60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -36,7 +36,7 @@ Your security operations team receives an alert whenever a malicious or suspicio > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] -Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. +The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
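Review bot: the added paragraph introduces the acronym "AIR" ("AIR capabilities are designed to examine alerts and take immediate action") without spelling it out, and nothing in the visible hunk or its surrounding context defines it. Expand it on first use, which also tightens the wordy opener "The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts": for example "Automated investigation and response (AIR) uses various inspection algorithms and is based on processes that security analysts use." (Microsoft's own docs expand AIR as "automated investigation and response".) "AIR capabilities" then opens two consecutive sentences; the second could read "These capabilities significantly reduce alert volume ...", which is what the removed line already said.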