diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index 67192e12e8..c2c022f1ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -1,14 +1,14 @@ --- -title: Manage actions related to automated investigation and remediation -description: Use the action center to manage actions related to automated investigation and response +title: View details and results of automated investigations +description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: deniseb +author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -16,27 +16,41 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage actions related to automated investigation and remediation +# View details and results of automated investigations -The Action center aggregates all investigations that require an action for an investigation to proceed or be completed. +When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. -![Image of Action center page](images/action-center.png) +Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). -The action center consists of two main tabs: -- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject. -- History - Acts as an audit log for: - - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file). - - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability. - - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability. +## The Action center + +![Action center page](images/action-center.png) + +The action center consists of two main tabs, as described in the following table. + + +|Tab |Description | +|---------|---------| +|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. | +|History |Acts as an audit log for all of the following:
- All actions taken by automated investigation and remediation in Microsoft Defender ATP
Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- All commands ran and remediation actions that were applied in Live Response (some actions can be undone)
- Remediation actions applied by Windows Defender Antivirus (some actions can be undone) | Use the Customize columns drop-down menu to select columns that you'd like to show or hide. From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - >[!NOTE] >The tab will only appear if there are pending actions for that category. +## Investigations page + +![Investigations page](images/mdatp-investigations.jpg) + +On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation. + +Use the Customize columns drop-down menu to select columns that you'd like to show or hide. + +From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. + ### Approve or reject an action You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg new file mode 100644 index 0000000000..6fe755e857 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg differ