AutoIR revisions

This commit is contained in:
Denise Vangel-MSFT 2020-02-20 14:52:42 -08:00
parent ac6c580fe8
commit 349ef5b90e
2 changed files with 28 additions and 14 deletions


@ -1,14 +1,14 @@
--- ---
title: Manage actions related to automated investigation and remediation title: View details and results of automated investigations
description: Use the action center to manage actions related to automated investigation and response description: Use the action center to view details and results following an automated investigation
keywords: action, center, autoir, automated, investigation, response, remediation keywords: action, center, autoir, automated, investigation, response, remediation
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.author: macapara ms.author: deniseb
author: mjcaparas author: denisebmsft
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
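Review bot: the `title` and `description` are narrowed from managing actions to viewing details and results, but the `keywords` line still carries "response, remediation" unchanged and the author/owner metadata is swapped (`ms.author: macapara` to `deniseb`, `author: mjcaparas` to `denisebmsft`) in the same hunk; confirm the keywords still match the new scope, and since the H1 changes with the title, check that the file name, URL and any TOC entry pointing at the old "Manage actions" title are updated too (none of those are visible in this diff).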
@ -16,27 +16,41 @@ ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
--- ---
# Manage actions related to automated investigation and remediation # View details and results of automated investigations
The Action center aggregates all investigations that require an action for an investigation to proceed or be completed. When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organizations security operations team.
![Image of Action center page](images/action-center.png) Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
The action center consists of two main tabs: ## The Action center
- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
- History - Acts as an audit log for: ![Action center page](images/action-center.png)
- All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability. The action center consists of two main tabs, as described in the following table.
- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
|Tab |Description |
|---------|---------|
|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. |
|History |Acts as an audit log for all of the following: <br/>- All actions taken by automated investigation and remediation in Microsoft Defender ATP <br/>Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) <br/>- All commands ran and remediation actions that were applied in Live Response (some actions can be undone) <br/>- Remediation actions applied by Windows Defender Antivirus (some actions can be undone) |
Use the Customize columns drop-down menu to select columns that you'd like to show or hide. Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
>[!NOTE] >[!NOTE]
>The tab will only appear if there are pending actions for that category. >The tab will only appear if there are pending actions for that category.
## Investigations page
![Investigations page](images/mdatp-investigations.jpg)
On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
### Approve or reject an action ### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
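Review bot: in the new table, the History row is missing the `- ` bullet marker before "Actions that were approved by your security operations team", so that item will render run into the previous one after the `<br/>`; add the marker so all four items line up. Same hunk, smaller fixes: "your organizations security operations team" needs the possessive "organization's", and "All commands ran" should be "All commands run". Also, the note "The tab will only appear if there are pending actions for that category" now follows the table with no category list above it, and the closing "Approve or reject an action" paragraph still says "each of these categories"; either restore what the categories are or reword both to refer to the Pending actions tab.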

Binary file not shown.
