diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3946fe4807..7fbe04c2fc 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -72,6 +72,7 @@ #### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) ##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) +#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) #### [Secure score](microsoft-defender-atp/overview-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 0f9409ab26..e8ce0c9dd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -75,6 +75,7 @@ ### [Automated investigation and remediation](automated-investigations.md) #### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md) +#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md) ### [Secure score](overview-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md new file mode 100644 index 0000000000..1527dff194 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -0,0 +1,54 @@ +--- +title: Manage actions related to automated investigation and remediation +description: Use the action center to manage actions related to automated investigation and response +keywords: action, center, autoir, automated, investigation, response, remediation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Manage actions related to automated investigation and remediation + +The Action center aggregates all investigations that require an action for an investigation to proceed or be completed. + +![Image of Action center page](images/action-center.png) + +The action center consists of two main tabs: +- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject. +- History - Acts as an audit log for: + - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file). + - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability. + - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability. + + + + +Use the Customize columns drop-down menu to select columns that you'd like to show or hide. + +From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. + + +>[!NOTE] +>The tab will only appear if there are pending actions for that category. + +### Approve or reject an action +You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. + +Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. + +From the panel, you can click on the Open investigation page link to see the investigation details. + +You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. + +##Related topics +- [Automated investigation and investigation](automated-investigations.md) +- [Learn about the automated investigations dashboard](manage-auto-investigation.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index 1abeaeef86..1939474a15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -1,8 +1,8 @@ --- title: Evaluate Microsoft Defender Advanced Threat Protection ms.reviewer: -description: -keywords: +description: Evaluate the different security capabilities in Microsoft Defender ATP. +keywords: attack surface reduction, evaluate, next, generation, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,7 +16,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/10/2018 --- # Evaluate Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png new file mode 100644 index 0000000000..02ad4445e6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 4db5431253..1edf8dcca8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -162,37 +162,9 @@ If there are pending actions on an Automated investigation, you'll see a pop up ![Image of pending actions](images/pending-actions.png) -When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**. +When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md). -The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed. - -![Image of pending actions page](images/atp-pending-actions-list.png) - -Use the Customize columns drop-down menu to select columns that you'd like to show or hide. - -From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - -Pending actions are grouped together in the following tabs: -- Quarantine file -- Remove persistence -- Stop process -- Expand pivot -- Quarantine service - ->[!NOTE] ->The tab will only appear if there are pending actions for that category. - -### Approve or reject an action -You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. - -Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. - -![Image of pending action selected](images/atp-pending-actions-file.png) - -From the panel, you can click on the Open investigation page link to see the investigation details. - -You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. - ## Related topic - [Investigate Microsoft Defender ATP alerts](investigate-alerts.md) +- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)