mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 04:43:37 +00:00
add conceptual content for automated investigation
This commit is contained in:
Joey Caparas
@ -30,14 +30,31 @@ ms.date: 04/16/2018
|
||||
The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
|
||||
|
||||
|
||||
To address this challenge, Windows Defender ATP uses Automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
|
||||
To address this challenge, Windows Defender ATP uses Automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
|
||||
|
||||
The automated investigations list aggregates all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
|
||||
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
|
||||
|
||||
## Understand the Automated investigation flow
|
||||
Alerts are typically generated from a machine and all automated investigations start from an alert. Any alert that contains an entity (that Windows Defender ATP supports an investigation for) can undergo automated investigation.
|
||||
|
||||
When an alert that contains a supported entity is seen, the automated investigation then proceeds and analyzes each entity within the alert. It determines whether an entity can be incriminated or exonerated. The outcome from the analysis of each entity is categorized in the **Entities** tab and you'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
|
||||
[BENNY I'M NOT SURE IF WE WANT TO GO INTO THE DETAILS OF SENDING THE FILE INTO DETONATION ETC.]
|
||||
|
||||
Depending on how you set up the machine groups and the level of automation to apply on the group, the automated investigation can remediate the alert. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section.
|
||||
|
||||
When a pending action is approved, the entity is then remediated and is reflected in the **Entities** tab of the investigation.
|
||||
|
||||
While an investigation is running, any other alert generated from the machine will be added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.You'll be able to see up to nine machines in the **Machines** tab. If the threat is seen on more than nine machines, you have the option to expand the view from the **Pending actions** view.
|
||||
|
||||
An investigation is only considered complete if there are no pending actions on it. That's also the only time that the **Pending actions history** tab is displayed.
|
||||
|
||||
|
||||
## Manage Automated investigations
|
||||
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
|
||||
|
||||
>[!NOTE]
|
||||
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
|
||||
|
||||
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
|
||||
|
||||
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
|
||||
@ -88,7 +105,7 @@ Filter using manually added tags that capture the context of an Automated invest
|
||||
**Machines**</br>
|
||||
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
|
||||
|
||||
**machine groups**</br>
|
||||
**Machine groups**</br>
|
||||
Apply this filter to see specific machine groups that you might have created.
|
||||
|
||||
**Comments**</br>
|
||||
@ -97,7 +114,7 @@ Select between filtering the list between Automated investigations that have com
|
||||
## Analyze Automated investigations
|
||||
You can view the details of an Automated investigation to see details such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
|
||||
|
||||
In this view, you'll see the name of the investigation, when it started and the duration of time that has passed in the status state.
|
||||
In this view, you'll see the name of the investigation, when it started and ended. The pending time is the elapsed time since the investigation started and waited for a user to approve a pending action or for a machine to come back online.
|
||||
|
||||
The comments and tags allow you to add and review tags and comments that were added about the investigation.
|
||||
|
||||
@ -115,7 +132,11 @@ You'll also have access to the following sections that help you see details of t
|
||||
- Entities
|
||||
- Log
|
||||
- Pending actions
|
||||
>[!NOTE]
|
||||
>The Pending actions tab is only displayed if there are actual pending actions.
|
||||
- Pending actions history
|
||||
>[!NOTE]
|
||||
>The Pending actions history tab is only displayed when an investigation is complete.
|
||||
|
||||
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
|
||||
|
||||
@ -125,6 +146,8 @@ The investigation graph provides a graphical representation of an Automated inve
|
||||
### Alerts
|
||||
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
|
||||
|
||||
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
|
||||
|
||||
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
|
||||
|
||||
Clicking on an alert title brings you the alert page.
|
||||
@ -132,6 +155,8 @@ Clicking on an alert title brings you the alert page.
|
||||
### Machines
|
||||
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
|
||||
|
||||
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If the same threat is seen on more than nine machines, you have the option to expand the view from the **Pending actions** view.
|
||||
|
||||
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
|
||||
|
||||
Clicking on an machine name brings you the machine page.
|
||||
@ -140,7 +165,7 @@ Clicking on an machine name brings you the machine page.
|
||||
Shows details related to threats associated with this investigation.
|
||||
|
||||
### Entities
|
||||
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details as how many are infected, remediated, suspicious, verified, or determined to be clean.
|
||||
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
|
||||
|
||||
### Log
|
||||
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
|
||||
@ -152,7 +177,7 @@ Available filters include action type, action, status, machine name, and descrip
|
||||
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
|
||||
|
||||
### Pending actions history
|
||||
This tab is displayed if there are pending actions for which a decision was made.
|
||||
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
|
||||
|
||||
|
||||
## Pending actions
|
||||
|
||||
Reference in New Issue
Block a user