deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update manage-auto-investigation.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2021-01-27 16:45:31 -08:00
parent 2acd0ceafa
commit 63ae75858f
1 changed files with 19 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
View File

@ -17,7 +17,7 @@ ms.collection:
- m365-security-compliance - m365-security-compliance
- m365initiative-defender-endpoint - m365initiative-defender-endpoint
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/15/2020 ms.date: 01/27/2021
ms.technology: mde ms.technology: mde
--- ---
@ -78,24 +78,21 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th
## Review pending actions ## Review pending actions
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). 1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in..
2. In the navigation pane, choose **Action center**.
2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. 3. Review the items on the **Pending** tab.
4. Select an action to open its flyout pane.
3. Review any items on the **Pending** tab. 5. In the flyout pane, review the information, and then take one of the following steps:
- Select **Open investigation page** to view more details about the investigation.
4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. - Select **Approve** to initiate a pending action.
- Select **Reject** to prevent a pending action from being taken.
Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can select the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
## Review completed actions ## Review completed actions
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). 1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in..
2. In the navigation pane, choose **Action center**.
2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. 3. Review the items on the **History** tab.
3. Select the **History** tab. (If need be, expand the time period to display more data.)
4. Select an item to view more details about that remediation action. 4. Select an item to view more details about that remediation action.
## Undo completed actions ## Undo completed actions
@ -108,24 +105,15 @@ If youve determined that a device or a file is not a threat, you can undo rem
### To undo multiple actions at one time ### To undo multiple actions at one time
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
2. On the **History** tab, select an action that you want to undo. Its flyout pane opens.
2. On the **History** tab, select the actions that you want to undo. 3. In the flyout pane, select **Undo**.
3. In the pane on the right side of the screen, select **Undo**.
### To remove a file from quarantine across multiple devices ### To remove a file from quarantine across multiple devices
1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an item that has the Action type **Quarantine file**.
3. In the flyout pane, select **Apply to X more instances of this file**, and then select **Undo**.
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
![Action center](images/autoir-action-center-1.png)
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
![Quarantine file](images/autoir-quarantine-file-1.png)
## Next steps ## Next steps