From 8ac1a0c76e06dfa8fe30b3500b1054cfb20180e9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 28 Jan 2021 13:05:02 -0800 Subject: [PATCH] Update automated-investigations.md --- .../automated-investigations.md | 35 ++++++------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 07eec2614a..f61cac6f26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -46,31 +46,6 @@ This article provides an overview of AIR and includes links to next steps and ad When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. To learn more about what happens after a verdict is reached, see [Automated investigation results and remediation actions](manage-auto-investigation.md#automated-investigation-results-and-remediation-actions). ->[!NOTE] ->Currently, AIR only supports the following OS versions: ->- Windows Server 2019 ->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later ->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later ->- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later - -## Details of an automated investigation - -During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. - -|Tab |Description | -|:--|:--| -|**Alerts**| The alert(s) that started the investigation. | -|**Devices** |The device(s) that are impacted by the threat. | -|**Mailboxes** |The mailbox(s) that are impacted by the threat | -|**Users** | The user account(s) that are impacted by the threat | -|**Evidence** |The evidences raised by alerts/investigations, with verdicts (*Malicious*, *Suspicious*, or *No threats found*, along with remediation status. | -|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | -|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.| -|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | - -> [!IMPORTANT] -> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. - ## How an automated investigation expands its scope While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. @@ -87,6 +62,16 @@ Depending on the [level of automation](automation-levels.md) set for your organi All remediation actions, whether pending or completed, can be viewed in the [Action Center](auto-investigation-action-center.md) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) +## Requirements for AIR + +Your organization must have Defender for Endpoint. See [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) + +Currently, AIR only supports the following OS versions: +- Windows Server 2019 +- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later +- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later +- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later + ## Next steps - [Review and approve remediation actions following an automated investigation](manage-auto-investigation.md)