From 0c5d83786e197895f5ce32f2b373085a582df757 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 21 Feb 2020 10:32:29 -0800 Subject: [PATCH 1/2] Update manage-auto-investigation.md --- .../manage-auto-investigation.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 04e76fc5f1..2114c8e188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md 
@@ -21,7 +21,22 @@ ms.topic: conceptual When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. -As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner. +## Remediation actions + +When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: +- Quarantine file +- Remove registry key +- Kill process +- Stop service +- Remove registry key +- Disable driver +- Remove scheduled task + +Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner. + +No actions are taken when evidence is determined to be *Clean*. + +In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and viewable in the Microsoft Defender Security Center. ## Review pending actions @@ -35,7 +50,6 @@ As a best practice, make sure to approve (or reject) pending actions as soon as You can also select multiple investigations to approve or reject actions on multiple investigations. - ## Review completed actions From c884a85484cc9907322a6169ce0733436eb74b85 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Fri, 21 Feb 2020 10:38:06 -0800 Subject: [PATCH 2/2] AIR fixes --- .../auto-investigation-action-center.md | 4 +--- .../microsoft-defender-atp/automated-investigations.md | 6 ++++++ .../microsoft-defender-atp/manage-auto-investigation.md | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index d297b71baf..fdb2c392fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -18,8 +18,7 @@ ms.topic: article # View details and results of automated investigations - -Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). +Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)). >[!NOTE] >If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. 
@@ -65,7 +64,6 @@ On the **Investigations** page, you can view details and use filters to focus on |**Tags** |Filter using manually added tags that capture the context of an automated investigation.| |**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| - ## Automated investigation status An automated investigation can be have one of the following status values: diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 346bd331f0..17a56b7252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -85,3 +85,9 @@ When a pending action is approved, the entity is then remediated and this new st ## Next step - [Learn about the automated investigations dashboard](manage-auto-investigation.md) + +## Related articles + +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) + +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 2114c8e188..8289129ad0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md 
@@ -63,4 +63,6 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and v ## Related articles -[Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) \ No newline at end of file +- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) + +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file
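Review bot: In the `@@ -21,7 +21,22 @@` hunk of manage-auto-investigation.md (PATCH 1/2), "Remove registry key" appears twice in the new remediation actions list; drop the second occurrence. While editing that list, "Evidence determined as *Suspicious*" reads better as "Evidence determined to be *Suspicious*", matching the "determined to be *Clean*" wording two lines later.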
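Review bot: The `@@ -18,8 +18,7 @@` hunk of auto-investigation-action-center.md links to `manage-auto-investigation.md#remediation-actions`, an anchor that only exists once the `## Remediation actions` heading from PATCH 1/2 lands; the two commits need to merge together or the link will 404. The rename from "Investigations list" to "**Investigations** page" is consistent with "On the **Investigations** page" used later in the same file.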
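Review bot: The `@@ -65,7 +64,6 @@` hunk of auto-investigation-action-center.md only removes a blank line, but the unchanged context line "An automated investigation can be have one of the following status values:" has a typo ("can be have" should be "can have"); worth fixing while this region is being touched.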
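Review bot: In the `@@ -85,3 +85,9 @@` hunk of automated-investigations.md, the two new "Related articles" items are separated by a blank line, which some Markdown renderers treat as two separate lists or as a loose list with extra spacing; put them on consecutive lines. The file also ends without a trailing newline ("\ No newline at end of file"); add one.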
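Review bot: The `@@ -63,4 +63,6 @@` hunk of manage-auto-investigation.md replaces the existing "Advanced Hunting" link with the two AIR links, so the page loses its only pointer to advanced hunting; if that removal is not intended, keep the Advanced Hunting entry alongside the new items. As in the automated-investigations.md hunk, the list items are split by a blank line and the file still ends without a trailing newline.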