deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update auto-investigation-action-center.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT
2020-02-20 15:46:11 -08:00
parent 56d4931638
commit b92b2c9586
1 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -22,13 +22,15 @@ When an automated investigation runs, a verdict is generated for each piece of e
Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
## The Action center
![Action center page](images/action-center.png)
The action center consists of two main tabs, as described in the following table.
|Tab |Description |
|---------|---------|
|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. <br/><br/>**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
@ -38,17 +40,48 @@ Use the **Customize columns** menu to select columns that you'd like to show or
You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
## Investigations page
![Investigations page](images/mdatp-investigations.jpg)
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
Use the **Customize columns** menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
### Filters and details
On the **Investigations** page, you can view details and use filters to focus on specific information. Filters include the following:
- **Status** (see the details below)
- **Triggering alert** (The alert that initiated the automated investigation)
- **Detection source** (The source of the alert that initiated the automated investigation.)
- **Entities** (these can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created.)
- **Threat** (The category of threat detected during the automated investigation.)
- **Tags** (Filter using manually added tags that capture the context of an automated investigation.)
- **Comments** (Select between filtering the list between automated investigations that have comments and those that don't.)
## Automated investigation status
An automated investigation can be have one of the following status values:
|Status |Description |
|---------|---------|
| No threats found | No malicious entities found during the investigation. |
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending action | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
## Next steps
[View and approve remediation actions](manage-auto-investigation.md)