Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

officedocspr
2020-02-21 17:07:40 +00:00
9 changed files with 245 additions and 179 deletions


@ -15,6 +15,8 @@ ms.date: 07/18/2019
# Policy CSP
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@ -615,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-servicesallowedlist" id="bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
</dd>
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize"id=bluetooth-setminimumencryptionkeysize>Bluetooth/SetMinimumEncryptionKeySize</a>
</dd>
</dl>
### Browser policies
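Review bot: The new anchor for Bluetooth/SetMinimumEncryptionKeySize is malformed: there is no space between the closing quote of `href` and `id`, and the `id` value is unquoted (`...#bluetooth-setminimumencryptionkeysize"id=bluetooth-setminimumencryptionkeysize>`). Match the entry directly above it, which uses `" id="bluetooth-servicesallowedlist">`, so the link renders and the in-page anchor resolves.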


@ -7,14 +7,15 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 02/12/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - Bluetooth
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -40,6 +41,9 @@ manager: dansimp
<dd>
<a href="#bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
</dd>
<dd>
<a href="#bluetooth-setminimumencryptionkeysize">Bluetooth/SetMinimumEncryptionKeySize</a>
</dd>
</dl>
@ -390,6 +394,72 @@ The default value is an empty string. For more information, see [ServicesAllowed
<!--/Description-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bluetooth-setminimumencryptionkeysize"></a>**Bluetooth/SetMinimumEncryptionKeySize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in the next major release of Windows 10.
There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - All Bluetooth traffic is allowed.
- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnotes:
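Review bot: The supported-values list leaves the security meaning of the low settings unclear. Value 0 is described as "All Bluetooth traffic is allowed" rather than in terms of key size, and the text suggests N = 1 to "always use Bluetooth encryption" without saying that a 1-byte minimum provides very little key strength. Since the policy is aimed at "high security environments", state which value to use there (16 is the stated maximum) and what happens to a device that negotiates a smaller key. The Example and Validation blocks are empty, so an administrator has no sample setting to copy and no way to confirm enforcement. Also, "prevent weaker devices cryptographically being used" reads better as "prevent cryptographically weaker devices from being used".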
@ -400,6 +470,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in the next major release of Windows 10.
<!--/Policies-->
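Review bot: Footnote 7 reads "Added in the next major release of Windows 10", which loses its meaning once that release ships, unlike footnotes 4 through 6, which name a version. Replace it with the version number when it is known, and update the matching sentence in the SetMinimumEncryptionKeySize description at the same time.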


@ -59,7 +59,7 @@ To troubleshoot Stop error messages, follow these general steps:
3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 1015 percent free disk space.
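Review bot: The context line for step 5 reads "we recommend 1015 percent free disk space", which looks like a range that lost its separator; confirm the intended figure and fix it while this list is being edited. For step 4, only the scheme changed, so check that the https URL with the `/en-us/default.aspx` path still resolves.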


@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps
Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
### Use memory dump to collect data for the virtual machine that's running in a frozen state
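Review bot: Only the scheme of the blogs.technet.com link changed from http to https. Check that the host serves this archive path over HTTPS, otherwise the edit trades an insecure link for a broken one; if the post has moved, link to its current location instead.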
@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co
Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
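Review bot: The unchanged line above the edited link says "Windows Server 2008 Service Pack (SP2)", which appears to be missing the "2" after "Service Pack"; worth correcting in the same pass. As with the other blog links in this commit, confirm that the blogs.msdn.com URL answers over https.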


@ -103,10 +103,10 @@
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Automated investigation and remediation]()
#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
#### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
#### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
### [Automated investigation and remediation (AIR)]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
### [Secure score](microsoft-defender-atp/overview-secure-score.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
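Review bot: After the retitle, file names and titles no longer line up: "View details and results of automated investigations" points to auto-investigation-action-center.md and "View and approve remediation actions" points to manage-auto-investigation.md, and the two entries have swapped order. Either rename the files with redirects or confirm the mapping is intended, since it is easy to misread later. "Overview of AIR" also depends on the abbreviation being expanded only in the parent heading.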


@ -100,9 +100,9 @@ Endpoint detection and response capabilities are put in place to detect, investi
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated)
- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
- [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations)
- [Overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
<a name="ss"></a>
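Review bot: This list drops the deep links to `automated-investigations.md#how-threats-are-remediated` and `manage-auto-investigation.md#analyze-automated-investigations`. The "Analyze automated investigations" heading also disappears from manage-auto-investigation.md in this commit, so any other page still linking to that fragment will land at the top of the page. Search the repo for both fragments before merging.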


@ -1,14 +1,14 @@
---
title: Manage actions related to automated investigation and remediation
description: Use the action center to manage actions related to automated investigation and response
title: View details and results of automated investigations
description: Use the action center to view details and results following an automated investigation
keywords: action, center, autoir, automated, investigation, response, remediation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -16,36 +16,144 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Manage actions related to automated investigation and remediation
# View details and results of automated investigations
The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of Action center page](images/action-center.png)
Pending and completed actions are listed in the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the Investigations list ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
The action center consists of two main tabs:
- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
- History - Acts as an audit log for:
- All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
## The Action center
![Action center page](images/action-center.png)
The action center consists of two main tabs, as described in the following table.
|Tab |Description |
|---------|---------|
|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. <br/><br/>**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
|History |Acts as an audit log for all of the following: <br/>- All actions taken by automated investigation and remediation in Microsoft Defender ATP <br/>Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) <br/>- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) <br/>- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
Use the **Customize columns** menu to select columns that you'd like to show or hide.
You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
## The Investigations page
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
Use the **Customize columns** menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
### Filters for the list of investigations
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
|Filter |Description |
|---------|---------|
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
|**Detection source** |The source of the alert that initiated the automated investigation. |
|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
|**Threat** |The category of threat detected during the automated investigation. |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
From the panel, you can click on the Open investigation page link to see the investigation details.
## Automated investigation status
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
An automated investigation can be have one of the following status values:
## Related topics
- [Automated investigation and investigation](automated-investigations.md)
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
|Status |Description |
|---------|---------|
| No threats found | No malicious entities found during the investigation. |
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending action | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
## View details about an automated investigation
![Image of investigation details window](images/atp-analyze-auto-ir.png)
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
### Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
A progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Alerts
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Evidence
The **Evidence** tab shows details related to threats associated with this investigation.
### Entities
The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images/pending-actions.png)
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
## Next steps
[View and approve remediation actions](manage-auto-investigation.md)
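Review bot: Several wording slips in the new text should be fixed before publishing. In the History row of the Action center table, the second item ("Actions that were approved by your security operations team") lacks the "- " marker the other items have, so it will run into the first item. "An automated investigation can be have one of the following status values" has a stray "be", and "The **Machines** tab Shows details the machine name" and "Clicking on an machine name" need rewording. The NOTE in the table calls it "The Pending tab" while the row is labelled "Pending actions", and the Pending actions section names the menu "**automated investigation**" where the companion article uses "**Automated investigations**".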

Binary file not shown.



@ -1,6 +1,6 @@
---
title: Learn about the automated investigations dashboard in Microsoft Defender Security Center
description: View the automated investigations list. View the status, detection source and other details for automated investigations.
title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
description: Review and approve (or reject) remediation actions following an automated investigation.
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
search.appverid: met150
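Review bot: The title and description now describe reviewing and approving remediation actions, but the keywords line still lists dashboard terms ("dashboard, source, threat types, id, tags, machines, duration, filter export"). Update the keywords to match the new scope, for example by adding approve, reject, pending and history.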
@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -17,154 +17,36 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Learn about the automated investigations dashboard
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
# Review and approve actions following an automated investigation
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organizations security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
## Review pending actions
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
**Filters**</br>
You can use the following operations to customize the list of automated investigations displayed:
3. Review any items on the **Pending** tab.
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
**Triggering alert**</br>
The alert that initiated the automated investigation.
**Status**</br>
An automated investigation can be in one of the following status:
Status | Description
:---|:---
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending action | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
You can also select multiple investigations to approve or reject actions on multiple investigations.
**Detection source**</br>
Source of the alert that initiated the automated investigation.
## Review completed actions
**Threat**</br>
The category of threat detected during the automated investigation.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
**Tags**</br>
Filter using manually added tags that capture the context of an automated investigation.
3. Select the **History** tab. (If need be, expand the time period to display more data.)
**Machines**</br>
You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
4. Select an item to view more details about that remediation action.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
## Related articles
**Comments**</br>
Select between filtering the list between automated investigations that have comments and those that don't.
## Analyze automated investigations
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
![Image of investigation details window](images/atp-analyze-auto-ir.png)
The progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Evidence
- Entities
- Log
- Pending actions
>[!NOTE]
>The Pending actions tab is only displayed if there are actual pending actions.
- Pending actions history
>[!NOTE]
>The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Evidence
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
## Pending actions
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images/pending-actions.png)
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
## Related topic
- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
[Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
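Review bot: "your organizations security operations team" is missing the possessive apostrophe. Step 3 under "Review pending actions" refers to the **Pending** tab, while the Action center article names it "Pending actions"; pick one label. The "Pending actions history" description and the "Investigation page" summary from the old text do not reappear in the rewritten Action center article, so confirm that dropping them is intended. The Advanced Hunting link uses an absolute docs.microsoft.com URL where the other related links are relative.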