From edf76249a66b7aa760bcc82e23015cb6d8c2437c Mon Sep 17 00:00:00 2001 From: Benny Lakunishok Date: Wed, 2 May 2018 13:30:02 +0300 Subject: [PATCH] Update automated-investigations-windows-defender-advanced-threat-protection.md --- ...vestigations-windows-defender-advanced-threat-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 760acda319..94e1a95594 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -36,7 +36,8 @@ The Automated investigations list shows all the investigations that have been in ## Understand the Automated investigation flow ### How the Automated investigation starts -Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) an Automated investigation starts. +Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a *supported operating system for Automated investigation then an Automated investigation can start. +*Currently only Windows 10 version 1803 (spring creators update) and above are supported operating systems for Autoamted Investigation The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.