deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 6176: Updated automated-investigations-windows-defender-advanced-threat-protection.md

Browse Source 
Updated automated-investigations-windows-defender-advanced-threat-protection.md
This commit is contained in:
Benny Lakunishok 2018-03-06 16:25:02 +00:00 committed by Joey Caparas
commit f97f28a875
1 changed files with 34 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Automated investigations in Windows Defender Advanced Threat Protection
description: View the list of automated investigations, its status, detection source and other details.
keywords: automated, investigation, detection, source, threat types, id, tags, endpoints, duration, filter export
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -27,65 +27,66 @@ ms.date: 03/15/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
The Windows Defender ATP service has a wide breadth of visibility on multiple endpoints. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
To address this challenge, Windows Defender ATP uses automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The automated investigation feature leverages on the use of artificial intelligence, inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
To address this challenge, Windows Defender ATP uses Automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
The automated investigations list aggregates all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Sort, filter, and manage automated investigations
## Manage Automated investigations
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
**Filters**</br>
You can use the following operations to customize the list of investigations displayed during an investigation:
You can use the following operations to customize the list of Automated investigations displayed:
**Triggering alert**</br>
The source that initiated the alert.
The alert the initiated the Automated investigation.
**Status**</br>
The current state of an investigation classifications are classified as:
An Automated investigation can be in one of the following statuses:
- No threats found - No malicious entities found during the investigation.
- No threats found - No malicious entities found during the Automated investigation.
- Partially remediated - A problem prevented the remediation of some malicious entities.
- Failed - A problem has interrupted the investigation, and preventing it from completing.
- Action required - Remediation requires review and approval.
- Waiting for machine(s) - Investigation paused. The investigation will resume as soon as the machine is available.
- Queued - Investigation has been queued and will resume as soon as other remediation activities are completed.
- Failed - A problem has interrupted the Automated investigation, and preventing it from completing.
- Pending action - Remediation requires review and approval.
- Waiting for machine - Investigation paused. The investigation will resume as soon as the machine is available.
- Running - Investigation ongoing. Malicious entities found will be remediated.
- Partially investigated - The entities related to the alert were investigated but a problem stopped the Automated investigation process on collateral entities.
- Remediated - Malicious entities found were successfully remediated.
- Terminated by system - Investigation was stopped.
- Terminated by user - A user stopped the investigation before it could complete.
**Detection source**</br>
Source of the alert that initiated the investigation.
Source of the alert that initiated the Automated investigation.
**Threat**</br>
The category of threat detected during the investigation.
The category of threat detected during the Automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an investigation.
Filter using manually added tags that capture the context of an Automated investigation.
**Machines**</br>
Multiple investigations can be initiated on an endpoint. You can filter the automated investigations list to zone in a specific endpoint to see other investigations related to the endpoint.
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Endpoint groups**</br>
**machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between investigations that have comments and those that don't.
Select between filtering the list between Automated investigations that have comments and those that don't.
## Analyze automated investigations
You can view the details of an automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the endpoint that was investigated, and other information.
## Analyze Automated investigations
You can view the details of an Automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and the duration of time that has passed in the status state.
@ -105,25 +106,26 @@ You'll also have access to the following sections that help you see details of t
- Entities
- Log
- Pending actions
- Pending actions history
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Selecting an alert using the checkbox brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the endpoint name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an endpoint name brings you the machine page.
Clicking on an machine name brings you the machine page.
### Threats
Shows details related to threats associated with this investigation.
@ -140,8 +142,11 @@ Available filters include action type, action, status, machine name, and descrip
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions
This tab is displayed if there are any pending actions for which a decision is needed.
### Pending actions history
This tab is displayed if there are any pending actions on the investigation.
This tab is displayed if there are pending actions for which a decision was made.
## Pending actions on investigations
@ -149,11 +154,11 @@ The pending actions view aggregates all the file quarantine, persistence method
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
![Image of Pending actions](images/atp-pending-actions-auto-ir.png)
Selecting a file opens a panel where you can approve or decline the remediation. Other details such as file details, investigation details, and alert details are displayed.
Selecting a file opens a panel where you can approve or reject the remediation. Other details such as file details, investigation details, and alert details are displayed.
![Image of pending action selected](images/atp-pending-actions-file.png)
@ -161,9 +166,3 @@ Selecting other investigation numbers from the other pending actions categories
From the panel, you can click on the Open investigation page link to see the investigation details.