deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

AIR fixes

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2020-02-20 16:06:35 -08:00
parent b92b2c9586
commit fa54328dd0
2 changed files with 101 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -40,7 +40,7 @@ Use the **Customize columns** menu to select columns that you'd like to show or
You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
## Investigations page ## The Investigations page
![Image of Auto investigations page](images/atp-auto-investigations-list.png) ![Image of Auto investigations page](images/atp-auto-investigations-list.png)
@ -52,16 +52,19 @@ Use the **Customize columns** menu to select columns that you'd like to show or
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
### Filters and details ### Filters for the list of investigations
On the **Investigations** page, you can view details and use filters to focus on specific information. Filters include the following: On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
- **Status** (see the details below)
- **Triggering alert** (The alert that initiated the automated investigation) |Filter |Description |
- **Detection source** (The source of the alert that initiated the automated investigation.) |---------|---------|
- **Entities** (these can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created.) |**Status** |(See [Automated investigation status](#automated-investigation-status)) |
- **Threat** (The category of threat detected during the automated investigation.) |**Triggering alert** | The alert that initiated the automated investigation |
- **Tags** (Filter using manually added tags that capture the context of an automated investigation.) |**Detection source** |The source of the alert that initiated the automated investigation. |
- **Comments** (Select between filtering the list between automated investigations that have comments and those that don't.) |**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
|**Threat** |The category of threat detected during the automated investigation. |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
## Automated investigation status ## Automated investigation status
@ -82,6 +85,76 @@ An automated investigation can be have one of the following status values:
| Terminated by user | A user stopped the investigation before it could complete. | | Terminated by user | A user stopped the investigation before it could complete. |
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | | Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
## View details about an automated investigation
![Image of investigation details window](images/atp-analyze-auto-ir.png)
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
### Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
A progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Alerts
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Evidence
The **Evidence** tab shows details related to threats associated with this investigation.
### Entities
The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images/pending-actions.png)
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
## Next steps ## Next steps
[View and approve remediation actions](manage-auto-investigation.md) [View and approve remediation actions](manage-auto-investigation.md)

166
windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
View File

@ -1,6 +1,6 @@
--- ---
title: Learn about the automated investigations dashboard in Microsoft Defender Security Center title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
description: View the automated investigations list. View the status, detection source and other details for automated investigations. description: Review and approve (or reject) remediation actions following an automated investigation.
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
ms.author: macapara ms.author: deniseb
author: mjcaparas author: denisebmsft
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
@ -17,154 +17,24 @@ ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
--- ---
# Learn about the automated investigations dashboard # Review and approve actions following an automated investigation
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
>[!NOTE] When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organizations security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide. As a best practice, make sure to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a timely manner.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria. 1.
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
**Filters**</br> ## Related articles
You can use the following operations to customize the list of automated investigations displayed:
[Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
**Triggering alert**</br>
The alert that initiated the automated investigation.
**Status**</br>
An automated investigation can be in one of the following status:
Status | Description
:---|:---
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending action | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
**Detection source**</br>
Source of the alert that initiated the automated investigation.
**Threat**</br>
The category of threat detected during the automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an automated investigation.
**Machines**</br>
You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between automated investigations that have comments and those that don't.
## Analyze automated investigations
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
![Image of investigation details window](images/atp-analyze-auto-ir.png)
The progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Evidence
- Entities
- Log
- Pending actions
>[!NOTE]
>The Pending actions tab is only displayed if there are actual pending actions.
- Pending actions history
>[!NOTE]
>The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Evidence
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
## Pending actions
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images/pending-actions.png)
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
## Related topic
- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)