deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
jcaparas 0e5cacdc26
space
2019-06-21 13:55:10 -07:00

2.5 KiB
Raw Blame History

title, description, keywords, search.product, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
title description keywords search.product ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.author author ms.localizationpriority manager audience ms.collection ms.topic
Manage actions related to automated investigation and remediation Use the action center to manage actions related to automated investigation and response action, center, autoir, automated, investigation, response, remediation eADQiWindows 10XVcnh w10 deploy library security macapara mjcaparas medium dansimp ITPro M365-security-compliance article

Manage actions related to automated investigation and remediation

The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.

Image of Action center page

The action center consists of two main tabs:

  • Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
  • History - Acts as an audit log for:
    • All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
    • All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
    • Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.

Use the Customize columns drop-down menu to select columns that you'd like to show or hide.

From this view, you can also download the entire list in CSV format using the Export feature, specify the number of items to show per page, and navigate between pages.

Note

The tab will only appear if there are pending actions for that category.

Approve or reject an action

You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.

Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.

From the panel, you can click on the Open investigation page link to see the investigation details.

You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.

Related topics