0
(0)

 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender

With Microsoft 365 Defender, when an automated investigation runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view that provides you with up-to-date status and the ability to approve any pending actions.

(NEW) Unified investigation page

The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across Microsoft Defender for Endpoint and Microsoft Defender for Office 365. To access the unified investigation page, select the link in the yellow banner you’ll see on:

Open the investigation details view

You can open the investigation details view by using one of the following methods:

Select an item in the Action center

The improved Action center (https://security.microsoft.com/action-center) brings together remediation actions across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.

 Tip

You must have certain permissions to approve, reject, or undo actions.

  1. Go to Microsoft 365 Defender portal and sign in.
  2. In the navigation pane, choose Action center.
  3. On either the Pending or History tab, select an item. Its flyout pane opens.
  4. Review the information in the flyout pane, and then take one of the following steps:
    • Select Open investigation page to view more details about the investigation.
    • Select Approve to initiate a pending action.
    • Select Reject to prevent a pending action from being taken.
    • Select Go hunt to go into Advanced hunting.

Open an investigation from an incident details page

Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.

  1. Go to Microsoft 365 Defender portal and sign in.
  2. In the navigation pane, choose Incidents & alerts > Incidents.
  3. Select an item in the list, and then choose Open incident page.
  4. Select the Investigations tab, and then select an investigation in the list. Its flyout pane opens.
  5. Select Open investigation page.

Here’s an example.

An example of an investigation page.

Investigation details

Use the investigation details view to see past, current, and pending activity pertaining to an investigation. Here’s an example.

An example of investigation details.

In the Investigation details view, you can see information on the Investigation graphAlertsDevicesIdentitiesKey findingsEntitiesLog, and Pending actions tabs, described in the following table.

 Note

The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won’t see a Mailboxes tab.

INVESTIGATION DETAILS
Tab Description
Investigation graph Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.
You can select an item on the graph to view more details. For example, selecting the Evidence icon takes you to the Evidence tab, where you can see detected entities and their verdicts.
Alerts Lists alerts associated with the investigation. Alerts can come from threat protection features on a user’s device, in Office apps, Microsoft Defender for Cloud Apps, and other Microsoft 365 Defender features.
Devices Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the automation level for device groups.)
Mailboxes Lists mailboxes that are impacted by detected threats.
Users Lists user accounts that are impacted by detected threats.
Evidence Lists pieces of evidence raised by alerts or investigations. Includes verdicts (MaliciousSuspiciousUnknown, or No threats found) and remediation status.
Entities Provides details about each analyzed entity, including a verdict for each entity type (MaliciousSuspicious, or No threats found).
Log Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.
Pending actions history Lists items that require approval to proceed. Go to the Action center (https://security.microsoft.com/action-center) to approve pending actions.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 15 times, 1 visits today)