Review and approve actions following an automated investigation

Remediation actions

When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be Malicious, Suspicious, or No threats found. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.

When a verdict of Malicious is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:

  • Quarantine a file
  • Remove a registry key
  • Kill a process
  • Stop a service
  • Disable a driver
  • Remove a scheduled task

Evidence determined as Suspicious results in pending actions that require approval. As a best practice, make sure to approve (or reject) pending actions as soon as possible so that your automated investigations complete in a timely manner.

No actions are taken when a verdict of No threats found is reached for a piece of evidence.

In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and viewable in the Microsoft Defender Security Center.

Review pending actions

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. You'll see the Security dashboard.

  2. On the Security dashboard, in the navigation pane on the left, choose Automated investigations > Action center.

  3. Review any items on the Pending tab.

    Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the Open investigation page link to see the investigation details.

    You can also select multiple investigations to approve or reject actions on multiple investigations.

Review completed actions

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. You'll see the Security dashboard.

  2. On the Security dashboard, in the navigation pane on the left, choose Automated investigations > Action center.

  3. Select the History tab. (If need be, expand the time period to display more data.)

  4. Select an item to view more details about that remediation action.

Next steps