View the details and results of an automated investigation

With Microsoft Defender for Endpoint, when an automated investigation runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.

(NEW!) Unified investigation page

The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across Microsoft Defender for Endpoint and Microsoft Defender for Office 365.


To learn more about what's changing, see (NEW!) Unified investigation page.

Open the investigation details view

You can open the investigation details view by using one of the following methods:

Select an item in the Action center

The improved Action center brings together remediation actions across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.

  1. Go to Microsoft 365 Defender and sign in.
  2. In the navigation pane, choose Action center.
  3. On either the Pending or History tab, select an item. Its flyout pane opens.
  4. Review the information in the flyout pane, and then take one of the following steps:
    • Select Open investigation page to view more details about the investigation.
    • Select Approve to initiate a pending action.
    • Select Reject to prevent a pending action from being taken.
    • Select Go hunt to go into Advanced hunting.

Open an investigation from an incident details page

Use an incident details page to view detailed information about an incident, including alerts that were triggered and information about any affected devices, user accounts, or mailboxes.

  1. Go to Microsoft 365 Defender and sign in.
  2. In the navigation pane, choose Incidents & alerts > Incidents.
  3. Select an item in the list, and then choose Open incident page.
  4. Select the Investigations tab, and then select an investigation in the list. Its flyout pane opens.
  5. Select Open investigation page.

Investigation details

Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image:

In the Investigation details view, you can see information on the Investigation graph, Alerts, Devices, Identities, Key findings, Entities, Log, and Pending actions tabs, described in the following table.


The specific tabs you see in an investigation details page depend on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a Mailboxes tab.

| Tab | Description |
|---|---|
| Investigation graph | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval. You can select an item on the graph to view more details. For example, selecting the Evidence icon takes you to the Evidence tab, where you can see detected entities and their verdicts. |
| Alerts | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Defender for Cloud Apps, and other Microsoft 365 Defender features. |
| Devices | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the automation level for device groups.) |
| Mailboxes | Lists mailboxes that are impacted by detected threats. |
| Users | Lists user accounts that are impacted by detected threats. |
| Evidence | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (Malicious, Suspicious, or No threats found) and remediation status. |
| Entities | Provides details about each analyzed entity, including a verdict for each entity type (Malicious, Suspicious, or No threats found). |
| Log | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered. |
| Pending actions | Lists items that require approval to proceed. Go to the Action center to approve pending actions. |