365 Defender Automated Investigation

Hitesh Mulchandani 0 Reputation points

I have a device group created that is set to full remediation. However over time there has been a grouping of alerts for "Multi-stage incident involving Execution & Command and control including Ransomware on multiple endpoints". Almost everything in there is a false positive. There are 8 assets from the device group for which 99 alerts have been generated so far. Auto remediation has been applied to 69 alerts and the investigation status for 30 alerts are either = terminated by system or partially investigated. I am trying to dive deep into the logic behind this.

Can someone help me with more information or supporting document. I have read a few posts where it says that the possibility is that the investigations pending items expired awaiting approval or there are too many actions. However neither of them is true and If I understand it correct, those references are for M365 (office 365).

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,738 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more