365 Defender Automated Investigation
I have a device group created that is set to full remediation. However, over time there has been a grouping of alerts for "Multi-stage incident involving Execution & Command and control including Ransomware on multiple endpoints". Almost everything in there is a false positive. There are 8 assets from the device group for which 99 alerts have been generated so far. Auto remediation has been applied to 69 alerts, and the investigation status for the other 30 alerts is either "terminated by system" or "partially investigated". I am trying to dive deep into the logic behind this.
Can someone help me with more information or a supporting document? I have read a few posts where it says that the possibility is that the investigation's pending items expired awaiting approval or there are too many actions. However, neither of them is true and, if I understand it correctly, those references are for M365 (Office 365).
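One way to get the per-device breakdown the question is after, as an added example that is not part of the original post or Microsoft's own tooling: pull the investigation records for the device group and group them by final state, then list the devices where incomplete runs repeat. The record fields used here (`id`, `state`, `computerDnsName`, `triggeringAlertId`, `statusDetails`) are assumed to follow the shape returned by the Defender for Endpoint Investigations API list endpoint; the records in the script are constructed sample data so it runs offline, and the set of "incomplete" state names is this example's own grouping, not a documented category.

```python
"""Triage automated-investigation outcomes for a device group (offline).

Added example, not code from the original post. Field names follow the
assumed shape of Defender for Endpoint Investigations API records; the
records below are constructed sample data, not output from a real tenant.
"""
from collections import Counter, defaultdict

# Constructed sample data: three devices, nine investigations, mixed outcomes.
# statusDetails strings are placeholders, not real product messages.
SAMPLE_INVESTIGATIONS = [
    {"id": "1", "computerDnsName": "ws01", "triggeringAlertId": "a1",
     "state": "SuccessfullyRemediated", "statusDetails": None},
    {"id": "2", "computerDnsName": "ws01", "triggeringAlertId": "a2",
     "state": "SuccessfullyRemediated", "statusDetails": None},
    {"id": "3", "computerDnsName": "ws01", "triggeringAlertId": "a3",
     "state": "TerminatedBySystem", "statusDetails": "constructed: placeholder detail"},
    {"id": "4", "computerDnsName": "ws01", "triggeringAlertId": "a4",
     "state": "PartiallyInvestigated", "statusDetails": "constructed: placeholder detail"},
    {"id": "5", "computerDnsName": "ws02", "triggeringAlertId": "a5",
     "state": "SuccessfullyRemediated", "statusDetails": None},
    {"id": "6", "computerDnsName": "ws02", "triggeringAlertId": "a6",
     "state": "Benign", "statusDetails": None},
    {"id": "7", "computerDnsName": "ws02", "triggeringAlertId": "a7",
     "state": "TerminatedBySystem", "statusDetails": "constructed: placeholder detail"},
    {"id": "8", "computerDnsName": "ws03", "triggeringAlertId": "a8",
     "state": "SuccessfullyRemediated", "statusDetails": None},
    {"id": "9", "computerDnsName": "ws03", "triggeringAlertId": "a9",
     "state": "Running", "statusDetails": None},
]

# This example's own grouping: outcomes where automation stopped before
# finishing remediation (the states the question is asking about).
INCOMPLETE_STATES = frozenset({
    "TerminatedBySystem", "TerminatedByUser", "Terminated",
    "PartiallyInvestigated", "PartiallyRemediated", "Failed",
})


def state_counts(investigations):
    """Count investigations per final state across the whole device group."""
    return Counter(inv["state"] for inv in investigations)


def incomplete_by_device(investigations):
    """Map device name -> [(investigation id, alert id, state, statusDetails)]
    for runs that did not complete, so each can be opened individually."""
    out = defaultdict(list)
    for inv in investigations:
        if inv["state"] in INCOMPLETE_STATES:
            out[inv["computerDnsName"]].append(
                (inv["id"], inv["triggeringAlertId"], inv["state"], inv.get("statusDetails"))
            )
    return dict(out)


def repeat_offenders(investigations, threshold=2):
    """Devices with at least `threshold` incomplete investigations: the first
    place to look for a stuck pending action or a missing exclusion."""
    return sorted(
        device for device, runs in incomplete_by_device(investigations).items()
        if len(runs) >= threshold
    )


if __name__ == "__main__":
    for state, n in state_counts(SAMPLE_INVESTIGATIONS).most_common():
        print(f"{state:24s} {n}")
    for device, runs in incomplete_by_device(SAMPLE_INVESTIGATIONS).items():
        print(device, runs)
    print("repeat offenders:", repeat_offenders(SAMPLE_INVESTIGATIONS))
```

Replace `SAMPLE_INVESTIGATIONS` with the records retrieved for the device group and the `statusDetails` column is the field to read first for each incomplete run; comparing the triggering alert titles of the repeat offenders against the known false positives tells you whether a tuning exclusion, rather than the investigation engine, is what needs attention.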
1 answer
Deleted: This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.