expovur.blogg.se

Office 365 action center

The results of current and past automatic investigations and remediation actions across your organization's devices and mailboxes are visible in the Action center in Microsoft Threat Protection. The Action center provides a unified experience for remediation actions and an audit log. The Action center enables your security operations team to approve pending remediation actions and to remediate impacted assets. You can also review approved actions in an audit log. The Action center brings all this together across Microsoft Threat Protection security workloads, including Office 365 Advanced Threat Protection (Office 365 ATP) and Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Furthermore, if you need to undo a remediation action that was taken by Microsoft Defender ATP, in most cases, you can do that in the Action center in Microsoft Threat Protection. The History tab tracks all remediation actions that were completed, and you can undo an action there.

But what about remediation actions that were taken manually or from an advanced hunting experience, such as isolating a device, or restricting app execution on a specific device? How do you view an audit log for those actions?

Suppose, for example, that in order to slow down the spread of ransomware, your security operations team decides to isolate all of the devices connected to a specific subnet in your org. To take this action, you could use an advanced hunting custom detection with the predefined action, “Isolate device.” Such a custom detection might look like this:

Or, maybe you use a slightly more advanced example with specific alert categories to view the list of devices, like this:

| where Category in ("Credential access", "Ransomware")

But how do you know which devices were isolated, and how do you undo device isolation if needed?

We’re happy to announce that you can now audit and undo manually taken actions in Microsoft Defender ATP in the Action center in Microsoft Threat Protection. This capability is in public preview now!











