Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert.

The alert title shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.

Affected assets lists cards of devices and users affected by this alert that are clickable for further information and actions.

The alert story displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in Investigate alerts in Microsoft Defender for Endpoint.

The details pane will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.

Note the detection status for your alert.

Prevented: The attempted suspicious action was avoided. For example, a file either wasn't written to disk or executed.

Blocked: Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated.

Detected: An attack was detected and is possibly still active.

You can then also review the automated investigation details in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details. If you see an Unsupported alert type alert status, it means that automated investigation capabilities cannot pick up that alert to run an automated investigation. However, you can investigate these alerts manually.