Forum Discussion

HathMH's avatar
HathMH
Copper Contributor
Aug 04, 2022

Action Center showing a lot of Failed status

So I have assumed responsibility of the MS 365 Defender security role. I was going through the Action Center history and found some alarming things. Almost all of the automated actions have failed for an unknown length of time. I have gone as far back as the past 30 days. Every Automated email action has a Failed status when not specifically listing an status or entity in the 'Decision' or 'Decided by' columns.

 

 

Of those that failed, i can on them individually and choose to 'Open in Explorer' and there I can then select all and go for the soft delete action. But that is getting tedious to have to do that for every action, we are talking literally thousands.

 

What is the cause of this and how do I fix it?

  • GMela's avatar
    GMela
    Brass Contributor

    HathMH 

     

    The Fix is in place.... we are getting now the status "Skipped".

     

    When open the investigation page you can see in the Logs, only the "Soft delete email" Step with the Status "Skipped - The action wasn't needed, and the investigation proceeded." but the Investigation Status is "Remediated"

     

    and When checking the Email Trace you can see the Email was delivered in the JunkFolder

     

    But if you go to the Email Entitie, you can see tow steps, 

    - Junk Email folder - Delivered to junk

    -Success: Message moved to quarantine

    and checking the quarantine... is right the Emails was moved there.

     

    ... so, in my Opinion should be a "Success" instead of "Skipped"... but is better as "Failed" :xd: 

     

  • GMela's avatar
    GMela
    Brass Contributor

    HathMH 

     

    after a loong way with a MS Ticket, they confirm me that a Fix has been deployed and will reach World Wide deployment in around 2 weeks. 

  • richrico's avatar
    richrico
    Copper Contributor
    This could be because whoever was initially responsible for it didn't approve them for the automation action to continue. Although the remediation is automated, the administrator sometimes need to approve or deny the remediation action in the pending column of the Action Center. It times out when that is not done.
    • HathMH's avatar
      HathMH
      Copper Contributor
      Yes, every morning (and several times thru the day) I open up Action Center and go through the list to approve all action items. Up until a couple months ago, there used to be 100+ items to approve. Lately though, there's maybe a dozen or so if any at all. Most morning there is nothing. The support ticket has been in for a bit of time, it's been moved up to an engineer team i think. They say it may just be a UI issue. When the action items show a fail status, the automated action is still done as the emails are remediated. However, this issue along with automated actions no longer appearing in my pending list wrecks havoc on my metrics. All those that previously showed but no more are not being listed correctly in my remediated monthly metrics. Still waiting on MS to resolve this.
      • GMela's avatar
        GMela
        Brass Contributor

        HathMH 

        I am totally agree, I was receiving also every day someone actions to approve, and now, since day.... no one...  As Security Administrator this will be a great day when I do not receive any "Attack"... but I Don't think this is the case :sad:

    • HathMH's avatar
      HathMH
      Copper Contributor
      I've heard nothing from MS for over a week now. No resolution yet, but I was told there are many others that have reported this issue.
      • HeikeRitter's avatar
        HeikeRitter
        Icon for Microsoft rankMicrosoft
        I have escalated it internally again. It's already with an escalation engineer and hopefully you hear back soon. keep me updated
  • It's difficult to tell what kind of issue this is. It might be helpful to have a support ticket open to research this further. In the meantime, you could select one of those failed actions to view the side-panel page. On this page there should be a section titled latest delivery action. This section would say whether e-mails remain in mailboxes by providing a count and would be a good indicator of the current status of the emails.
    • HathMH's avatar
      HathMH
      Copper Contributor

      Unfortunately, there is no Latest delivery column. I think that is is Email Explorer.
      I do have a support ticket in, but there has been no response for over a week now. Not impressed with the Microsoft customer support.

Resources