DanielBMA
Copper Contributor
Feb 02, 2024

Automated Investigation on endpoint

Long story short, we got an alert about a file being malicious. I searched our environment using both the filename and SHA1 hash and located the file on one endpoint. I initiated an investigation and the investigation status shows as "Failed" providing no causality for the failure. Is there someplace I can look to see why it failed and what I can do to correct it?

  • SKadish
    Brass Contributor
    Hi Daniel,

    In case you don't know by now, automated investigations have been a mess for two months. We have over a hundred queued up or running, many with failures and errors. There is an advisory about it; go to your Microsoft 365 Admin Center and look for advisory DZ705297.
  • Joe Stocker
    Bronze Contributor
    When the investigation shows failed, it means "At least one investigation analyzer ran into a problem where it couldn't complete properly."
    You just need to resubmit the investigation, and if it continues to fail, then I would recommend opening a support case.