SOLVED

Defender ATP Demo - not seeing Automated Investigations...? OS is not supported

I have Defender ATP running fine in a Demo.microsoft.com Tenant - with a Windows 10 Client connected to it and validated nicely - after unzipping some viruses and messing around with mimikatz I have some good stats and alerts to show everything is working as advertised.

I was also quietly impressed with the way it was actually able to "isolate" the Win 10 client.
Question - can this be automated as well?

Main Question - the "Automated Investigation" area is still completely blank....???
It seems I'm still getting an error that this OS is not supported?
This is build 1709...? Please see attached files for screenshots


I have also now tried with a couple of other Windows 10 images, but overnight they updated themselves to 1709 also, how can I get the Automated Investigation element working correctly? It would appear that Build 1709 is not a supported OS? If that is the case then what is supported...?

I am confused on this - any advice on where to look next?

Thanks in advance
Dave Caddick

best response confirmed by David Caddick (Iron Contributor)
Solution

It is not supported as we require Windows 10, version 1803 (spring creators update).


We are working on enhancing the automation capabilities to also automate isolation, so it is on the road map (I can't commit to when just yet).
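Since the accepted answer hinges on the client being at Windows 10 version 1803 or later, the following pre-flight check is an added example (not code from the thread or from Microsoft) that an admin can run on a client before expecting Automated Investigation to appear. It assumes the documented build numbers (1709 = 16299, 1803 = 17134), the ATP sensor service name `Sense`, and the `OnboardingState` value under the Windows Advanced Threat Protection `Status` registry key; treat those names as assumptions and confirm them against current Microsoft documentation for your tenant.

```powershell
# Added example, not part of the original thread: check a Windows 10 client
# against the 1803 requirement and confirm the ATP sensor is onboarded.

$ver       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build     = [int]$ver.CurrentBuild      # assumption: 1709 = 16299, 1803 = 17134
$releaseId = $ver.ReleaseId

if ($build -lt 17134) {
    Write-Warning "Windows 10 $releaseId (build $build) is below 1803 (build 17134); Automated Investigation is not supported on this client."
} else {
    Write-Output "Windows 10 $releaseId (build $build) meets the 1803 requirement."
}

# The ATP sensor runs as the 'Sense' service (assumed name).
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense) {
    Write-Warning "Sense service not found: the ATP sensor is not present on this image."
} elseif ($sense.Status -ne 'Running') {
    Write-Warning "Sense service is $($sense.Status); the client will not report to the portal."
} else {
    Write-Output "Sense service is running."
}

# Onboarding state is recorded under the ATP Status key (assumed key and value name).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status    = Get-ItemProperty $statusKey -ErrorAction SilentlyContinue
if ($status -and $status.OnboardingState -eq 1) {
    Write-Output "Client is onboarded to Windows Defender ATP."
} else {
    Write-Warning "OnboardingState is not 1; re-run the onboarding script on this client."
}
```

Run it in an elevated PowerShell session on the client; a build below 17134 is the condition the answer above describes, and the service and onboarding checks separate "not supported" from "not onboarded", which look the same from the portal side.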

Thanks Benny, we got that sorted yesterday and now working a treat.


Having said that - it seems that the "Automated Investigation" is stalling even though I can clearly see that Defender on the end point has already Quarantined/Deleted the malicious file?


Is this something that needs to be troubleshot? Any advice?

Can you give some more details as to what you mean by stalling?

Hi Ben, I have an alert for:
"Windows Defender AV detected 'Tiggre' malware" that has now been running for 2h 45mins...?


I need to get some more details on why it has been running so long: is the investigation pending as it is waiting for the machine? Waiting for a pending action approval?
Can you check the log and see what is the latest action it is performing or pending?

Maybe I'm doing something stupid, but that's the info I'm after too 


I can see it's gathered 52 logs - they are all listed as completed.

Oops... - now I can see on the right that I needed to check the status "Queued" - there are 2 of these

It's waiting to Read File - on the machine's C drive - and this is actually the OnBoarding.cmd file...


So even though I have now been able to view the file contents (assuming this means it has successfully retrieved the file?) and this process is still listed as being Queued??

Feel free to let me know what else I should be checking?


Thanks Benny,


I'm just reviewing some of the details that the Investigation goes through + the fact that it's taking quite some time to run through all the logs (having said that this is a Test VM in Hyper-V on my laptop - so the speed is not great - now strongly considering adding a second SSD for VMs to run from)


It might be useful to have an Alert at the User's end "Your PC has detected some potentially malicious files and is now running an Automated Investigation by Windows Defender ATP" ??


OR - once we can add an option to automatically isolate this - "Your PC has detected some potentially malicious files and has now been placed in Quarantine pending an Automated Investigation by Windows Defender ATP - you will only be able to use Outlook & Skype until complete"


Ideally this would still allow Quick Assist? the Message could be customized with the Corporate logo + Help Desk contact details & a link to start Quick Assist? 


Thanks for the suggestions David.
These are ideas we are already considering.

Let me know if you need anything else.
