So we are setting up a SOC with MD ATP and recently we were attacked by a wide phishing attack.
One of the users actually filled in his credentials and thus the phisher was inside and send more phishing mails to nearly everybody inside the organization.
Each of those mails contained an excel file which, after remediation, we clicked "Stop & quarantined" on its file page in securitycenter (Windows).
Now we also saw that the only place we can review the action is by clicking "action center" on the actual file page of the excel.
Isn't there a central view where we can see all files which were stopped and quarantined like that?
Or shouldn't we use the "Stop & Quarantine" function like this and should we work with indicators?
Thx for the feedback!