Microsoft Tech Community

Automated Investigation on endpoint

Long story short, we got an alert about a file being malicious. I searched our environment using both the filename and SHA1 hash and located the file on one endpoint. I initiated an investigation and the investigation status shows as "Failed" providing no causality for the failure. Is there someplace I can look to see why it failed and what I can do to correct it?

2 Replies

When the investigation shows failed, it means "At least one investigation analyzer ran into a problem where it couldn't complete properly."
You just need to resubmit the investigation, and if it continues to fail then I would recommend opening a support case.

Hi Daniel,

In case you don't know by now, automated investigations have been a mess for two months. We have over a hundred queued up or running, many with failures and errors. There is an advisory about it; go to your Microsoft 365 Admin Center and look for advisory DZ705297.