some formatting changes

Dani Halfin 2020-05-10 13:18:57 -07:00
parent 2c92dc49d9
commit 006798b25b


@ -28,7 +28,7 @@ ms.date: 5/1/2020
The new alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
Quickly triage, investigate and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location.
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location.
## Getting started with an alert
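Review bot: the second sentence of the changed line still has a comma splitting a compound object ("Understand why they were triggered, and their impact from one location"); suggest "Understand why they were triggered and what their impact is, all from one location." The unchanged line above has the same pattern ("provides full context to the alert, by combining ..."), where the comma before "by" should go as well.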
@ -41,7 +41,7 @@ Clicking on an alert's name in Microsoft Defender ATP will land you on its alert
![An alert page when you first land on it](images/alert-landing-view.png)
Note the detection status for your alert. Blocked, prevented or remediated means actions were already taken by Microsoft Defender ATP.
Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Microsoft Defender ATP.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)
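Review bot: on the changed line, "Blocked, prevented, or remediated" are the literal detection-status values the portal displays, so they should be formatted as UI labels, e.g. "**Blocked**, **Prevented**, or **Remediated**", to match how **Resolved**, **False alert** and **True alert** are styled later on the page; plain lowercase words read as a description rather than as the values to look for.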
@ -52,7 +52,7 @@ Other information available in the details pane when the alert opens includes MI
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation or go to the machine page to investigate from the device's point of view.
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the machine page to investigate from the device's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view.
![A snippet of the details pane when a device is selected](images/alert-device-details.png)
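Review bot: the changed "**For devices**" bullet still says "go to the machine page" while the same bullet and the line above it use "device" throughout; suggest "go to the device page" for consistency. Two smaller points in the same hunk: "logged on users" should be hyphenated as "logged-on users" when used as a modifier, and both bullets read better with a comma after the bold lead-in ("**For devices**, the details pane ..." / "**For users**, the details pane ...").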
@ -77,9 +77,10 @@ Once you've selected an entity of interest, the details pane will change to disp
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
If you are experiencing a false alert with a line-of-business application, create a supression rule to avoid this type of alert in the future
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
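Review bot: the unchanged context at the top of this hunk still says "more true alerts and less false alerts"; alerts are countable, so it should read "more true alerts and fewer false alerts". While touching this line, "Classifying alerts helps tune this capability" could name what is tuned (the alerting), e.g. "Classifying alerts helps tune alerting so that it produces more true alerts and fewer false alerts."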