mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 04:13:41 +00:00
Merge branch 'atp-FEB' of https://github.com/Microsoft/win-cpub-itpro-docs into atp-FEB
@ -66,7 +66,8 @@ Reviewing the various alerts and their severity can help you decide on the appro
|
||||
- Windows Defender AV
|
||||
- Windows Defender ATP
|
||||
|
||||
>[!NOTE] The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
|
||||
>[!NOTE]
|
||||
>The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
|
||||
|
||||
**Time period**</br>
|
||||
- 1 day
|
||||
@ -82,7 +83,7 @@ Reviewing the various alerts and their severity can help you decide on the appro
|
||||
The group view allows for efficient alert triage and management.
|
||||
|
||||
### Use the Alert management pane
|
||||
Selecting an alert brings up the **Alert management** pane where you can manage alerts and see details about the alert.
|
||||
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
|
||||
|
||||
You can take the following management actions on an alert from the **Alert management** pane:
|
||||
|
||||
|
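Review bot: splitting the note into `>[!NOTE]` on its own line followed by `>The Windows Defender AV filter will only appear ...` is the right fix; with the marker and the text on one line the alert renders as an ordinary blockquote rather than a Docs note. One wording issue in the rewritten sentence: "where you can manage and see details about the alert" reads as if "manage" takes "details" as its object; suggest "where you can manage the alert and see its details".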
Binary file not shown.
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 92 KiB |
BIN
windows/keep-secure/images/atp-alert-timeline.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 187 KiB |
BIN
windows/keep-secure/images/atp-incident-graph.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 132 KiB |
Binary file not shown.
Before Width: | Height: | Size: 2.0 KiB After Width: | Height: | Size: 1.9 KiB |
@ -38,43 +38,38 @@ The **Alert process tree** takes alert triage and investigation to the next leve
|
||||
|
||||

|
||||
|
||||
The alert process tree expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert.
|
||||
The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert.
|
||||
|
||||
You’ll see markers that indicate related events. These icons also indicate the events that triggered the alert.
|
||||
You’ll see markers  that indicate related events. These icons also indicate the events that triggered the alert.
|
||||
|
||||
>[!NOTE]
|
||||
>The alert process tree might not be available in some alerts.
|
||||
|
||||
Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert.
|
||||
|
||||
You can take the following management actions on an alert from the **Alert management** pane:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
|
||||
|
||||
## Incident graph
|
||||
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
|
||||
The **Incident graph** provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
|
||||
|
||||
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
|
||||

|
||||
|
||||
## Alert spotlight
|
||||
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
|
||||
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert. It expands alert evidence to connect to other machines it was observed on by file and process.
|
||||
|
||||
You can click on the machine link from the alert view to see the alerts related to the machine.
|
||||
The Windows Defender ATP service keeps track of "known processes" such as system files like PowerShell and others, that often trigger alerts. These alerts can be considered benign and very prevalent (on almost all machines) – so there is little to no value in expanding the **Incident graph** to other machines these files were observed on.
|
||||
|
||||
> [!NOTE]
|
||||
> This shortcut is not available from the Incident graph machine links.
|
||||
Alerts related to these processes include specific command lines that are generally the basis for the alert. You can use command lines as a criterion for expanding to other machines.
|
||||
|
||||
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
|
||||
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
|
||||
The **Incident graph** also shows that ‘the same command’ (for the same known process) was observed on other machines, ensuring the accuracy and value of the Incident Graph’s expansion.
|
||||
|
||||
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
|
||||
The **Incident graph** also supports IP Addresses as a criterion of expansion, showing the potential scope of alert evidence without having to change context by navigating to the IP Address page.
|
||||
|
||||
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
|
||||
|
||||
## Alert timeline
|
||||
The **Alert timeline** feature helps ease investigations by highlighting alerts related to a specific machine and events.
|
||||
|
||||

|
||||
|
||||
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
|
||||
|
||||
### Related topics
|
||||
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
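Review bot: the image references `` and `` carry empty alt text; give them descriptive alt text the way the `` line already does. Also, the **Alert timeline** intro ("helps ease investigations by highlighting alerts related to a specific machine and events") is the old **Alert spotlight** sentence, yet the text that follows it describes the **Details pane** (file details, detections, worldwide and organizational instances), not highlighting; if the right-click **Mark related events** / **Unmark related events** steps are being dropped in this hunk, reword the intro around what the section now documents, otherwise keep those steps under it. Minor: the sentence "The **Incident graph** also shows that ‘the same command’ ... ensuring the accuracy and value of the Incident Graph’s expansion" uses curly quotes and two capitalizations of the feature name in one line.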
@ -150,106 +150,9 @@ For prevalent files in the organization, a warning is shown before an action is
|
||||
|
||||
3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
|
||||
|
||||
## Isolate files from the network
|
||||
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
|
||||
|
||||
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
|
||||
|
||||
>[!NOTE]
|
||||
>You’ll be able to reconnect the machine back to the network at any time.
|
||||
|
||||
## Isolate machine
|
||||
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
|
||||
|
||||
- **Dashboard** – Select the machine name from the Top machines with active alerts section.
|
||||
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
|
||||
- **Machines view** - Select the machine name from the list of machines.
|
||||
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
|
||||
|
||||
2. Open the **Actions** menu and select **Isolate machine**.
|
||||
|
||||

|
||||
|
||||
3. Type a comment (optional) and select **Yes** to take action on the machine.
|
||||
>[!NOTE]
|
||||
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
|
||||
|
||||
The Action center shows the submission information:
|
||||

|
||||
|
||||
- **Submission time** – Shows when the isolation action was submitted.
|
||||
- **Submitting user** – Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
|
||||
- **Status** – Indicates any pending actions or the results of completed actions.
|
||||
|
||||
When the isolation configuration is applied, there will be a new event in the machine timeline.
|
||||
|
||||
**Notification on machine user**:</br>
|
||||
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
|
||||
|
||||

|
||||
|
||||
## Undo machine isolation
|
||||
Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated.
|
||||
|
||||
1. Select a machine that was previously isolated.
|
||||
|
||||
2. Open the **Actions** menu and select **Undo machine isolation**.
|
||||
|
||||

|
||||
|
||||
3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network.
|
||||
|
||||
## Collect an investigation package from a machine
|
||||
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
|
||||
|
||||
You can download the package (Zip file) and investigate the events that occurred on a machine.
|
||||
|
||||
The package contains the following folders:
|
||||
|
||||
Folder | Description
|
||||
:---|:---
|
||||
Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
|
||||
Installed program | This CSV file contains the list of installed program that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).
|
||||
Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs/attacker’s command & control or any lateral movement/remote connections.</br></br> - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
|
||||
Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.
|
||||
Processes | Contains a CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identify if there is a suspicious process and its state.
|
||||
Scheduled tasks | Contains a CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for a suspicious code set to run automatically.
|
||||
Security event log | Contains the security event log which contains records of login/logout activity or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer.
|
||||
Services | Contains the services.txt file which lists services and their states.
|
||||
SMB sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).
|
||||
Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
|
||||
Users and Groups | Provides a list of files that each represent a group and its members.
|
||||
CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
|
||||
|
||||
## Collect investigation package
|
||||
1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
|
||||
|
||||
- **Dashboard** – Select the machine name from the Top machines with active alerts section.
|
||||
- **Alerts queue** – Select the machine name beside the machine icon from the alerts queue.
|
||||
- **Machines view** – Select the heading of the machine name from the machines view.
|
||||
- **Search box** – Select Machine from the drop-down menu and enter the machine name.
|
||||
|
||||
2. Open the **Actions** menu and select **Collect investigation package**.
|
||||
|
||||
The Action center shows the submission information:
|
||||

|
||||
|
||||
- **Submission time** – Shows when the action was submitted.
|
||||
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
|
||||
- **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
|
||||
|
||||
3. Select **Package available** to download the package. </br>
|
||||
When the package is available a new event will be added to the machine timeline.</br>
|
||||
You can download the package from the machine page, or the Action center.
|
||||
|
||||

|
||||
|
||||
You can also search for historical packages in the machine timeline.
|
||||
|
||||
## Check activity details in Action center
|
||||
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
|
||||
|
||||
You’ll also be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
|
||||
The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
|
||||
|
||||

|
||||
|
||||
|
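Review bot: the retained Action center sentence "You’ll be able to view the details on the last action that were taken on a file" has a number-agreement error; make it "the last action that was taken on a file" (or "the last actions taken on a file"). Since this hunk removes the isolation and investigation-package content from this page in full (from "## Isolate files from the network" through "You can also search for historical packages in the machine timeline."), link from the remaining Action center paragraph to the page that now documents those machine actions, and if that text is being relocated rather than dropped, fix on the way the defects the removed copy carried: the "Isolate files from the network" heading introduces a section about isolating machines, the Undo step says "take action on the file" for a machine action, and the Network connections row reads "night have been used" for "might".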
@ -202,9 +202,7 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag
|
||||
You can also search for historical packages in the machine timeline.
|
||||
|
||||
## Check activity details in Action center
|
||||
The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
|
||||
|
||||
You’ll also be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
|
||||
The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
|
||||
|
||||

|
||||
|
||||
|
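Review bot: the merged paragraph opens with "actions that were taken on a machine or file", but the rest of it ("view if a machine was isolated and if an investigation package is available from a machine") now covers machine actions only; either drop "or file" here or add a link to the page that keeps the file-action details ("stopped and quarantined files or blocked files"). The merge itself is sound: it removes the duplicated "last action that were taken on a file" sentence from this page.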