deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 13:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

New page techniques feature

Browse Source
This commit is contained in:
schmurky 2021-02-03 14:26:32 +08:00
parent 659936eb28
commit 12cd49bcf5
1 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Techniques in the device timeline
description: Understanding MITRE ATT&CK techniques grouping in the device timeline in Microsoft Defender for Endpoint
keywords: device timeline, endpoint, MITRE, MITRE ATT&CK, techniques, tactices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: mde
---
# ATT&CK techniques in the device timeline
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
In Microsoft Defender for Endpoint, **Techniques** are a grouping of events that when taken together indicate activity associated with certain [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques.
This feature simplifies the investigation experience by helping analysts understand at a glance whether suspicious activities happened on or affected a device and whether those activities indicate a need for closer investigation.
## Techniques in the device timeline
For public preview customers, Techniques are available by default and are shown together with events when a device's timeline is viewed.
[TIMELINE screenshot]
Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appears as tags under Additional information.
Selecting a Technique opens the side pane and shows additional information and insights like related ATT&CK techniques, tactics, and descriptions.
Search and Export options are also available for Techniques.
## Filtering to view techniques or events only
To view only either events or techniques, select Filters from the device timeline and choose your preferred Data type to view.
[FILTER screenshot]
IMPORTANT: Event group filters do not affect Techniques, so when Techniques data type is selected, all techniques are shown.
To view File events only without Techniques, select Events data type and File events event group.
Selecting Techniques automatically shows all techniques.
## See also
- [View and organize the Devices list](machines-view-overview.md)
- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md)