deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update investigate alerts

Browse Source
This commit is contained in:
schmurky
2020-12-16 12:40:15 +08:00
parent 58dfa1011e
commit 15a4b4c989
1 changed files with 19 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
View File

@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018 ms.date: 04/24/2018
--- ---
# Investigate Microsoft Defender Advanced Threat Protection alerts # Investigate alerts in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -35,70 +35,40 @@ ms.date: 04/24/2018
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert. Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them. From the alert page, you can begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/). ## Investigate using the alert story
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
![Image of the alert page](images/atp-alert-view.png) Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
For more information about managing alerts, see [Manage alerts](manage-alerts.md). > [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. ![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**. ## Take action from the details pane
Alerts attributed to an adversary or actor display a colored tile with the actor's name. Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
![A detailed view of an alert when clicked](images/atp-actor-alert.png) Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take. If you classify it as a true alert, you can also select a determination, as shown in the image below.
Some actor profiles include a link to download a more comprehensive threat intelligence report. ![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
![Image of detailed actor profile](images/atp-detailed-actor.png) If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. ![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
## Alert process tree > [!TIP]
The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. > If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
![Image of the alert process tree](images/atp-alert-process-tree.png)
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
![Image of the alert details pane](images/atp-alert-mgt-pane.png)
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
![Image of the Incident graph](images/atp-incident-graph.png)
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
## Artifact timeline
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
![Image of artifact timeline](images/atp-alert-timeline.png)
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics ## Related topics
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) - [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)