deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 12254: add metatag

Browse Source 
add metatag
This commit is contained in:
Joey Caparas 2018-10-22 18:27:54 +00:00
commit 20407a977d
24 changed files with 395 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.gitattributes vendored Normal file
View File

@ -0,0 +1,14 @@
# Set the default behavior, in case people don't have core.autocrlf set.
* text=auto
# Explicitly declare text files you want to always be normalized and converted
# to native line endings on checkout.
*.c text
*.h text
# Declare files that will always have CRLF line endings on checkout.
*.sln text eol=crlf
# Denote all files that are truly binary and should not be modified.
*.png binary
*.jpg binary

24
.openpublishing.publish.config.json
View File

@ -101,6 +101,22 @@
"moniker_groups": [],
"version": 0
},
{
"docset_name": "license",
"build_source_folder": "windows/license",
"build_output_subfolder": "license",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "mdop-VSTS",
"build_source_folder": "mdop",
@ -511,11 +527,11 @@
]
},
"need_generate_pdf_url_template": true,
"need_generate_pdf": false,
"need_generate_intellisense": false,
"Targets": {
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
}
},
"need_generate_pdf": false,
"need_generate_intellisense": false
}

3
README.md Normal file
View File

@ -0,0 +1,3 @@
## Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

7
browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
View File

@ -2,10 +2,10 @@
ms.localizationpriority: medium
ms.mktglfcycl: support
ms.pagetype: security
description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
author: shortpatti
ms.author: pashort
ms.manager: elizapo
ms.manager: dougkim
ms.prod: ie11
ms.assetid:
title: Internet Explorer Administration Kit (IEAK) information and downloads
@ -15,8 +15,11 @@ ms.date: 05/10/2018
# Internet Explorer Administration Kit (IEAK) information and downloads
>Applies to: Windows 10
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
## Internet Explorer Administration Kit 11 (IEAK 11)
[IEAK 11 documentation](index.md)

2
mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md
View File

@ -88,7 +88,7 @@ Create the following accounts for the Reports feature.
<td align="left"><p>Reports read-only domain access group</p></td>
<td align="left"><p>Group</p></td>
<td align="left"><p>Reporting role domain group</p></td>
<td align="left"><p>Name of the domain group whose members have read-only access to the reports in the Administration and Monitoring Website.</p></td>
<td align="left"><p>Specifies the domain user group that has read-only access to the reports in the Administration and Monitoring Website. The group you specify must be the same group you specified for the Reports Read Only Access Group parameter when the web apps are enabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Compliance and Audit Database domain user account</p></td>

1
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -17,6 +17,7 @@ Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
- Device should not already be enrolled in Intune using the classic agents (devices manged using agents will fail enrollment with error 0x80180026)
> [!Tip]
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)

2
windows/client-management/mdm/vpn-ddf-file.md
View File

@ -1384,7 +1384,7 @@ This topic shows the OMA DM device description framework (DDF) for the **VPN** c
## Related topics
[VPN configurtion service provider](vpn-csp.md)
[VPN configuration service provider](vpn-csp.md)
 

2
windows/deployment/windows-autopilot/enrollment-status.md
View File

@ -31,7 +31,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple
- Show custom error message when an error occurs.
- Allow users to collect logs about installation errors.
## Installation progresss tracked
## Installation progress tracked
The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:

51
windows/deployment/windows-autopilot/existing-devices.md
View File

@ -24,12 +24,22 @@ This topic describes how to convert Windows 7 domain-joined computers to Azure A
- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808)
- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later
- Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809.
- Assigned Microsoft Intune Licenses
- Azure Active Directory Premium
- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image
## Procedures
### Configure the Enrollment Status Page (optional)
If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune.
To enable and configure the enrollment and status page:
1. Open [Intune in the Azure portal](https://aka.ms/intuneportal).
2. [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status).
### Create the JSON file
>[!TIP]
@ -66,36 +76,34 @@ This topic describes how to convert Windows 7 domain-joined computers to Azure A
#### Retrieve profiles in Autopilot for existing devices JSON format
```
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON >
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
```
See the following sample output:
<pre style="overflow-y: visible">
PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
{
"CloudAssignedTenantId": "1537de22-988c-4e93-b8a5-83890f34a69b",
"Version": 2049,
"Comment_CloudAssignedOobeConfig": "0x7FFFFFFF",
"Comment_Version": "0x801",
"Comment_File": "Profile Autopilot Profile",
"CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
"CloudAssignedOobeConfig": 30,
"CloudAssignedDomainJoinMethod": 0,
"ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC",
"CloudAssignedLockdownConfig": 0,
"CloudAssignedTenantDomain": "M365x373186.onmicrosoft.com"
"CloudAssignedTenantId": "1537de22-988c-4e93-b8a5-83890f34a69b",
"CloudAssignedForcedEnrollment": 1,
"Version": 2049,
"Comment_File": "Profile Autopilot Profile",
"CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
"CloudAssignedTenantDomain": "M365x373186.onmicrosoft.com",
"CloudAssignedDomainJoinMethod": 0,
"CloudAssignedOobeConfig": 28,
"ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
}</pre>
Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed.
See the following table for a description of properties used in the JSON file.
See the following table for a description of properties used in the JSON file.
| Property | Description |
| --- | --- |
| Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. |
| CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
| CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. |
| CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16
| CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
| CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. |
| CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. <br>0 = not required, 1 = required. |
| ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.|
@ -107,7 +115,7 @@ See the following table for a description of properties used in the JSON file.
```
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
```
**IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII or ANSI.
**IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI.
If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example.
@ -116,7 +124,8 @@ See the following table for a description of properties used in the JSON file.
After saving the file, move the file to a location suitable as an SCCM package source.
>[!IMPORTANT]
>Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI. Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience.
>Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI. <br><br>**Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.<br>
### Create a package containing the JSON file
@ -130,6 +139,8 @@ See the following table for a description of properties used in the JSON file.
- <u>Program Type</u>: **Do not create a program**
4. Click **Next** twice and then click **Close**.
**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package.
### Create a target collection
>[!NOTE]
@ -272,8 +283,12 @@ Next, ensure that all content required for the task sequence is deployed to dist
The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience.
![refresh-1](images/up-1.png)
![refresh-2](images/up-2.png)
![refresh-3](images/up-3.png)
### Register the device for Windows Autopilot
Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset.
Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset.
For more information, see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).

BIN
windows/deployment/windows-autopilot/images/up-1.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/deployment/windows-autopilot/images/up-2.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/deployment/windows-autopilot/images/up-3.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

2
windows/license/TOC.yml Normal file
View File

@ -0,0 +1,2 @@
- name: Index
href: index.md

3
windows/license/breadcrumb/toc.yml Normal file
View File

@ -0,0 +1,3 @@
- name: Docs
tocHref: /
topicHref: /

47
windows/license/docfx.json Normal file
View File

@ -0,0 +1,47 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/license/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None"
},
"fileMetadata": {},
"template": [],
"dest": "license",
"markdownEngineName": "markdig"
}
}

1
windows/license/index.md Normal file
View File

@ -0,0 +1 @@
# Welcome to license!

5
windows/security/threat-protection/TOC.md
View File

@ -17,7 +17,10 @@
#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
##### [Incidents queue](windows-defender-atp/incidents-queue.md)
###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md)
###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md)
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
##### Alerts queue

8
windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/18/2018
ms.date: 10/22/2018
---
# How to get a list of XML data name elements in EventData
@ -85,9 +85,9 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
## Mapping data name elements to the names in an event description
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description.
The <Description> is just the format string (if youre used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
The &lt;Description&gt; is just the format string (if youre used to Console.Writeline or sprintf statements) and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
Using Security event 4734 as an example:
@ -125,5 +125,5 @@ For the "Subject: Security Id:" text element, it will use the fourth element in
For "Additional Information Privileges:", it would use the eighth element "PrivelegeList".
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
A caveat to this is an oft-overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.

4
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -17,6 +17,10 @@
#### [Incidents queue](incidents-queue.md)
##### [View and organize the Incidents queue](view-incidents-queue.md)
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
#### Alerts queue

35
windows/security/threat-protection/windows-defender-atp/incidents-queue.md Normal file
View File

@ -0,0 +1,35 @@
---
title: Incidents queue in Windows Defender ATP
description:
keywords: incidents, aggregate, investigations, queue, ttp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# Incidents queue in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations.
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
## In this section
Topic | Description
:---|:---
[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.

78
windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Investigate incidents in Windows Defender ATP
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# Investigate incidents in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
![Image of incident details](images/atp-incident-details.png)
### Alerts
You can investigate the alerts and see how they were linked together in an incident.
Alerts are grouped into incidents based on the following reasons:
- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
- File characteristics - The files associated with the alert have similar characteristics
- Manual association - A user manually linked the alerts
- Proximate time - The alerts were triggered on the same machine within a certain timeframe
- Same file - The files associated with the alert are exactly the same
![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png)
![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png)
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).
### Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)
### Investigations
Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)
## Going through the evidence
Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
Each of the analyzed entities will be marked as infected, remediated, or suspicious.
![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
## Visualizing associated cybersecurity threats
Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
### Incident graph
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
![Image of the incident graph](images/atp-incident-graph-tab.png)
You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether its been observed in your organization, if so, how many instances.
![Image of indcident details](images/atp-incident-graph-details.png)
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)

61
windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Manage Windows Defender ATP incidents
description: Manage incidents by assigning it, updating its status, or setting its classification.
keywords: incidents, manage, assign, status, classification, true alert, false alert
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 010/08/2018
---
# Manage Windows Defender ATP incidents
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
![Image of incident detail page](images/atp-incident-details-page.png)
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
## Change the incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
## Classify the incident
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
## Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
![Image of incident renaming](images/atp-rename-incident.png)
## Add comments and view the history of an incident
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)

3
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -42,6 +42,9 @@ The following features are included in the preview release:
- [Threat analytics](threat-analytics.md)<br>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Incidents](incidents-queue.md)<br>
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
- [Custom detection](overview-custom-detections.md)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.

74
windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md Normal file
View File

@ -0,0 +1,74 @@
---
title: View and organize the Incidents queue
description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
keywords: view, organize, incidents, aggregate, investigations, queue, ttp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# View and organize the Windows Defender Advanced Threat Protection Incidents queue
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
- Customize columns to add or remove columns
- Modify the number of items to view per page
- Select the items to show per page
- Batch-select the incidents to assign
- Navigate between pages
- Apply filters
![Image of incidents queue](images/atp-incident-queue.png)
## Sort and filter the incidents queue
You can apply the following filters to limit the list of incidents and get a more focused view.
Incident severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
### Category
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
### Alerts
Indicates the number of alerts associated with or part of the incidents.
### Machines
You can limit to show only the machines at risk which are associated with incidents.
### Users
You can limit to show only the users of the machines at risk which are associated with incidents.
### Assigned to
You can choose to show between unassigned incidents or those which are assigned to you.
### Status
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
### Classification
Use this filter to choose between focusing on incidents flagged as true or false incidents.
## Related topics
- [Incidents queue](incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)