deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Deleted manage-incidents-windows-defender-advanced-threat-protection.md

Browse Source
This commit is contained in:
Joey Caparas 2018-10-09 16:07:45 +00:00
parent f18509765f
commit 22cbd2ab45
1 changed files with 0 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
View File

@ -1,61 +0,0 @@
---
title: Manage Windows Defender ATP incidents
description: Manage incidents by assigning it, updating its status, or setting its classification.
keywords: incidents, manage, assign, status, classification, true alert, false alert
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 010/08/2018
---
# Manage Windows Defender ATP incidents
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
![Image of incident detail page](images/atp-incident-details-page.png)
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
## Change the incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
## Classify the incident
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
## Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
![Image of incident renaming](images/atp-rename-incident.png)
## Add comments and view the history of an incident
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)