updated content

This commit is contained in:
Beth Levin 2019-05-02 15:43:31 -07:00
parent c861fdb52a
commit 231200ea5b
8 changed files with 35 additions and 44 deletions

View File

@ -25,12 +25,14 @@ ms.date: 12/04/2018
The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Understand the Automated investigation flow
### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
>[!NOTE]
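Review bot: the `ms.date: 12/04/2018` visible in the hunk context was not bumped even though this commit (dated 2019-05-02) rewrites the article body; update it with the content change. Two wording points in the changed lines: "The Automated investigations list shows all the investigations ... such as its status, detection source, and the date for when the investigation was initiated" mixes plural "investigations" with "its", so prefer "their status, detection source, and the date each investigation was initiated"; and in "leverages various inspection algorithms, and processes used by analysts (such as playbooks)" the comma before "and" should go. The two paragraph pairs that read identically in this view look like whitespace-only changes, which is fine but worth confirming so the hunk does not hide an unintended edit.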
@ -40,6 +42,7 @@ Entities are the starting point for Automated investigations. When an alert cont
The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
### Details of an Automated investigation
As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
In the **Alerts** tab, you'll see the alert that started the investigation.
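Review bot: subject and verb disagree in the new sentence "The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook", which also reads as if the alerts themselves run the playbook; suggest "The investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine." In the following sentence, "The outcome and details from the investigation is seen" should be "are seen".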
@ -61,11 +64,12 @@ While an investigation is running, any other alert generated from the machine wi
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
### How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:
Automation level | Description
Automation level | Description
:---|:---
Not protected | Machines will not get any automated investigations run on them.
Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action.
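Review bot: the table header "Automation level | Description" appears twice before the `:---|:---` separator row; if both copies survive in the new file, the first one renders as a stray paragraph above the table instead of as a header, so make sure exactly one remains. Minor wording in the same hunk: "that expansion action will require an approval" reads better as "will require approval", and the row label "Semi - require approval for any remediation" would be clearer without the spaced hyphen, e.g. "Semi: require approval for any remediation", as long as it still matches the label shown in the portal.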
@ -80,10 +84,5 @@ The default machine group is configured for semi-automatic remediation. This mea
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
## Related topic
- [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md)
- [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md)
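Review bot: this hunk removes five lines from the tail of the file (-80,10 +84,5) and the "Related topic" link shows twice in the rendered view; confirm that the new file ends with a single link entry and that only trailing whitespace or a duplicate link was dropped, not a second related-topic entry. "## Related topic" is singular with one item, which matches the other article touched in this commit, so keep that consistent if more links are added later.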

Binary file not shown.

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 48 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 21 KiB

View File

@ -51,16 +51,19 @@ The machine details section provides information such as the domain, OS, and hea
## Response actions
Response actions run along the top of the page, and include:
Response actions run along the top of a specific machine page and include:
- Manage tags
- Initiate Automated Investigation
- Initiate Live Response Session
Other actions are enabled if there is an investigation happening on that machine:
- Collect investigation package
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Action center (only enabled if there are investigations happening on that machine)
- Action center
You can take response actions in the action center, in a specific machine page, or in a specific file page.
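Review bot: "Action center" now sits under "Other actions are enabled if there is an investigation happening on that machine:", which preserves the meaning of the removed parenthetical, but the closing sentence "You can take response actions in the action center" then conflicts with the response-actions article in this same commit, which describes the Action center as the place to check activity details on actions already taken; settle on one description of what the Action center is for. Also, the list mixes title case ("Initiate Automated Investigation", "Initiate Live Response Session") with sentence case ("Collect investigation package", "Isolate machine"); align the capitalization with the button labels in the portal.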

View File

@ -27,7 +27,20 @@ ms.topic: article
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page.
Response actions run along the top of a specific machine page and include:
- Manage tags
- Initiate Automated Investigation
- Initiate Live Response Session
Other actions are enabled if there is an investigation happening on that machine:
- Collect investigation package
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Action center
![Image of response actions](images/response-actions.png)
You can find machine pages from any of the following views:
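Review bot: the nine-item response action list inserted here is a verbatim copy of the list added to the machine page article in this same commit; duplicated lists drift apart over time, so consider keeping it in one place (an include, or a link to the machine page article) rather than maintaining both. The new image `images/response-actions.png` must ship with this commit: only two new binary files ("After" entries) are visible on this page, so verify the file is included. The replaced line "Response actions run along the top of a specific machine page." and its replacement differ only by the trailing "and include:", which is fine.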
@ -150,47 +163,22 @@ This machine isolation feature disconnects the compromised machine from the netw
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>Youll be able to reconnect the machine back to the network at any time.
>Youll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
![Image of isolate machine](images/atp-actions-isolate-machine.png)
![Image of isolate machine](images/isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png)
### Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
- Investigation package collection
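Review bot: the new one-line flow "Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**" drops the Selective Isolation checkbox step that the preceding paragraph still introduces ("You can also choose to enable Outlook and Skype for Business connectivity"), and the removed step 4 used the button label **Yes, isolate machine** rather than **Confirm**; verify the current UI label and add a sentence on where the Selective Isolation option is chosen. "The Action center will show the scan information" looks copied from the antivirus scan section; for isolation it should say "submission information". "Youll" is missing its apostrophe both in the note ("You'll be able to reconnect the machine") and in the Action center sentence ("You'll be able to view the following details"). Finally, the new note "The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine" together with the removal of the "Release machine from isolation" section leaves no remaining mention of the **Yes, release machine** confirmation; make sure the release flow is still documented, and that the old "Open the **Actions** menu" wording is not still referenced elsewhere.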
@ -198,9 +186,10 @@ The **Action center** provides information on actions that were taken on a machi
- App restriction
- Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
![Image of action center with information](images/atp-action-center-with-info.png)
![Image of action center with information](images/action-center-details.png)
## Related topic
- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
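Review bot: the image reference changes from `images/atp-action-center-with-info.png` to `images/action-center-details.png`; together with `images/isolate-machine.png` and `images/response-actions.png` that makes three newly referenced images, while only two "After" binary entries are visible on this page, so confirm all three files are in the commit. Before deleting the old `atp-*` images whose references this commit removes (`atp-actions-isolate-machine.png`, `atp-confirm-isolate.png`, `atp-machine-isolation.png`, `atp-actions-release-from-isolation.png`, `atp-action-center-with-info.png`), check that no other article still uses them. The change from "submission time" to "submission date/time" is an improvement; "## Related topic" stays singular, consistent with the other file.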