From 2b66ffbc4fd8d936247edcac842ec2307a24f4d5 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 12 May 2016 11:32:50 +1000 Subject: [PATCH] incorporate Michael Shalev's feedback --- ...ows-defender-advanced-threat-protection.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 11667c6d43..0fa1932083 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -12,7 +12,7 @@ ms.sitesec: library **Applies to:** -- Windows 10 Insider Preview +- Windows 10 Insider Preview Build 14332 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] 
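Review bot: The new "Build 14332 or later" requirement in the Applies to list pins this topic to one specific Insider Preview build, but nothing in the hunk says where that number comes from or whether the other Windows Defender ATP topics this page links to (the alerts queue and dashboard topics) carry the same requirement. Suggest keeping the minimum build in a single prerequisites topic and linking to it from Applies to, so a later build bump does not mean editing every page; if the number has to stay inline here, add it to the linked topics in the same change so the topics do not disagree. The unchanged pre-release disclaimer in the trailing context line still applies and is correctly left in place.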
@@ -23,11 +23,11 @@ There are three alert severity levels, described in the following table. Alert severity | Description :---|:--- -High (Red) | Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints. -Medium (Orange) | Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files. -Low (Yellow) | Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints. +High (Red) | Threats often associated with Advanced Persistent Threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. +Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. +Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization. -Reviewing the various alerts and their severity can help you take the appropriate action to protect your organization's endpoints. +Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. Alerts are organized in three queues, by their workflow status: 
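Review bot: The rewritten Medium row defines severity by how rarely a threat is seen in the organization ("Threats rarely observed in the organization"), while High is still defined by the damage it can inflict and Low by the prevalence of the malware or hack-tool family; a commodity hack-tool that has never been seen in this organization now matches both Medium and Low. Suggest stating the criterion the product actually applies (potential impact, prevalence, or both, and which wins when they conflict) in the sentence that introduces the table, so analysts triage consistently. Two smaller points: "anomalous registry change" should be plural to match the other items in that row ("anomalous registry changes, execution of suspicious files"), and "observed behaviors typical of attack stages" would be clearer with one concrete example of such a behavior.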
@@ -35,18 +35,22 @@ Alerts are organized in three queues, by their workflow status: - **In progress** - **Resolved** -You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md). +To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md). -Details about the alert is displayed such as: -- Alert information such as when it was last observed +Details displayed about the alert include: +- When the alert was last observed - Alert description - Recommended actions -- The scope of the breach -- The alert timeline +- The potential scope of breach +- The indicators that triggered the alert ![A detailed view of an alert when clicked](images/alert-details.png) -Depending on the type of alert, you click on the name to see a detailed report about the threat. You'll see information such as a brief introduction of the threat, its interests, tools, tactics, and processes, and the areas it affects worldwide. +Alerts attributed to an adversary or actor display a colored tile with the actor name. + +Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take. + +Some actor profiles include a link to download a more comprehensive threat intelligence report. ### Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
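Review bot: The expansion "tools, tactics, and processes (TTPs)" in the new actor-profile paragraph does not match the standard meaning of the acronym, which is "tactics, techniques, and procedures"; since the paragraph describes a threat intelligence profile, use the standard expansion so readers do not assume a different taxonomy. In the same paragraph the pronoun switches from "their interests or targets" to "areas where it's active worldwide"; pick one ("where they are active" or "where the actor is active"). In the details list, "The alert timeline" was replaced by "The indicators that triggered the alert" rather than kept alongside it; if the alert detail view still shows a timeline, that item should stay in the list, and if it no longer does, say so in the commit message, because the unchanged screenshot alt text ("A detailed view of an alert when clicked") gives a reviewer no way to check. Minor: "The potential scope of breach" reads better as "The potential scope of the breach".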