incorporate Michael Shalev's feedback

This commit is contained in:
Joey Caparas
2016-05-12 11:32:50 +10:00
parent 06394da8fc
commit 2b66ffbc4f


@ -12,7 +12,7 @@ ms.sitesec: library
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
@ -23,11 +23,11 @@ There are three alert severity levels, described in the following table.
Alert severity | Description
:---|:---
High (Red) | Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints.
Medium (Orange) | Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints.
High (Red) | Threats often associated with Advanced Persistent Threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
Reviewing the various alerts and their severity can help you take the appropriate action to protect your organization's endpoints.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
Alerts are organized in three queues, by their workflow status:
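Review bot: the new Medium (Orange) row mixes number in its list of examples, with "anomalous registry change" singular beside the plural "observed behaviors"; suggest "anomalous registry changes, execution of suspicious files, and observed behaviors typical of attack stages". In the same hunk, the High (Red) row expands the plural "Advanced Persistent Threats" to the singular acronym "(APT)"; either "advanced persistent threats (APTs)" or "an advanced persistent threat (APT)" keeps the abbreviation consistent with its expansion.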
@ -35,18 +35,22 @@ Alerts are organized in three queues, by their workflow status:
- **In progress**
- **Resolved**
You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).
To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).
Details about the alert is displayed such as:
- Alert information such as when it was last observed
Details displayed about the alert include:
- When the alert was last observed
- Alert description
- Recommended actions
- The scope of the breach
- The alert timeline
- The potential scope of breach
- The indicators that triggered the alert
![A detailed view of an alert when clicked](images/alert-details.png)
Depending on the type of alert, you click on the name to see a detailed report about the threat. You'll see information such as a brief introduction of the threat, its interests, tools, tactics, and processes, and the areas it affects worldwide.
Alerts attributed to an adversary or actor display a colored tile with the actor name.
Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
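Review bot: the expansion of TTPs in the new actor-profile sentence ("tools, tactics, and processes (TTPs)") does not match the acronym as it is normally used in threat intelligence, which is "tactics, techniques, and procedures"; since the sentence already lists "tools" separately, suggest "tools, and tactics, techniques, and procedures (TTPs)". The same sentence also switches pronoun from "their interests or targets" to "areas where it's active worldwide"; pick one ("their" or "its") for the actor throughout. Minor: the new bullet "The potential scope of breach" reads better as "The potential scope of the breach", matching the article use in the other bullets.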