Merge branch 'atp-rs4' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs4

2025-05-16 07:17:24 +00:00 · 2018-03-06 14:40:54 -08:00 · 2018-03-06 14:40:54 -08:00 · 3286a08569
commit 3286a08569
parent a8ce6a39ab c7ccf0c903
3 changed files with 46 additions and 39 deletions
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@ -82,7 +82,15 @@ The following tables are exposed as part of advanced hunting:
 - **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events.
 - **SuspiciousEvents** - Stores all events that deviate from typical event behavior
-## Results set in advanced hunting
+## Saved queries
 we provide built it saved queries, that will give you an initial starting point to hunt on you organizational data and provide you additional examples of the query langauge capabilties.
 we provide the following capabilities - 
 - save a query - simply click on the "Save as" button and name your query. you have 2 options of saving - 1. **Shared queries** section - visible to all users in the tenant. 2. **My queries** section - visible only to the user who saved the query
 - update a query - open the query, update the query content and click "Save".
 - delete a query - right click on the query you want to delete, and select the "delete" option.
 ## Results set capabilities in advanced hunting
 The results set has several capabilities to provide you with effective investigation, including:
@ -91,7 +99,7 @@ The results set has several capabilities to provide you with effective investiga
 ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
-## Filter results in advanced hunting
+## Filters on results in advanced hunting
 In advanced hunting, you can use the advanced filter on the output results set of the query. 
 The filters provide an overview of the result set where 
 each column has it's own section and shows the distinct values that appear in the column and their prevalence.
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@ -1,7 +1,7 @@
 ---
 title: Automated investigations in Windows Defender Advanced Threat Protection
 description: View the list of automated investigations, its status, detection source and other details.
-keywords: automated, investigation, detection, source, threat types, id, tags, endpoints, duration, filter export
+keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -27,65 +27,66 @@ ms.date: 03/15/2018
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
-The Windows Defender ATP service has a wide breadth of visibility on multiple endpoints. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
+The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
-To address this challenge, Windows Defender ATP uses automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The automated investigation feature leverages on the use of artificial intelligence, inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
+To address this challenge, Windows Defender ATP uses Automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
 The automated investigations list aggregates all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated. 
-## Sort, filter, and manage automated investigations
+## Manage Automated investigations
 By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
 Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide. 
-From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
+From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
 ![Image of Auto investigations page](images/atp-auto-investigations-list.png)
 **Filters**</br>
-You can use the following operations to customize the list of investigations displayed during an investigation:
+You can use the following operations to customize the list of Automated investigations displayed:
 **Triggering alert**</br>
-The source that initiated the alert.
+The alert the initiated the Automated investigation.
 **Status**</br>
-The current state of an investigation classifications are classified as:
+An Automated investigation can be in one of the following statuses:
- No threats found - No malicious entities found during the investigation.
+- No threats found - No malicious entities found during the Automated investigation.
 - Partially remediated - A problem prevented the remediation of some malicious entities.
- Failed - A problem has interrupted the investigation, and preventing it from completing.
+- Failed - A problem has interrupted the Automated investigation, and preventing it from completing.
- Action required - Remediation requires review and approval.
+- Pending action - Remediation requires review and approval.
- Waiting for machine(s) - Investigation paused. The investigation will resume as soon as the machine is available.
+- Waiting for machine - Investigation paused. The investigation will resume as soon as the machine is available.
 - Queued - Investigation has been queued and will resume as soon as other remediation activities are completed.
 - Running - Investigation ongoing. Malicious entities found will be remediated.
 - Partially investigated - The entities related to the alert were investigated but a problem stopped the Automated investigation process on collateral entities.
 - Remediated - Malicious entities found were successfully remediated.
 - Terminated by system - Investigation was stopped.
 - Terminated by user - A user stopped the investigation before it could complete.
 **Detection source**</br>
-Source of the alert that initiated the investigation. 
+Source of the alert that initiated the Automated investigation. 
 **Threat**</br>
-The category of threat detected during the investigation.
+The category of threat detected during the Automated investigation.
 **Tags**</br>
-Filter using manually added tags that capture the context of an investigation.
+Filter using manually added tags that capture the context of an Automated investigation.
 **Machines**</br>
-Multiple investigations can be initiated on an endpoint. You can filter the automated investigations list to zone in a specific endpoint to see other investigations related to the endpoint.
+You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
-**Endpoint groups**</br>
+**machine groups**</br>
 Apply this filter to see specific machine groups that you might have created.
 **Comments**</br>
-Select between filtering the list between investigations that have comments and those that don't.
+Select between filtering the list between Automated investigations that have comments and those that don't.
-## Analyze automated investigations 
+## Analyze Automated investigations 
-You can view the details of an automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the endpoint that was investigated, and other information.
+You can view the details of an Automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
 In this view, you'll see the name of the investigation, when it started and the duration of time that has passed in the status state.
@ -105,25 +106,26 @@ You'll also have access to the following sections that help you see details of t
 - Entities
 - Log
 - Pending actions
 - Pending actions history
 In any of the sections, you can customize columns to further expand to limit the details you see in a section.
 ### Investigation graph
-The investigation graph provides a graphical representation of an investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
 ### Alerts
-Shows details such as a short description of the alert that initiated the investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
+Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. 
 Selecting an alert using the checkbox brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. 
 Clicking on an alert title brings you the alert page.
 ### Machines
-Shows details the endpoint name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
+Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
 Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
-Clicking on an endpoint name brings you the machine page.
+Clicking on an machine name brings you the machine page.
 ### Threats
 Shows details related to threats associated with this investigation.
@ -140,8 +142,11 @@ Available filters include action type, action, status, machine name, and descrip
 You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. 
 ### Pending actions
 This tab is displayed if there are any pending actions for which a decision is needed.
 ### Pending actions history
-This tab is displayed if there are any pending actions on the investigation.
+This tab is displayed if there are pending actions for which a decision was made.
 ## Pending actions on investigations
@ -149,11 +154,11 @@ The pending actions view aggregates all the file quarantine, persistence method
 Use the Customize columns drop-down menu to select columns that you'd like to show or hide. 
-From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages.
+From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
 ![Image of Pending actions](images/atp-pending-actions-auto-ir.png)
-Selecting a file opens a panel where you can approve or decline the remediation. Other details such as file details, investigation details, and alert details are displayed.
+Selecting a file opens a panel where you can approve or reject the remediation. Other details such as file details, investigation details, and alert details are displayed.
 ![Image of pending action selected](images/atp-pending-actions-file.png)
@ -161,9 +166,3 @@ Selecting other investigation numbers from the other pending actions categories
 From the panel, you can click on the Open investigation page link to see the investigation details.
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@ -52,7 +52,7 @@ Area | Description
 :---|:---
 (1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Settings**, and **Endpoint management**.
 **Dashboards**	| Enables you to view the Security operations, the Security analytics dashboard, or 
-**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
+**Alerts** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
 **Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
 **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
 **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.