deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Updated configure-microsoft-threat-experts.md

Browse Source
This commit is contained in:
Dolcita Montemayor 2019-03-20 22:17:17 +00:00
parent c65feac7fd
commit 36309df1b2
1 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md
View File

@ -105,23 +105,23 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
## Sample questions to ask a Microsoft threat expert ## Sample questions to ask a Microsoft threat expert
**Alert information** **Alert information**
We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? - Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored? - I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise** **Possible machine compromise**
Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity. - Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details** **Threat intelligence details**
This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for <malware name> malware. Do you have any information on this malware? If yes, can you please send me a link? - This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for <malware name> malware. Do you have any information on this malware? If yes, can you please send me a link?
I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor? - I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection WDATP provides against this threat actor?
**Microsoft Threat Experts alert communications** **Microsoft Threat Experts alert communications**
Can your incident response team help us address the targeted attack notification that we got? - Can your incident response team help us address the targeted attack notification that we got?
I received this targeted attack notification from Microsoft Threat Experts. We dont have our own incident response team. What can we do now, and how can we contain the incident? - I received this targeted attack notification from Microsoft Threat Experts. We dont have our own incident response team. What can we do now, and how can we contain the incident?
I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team? - I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
>[!NOTE] >[!NOTE]
>Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.