From f57e1d16f5d1942db81fd918322964e4bb251bd9 Mon Sep 17 00:00:00 2001 From: mshalev Date: Thu, 16 Feb 2017 10:30:16 +0200 Subject: [PATCH] Update investigate-user-entity-windows-defender-advanced-threat-protection.md --- ...ows-defender-advanced-threat-protection.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md index d004304ff2..d4a84e3c38 100644 --- a/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md 
@@ -22,30 +22,30 @@ localizationpriority: high [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -## Investigate user entities -Identify user accounts with the most active alerts and investigate the associated alerts to identify possible lateral movement between machines and potential compromised credentials cases. +## Investigate user account entities +Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. -You can find user account information from the following views: +You can find user account information in the following views: - Dashboard -- Alerts queue +- Alert queue - Machine details page -A clickable user account link is available from these views. You'll be taken to the user account details page where more details about the account is shown. +A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. -When you investigate a user entity, you'll see: +When you investigate a user account entity, you'll see: - User account details and Logged on machines - Alerts related to this user -- Observed in organization +- Observed in organization (machines logged on to) -![Image of the user entity details page](images/atp-user-details-view.png) +![Image of the user account entity details page](images/atp-user-details-view.png) -The user entity details and logged on machines section display various attributes about the user entity. 
You'll see details such as when the user was first and last seen and the total number of machines the user logged in to. You'll also see the machines that the user was most and least frequently logged in to. +The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. -The **Alerts related to this user** section provides a list of alerts that are associated with the user. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. +The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. -The **Observed in organization** section allows you to specify a date range to see the total number of observed users logged in to specific machine and which machines the user most frequently and least frequently logged in to. +The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines. 
-You'll also be able to determine the machine health state from the machine icon and color as well as the description of the machine health state. Clicking on the icon displays more details regarding machine health. +The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health. ![Image of observed in organization section](images/atp-observed-in-organization.png) @@ -55,9 +55,9 @@ You'll also be able to determine the machine health state from the machine icon 2. Enter the user account in the **Search** field. 3. Click the search icon or press **Enter**. -A list of users with matches are displayed in a list. You'll see the username, when the user was last seen, and the total number of machines it was observed on in the last 30 days. +A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. -You can filter the results by the following days: +You can filter the results by the following time periods: - 1 day - 3 days - 7 days
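Review bot: the first hunk introduces a duplicated word in the new intro sentence, "Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and and investigate cases", which should read "and investigate cases"; while touching that sentence, consider splitting it, since it now chains three ideas (users at risk, compromised credentials, pivoting for lateral movement) into one line. The rewritten link sentence, "A clickable user account link is available in these views, that will take you to the user account details page", has a comma before a restrictive "that"; either drop the comma or use "which". The pre-existing subject-verb mismatch is carried over unchanged in "The user account entity details and logged on machines section display various attributes" (section displays). Finally, the rename from "Alerts queue" to "Alert queue" only changes the link text here while the target stays alerts-queue-windows-defender-advanced-threat-protection.md; confirm the linked page's own title uses the same form so the two do not drift apart.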
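Review bot: in the second hunk the new sentence "the total number of machines it was observed logged on to in the last 30 days" is immediately followed by "You can filter the results by the following time periods: 1 day, 3 days, 7 days", which leaves it unclear whether the machine count is fixed at 30 days or changes with the selected filter; a short clause such as "by default" after "30 days", or a sentence stating that the filter also scopes the machine count, would remove the ambiguity.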