incorporate SME feedback

This commit is contained in:
Joey Caparas 2016-04-22 19:19:05 +10:00
parent d58fa50155
commit 441dd021ba
6 changed files with 101 additions and 97 deletions

@ -17,17 +17,18 @@ ms.sitesec: library
The **Dashboard** displays a snapshot of:
- The latest active alerts on your network
- Top machines with active alerts
- Alert trends
- Alert mapping
- Machines reporting
- Top machines with active alerts
- The overall status of Windows Defender ATP for the past 30 days
- Machines with active malware detections
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
## View ATP alerts
It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
## ATP alerts
You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp.png)
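Review bot: the bulleted list under "The **Dashboard** displays a snapshot of:" carries "Top machines with active alerts" twice (once near the top of the list and again after "Machines reporting"); only one of those bullets should survive the edit, and if the intent is to align it with the renamed "Machines at risk" tile below, the bullet should use that name. The list also runs straight into the "You can explore and investigate alerts..." paragraph with no blank line, which some markdown renderers fold into the last bullet.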
@ -38,7 +39,7 @@ See the [View and organize the Windows Defender Advanced Threat Protection Alert
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) topics for more information.
## View machines at risk
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
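Review bot: the parenthetical in the Machines at risk paragraph, "(hover over each severity bar to its label)", is missing a verb; suggest "(hover over each severity bar to see its label)". The hunk also shows both the old heading "## View machines at risk" and the new "## Machines at risk"; confirm only the new one is on the added side so the rendered topic does not end up with two headings for one tile.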
@ -47,17 +48,17 @@ Click the name of the machine to see details about that machine. See the [Invest
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](machines-view-windows-advanced-threat-protection.md) topic for more information.
## Keep track of the overall status of your network
## Status
The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
## See total number of reporting machines
## Machines reporting
The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
## Investigate machines with active malware detections
## Machines with active malware detections
The **Active malware** tile will only appear if your endpoints are using Windows Defender.
Active malware is defined as threats that are actively executing at the time of detection.
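Review bot: the Machines reporting paragraph says the bar graph shows "the number of machines reporting alerts daily", while the image alt text says "the number of machines reporting each day" and the Status tile above counts "machines (endpoints) reporting to Windows Defender ATP"; machines raising alerts and machines sending telemetry are different metrics, so pick one wording and use it in both the paragraph and the alt text. Minor: the two final lines about the Active malware tile read as one paragraph split in half; joining them (or keeping a blank line between them) would render more cleanly.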

@ -14,81 +14,34 @@ ms.sitesec: library
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization. The **Dashboard** provides a quick view of active alerts, their severity levels, and information on the machines with the most active alerts.
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-advanced-threat-protection.md).
There are three alert severity levels, described in the following table.
Alert severity | Description
:---|:---
High (Red) | Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints.
Medium (Orange) | Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints.
Reviewing the various alerts and their severity can help you take the appropriate action to protect your organization's endpoints.
## Investigate a machine
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
Alerts are organized in three queues, by their workflow status:
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
- **New**
- **In progress**
- **Resolved**
- The [Machines view](machines-view-windows-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-advanced-threat-protection.md).
When you investigate a specific machine, you'll see:
Details about the alert is displayed such as:
- Alert information such as when it was last observed
- Alert description
- Recommended actions
- The scope of the breach
- The alert timeline
- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
- **Alerts related to this machine**
- **Machine timeline**
The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons).
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
Use the search bar to look for specific alerts or files associated with the machine.
You can also filter by:
- Signed or unsigned files
- Detections mode: displays Windows ATP Alerts and detections
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
- Logged on users, System, Network, or Local service
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png)
**Investigate a machine:**
1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
- **Dashboard** - click the machine name from the **Top machines with active alerts** section
- **Alerts queue** - click the machine name beside the machine icon
- **Machines view** - click the heading of the machine name
- **Search box** - select **Machine** from the drop-down menu and enter the machine name
2. Information about the specific machine is displayed.
**Use the machine timeline**
1. Use the sort and filter feature to narrow down the search results.
2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
[A detailed view of an alert when clicked](alert-details.png)
## Investigate a file
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
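Review bot: the image reference "[A detailed view of an alert when clicked](alert-details.png)" near the end of the hunk is missing the leading "!" and the "images/" path prefix that every other image in these files uses, so it will render as a broken link instead of an image; suggest "![A detailed view of an alert when clicked](images/alert-details.png)" provided the file exists under images/. Two smaller points: "Details about the alert is displayed such as:" should be "are displayed", and the High/Medium/Low severity table is now present both here and in the overview topic's hunk further down, so one topic should link to the other rather than duplicate the table.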

@ -67,6 +67,77 @@ You can also download a full list of all the machines in your organization, in C
**Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
## Investigate a machine
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
- The [Machines view](machines-view-windows-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
When you investigate a specific machine, you'll see:
- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
- **Alerts related to this machine**
- **Machine timeline**
The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons).
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
Use the search bar to look for specific alerts or files associated with the machine.
You can also filter by:
- Signed or unsigned files
- Detections mode: displays Windows ATP Alerts and detections
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
- Logged on users, System, Network, or Local service
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png)
**Investigate a machine:**
1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
- **Dashboard** - click the machine name from the **Top machines with active alerts** section
- **Alerts queue** - click the machine name beside the machine icon
- **Machines view** - click the heading of the machine name
- **Search box** - select **Machine** from the drop-down menu and enter the machine name
2. Information about the specific machine is displayed.
**Use the machine timeline**
1. Use the sort and filter feature to narrow down the search results.
2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
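Review bot: the sentence "you can examine the behaviors or events in to help identify indicators of interests" has a stray "in" and should read "indicators of interest"; in the same block, "retain the context of the event time line" should be "timeline" to match the **Machine timeline** heading, and "Detections mode: displays Windows ATP Alerts and detections" should use the full product name "Windows Defender ATP alerts" as the rest of the file does. Since this is the block the previous hunk removes from the alerts topic, these fixes belong here, where the text now lives.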

@ -26,34 +26,13 @@ A typical security breach investigation requires a member of a security operatio
Security operation teams can use Windows Defender ATP Portal to carry out this end-to-end process without having to leave the portal.
Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long theyve been in the network at a glance.
## Windows Defender ATP alerts
Alerts in the portal help to notify you of detected threat behaviors or activities on your endpoints.
The **Dashboard** and **Alerts queue** provide important information about your endpoints that can help you address alerts.
The **Dashboard** groups or categorizes active alerts into **New** or **In progress** queues, and supports filtering by severity levels. It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
Alerts are organized in three queues, by their workflow status:
- **New**
- **In progress**
- **Resolved**
There are three alert severity levels, described in the following table.
Alert severity | Description
:---|:---
High (Red) | Threats often associated with APT. These alerts pose a high risk due to the severity of the damage they might inflict on endpoints.
Medium (Orange) | Threats considered to be abnormal or suspicious in nature such as anomalous registry modifications and loading of executable files.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that pose a lower risk to endpoints.
### In this section
Topic | Description
:---|:---
[View the Dashboard](dashboard-windows-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View and organize the Alerts queue](alerts-queue-windows-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
[Investigate alerts](investigate-alerts-windows-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate alerts](investigate-alerts-windows-advanced-threat-protection.md) Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate machines](machines-view-windows-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Submit files to the Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md) | You can submit files for deep analysis to see detailed information about the files activities, observed behaviors, and associated artifacts (such as dropped files, registry modifications, and communications with IPs).
[Manage alerts](manage-alerts-windows-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
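Review bot: in the "In this section" table, the row "[Investigate alerts](investigate-alerts-windows-advanced-threat-protection.md) Investigate alerts in Windows Defender ATP which might indicate..." is missing the "|" column separator and duplicates the row immediately above it; keep a single row with the pipe so the table renders. Also, "how long theyve been in the network" is missing its apostrophe ("they've").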