deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix content

Browse Source
This commit is contained in:
Joey Caparas 2017-02-03 19:40:11 -08:00
parent fc766a17b7
commit 44d2548e05
1 changed files with 63 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -21,9 +21,8 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts appear in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
## Organize the alerts queue
Alerts are organized in three queues, by their workflow status:
- **New**
@ -39,28 +38,21 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti
## Sort and filter the alerts
You can sort and filter the alerts by using the available filters or clicking columns that allow you to sort the view in ascending or descending order.
![Image of alerts queue grouped](images/atp-alerts-group.png)
The alerts view contains the following columns:
- **Title** A brief description of the alert
- **Machine and user** Machine where the alert was seen and the user entity associated with the alert
- **Severity** Alert severity level
- **Last activity** Last seen activity related to the alert
- **Time in queue** Number of days the alert has been in the queue
- **Status** Indicates the queue status
- **Assigned to** Shows who is addressing the alert
![Alerts queue with numbers](images/alerts-queue-numbered.png)
### Filter the alerts list
You can use the following filters to limit the list of alerts displayed during an investigation:
(1) You can use the following filters to limit the list of alerts displayed during an investigation:
**Severity**</br>
- Low
- Medium
- High
- Informational
Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
**Detection source**</br>
- Windows Defender AV
@ -76,31 +68,52 @@ Informational alerts are those that might not be considered harmful to the netwo
- 6 months
**View**</br>
- Flat view - Shows alerts in a chronological order as an alert surfaces.
- Grouped view - Groups alerts based on commonalities such as alert ID, file hash, or malware family.
- **Flat view** - Lists alerts individually with alerts that has the latest activity displayed at the top surfaces.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family and others to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating categories together.
The group view allows for efficient alert triage and management.
### Use the Alert management pane [JOEY - FIX THE NUMBERING, SELECT ALERT FIRST, MAKE NUMBER 4 TO NUMBER 2]
(2) Select alert </br>
Selecting an alert brings up the Alert management pane.
(3) You can take immediate action on an alert and see details about an alert from the Alert management pane. You can change the status of an alert from new, in progress, or resolved.
(4) Alert classification </br>
You can also select the alert classification to indicate if the alert is a true alert or a false alert.
You can also assign the alert to yourself if the alert is not yet being addressed, and view related activity on the machine.
(5) Comments and history </br>
View comments from other security operations personnel and see historical information about the alert or add your own comments.
### Bulk edit alerts
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one go.
![Alerts queue bulk edit](images/alerts-q-bulk.png)
### Related topics
- [Understand the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
The following table and screenshot demonstrate the main areas of the **Alerts queue**.
![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/atp-alerts-q.png)
====================
Highlighted area|Area name|Description
:---|:---|:---
(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a colored bar</li><li>A short description of the alert, including the category and name of the threat actor (in cases where the attribution is possible)</li><li>The machine and user associated to the alert</li><li>The severity of the alert</li><li>The date when the last activity was seen</li><li>The number of days the alert has been in the queue</li><li>The status of the alert in the queue</li><li>Who the alert is assigned to</li><li>A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to manage the alert and go to the machine timeline</li></ul>Selecting an alert brings up the alert management pane which shows information on the alert such as its status in the queue, alert classification, who is addressing the alert, related activity on the machine, and historical information.
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Severity**</li><li>**Detection source**</li><li>**Time period** </li><li>**Group view or Flat view** </li></ul> For more information, see [Sort and filter the Alerts queue](#sort-and-filter-the-alerts-queue) for more details.
The alerts view contains the following columns:
- **Title** A brief description of the alert
- **Machine and user** Machine where the alert was seen and the user entity associated with the alert
- **Severity** Alert severity level
- **Last activity** Last seen activity related to the alert
- **Time in queue** Number of days the alert has been in the queue
- **Status** Indicates the queue status
- **Assigned to** Shows who is addressing the alert
## Alert severity levels
Alert severity | Description
:---|:---
High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
## Sort and filter the Alerts queue
You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
@ -112,8 +125,8 @@ You can filter and sort (or "pivot") the Alerts queue to identify specific alert
- **Detection source** - Windows Defender Antivirus or Windows Defender
- **Time period** - 1, 3, 7, 30 days, or 6 months
- **Group view or Flat view**
- Flat view - lists alerts individually with alerts that has the latest activity displayed at the top
- Group view - sorts the alerts by alert ID, file hash, malware family and others to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating categories together.
- Flat view -
- Group view - sorts the alerts
(2) Alert management pane </br>
You can take immediate action on an alert and see details about an alert from the Alert management pane. You can change the status of an alert from new, in progress, or resolved.
@ -133,11 +146,15 @@ You can also edit alerts by bulk by selecting multiple alerts (Ctrl or Shift sel
![Alerts queue bulk edit](images/alerts-q-bulk.png)
### Related topics
- [Understand the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
The following table and screenshot demonstrate the main areas of the **Alerts queue**.
![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/atp-alerts-q.png)
Highlighted area|Area name|Description
:---|:---|:---
(1)|**Alerts queue**| Select to show **New**, **In Progress**, **Resolved alerts**, or **Assigned to me**
(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a colored bar</li><li>A short description of the alert, including the category and name of the threat actor (in cases where the attribution is possible)</li><li>The machine and user associated to the alert</li><li>The severity of the alert</li><li>The date when the last activity was seen</li><li>The number of days the alert has been in the queue</li><li>The status of the alert in the queue</li><li>Who the alert is assigned to</li><li>A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to manage the alert and go to the machine timeline</li></ul>Selecting an alert brings up the alert management pane which shows information on the alert such as its status in the queue, alert classification, who is addressing the alert, related activity on the machine, and historical information.
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Severity**</li><li>**Detection source**</li><li>**Time period** </li><li>**Group view or Flat view** </li></ul> For more information, see [Sort and filter the Alerts queue](#sort-and-filter-the-alerts-queue) for more details.