From cbd7a32c3628da7d25f12f11ed7ff0ab0ae31a30 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 Nov 2017 17:16:59 -0800 Subject: [PATCH 1/3] wdav and atp alerts --- ...ows-defender-advanced-threat-protection.md | 24 +++++++++++++++---- ...ows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index a4b8d93002..d73a80c764 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -47,20 +47,20 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti ## Sort, filter, and group the alerts list You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. -**Time period**
+### Time period - 1 day - 3 days - 7 days - 30 days - 6 months -**OS Platform**
+### OS Platform - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Other -**Severity**
+### Severity Alert severity | Description :---|:--- @@ -71,7 +71,21 @@ Informational
(Grey) | Informational alerts are those that might not be con Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. -**Detection source**
+#### Understanding alert severity +It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes. + +The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. + +The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. + +So, for example: +- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as ‘Informational’ because there was no actual damage incurred. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ‘Low’ because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as ‘Medium’ or ‘High’. +- Suspicious behavioral alerts which were not blocked or remediated will be ranked ‘Low’, ‘Medium’ or ‘High’ following the same organizational threat considerations. + + +### Detection source - Windows Defender AV - Windows Defender ATP - Windows Defender SmartScreen @@ -80,7 +94,7 @@ Reviewing the various alerts and their severity can help you decide on the appro >[!NOTE] >The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product. -**View**
+### View - **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. - **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index b196a3f4fa..e92c2218ce 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> It can take up to 15 minutes for the alert to appear in the portal. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when an alert appears in the portal. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From 5709a6732a55a0c35974671e750f3ab521439218 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 13:13:22 -0800 Subject: [PATCH 2/3] fix quotes --- ...rts-queue-windows-defender-advanced-threat-protection.md | 6 +++--- ...custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index d73a80c764..a89494bfc1 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -79,10 +79,10 @@ The Windows Defender AV threat severity represents the absolute severity of the The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. So, for example: -- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as ‘Informational’ because there was no actual damage incurred. +- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. - An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ‘Low’ because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as ‘Medium’ or ‘High’. -- Suspicious behavioral alerts which were not blocked or remediated will be ranked ‘Low’, ‘Medium’ or ‘High’ following the same organizational threat considerations. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. ### Detection source 
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index e92c2218ce..5250f2f639 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when an alert appears in the portal. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it takes effect. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From bf4ef40a17d5f93ebcda4b98eff4b2a55fdf5243 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 14:11:17 -0800 Subject: [PATCH 3/3] fix quotes --- .../alerts-queue-windows-defender-advanced-threat-protection.md | 2 +- ...ent-custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index a89494bfc1..f262dc08a7 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -80,7 +80,7 @@ The Windows Defender ATP alert severity represents the severity of the detected So, for example: - The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ‘Low’ because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 5250f2f639..8003743e5d 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it takes effect. +> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
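Review bot: In PATCH 1/3, alerts-queue hunk @@ -71,7 +71,21 @@, the second example bullet is ungrammatical as written ("An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ‘Low’"); suggest "An alert about commercial malware that was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ‘Low’". In the third bullet, "regardless if it was eventually blocked" should read "regardless of whether it was eventually blocked". The explanation itself is useful for analysts, since it makes clear that a Windows Defender ATP "Informational" alert can sit on top of a Windows Defender AV detection that AV rates highly; consider adding one sentence pointing readers back to the severity table under "### Severity" so the two scales are read side by side. Also, "So, for example:" reads better as "For example:", and the two blank lines before "### Detection source" should be one.

Review bot: In PATCH 1/3, custom-ti hunk @@ -148,7 +148,7 @@, the new note contains a doubled word ("between the the time"), and "latency time" is redundant; suggest "There is a delay of approximately 20 minutes between the time a custom TI is introduced and when an alert appears in the portal." Separately, this hunk changes the documented figure from "up to 15 minutes" to "approximately 20 minutes" while the commit subject ("wdav and atp alerts") says nothing about custom TI latency; the new number should be confirmed with the product team and mentioned in the commit message, since readers will use it to decide whether an indicator has failed to fire.

Review bot: In PATCH 2/3, alerts-queue hunk @@ -79,10 +79,10 @@, the quote normalization is incomplete: three bullets move from ‘…’ to "…", but the ‘Low’ bullet is left with curly quotes, which PATCH 3/3 then fixes in a separate commit with the same subject ("fix quotes"). Suggest squashing PATCH 2/3 and PATCH 3/3 into one commit so the file never has mixed quote styles at an intermediate revision, and so the history has one "fix quotes" change rather than two.

Review bot: In PATCH 2/3, custom-ti hunk @@ -148,7 +148,7 @@, replacing "when an alert appears in the portal" with "when it takes effect" drops the information the reader needs at this step. The surrounding context ("This step will guide you in exploring the custom alert in the portal") is about seeing the alert, so the note should say when the alert becomes visible; "takes effect" could equally mean when the indicator starts matching, which is a different moment. Suggest keeping "when an alert appears in the portal", or stating both if they differ. The doubled "the the" from PATCH 1/3 is also carried forward unchanged here.

Review bot: In PATCH 3/3, custom-ti hunk @@ -148,7 +148,7 @@, "becomes effective" is only a wording swap for "takes effect" and still leaves the same ambiguity about whether the 20 minutes refers to the indicator being enforced or the alert being displayed; suggest "before the custom TI is matched and its alert appears in the portal" if that is what the product does. The typo "between the the time" survives all three patches in this series and should be fixed in the same hunk ("between the time").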