diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png new file mode 100644 index 0000000000..3f7e3dba8a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png index b2ae248d35..db6082c4e1 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 7c0cf793b2..426598ba29 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md 
@@ -87,20 +87,20 @@ Create custom rules to control when alerts are suppressed, or resolved. You can ![Image of alert status](images/atp-create-suppression-rule.png) -3. Choose the context for suppressing the alert. +3. Enter an alert title then select an indicator of compromise from the drop-down list. ![Image of alert status](images/atp-new-suppression-rule.png) > [!NOTE] > You cannot create a custom or blank suppression rule. You must start from an existing alert. -4. Specify the conditions for when the rule is applied: - - Alert title - - Indicator of compromise (IOC) - - Suppression conditions +4. Specify the suppression conditions by entering values for any of the following: + - Sha1 + - File name + - Folder path > [!NOTE] - > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions. + > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions by removing the deselecting the checkbox. 5. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index a0090c2660..2266ded539 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -59,7 +59,7 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher 2. Open the **Actions menu** and select **Stop and Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Type a comment and select **Yes, stop and quarantine** to take action on the file. +3. Specify a reason, then click **Yes, stop and quarantine**. ![Image of stop and quarantine file](images/atp-stop-quarantine.png) The Action center shows the submission information: 
@@ -116,13 +116,27 @@ You can prevent further propagation of an attack in your organization by banning ### Enable the block file feature +Before you can block files, you'll need to enable the feature. + 1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**. 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ![Image of advanced settings for block file feature](images/atp-preferences-setup.png) -3. Type a comment and select **Yes, block file** to take action on the file. +### Block a file +1. Select the file you want to block. You can select a file from any of the following views or use the Search box: + + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline + - **Search box** - select File from the drop–down menu and enter the file name + +2. Open the **Actions menu** and select **Block**. + + ![Image of block action](images/atp-action-block-file.png) + +9. Specify a reason and select **Yes, block file** to take action on the file. + + ![Image of block file action](images/atp-block-file.png) The Action center shows the submission information: ![Image of block file](images/atp-blockfile.png)
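Review bot: In the manage-alerts hunk (@@ -87), the rewritten NOTE line is garbled: "by removing the deselecting the checkbox" should read "by deselecting the checkbox". In the same hunk, the new step 4 list item "Sha1" should be spelled "SHA1" to match the NOTE two lines below it and the rest of the page, and step 3 reads more cleanly as "Enter an alert title, then select an indicator of compromise from the drop-down list."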
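Review bot: In the respond-file-alerts hunk (@@ -59), the new step 3 uses "click **Yes, stop and quarantine**" while the unchanged step 2 directly above it uses "select **Stop and Quarantine File**"; keep one verb, "select", for consistency within the procedure.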
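Review bot: In the block-file hunk (@@ -116), the new "Block a file" procedure is numbered 1, 2, 9; the last step "9. Specify a reason and select **Yes, block file**" should be "3.". The same hunk references `images/atp-action-block-file.png`, but the only image this patch adds is `images/atp-block-file.png` (see the first file header), so confirm that `atp-action-block-file.png` already exists in the repo or add it here. Two smaller points: "drop–down" in the Search box bullet uses an en dash instead of a hyphen ("drop-down"), and a blank line is missing between the "### Block a file" heading and the "1. Select the file" step.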