mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
more content
Binary file not shown.
Before: Size 2.0 KiB. After: Size 1.9 KiB.
@ -38,30 +38,35 @@ The **Alert process tree** takes alert triage and investigation to the next leve

The alert process tree expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert.
The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert.
You’ll see markers that indicate related events. These icons also indicate the events that triggered the alert.
You’ll see markers  that indicate related events. These icons also indicate the events that triggered the alert.
>[!NOTE]
>The alert process tree might not be available in some alerts.
Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert.
You can take the following management actions on an alert from the **Alert management** pane:
Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details – while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
The **Incident graph** provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert. It expands alert evidence to connect to other machines it was observed on by file and process.
The Windows Defender ATP service keeps track of "known processes" such as system files like PowerShell and others, that often trigger alerts. These alerts can be considered benign and very prevalent (on almost all machines) – so there is little to no value in expanding the **Incident graph** to other machines these files were observed on.
Alerts related to these processes include specific command lines that are generally the basis for the alert. You can use command lines as a criterion for expanding to other machines.
The **Incident graph** also shows that ‘the same command’ (for the same known process) was observed on other machines, ensuring the accuracy and value of the Incident Graph’s expansion.
The **Incident graph** also supports IP Addresses as a criterion of expansion, showing the potential scope of alert evidence without having to change context by navigating to the IP Address page.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
## Alert spotlight
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
The **Alert spotlight** feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
You can click on the machine link from the alert view to see the alerts related to the machine.
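Review bot: the new "known processes" paragraph ("These alerts can be considered benign and very prevalent (on almost all machines)") tells the analyst that alerts involving PowerShell and similar binaries can be treated as benign, which is not what the section is arguing and is poor triage guidance; the point, made correctly two paragraphs later, is that the process itself is present on almost every machine, so expanding the graph by file or process name alone adds nothing, and the command line should be the expansion criterion instead. Suggest rewording along the lines of: "These processes are present on almost every machine, so expanding the **Incident graph** by file or process name alone has little value; use the alert's command line as the expansion criterion." In the same sentence, "system files like PowerShell" should name the binary (powershell.exe) rather than the product. Smaller points in this hunk: "You'll see markers  that indicate" has a double space where an inline marker image appears to have been dropped (the rendered diff shows nothing between the two words, so check the image reference survived); the curly quotes in "'the same command'" and "Incident Graph's" should be straight quotes and match the **Incident graph** casing used everywhere else; and "IP Addresses" should be "IP addresses".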
@ -69,6 +74,7 @@ You can click on the machine link from the alert view to see the alerts related
> This shortcut is not available from the Incident graph machine links.
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
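Review bot: "Clicking on an alert row takes you the to the date in which the alert was flagged" has a transposed "the to" and should read "takes you to the date on which the alert was flagged on the **Machine timeline**"; worth fixing in this commit even if that line is unchanged context. Also confirm the filter label **Behaviours** matches the portal's own spelling, since readers will search the UI for the exact string and the other two names (**Detections**, **Verbose**) are given as they appear on screen.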