From 6ce0f557261e335993f5c621c7f2cbf1f17fa244 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 24 Oct 2018 10:56:27 -0700 Subject: [PATCH] update --- ...-machines-windows-defender-advanced-threat-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 0d6147cd7b..cc74d3e88b 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -118,9 +118,11 @@ Use the search bar to look for specific timeline events. Harness the power of us >[!NOTE] > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection). >Firewall covers the following events: ->- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection ->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network >- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection + + - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: