mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 05:07:23 +00:00
incorporate feedback from sme
This commit is contained in:
Joey Caparas
parent
bfe6aa6f34
commit
6f63fffebc
@ -48,7 +48,7 @@ Highlighted area|Area name|Description
|
||||
2 | Alert selected | Select an alert to bring up the **Alert management pane** to manage and see details about the alert.
|
||||
3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
|
||||
|
||||
### Filter the alerts list
|
||||
### Sort, filter, and group the alerts list
|
||||
You can use the following filters to limit the list of alerts displayed during an investigation:
|
||||
|
||||
**Severity**</br>
|
||||
@ -57,7 +57,7 @@ Alert severity | Description
|
||||
:---|:---
|
||||
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
|
||||
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
|
||||
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
|
||||
|
||||
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
|
||||
@ -77,26 +77,34 @@ Reviewing the various alerts and their severity can help you decide on the appro
|
||||
- 6 months
|
||||
|
||||
**View**</br>
|
||||
- **Flat view** - Lists alerts individually with alerts that has the latest activity displayed at the top.
|
||||
- **Grouped view** - Groups alerts by alert ID, file hash, malware family and others to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating categories together.
|
||||
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
|
||||
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
|
||||
|
||||
The group view allows for efficient alert triage and management.
|
||||
|
||||
### Use the Alert management pane
|
||||
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
|
||||
|
||||
You can take the following management actions on an alert from the **Alert management** pane:
|
||||
You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
|
||||
|
||||
- Change the status of an alert from new, in progress, or resolved
|
||||
- Specify the alert classification from true alert or false alert
|
||||
- See related activity on the machine
|
||||
- Add and view comments about the alert
|
||||
- Change the status of an alert from new, to in progress, or resolved.
|
||||
- Specify the alert classification from true alert or false alert.
|
||||
Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
|
||||
- APT
|
||||
- Malware
|
||||
- Security personnel
|
||||
- Security testing
|
||||
- Unwanted software
|
||||
- Other
|
||||
- Assign the alert to yourself if the alert is not yet assigned.
|
||||
- View related activity on the machine.
|
||||
- Add and view comments about the alert.
|
||||
|
||||
>[!NOTE]
|
||||
>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section.
|
||||
|
||||
### Bulk edit alerts
|
||||
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one go.
|
||||
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -25,52 +25,54 @@ localizationpriority: high
|
||||
|
||||
You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
|
||||
|
||||
Alerts attributed to an adversary or actor display a colored tile with the actor name.
|
||||
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
|
||||
|
||||
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
|
||||
|
||||
|
||||
|
||||
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as locations where it's active worldwide. You will also see a set of recommended actions to take.
|
||||
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
|
||||
|
||||
Some actor profiles include a link to download a more comprehensive threat intelligence report.
|
||||
|
||||
## Alert process tree
|
||||
The **Alert process tree** takes alert triage and investigation to the next level by displaying the alert and its evidence with other events that occurred in the same execution context and time. This broad triage context of the alert and surrounding events is available on the alert page.
|
||||
The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
|
||||
|
||||
|
||||
|
||||
The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert.
|
||||
The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert.
|
||||
|
||||
You’ll see markers  that indicate related events. These icons also indicate the events that triggered the alert.
|
||||
The alert and related events or evidence have circles with thunderbolt icons inside them.
|
||||
|
||||
>[!NOTE]
|
||||
>The alert process tree might not be available in some alerts.
|
||||
|
||||
Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
|
||||
|
||||
|
||||
## Incident graph
|
||||
The **Incident graph** provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
|
||||
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed.
|
||||
|
||||
|
||||
|
||||
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert. It expands alert evidence to connect to other machines it was observed on by file and process.
|
||||
The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
|
||||
|
||||
The Windows Defender ATP service keeps track of "known processes" such as system files like PowerShell and others, that often trigger alerts. These alerts can be considered benign and very prevalent (on almost all machines) – so there is little to no value in expanding the **Incident graph** to other machines these files were observed on.
|
||||
The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
|
||||
|
||||
Alerts related to these processes include specific command lines that are generally the basis for the alert. You can use command lines as a criterion for expanding to other machines.
|
||||
|
||||
The **Incident graph** also shows that ‘the same command’ (for the same known process) was observed on other machines, ensuring the accuracy and value of the Incident Graph’s expansion.
|
||||
|
||||
The **Incident graph** also supports IP Addresses as a criterion of expansion, showing the potential scope of alert evidence without having to change context by navigating to the IP Address page.
|
||||
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
|
||||
|
||||
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
|
||||
|
||||
## Alert timeline
|
||||
The **Alert timeline** feature helps ease investigations by highlighting alerts related to a specific machine and events.
|
||||
The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
|
||||
|
||||
|
||||
|
||||
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
|
||||
|
||||
|
||||
|
||||
### Related topics
|
||||
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -46,16 +46,19 @@ The machine details, total logged on users and machine reporting sections displa
|
||||
|
||||
Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
|
||||
|
||||
- User account domain\\user account name
|
||||
- Date and time they were last observed on the machine
|
||||
- Date and time they were first observed on the machine
|
||||
- Interactive and remote interactive logins
|
||||
- Network, batch, and system logins
|
||||
|
||||
|
||||
|
||||
You'll also see details such as days seen, first seen, last seen, and user type.
|
||||
|
||||
For more information, see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
|
||||
|
||||
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights alerts and related events and helps distinguish from other alerts and events appearing in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
|
||||
|
||||
The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
|
||||
|
||||
This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
|
||||
|
||||
@ -23,19 +23,22 @@ localizationpriority: high
|
||||
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
|
||||
|
||||
The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting sensor data in your network.
|
||||
|
||||
Use the Machines view in these two main scenarios:
|
||||
The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
|
||||
|
||||
- **During onboarding**
|
||||
- During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported sensor data, or download the complete endpoint list as a CSV file for offline analysis.
|
||||
Use the Machines view in these main scenarios:
|
||||
|
||||
- **During onboarding**</br>
|
||||
During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
|
||||
- **Day-to-day work**
|
||||
- The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
|
||||
The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
|
||||
|
||||
## Sort, filter, and download the list of machines from the Machines view
|
||||
You can filter and sort (or “pivot”) the Machines view by clicking any column header to sort the view in ascending or descending order.
|
||||
You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order.
|
||||
|
||||
You can also download the entire list using the export feature.
|
||||
Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.
|
||||
|
||||
You can also download the entire list in CSV format using the **Export to CSV** feature.
|
||||
|
||||
|
||||
|
||||
@ -58,7 +61,7 @@ Filter the list to view specific machines grouped together by the following malw
|
||||
- **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
|
||||
- **Unwanted software** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
|
||||
|
||||
**Machine health state**</br>
|
||||
**Sensor health state**</br>
|
||||
Filter the list to view specific machines grouped together by the following machine health states:
|
||||
|
||||
- **Active** – Machines that are actively reporting sensor data to the service.
|
||||
@ -66,16 +69,15 @@ Filter the list to view specific machines grouped together by the following mach
|
||||
- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
|
||||
|
||||
## Export machine list to CSV
|
||||
You can download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
|
||||
You can download a full list of all the machines in your organization, in CSV format. Click the **Manage** menu icon  to download the entire list as a CSV file.
|
||||
|
||||
**Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
|
||||
**Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
|
||||
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
|
||||
|
||||
### Sort the Machines view
|
||||
You can sort the **Machines view** by the following columns:
|
||||
|
||||
- **Machine name** - Name or GUID of the machine
|
||||
- **Domain** - Domain the machine belongs to
|
||||
- **Last seen** - Date and time when the machine last reported sensor data
|
||||
- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
|
||||
- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
|
||||
@ -83,7 +85,7 @@ You can sort the **Machines view** by the following columns:
|
||||
- **Active malware detections** - Number of active malware detections reported by the machine
|
||||
|
||||
> [!NOTE]
|
||||
> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the default real-time protection antimalware product.
|
||||
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product.
|
||||
|
||||
|
||||
### Related topics
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user