This commit is contained in:
Joey Caparas 2017-02-23 10:48:40 -08:00
commit 73b7a220c5
30 changed files with 194 additions and 104 deletions

View File

@ -751,7 +751,7 @@
###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) ###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) ###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) ###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
##### [Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md) ##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) ###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
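Review bot: the TOC entry for the user investigation page now points at `investigate-user-windows-defender-advanced-threat-protection.md` instead of `investigate-user-entity-windows-defender-advanced-threat-protection.md`, and the same new target is used by the Related topics lists and the corrected link in investigate-machines further down. None of the visible hunks shows the file itself being renamed, so confirm the rename is part of this commit (or an earlier one); otherwise every one of these links breaks at once.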

View File

@ -20,13 +20,11 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
1. In the navigation pane, select **Preferences setup** > **Advanced features**. 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**. 3. Click **Save preferences**.
## Related topics ## Related topics
- [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)

View File

@ -21,8 +21,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen. The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
Alerts are organized in queues by their workflow status or assignment: Alerts are organized in queues by their workflow status or assignment:
@ -45,7 +43,7 @@ You can sort and filter the alerts by using the available filters or clicking co
Highlighted area|Area name|Description Highlighted area|Area name|Description
:---|:---|:--- :---|:---|:---
1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped. 1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
2 | Alert selected | Select an alert to bring up the **Alert management pane** to manage and see details about the alert. 2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
3 | Alert management pane | View and manage alerts without leaving the alerts queue view. 3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
### Sort, filter, and group the alerts list ### Sort, filter, and group the alerts list
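Review bot: row 2 of the table now reads "bring up the **Alert management**" with the noun dropped, while row 3 of the same table still names the "Alert management pane" and investigate-alerts keeps "Selecting an alert brings up the **Alert management pane**". Unless the UI label itself changed, keep "Alert management pane" in row 2 so the three references agree.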
@ -108,11 +106,14 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together
![Alerts queue bulk edit](images/alerts-q-bulk.png) ![Alerts queue bulk edit](images/alerts-q-bulk.png)
### Related topics ## Related topics
- [Understand the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

View File

@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Check sensor health state # Check sensor health state in Windows Defender ATP
**Applies to:** **Applies to:**
@ -23,7 +23,7 @@ localizationpriority: high
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span> <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The sensor health tile provides information on the individual endpoints ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take actions to correct known issues. The sensor health tile provides information on the individual endpoints ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
![Windows Defender ATP sensor health tile](images/atp-sensor-health-filter.png) ![Windows Defender ATP sensor health tile](images/atp-sensor-health-filter.png)
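Review bot: the red pre-release notice is left in place here (the span line is identical on both sides), but this same commit deletes it from advanced-features, alerts-queue, general-settings, investigate-alerts, investigate-files and investigate-machines. Either the product is out of preview and this file should drop the notice too, or the other deletions are premature; the set of pages should be consistent.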
@ -51,5 +51,5 @@ In the **Machines view**, you can download a full list of all the machines in yo
>[!NOTE] >[!NOTE]
>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
## Related topics ## Related topic
- [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) - [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
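Review bot: the heading becomes "Related topic" (singular) for a one-item list, which is fine, but the link target keeps the misspelt file name `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` on both sides of the diff. If the file on disk really carries that typo the link works; if it was or will be renamed to the correct spelling, this link breaks. Worth checking while the file is open.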

View File

@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Configure email notifications # Configure email notifications in Windows Defender ATP
**Applies to:** **Applies to:**
@ -61,3 +61,8 @@ This section lists various issues that you may encounter when using email notifi
1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. 1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Windows Defender ATP. 2. Check that your email security product is not blocking the email notifications from Windows Defender ATP.
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. 3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
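Review bot: the second new bullet links to `advanced-features-windows-defender-advacned-threat-protection.md`. The same misspelt name appears unchanged on both sides of the general-settings Related topics hunk, so it is probably the real file name, but it should be confirmed rather than propagated into a third page; a later fix of the file name would break all of these links at once.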

View File

@ -111,11 +111,14 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb
![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png) ![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
### Related topics ## Related topics
- [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
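Review bot: the link text on the first and eighth bullets ends in a space before the closing bracket ("Alerts queue ]", "Windows Defender ATP ]"), which renders as a trailing space inside the link. The same stray space is in the Alerts queue bullet of the new Related topics lists added to investigate-alerts, investigate-domain, investigate-files and investigate-ip, and in the preview-experience bullet in general-settings; trim them.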

View File

@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Fix unhealthy sensors # Fix unhealthy sensors in Windows Defender ATP
**Applies to:** **Applies to:**
@ -75,3 +75,6 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
## Related topic
- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md)

View File

@ -20,8 +20,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**. 1. In the navigation pane, select **Preferences setup** > **General**.
@ -33,6 +31,6 @@ During the onboarding process, a wizard takes you through the general settings o
## Related topics ## Related topics
- [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)

Binary file not shown. Size: 134 KiB before, 120 KiB after.

Binary file not shown. Size: 228 KiB before, 201 KiB after.

Binary file not shown. Size: 22 KiB before, 24 KiB after.

Binary file not shown. Size: none before, 26 KiB after.

Binary file not shown. Size: 382 KiB before, 597 KiB after.

Binary file not shown. Size: 34 KiB before, 104 KiB after.

View File

@ -21,8 +21,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown. You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
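Review bot: this hunk only removes the pre-release notice, but the unchanged sentence directly below it reads "clicking an alert brings you the alert details view", missing "to". Since the file is being edited anyway, change it to "brings you to the alert details view".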
@ -74,3 +72,15 @@ The **Alert timeline** feature provides an addition view of the evidence that tr
![Image of alert timeline](images/atp-alert-timeline.png) ![Image of alert timeline](images/atp-alert-timeline.png)
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

View File

@ -42,3 +42,15 @@ The **Communication with URL in organization** section provides a chronological
3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization. 3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed. 4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
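Review bot: step 5 in the unchanged context above still reads "where you can continue investigate reported alerts"; it should be "continue investigating". The identical sentence is in investigate-ip and should be fixed there in the same pass.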

View File

@ -20,8 +20,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view: You can get information from the following sections in the file view:
@ -52,3 +50,15 @@ The **Most recent observed machines with the file** section allows you to specif
![Image of most recent observed machine with the file](images/atp-observed-machines.png) ![Image of most recent observed machine with the file](images/atp-observed-machines.png)
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if youre trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if youre trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
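Review bot: the context paragraph above has "if youre trying to identify" with the apostrophe lost (most likely a curly apostrophe dropped on save); restore "you're" while the file is being touched.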

View File

@ -50,3 +50,15 @@ Details about the IP address are displayed, including: registration details (if
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
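Review bot: the unchanged line "where you can continue investigate reported alerts, behaviors, and events" above the new list has the same grammar slip as investigate-domain; change it to "continue investigating".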

View File

@ -21,8 +21,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
## Investigate machines ## Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
@ -55,7 +53,7 @@ Clicking on the number of total logged on users in the Logged on user tile opens
You'll also see details such as logon types for each user account, the user group, and when the account was logged in. You'll also see details such as logon types for each user account, the user group, and when the account was logged in.
For more information, see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md). For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
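Review bot: the link text on the changed line still reads "Investigate user entities" while the same target is listed in this file's Related topics below as "Investigate a user account in Windows Defender ATP"; since the target is being renamed from `investigate-user-entity-windows-defender-advanced-threat-protection.md` to `investigate-user-windows-defender-advanced-threat-protection.md`, update the link text here to match the target topic's title so both references to the one page agree.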
@ -111,3 +109,15 @@ You can also use the [Alerts spotlight](investigate-alerts-windows-defender-adva
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address.
This enhances the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. This enhances the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
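Review bot: the added Alerts queue entry carries a trailing space inside the link text, `[View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)`, which renders as a link ending in a space; drop the space before `]`. The same list, with the same stray space, is pasted into the investigate-user file further down in this commit, so fix it in both places.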

View File

@ -20,8 +20,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
## Investigate user account entities ## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
@ -63,3 +61,15 @@ You can filter the results by the following time periods:
- 7 days - 7 days
- 30 days - 30 days
- 6 months - 6 months
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

View File

@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# View and organize the Windows Defender ATP machines view # View and organize the Windows Defender ATP Machines view
**Applies to:** **Applies to:**
@ -21,9 +21,6 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
Use the Machines view in these main scenarios: Use the Machines view in these main scenarios:
@ -42,7 +39,6 @@ You can also download the entire list in CSV format using the **Export to CSV**
![Image of machines view with list of machines](images/atp-machines-view-list.png) ![Image of machines view with list of machines](images/atp-machines-view-list.png)
### Filter the Machines view
You can use the following filters to limit the list of machines displayed during an investigation: You can use the following filters to limit the list of machines displayed during an investigation:
**Time period**</br> **Time period**</br>
@ -74,7 +70,7 @@ You can download a full list of all the machines in your organization, in CSV f
**Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. **Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
### Sort the Machines view ## Sort the Machines view
You can sort the **Machines view** by the following columns: You can sort the **Machines view** by the following columns:
- **Machine name** - Name or GUID of the machine - **Machine name** - Name or GUID of the machine
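Review bot: promoting `### Sort the Machines view` to `## Sort the Machines view` while the hunk above deletes the `### Filter the Machines view` heading leaves the filter description (Time period and the filters that follow it) without a heading of its own and makes Sort a sibling of the page's top-level sections; either keep Filter and Sort as matching `###` subsections or restore the filter heading at the same `##` level as Sort.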
@ -88,11 +84,14 @@ You can sort the **Machines view** by the following columns:
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product. > The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product.
### Related topics ## Related topics
- [Understand the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

View File

@ -89,6 +89,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png)
The list of suppression rules shows all the rules that users in your organization have created. The list of suppression rules shows all the rules that users in your organization have created.
![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
Each rule shows: Each rule shows:
- (1) The title of the alert that is suppressed - (1) The title of the alert that is suppressed
@ -96,14 +98,15 @@ Each rule shows:
- (3) The date when the alert was suppressed - (3) The date when the alert was suppressed
- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards. - (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
## Related topics
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
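Review bot: the Alerts queue entry regresses from `[View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)` to a version with a trailing space inside the link text, `Alerts queue ](...)`, which the old line did not have; remove the space. The `### Related topics` to `## Related topics` change and the reordering of the list are fine.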

View File

@ -67,5 +67,5 @@ Icon | Description
![Thunderbolt icon](images/atp-thunderbolt-icon.png) | Indicates events that triggered an alert in the **Alert process tree**. ![Thunderbolt icon](images/atp-thunderbolt-icon.png) | Indicates events that triggered an alert in the **Alert process tree**.
### Related topic ## Related topic
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)

View File

@ -20,14 +20,12 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Turn on the preview experience setting to be among the first to try upcoming features. Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**. 1. In the navigation pane, select **Preferences setup** > **Preview experience**.
2. Toggle the setting between **On** and **Off** and select **Save preferences**. 2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Related topics ## Related topics
- [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)

View File

@ -23,7 +23,7 @@ localizationpriority: high
Windows Defender ATP adds various feature enhancements and capabilities in the February 2017 preview release. Windows Defender ATP adds various feature enhancements and capabilities in the February 2017 preview release.
Be among the first to try upcoming features by turning on the preview experience feature. For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) Be among the first to try upcoming features by turning on the preview experience feature. For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md).
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span> <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

View File

@ -21,7 +21,7 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span> <span style="color:#ED1C24;">[Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. You can take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
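Review bot: the only change to the disclaimer is "pre-released" becoming "prereleased", which indicates the ASCII hyphen was replaced by a non-ASCII character that this rendering strips (line 450 shows the viewer doing the same to the curly apostrophes in "youve" and "its" on both sides); the same substitution appears throughout this file in "thirdparty", "commandline", "Rightclick", "Cloudbased", "dropdown", "3hour" and "resubmit". Keep plain ASCII `-` in prose so the words render and search consistently across the docs.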
@ -40,10 +40,10 @@ The action takes effect on machines with the latest Windows 10 Insider Preview b
### Stop and quarantine files ### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- **Alerts** - click the corresponding links from the Description or Details in the Alert timeline **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
- **Search box** - select File from the drop-down menu and enter the file name **Search box** - select File from the dropdown menu and enter the file name
2. Open the **Action menu** and select **Stop & Quarantine File**. 2. Open the **Actions menu** and select **Stop & Quarantine File**.
![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference. 3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference.
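Review bot: the two options under step 1 (`**Alerts** - click the corresponding links...` and `**Search box** - select File from the ... menu...`) lose their `- ` list markers on the new side; without markers and indentation under the numbered step they render as loose paragraphs that break the numbered list, so keep them as a nested bullet list. The same applies to the Action center field lists and the deep analysis view lists later in this file, which drop their bullets in the same way.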
@ -51,11 +51,11 @@ The action takes effect on machines with the latest Windows 10 Insider Preview b
The Action center shows the submission information: The Action center shows the submission information:
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
- **Submission time** Shows when the action was submitted. **Submission time** - Shows when the action was submitted.
- **Submitting user** Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- **Pending** Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- **Success** Shows the number of machines where the file has been stopped and quarantined. **Success** - Shows the number of machines where the file has been stopped and quarantined.
- **Failed** Shows the number of machines where the action failed and details about the failure. **Failed** - Shows the number of machines where the action failed and details about the failure.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
@ -67,7 +67,7 @@ When the file is being removed from an endpoint, the following notification is s
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
>[!NOTE] >[!NOTE]
>The **Action** button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the removal of critical system files and files used by important applications. >The **Action** button is turned off for files signed by Microsoft as well as trusted thirdparty publishers to prevent the removal of critical system files and files used by important applications.
![Image of action button turned off](images/atp-file-action.png) ![Image of action button turned off](images/atp-file-action.png)
@ -76,15 +76,15 @@ For prevalent files in the organization, a warning is shown before an action is
### Remove file from quarantine ### Remove file from quarantine
You can roll back and remove a file from quarantine if youve determined that its clean after an investigation. Run the following command on each machine where the file was quarantined. You can roll back and remove a file from quarantine if youve determined that its clean after an investigation. Run the following command on each machine where the file was quarantined.
1. Open an elevated command-line prompt on the endpoint: 1. Open an elevated commandline prompt on the endpoint:
a. Go to **Start** and type cmd. a. Go to **Start** and type cmd.
b. Right-click **Command prompt** and select **Run as administrator**. b. Rightclick **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**: 2. Enter the following command, and press **Enter**:
``` ```
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” -Restore -Name EUS:Win32/CustomEnterpriseBlock All “%ProgramFiles%\Windows Defender\MpCmdRun.exe” Restore Name EUS:Win32/CustomEnterpriseBlock All
``` ```
>[!NOTE] >[!NOTE]
>Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. >Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
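Review bot: the restore command loses its switch prefixes, `-Restore -Name` on the old line becomes `Restore Name` on the new, and MpCmdRun.exe will not accept the switches without the leading hyphen; whatever character replaced the ASCII `-`, the code block must contain the literal `-Restore -Name EUS:Win32/CustomEnterpriseBlock All`. While here, the smart quotes in `“%ProgramFiles%\Windows Defender\MpCmdRun.exe”` should be straight `"` quotes inside a code block or the pasted command fails in cmd.exe, and `All` is also an MpCmdRun switch and likely needs to be `-All` (verify against the tool's usage text). The step lines above, "commandline" and "Rightclick", should keep their ASCII hyphens as well.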
@ -93,7 +93,7 @@ You can roll back and remove a file from quarantine if youve determined that
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!NOTE] >[!NOTE]
>This feature is only available if your organization uses Windows Defender and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](configure-windows-defender-in-windows-10.md). </br></br> >This feature is only available if your organization uses Windows Defender Antivirus and Cloudbased protection is enabled. For more information, see [Manage cloudbased protection](configure-windows-defender-in-windows-10.md). </br></br>
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build. This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
### Enable the block file feature ### Enable the block file feature
@ -108,9 +108,9 @@ The Action center shows the submission information:
![Image of block file](images/atp-blockfile.png) ![Image of block file](images/atp-blockfile.png)
- **Submission time** Shows when the action was submitted. **Submission time** - Shows when the action was submitted.
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- **Status** -Indicates whether the file was added to or removed from the blacklist. **Status** - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.</br> When the file is blocked, there will be a new event in the machine timeline.</br>
@ -129,9 +129,9 @@ For prevalent files in the organization, a warning is shown before an action is
### Remove file from blocked list ### Remove file from blocked list
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
- **Alerts** - Click the file links from the Description or Details in the Alert timeline **Alerts** - Click the file links from the Description or Details in the Alert timeline
- **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section
- **Search box** - Select File from the drop-down menu and enter the file name **Search box** - Select File from the dropdown menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**. 2. Open the **Actions** menu and select **Remove file from blocked list**.
@ -174,19 +174,19 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
**Submit files for deep analysis:** **Submit files for deep analysis:**
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop-down menu and enter the file name Search box - select **File** from the dropdown menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**. 2. In the **Deep analysis** section of the file view, click **Submit**.
![You can only submit PE files in the file details seciton](images/submit-file.png) ![You can only submit PE files in the file details section](images/submit-file.png)
>**Note**&nbsp;&nbsp;Only PE files are supported, including _.exe_ and _.dll_ files >**Note**&nbsp;&nbsp;Only PE files are supported, including _.exe_ and _.dll_ files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> [!NOTE] > [!NOTE]
> Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file. > Depending on machine availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
### View deep analysis reports ### View deep analysis reports
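Review bot: the "3-hour timeout" line in this hunk loses its hyphen and now reads "3hour timeout", which is a typo rather than a cleanup; keep "3-hour". The same hunk also changes "drop-down menu" to "dropdown menu" for the file search box, while the machine-selection steps in respond-machine-alerts (the later hunks in this commit) still say "drop-down menu"; pick one spelling for the whole doc set. Minor: the PE-files note ("Only PE files are supported, including _.exe_ and _.dll_ files") still has no terminating period.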
@ -194,8 +194,8 @@ View the deep analysis report that Windows Defender ATP provides to see the deta
You can view the comprehensive report that provides details on: You can view the comprehensive report that provides details on:
- Observed behaviors Observed behaviors
- Associated artifacts Associated artifacts
The details provided can help you investigate if there are indications of a potential attack. The details provided can help you investigate if there are indications of a potential attack.
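Review bot: the two list items under "You can view the comprehensive report that provides details on:" lose their leading "- " markers in this hunk, so "Observed behaviors" and "Associated artifacts" will render as plain run-on text instead of a bullet list. Restore the markers:
- Observed behaviors
- Associated artifacts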
@ -218,11 +218,14 @@ If you encounter a problem when trying to submit a file, try each of the followi
a. Change the following registry entry and values to change the policy on specific endpoints: a. Change the following registry entry and values to change the policy on specific endpoints:
``` ```
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Value = 0 - block sample collection Value = 0 block sample collection
Value = 1 - allow sample collection Value = 1 allow sample collection
``` ```
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> [!NOTE] > [!NOTE]
> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. > If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
## Related topics
[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
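Review bot: the registry snippet names the key (HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection) but never names the value the reader must create, even though the note two lines later refers to *AllowSampleCollection*; a reader following step "a" has nothing to type. Spell it out in the block, for example "AllowSampleCollection = 0 - block sample collection" / "AllowSampleCollection = 1 - allow sample collection". The hunk also drops the dash between the value and its description ("Value = 0 block sample collection"), which reads as a missing word; keep the separator. The new "## Related topics" entry here is a bare link, while the same section added to respond-machine-alerts later in this commit uses a "- " bullet; use one style.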


@ -38,7 +38,7 @@ This machine isolation feature disconnects the compromised machine from the netw
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: 1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Dashboard** Select the machine name from the Top machines with active alerts section. - **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines view** - Select the machine name from the list of machines. - **Machines view** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name. - **Search box** - Select Machine from the drop-down menu and enter the machine name.
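Review bot: the Dashboard bullet is normalized to " - " as a separator, which is consistent with the other bullets, but the search-box step still reads "Select Machine from the drop-down menu" with no bold on Machine, whereas the equivalent step in respond-file-alerts bolds the menu item ("select **File** from the drop-down menu"). Bold **Machine** here for consistency, and note this hunk keeps "drop-down" while the file doc in this same commit switches to "dropdown".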
@ -54,16 +54,16 @@ This machine isolation feature disconnects the compromised machine from the netw
The Action center shows the submission information: The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png) ![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** Shows when the isolation action was submitted. - **Submission time** - Shows when the isolation action was submitted.
- **Submitting user** Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon. - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
- **Status** Indicates any pending actions or the results of completed actions. - **Status** - Indicates any pending actions or the results of completed actions.
When the isolation configuration is applied, there will be a new event in the machine timeline. When the isolation configuration is applied, there will be a new event in the machine timeline.
**Notification on machine user**:</br> **Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-no-network-connection.png) ![Image of no network connection](images/atp-notification-isolate.png)
## Undo machine isolation ## Undo machine isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated. Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated.
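Review bot: the isolation-notification image is repointed from images/atp-no-network-connection.png to images/atp-notification-isolate.png but the alt text is left as "Image of no network connection", so the alt text no longer describes the referenced file; update it to describe the isolation notification. Also confirm atp-notification-isolate.png is actually added in this commit and that atp-no-network-connection.png is either removed or still referenced elsewhere, otherwise one of them is an orphaned asset.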
@ -86,31 +86,31 @@ The package contains the following folders:
Folder | Description Folder | Description
:---|:--- :---|:---
Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
Installed program | This CSV file contains the list of installed program that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).
Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. 
</br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.
Processes | Contains a CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when trying to identify if there is a suspicious process and its state. Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.
Scheduled tasks | Contains a CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for a suspicious code set to run automatically. Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.
Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer.
Services | Contains the services.txt file which lists services and their states. Services | Contains the services.txt file which lists services and their states.
Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).
Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system. Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system.
Users and Groups | Provides a list of files that each represent a group and its members. Users and Groups | Provides a list of files that each represent a group and its members.
CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views: 1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
- **Dashboard** Select the machine name from the Top machines with active alerts section. - **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** Select the machine name beside the machine icon from the alerts queue. - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines view** Select the heading of the machine name from the machines view. - **Machines view** - Select the heading of the machine name from the machines view.
- **Search box** Select Machine from the drop-down menu and enter the machine name. - **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Collect investigation package**. 2. Open the **Actions** menu and select **Collect investigation package**.
The Action center shows the submission information: The Action center shows the submission information:
![Image of investigation package in action center](images/atp-investigation-package-action-center.png) ![Image of investigation package in action center](images/atp-investigation-package-action-center.png)
- **Submission time** Shows when the action was submitted. - **Submission time** - Shows when the action was submitted.
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package. - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
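Review bot: the "Network connections" row of the folder table is split across two physical lines in this hunk (the line now ends after "ARP cache tables for all interfaces." and the remainder starting "</br></br> ARP cache can reveal..." sits on its own line). A newline inside a markdown table row ends the table, so everything from that point will render as plain text; keep the whole row on one line. While touching this row, "suspicious systems on the network that night have been used" should read "might have been used" (present in both old and new text), and "attackers persistency" in the Autoruns row should be "attackers' persistence". The "Dashboard" bullet in the machine-selection steps here again normalizes the separator to " - ", matching the isolation steps above.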
@ -126,3 +126,6 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
![Image of action center with information](images/atp-action-center-with-info.png) ![Image of action center with information](images/atp-action-center-with-info.png)
## Related topics
- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
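Review bot: the new "## Related topics" section here uses a "- " bulleted link, but the matching section added to respond-file-alerts earlier in this commit is a bare, unbulleted link; these two pages cross-reference each other and should use the same list style.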


@ -33,3 +33,15 @@ Topic | Description
:---|:--- :---|:---
[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package. [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package.
[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network. [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
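Review bot: the link text for the alerts-queue entry has a trailing space before the closing bracket ("...Alerts queue ](alerts-queue-...)"), which will show as a stray space in the rendered link; remove it. The list also mixes "Windows Defender Advanced Threat Protection" and "Windows Defender ATP" in otherwise parallel titles; pick one form for the whole list.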


@ -50,8 +50,8 @@ Setting the time zone also changes the times for all Windows Defender ATP views.
To set the time zone: To set the time zone:
1. Click the **Settings** menu ![Settings icon](images/settings.png). 1. Click the **Settings** menu ![Settings icon](images/settings.png).
2. Select the **Timezone:UTC** indicator. 2. Select the **Timezone UTC** indicator.
3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**. 3. Select **Timezone Local** or **-8:00**.
## Suppression rules ## Suppression rules
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
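Review bot: step 3 now tells the reader to "Select **Timezone Local** or **-8:00**", but "-8:00" is a specific UTC offset that only matches the writer's own locale; readers elsewhere will see a different offset and a label that does not exist for them. Describe it generically (for example, "Select **Timezone Local** or your local UTC offset"). The old text also explained how to switch back to UTC ("Click it again to change back to **Timezone:UTC**"); that instruction is dropped in the rewrite and should be kept.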


@ -43,9 +43,9 @@ Topic | Description
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks. [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
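Review bot: the "Investigate a domain" row is moved above "View and organize the Machines view" and the user-account link is renamed from investigate-user-entity-... to investigate-user-...; the new order and filename match the Related topics list added to response-actions earlier in this commit, which is good. The hunk touches the neighbouring "View and organize the Machines view" row but leaves its grammar error in place: "You can sort, filter, and exporting the machine list" should read "sort, filter, and export". Fix it here since the row is already in the diff context.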