mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 05:07:23 +00:00
Update alerts-queue.md
This commit is contained in:
parent
df8afa7bd8
commit
77d59ec66f
@ -63,6 +63,30 @@ So, for example:
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
The table below lists the current categories and how they generally map to previous categories.
| New category | Previous categories | Detected threat activity or component |
|----------------------|----------------------|-------------|
| Collection | - | Locating and collecting data for exfiltration |
| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
| Exploit | Exploit | Exploit code and possible exploitation activity |
| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypicaly activity that could be malware activity or part of an attack |
| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
### Status
You can choose to limit the list of alerts based on their status.
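Review bot: typo in the "Suspicious activity" row of the new category table, "Atypicaly activity that could be malware activity" should read "Atypical activity that could be malware activity". A second, content point on the same hunk: the intro sentence says the new categories "align to the enterprise attack tactics in the MITRE ATT&CK matrix", but five of the rows that follow (Exploit, Malware, Ransomware, Suspicious activity, Unwanted software) are not ATT&CK tactics; readers will look for them in the matrix and not find them. Suggest qualifying the sentence, for example: "Most of the new categories align to the enterprise attack tactics in the MITRE ATT&CK matrix; the remaining categories (Exploit, Malware, Ransomware, Suspicious activity, Unwanted software) describe the type of threat component detected rather than a tactic." The "Previous categories" column uses "-" for Collection and Defense evasion; a short note that these are new categories with no prior equivalent would make the mapping table self-explanatory.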