diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index c62da72162..33f672d121 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -765,6 +765,7 @@ ###### [Submit files for analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ###### [View deep analysis reports](investigate-files-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ###### [Troubleshoot deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +#### [Investigate a user entity](investigate-user-entity-windows-defender-advanced-threat-protection.md) #### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) #### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) #### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index 189aea5fd7..659561d360 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -21,6 +21,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + The **Dashboard** displays a snapshot of: - The latest active alerts on your network 
@@ -49,12 +51,19 @@ The **Latest ATP alerts** section includes the latest active alerts in your netw ## Machines at risk This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png) +![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +## Users at risk +The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). + +![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png) + +Click the user account to see details about the user account. 
For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection] + ## Machines with active malware detections The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender. diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png index a60ba27373..ad520f97ee 100644 Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png new file mode 100644 index 0000000000..e733606c0c Binary files /dev/null and b/windows/keep-secure/images/atp-machines-at-risk.png differ diff --git a/windows/keep-secure/images/atp-user-details-view.png b/windows/keep-secure/images/atp-user-details-view.png new file mode 100644 index 0000000000..b0732653d6 Binary files /dev/null and b/windows/keep-secure/images/atp-user-details-view.png differ diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png new file mode 100644 index 0000000000..4e86dbb2f5 Binary files /dev/null and b/windows/keep-secure/images/atp-users-at-risk.png differ diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 381ee7be12..17735d3ae1 100644 --- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md 
@@ -24,7 +24,7 @@ Examine possible communication between your machines and external internet proto Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. -You can information from the following sections in the IP address view: +You can find information from the following sections in the IP address view: - IP address details - IP in organization diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index 2a501755f5..909776112c 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -44,7 +44,7 @@ When you investigate a specific machine, you'll see: The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health status, actions you can take on the machine, domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. -Clicking on the number of total logged on users in the Logged on user tile opens the **Users Details** pane that displays the following information for logged on users in the past 30 days: +Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: - User account domain\\user account name - Date and time they were last observed on the machine 
@@ -52,6 +52,8 @@ Clicking on the number of total logged on users in the Logged on user tile opens ![Image of user details pane](images/atp-user-details-pane.png) + For more information see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md). + The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. diff --git a/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..60afef1f25 --- /dev/null +++ b/windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,46 @@ +--- +title: Investigate user entities in Windows Defender Advanced Threat Protection +description: Use the investigation options to investigate alerts related to a user account. +keywords: investigate, account, user, user entity, alert, windows defender atp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- +# Investigate a user account associated with a Windows Defender ATP alert + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +## Investigate user entities +Identify user accounts with the most active alerts and investigate the associated alerts to identify possible lateral movement between machines and potential compromised credentials cases. + +You can find user account information from the following views: +- Dashboard +- Alerts queue +- Machine details page + +A clickable user account link is available from all these views. You'll be taken to the user account details page where more details about the account is shown. + +When you investigate a user entity, you'll see: +- User account details and Logged on machines +- Alerts related to this user +- Observed in organization + +![Image of the user entity details page](images/atp-user-details-view.png) + +The user entity details and logged on machines section display various attributes about the user entity. You'll see details such as when the user was first and last seen and the total number of machines the user logged in to. 
+ +The **Alerts related to this user** section provides a list of alerts that are associated with the user. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. + +The **Observed in organization** section allows you to specify a date range to see the total number of observed users logged in to specific machine and which machines the user most frequently and least frequently logged in to.
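Review bot: in the dashboard.md hunk that adds the **Users at risk** section, the closing cross-reference `For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection]` has no link target, so it will render as literal bracketed text instead of a link; append `(investigate-user-entity-windows-defender-advanced-threat-protection.md)` so it matches the link form used in the **Machines at risk** paragraph just above it. The sentence "Click the user account to see details about the user account." repeats itself and reads better as "Click a user account to see its details." The same hunk also switches the machines image to `images/atp-machines-at-risk.png` while the diff adds the new file but never deletes `images/machines-at-risk.png`; check whether anything else still references the old image, otherwise it is now an orphaned asset.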
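Review bot: in the investigate-machines.md hunk at `@@ -52,6 +52,8 @@`, the added line ` For more information see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md).` begins with a leading space, unlike the surrounding paragraphs, and since it directly follows an image line it can be rendered as part of a different block; drop the leading space. The link text "Investigate user entities" also disagrees with the TOC entry added in the first hunk ("Investigate a user entity") and with the new page's H1 ("Investigate a user account associated with a Windows Defender ATP alert"); pick one wording and use it in the TOC, the dashboard link and this link.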
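Review bot: the final paragraph of the new investigate-user-entity-windows-defender-advanced-threat-protection.md file says the **Observed in organization** section shows "the total number of observed users logged in to specific machine", but the page describes a single user entity, so a reader cannot tell what that number counts; either it should read "the total number of machines the user logged in to", or the sentence should say which users are being counted, and "specific machine" needs an article either way. Grammar fixes in the same hunk: "more details about the account is shown" should be "are shown"; "The user entity details and logged on machines section display" should be "sections display"; "potential compromised credentials cases" reads better as "cases of potentially compromised credentials". The `title:` front matter ("Investigate user entities in Windows Defender Advanced Threat Protection") also does not match the H1, which the other pages in this set keep aligned.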