deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

user entity content

Browse Source
This commit is contained in:
Joey Caparas 2017-02-10 15:51:32 -08:00
parent a85192b7c7
commit 787b2bd798
9 changed files with 61 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/keep-secure/TOC.md
View File

@ -765,6 +765,7 @@
###### [Submit files for analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ###### [Submit files for analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
###### [View deep analysis reports](investigate-files-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ###### [View deep analysis reports](investigate-files-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) ###### [Troubleshoot deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Investigate a user entity](investigate-user-entity-windows-defender-advanced-threat-protection.md)
#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) #### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) #### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) #### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md)

11
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -21,6 +21,8 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Dashboard** displays a snapshot of: The **Dashboard** displays a snapshot of:
- The latest active alerts on your network - The latest active alerts on your network
@ -49,12 +51,19 @@ The **Latest ATP alerts** section includes the latest active alerts in your netw
## Machines at risk ## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png) ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png)
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
## Users at risk
The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png)
Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection]
## Machines with active malware detections ## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender. The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.

BIN
windows/keep-secure/images/alert-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 105 KiB

After

Width:  |  Height:  |  Size: 105 KiB

BIN
windows/keep-secure/images/atp-machines-at-risk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/keep-secure/images/atp-user-details-view.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 185 KiB

BIN
windows/keep-secure/images/atp-users-at-risk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

2
windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
View File

@ -24,7 +24,7 @@ Examine possible communication between your machines and external internet proto
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
You can information from the following sections in the IP address view: You can find information from the following sections in the IP address view:
- IP address details - IP address details
- IP in organization - IP in organization

4
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -44,7 +44,7 @@ When you investigate a specific machine, you'll see:
The machine details, total logged on users and machine reporting sections display various attributes about the machine. Youll see details such as machine name, health status, actions you can take on the machine, domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. The machine details, total logged on users and machine reporting sections display various attributes about the machine. Youll see details such as machine name, health status, actions you can take on the machine, domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
Clicking on the number of total logged on users in the Logged on user tile opens the **Users Details** pane that displays the following information for logged on users in the past 30 days: Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
- User account domain\\user account name - User account domain\\user account name
- Date and time they were last observed on the machine - Date and time they were last observed on the machine
@ -52,6 +52,8 @@ Clicking on the number of total logged on users in the Logged on user tile opens
![Image of user details pane](images/atp-user-details-pane.png) ![Image of user details pane](images/atp-user-details-pane.png)
For more information see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md).
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.

46
windows/keep-secure/investigate-user-entity-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Investigate user entities in Windows Defender Advanced Threat Protection
description: Use the investigation options to investigate alerts related to a user account.
keywords: investigate, account, user, user entity, alert, windows defender atp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate a user account associated with a Windows Defender ATP alert
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
## Investigate user entities
Identify user accounts with the most active alerts and investigate the associated alerts to identify possible lateral movement between machines and potential compromised credentials cases.
You can find user account information from the following views:
- Dashboard
- Alerts queue
- Machine details page
A clickable user account link is available from all these views. You'll be taken to the user account details page where more details about the account is shown.
When you investigate a user entity, you'll see:
- User account details and Logged on machines
- Alerts related to this user
- Observed in organization
![Image of the user entity details page](images/atp-user-details-view.png)
The user entity details and logged on machines section display various attributes about the user entity. You'll see details such as when the user was first and last seen and the total number of machines the user logged in to.
The **Alerts related to this user** section provides a list of alerts that are associated with the user. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
The **Observed in organization** section allows you to specify a date range to see the total number of observed users logged in to specific machine and which machines the user most frequently and least frequently logged in to.