WTP - new topics

windows/security/threat-protection/TOC.md

@@ -30,6 +30,12 @@
 #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
 #### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
 #### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
+
+#### [Web threat protection]()
+##### [Monitor web security](web-threat-protection-monitoring.md)
+##### [Respond to web threats](web-threat-protection-response.md)
+##### [Web threat protection overview](web-threat-protection-overview.md) 
+
 #### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
 #### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)

windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-monitoring.md

@@ -33,7 +33,7 @@ Web threat protection lets you monitor your organization’s web browsing securi
     ![Image of the card showing web threats protection summary](images/wtp-summary.png)
 
 >[!Note]
->It can take up to 12 hours from the time a block occurs and the time the block is reflected in the cards or the domain list.
+>It can take up to 12 hours before a block is reflected in the cards or the domain list.
 
 ## Types of web threats
 Web threat protection categorizes malicious and unwanted websites as:
@@ -52,6 +52,5 @@ The page provides an aggregated domain-level view along with the following infor
 Selecting a domain opens a flyout that shows the list of URLs in that domain and the list machines with access attempts.
 
 ## Related topics
-- [Monitor web security](web-threat-protection-monitoring.md)
-- [Respond to web threats](web-threat-protection-response.md)
-- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)
+- [Web threat protection overview](web-threat-protection-overview.md)
+- [Respond to web threats](web-threat-protection-response.md)

windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md

@@ -38,15 +38,9 @@ To turn on network protection on devices:
 >[!Note]
 >If you set network protection set to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
 
-## Reporting and policy deployment latencies
-Note the following latencies when blocking URLs or domains or when monitoring web activity:
-- After you add a URL or domain to your custom indicator list, it takes approximately an hour before your machines receive the new setting and start blocking the website.
-- While alerts are generated almost in real-time, the web threat protection reports can have a 12-hour delay from the time a block occurs and the time the block is reflected in the cards or the domain list.
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
-
-
-## Related topics
-- [Monitor web security](web-threat-protection-monitoring.md)
-- [Respond to web threats](web-threat-protection-response.md)
-- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)
+## In this section
+Topic | Description
+:---|:---
+[Monitor web security](web-threat-protection-monitoring.md) | Monitor attempts to access malicious and unwanted websites. 
+[Respond to web threats](web-threat-protection-response.md) | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked.

windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-response.md

@@ -0,0 +1,72 @@
+---
+title: Respond to web threats in Microsoft Defender ATP
+description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
+keywords: web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 08/30/2019
+---
+
+# Respond to web threats
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+Web threat protection in Microsoft Defender APT lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
+
+## View web threat alerts
+Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity:
+- **Suspicious connection blocked by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is stopped by network protection in blocked mode
+- **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in audit mode
+
+Each alert provides the following information: 
+- Machine that attempted to access the blocked website
+- Application or program used to send the web request
+- Malicious URL or URL in the custom indicator list
+- Recommended actions for this type of detections
+
+![Image of an alert related to web threat protection](images/wtp-alert.png)
+
+>[!Note]
+>To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat protection detections for the same domain on the same machine each day to a single alert. Only one alert is generated and counted into the [web protection report](web-threat-protection-monitoring.md).
+
+## Inspect website details
+You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular website providing various information, including:
+- All machines that attempted to access the URL or domain
+- All incidents and alerts related to the URL or domain
+- How frequent the URL or domain was seen in events in your organization
+
+![Image of the domain or URL entity details page](images/wtp-website-details.png)
+
+[Learn more about URL or domain entity pages](investigate-domain.md)
+
+## Inspect the machine
+You can also check the machine that attempted to access a blocked URL. Selecting the name of the machine on the alert page opens a page with comprehensive information about the machine.
+
+[Learn more about machine entity pages](investigate-machines.md)
+
+## Web browser and Windows notifications for end users
+
+With web threat protection in Microsoft Defender ATP, your end users will be blocked from visiting malicious or unwanted websites using Microsoft Edge or other browsers.
+
+Because blocking is performed by [network protection](network-protection-exploit-guard.md), they will see a generic error from the web browser. They will also see a notification from Windows.
+
+![Image of Microsoft Edge showing a 403 error and the Windows notification](images/wtp-browser-blocking-page.png)
+*Web threat blocked by Microsoft Edge*
+
+![Image of Chrome showing a secure connection warning and the Windows notification](images/wtp-browser-blocking-page.png)
+*Web threat blocked by the Chrome web browser*
+
+## Related topics
+- [Web threat protection overview](web-threat-protection-overview.md)
+- [Monitor web security](web-threat-protection-monitoring.md)