Merge branch 'master' into maximvelichko-patch-3

2025-05-12 13:27:23 +00:00 · 2021-03-08 11:38:29 -08:00 · 2021-03-08 11:38:29 -08:00 · 84f30365b2
commit 84f30365b2
parent d2d3616507 8cf00c2239
11 changed files with 20 additions and 6 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view-upd.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view-upd.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected-upd.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected-upd.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac-upd.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac-upd.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detstat-blocked.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detstat-blocked.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detstat-detected.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detstat-detected.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/detstat-prevented.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/detstat-prevented.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/device-page-details.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/device-page-details.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/user-page-details.PNG
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/user-page-details.PNG
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
@ -44,23 +44,37 @@ Selecting an alert's name in Defender for Endpoint will land you on its alert pa
 3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
 4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.

-![An alert page when you first land on it](images/alert-landing-view.png)
+Note the detection status for your alert. 
+- Prevented – The attempted suspicious action was avoided. For example, a file either wasn’t written to disk or executed.
+![An alert page showing threat was prevented](images/detstat-prevented.png)
+- Blocked – Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated.
+![An alert page showing threat was blocked](images/detstat-blocked.png)
+- Detected – An attack was detected and is possibly still active.
+![An alert page showing threat was detected](images/detstat-detected.png)

-Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
-Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
+
+
+
+You can then also review the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.

 ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)

 Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details.

+
+
+
 ## Review affected assets

 Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.

- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
+- **For devices**, the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.

-   ![A snippet of the details pane when a device is selected](images/alert-device-details.png)
+   ![A snippet of the details pane when a device is selected](images/device-page-details.png)
+
+- **For users**, the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
+
+   ![A snippet of the details pane when a user is selected](images/user-page-details.png)


 ## Related topics