diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index a5656c2c63..a6635cfc08 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -738,34 +738,34 @@ #### [Understand the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) #### [Alerts queue overview](alerts-queue-windows-defender-advanced-threat-protection.md) -##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) -###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) -###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) -##### [Consume alerts and create custom threat intelligence](configure-siem-windows-defender-advanced-threat-protection.md) -###### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -###### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -###### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -###### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -####### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -####### [Create custom threat intelligence using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) -####### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +##### [Alert process 
tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) +##### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) +##### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) +#### [Consume alerts and create custom threat intelligence](configure-siem-windows-defender-advanced-threat-protection.md) +##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +###### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Create custom threat intelligence using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) #### [Machines view overview](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) -###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) -###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline 
events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -##### [Respond to machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) -###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) -###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) -###### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -####### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -####### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +##### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) +##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +##### [Navigate between 
pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +#### [Respond to machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +##### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) +##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) #### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Respond to file related alerts](respond-file-alerts-windows-defender-advanced-threat-protection.md) ###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) diff --git a/windows/keep-secure/images/atp-actor-report.png b/windows/keep-secure/images/atp-actor-report.png new file mode 100644 index 0000000000..c7c4d60928 Binary files /dev/null and b/windows/keep-secure/images/atp-actor-report.png differ 
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 2c7ff91645..a27a01816b 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -25,7 +25,7 @@ localizationpriority: high You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown. -You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. +You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. Alerts attributed to an adversary or actor display a colored tile with the actor's name. 
@@ -35,6 +35,10 @@ Click on the actor's name to see the threat intelligence profile of the actor, i Some actor profiles include a link to download a more comprehensive threat intelligence report. +![Image of detailed actor profile](images/atp-actor-report.png) + +The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. + ## Alert process tree The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index 8e1e9a8499..30b7b98916 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ Clicking on the number of total logged on users in the Logged on user tile opens ![Image of user details pane](images/atp-user-details-pane.png) -You'll also see details such as logon types for each user account, the user group, and when the account was logged in. +You'll also see details such as logon types for each user account, the user group, and when the account was logged in. For more information, see [Investigate user entities](investigate-user-entity-windows-defender-advanced-threat-protection.md). 
@@ -75,12 +75,13 @@ Use the search bar to look for specific alerts or files associated with the mach - **Detections mode**: displays Windows ATP Alerts and detections - **Behaviors mode**: displays "detections" and selected events of interest - **Verbose mode**: displays "behaviors" (including "detections"), and all reported events -- **User** – Click the drop-down button to filter the machine timeline by the following users associated to an action taken that triggered an alert: +- **User** – Click the drop-down button to filter the machine timeline by the following user associated events: - Logon users - System - Network - Local service + ### Filter events from a specific date Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day. @@ -102,6 +103,7 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png) + You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address.
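Review bot: the TOC hunk (`@@ -738,34 +738,34 @@`) changes only heading depth, yet every link to `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` on both the `-` and `+` sides carries the misspelling "unhealhty"; leave the filename as it is unless the file itself is renamed in the same change, otherwise these three TOC links break at build time. Promoting `Investigate alerts`, `Consume alerts and create custom threat intelligence`, `Manage alerts`, `Investigate machines`, `Respond to machine alerts` and `Check sensor status` from `#####` to `####` makes them siblings of `Alerts queue overview` and `Machines view overview` rather than children; that is consistent with the unchanged `Investigate files` block below them, but confirm it is the intended hierarchy.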
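Review bot: in the `@@ -25,7 +25,7 @@` hunk of investigate-alerts, the sentence appended to the `+` line, `Alerts attributed to an adversary or actor display a colored tile with the actor's name.`, sits at the end of a paragraph about navigating to the **Machine timeline** and reads as a non sequitur there; move it into its own paragraph next to the `Click on the actor's name to see the threat intelligence profile` text in the following hunk, so the tile is introduced where the profile is described.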
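Review bot: in the `@@ -35,6 +35,10 @@` hunk, the new paragraph opens with `The detailed alert profile helps you understand who the attackers are`, but the surrounding context and the new image alt text (`Image of detailed actor profile`) both describe an actor profile; change `alert profile` to `actor profile`. In the same paragraph, `Threat Intelligence report` is capitalized differently from `threat intelligence report` in the unchanged line directly above it; use one form.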
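Review bot: in the `@@ -51,7 +51,7 @@` hunk of investigate-machines, the added cross-reference targets `investigate-user-entity-windows-defender-advanced-threat-protection.md`, a file this patch neither adds nor lists in its TOC hunk; confirm the page exists on this branch (or lands alongside this change) so the link does not fail the build.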
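Review bot: in the `@@ -75,12 +75,13 @@` hunk, the reworded `+` line `filter the machine timeline by the following user associated events:` is followed by a list of user types (`Logon users`, `System`, `Network`, `Local service`), not events, and `user associated` needs a hyphen; suggest `filter the machine timeline by events associated with the following user types:`. While here, the unchanged context line `displays Windows ATP Alerts and detections` uses a product name that differs from `Windows Defender ATP alerts` used elsewhere in these pages. The blank line added before `### Filter events from a specific date` is fine.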
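Review bot: in the `@@ -102,6 +103,7 @@` hunk, the unchanged context below the added blank line reads `Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes`; since this region is already being touched, fix the grammar to `to investigate the identified processes further`.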