From 430d1095d49030dd213b9a2ee3de5b0675bde7dc Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 05:19:34 +0000 Subject: [PATCH 01/10] Updated view-incidents-queue.md --- .../windows-defender-atp/view-incidents-queue.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md index a4c3e60b0e..35bd903043 100644 --- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -17,9 +17,9 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] -The **Incidents queue** shows a collection of correlated alerts that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. +The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first. From cf793d401faec2e93febc9fa6141f6a943fcc1fd Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 05:25:16 +0000 Subject: [PATCH 02/10] Updated view-incidents-queue.md --- .../windows-defender-atp/view-incidents-queue.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md index 35bd903043..54c08ae96e 100644 --- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -49,7 +49,7 @@ Informational
(Grey) | Informational incidents are those that might not be Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context. ### Alerts -Indicates the number of alerts associated with or relevant to the incidents. +Indicates the number of alerts associated with or part of the incidents. ### Machines @@ -65,7 +65,7 @@ You can choose to show between unassigned incidents or those which are assigned You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved ### Classification -Use this filter to choose between focusing on incidents flagged as true alerts or false alerts. +Use this filter to choose between focusing on incidents flagged as true or false incidents. ## Related topics - [Incidents queue](incidents-queue.md) From 526ed80cbb3830ece401181ac25eed2473ab36bb Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:09:48 +0000 Subject: [PATCH 03/10] Updated manage-incidents-windows-defender-advanced-threat-protection.md --- ...ts-windows-defender-advanced-threat-protection.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index d1b84625de..83dc1dd39b 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md 
@@ -18,12 +18,10 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] -Windows Defender ATP notifies you of cybersecurity incidents in your network though an aggregated view of correlated alerts from possible malicious events, attributes, and contextual information. - -You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. +Managing incidents is important as part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of its progress. ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) 
@@ -33,17 +31,17 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana ## Assign incidents -If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. +If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it. ## Change the incident status You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation. -Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident is known as benign, or if it is coming from a machine that is irrelevant (such as one belonging to a security administrator), or if it has been dealt with through a series of investigations. +Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident has been remediated. ## Classify the incident -You can choose not to set a classification, or decide to specify whether an incident is a true alert or a false alert. Doing so helps the team see patterns and learn from them. +You can choose not to set a classification, or decide to specify whether an incident is a true or false. Doing so helps the team see patterns and learn from them. ## Rename incident By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification. From 732f117a0bcf3be40da560bfcca294bb1e9d7922 Mon Sep 17 00:00:00 2001 
From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:14:29 +0000 Subject: [PATCH 04/10] Updated manage-incidents-windows-defender-advanced-threat-protection.md --- ...e-incidents-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index 83dc1dd39b..3c6199ece0 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -38,10 +38,10 @@ You can categorize incidents (as **Active**, or **Resolved**) by changing their For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation. -Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident has been remediated. +Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated. ## Classify the incident -You can choose not to set a classification, or decide to specify whether an incident is a true or false. Doing so helps the team see patterns and learn from them. +You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them. ## Rename incident By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification. From 850598954334d65f20e9d61029a5ea70d6e4650c Mon Sep 17 00:00:00 2001 
From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:15:34 +0000 Subject: [PATCH 05/10] Updated manage-incidents-windows-defender-advanced-threat-protection.md --- ...age-incidents-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index 3c6199ece0..765ec4a552 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 09/03/2018 [!include[Prerelease information](prerelease.md)] -Managing incidents is important as part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of its progress. +Managing incidents is important as part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) From 3b919bbae780d6d1caafc4176d194b44ac317520 Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:25:22 +0000 Subject: [PATCH 06/10] Updated investigate-incidents-windows-defender-advanced-threat-protection.md --- ...indows-defender-advanced-threat-protection.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index ab0f55d5c6..f7c5d6587f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md 
@@ -18,32 +18,32 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. ## Analyze incident details -Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph) that you need to investigate. +Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). ![Image of incident details](images/atp-incident-details.png) ### Alerts -You can investigate the associated alerts, manage an alert, and see alert metadata along with other information that can help you make better decisions on how to approach them. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). +You can investigate the associated alerts, manage an alert, and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). ### Machines -You can also investigate the machines that are at risk in a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also investigate the machines that are part of or related to a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). 
![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) ### Investigations -Select **Investigations** to see the summary of the ongoing investigations, the detection source, affected machines, and their duration. +Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) ## Going through the evidence It helps your organization to see a summary and the status of the evidence collated through the incident. -Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. It helps in the decision of ramping the investigating team’s efforts up or down. +Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. ![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png) 
@@ -51,11 +51,11 @@ Your team lead, for example, can take a quick look at the Evidence page to know Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph -The **Graph** provides a visual representation of how the alerts and its evidence are inter-related. +The **Graph** provides a visual representation of the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). ![Image of the incident graph](images/atp-incident-graph-tab.png) -You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances. +You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances. ![Image of indcident details](images/atp-incident-graph-details.png) From 60775db58fecc3cb6d0214420ec12c57e8c3c17d Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:27:16 +0000 Subject: [PATCH 07/10] Updated investigate-incidents-windows-defender-advanced-threat-protection.md --- ...e-incidents-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index f7c5d6587f..adeddf86ab 100644 
--- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -31,7 +31,7 @@ Click an incident to see the **Incident pane**. Select **Open incident page** to You can investigate the associated alerts, manage an alert, and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). ### Machines -You can also investigate the machines that are part of or related to a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). ![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) @@ -51,7 +51,7 @@ Your team lead, for example, can take a quick look at the Evidence page to know Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph -The **Graph** provides a visual representation of the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). +The **Graph** provides tells the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). ![Image of the incident graph](images/atp-incident-graph-tab.png) From bc845f76017d7613867756a0eb446bd7cc14fd96 Mon Sep 17 00:00:00 2001 
From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:27:49 +0000 Subject: [PATCH 08/10] Updated investigate-incidents-windows-defender-advanced-threat-protection.md --- ...ate-incidents-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index adeddf86ab..f8720f6dd0 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ Your team lead, for example, can take a quick look at the Evidence page to know Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph -The **Graph** provides tells the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). +The **Graph** tells the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). ![Image of the incident graph](images/atp-incident-graph-tab.png) From ced07b203dcafa511b85c2514c2527e0d4613bd6 Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 06:30:11 +0000 Subject: [PATCH 09/10] Updated investigate-incidents-windows-defender-advanced-threat-protection.md --- ...ate-incidents-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md index f8720f6dd0..0ba5358b49 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ Your team lead, for example, can take a quick look at the Evidence page to know Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph -The **Graph** tells the story of the cybersecurity attack (for example, what is the entry point, which indicator of compromise or activity was observed on which machine). +The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc. ![Image of the incident graph](images/atp-incident-graph-tab.png) From 226824eb15187854fc3d47dcc8605463fc52f596 Mon Sep 17 00:00:00 2001 From: Dolcita Montemayor Date: Mon, 27 Aug 2018 11:10:39 +0000 Subject: [PATCH 10/10] Updated manage-incidents-windows-defender-advanced-threat-protection.md --- ...age-incidents-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md index 765ec4a552..ac34fa814b 100644 
--- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -21,7 +21,7 @@ ms.date: 09/03/2018 [!include[Prerelease information](prerelease.md)] -Managing incidents is important as part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. +Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
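Review bot: In PATCH 01, hunk `@@ -17,9 +17,9 @@` of view-incidents-queue.md, the rewrite "shows a collection of incidents that were flagged from machines in your network" is circular and loses the one definition the old sentence carried, namely that an incident is a set of correlated alerts. Suggest keeping that: "The **Incidents queue** shows a collection of incidents, each an aggregation of correlated alerts flagged from machines in your network." The `-`/`+` pair on `[!include[Prerelease information](prerelease.md)]` in the same hunk shows no visible change, so it is trailing-whitespace or line-ending noise; drop it so the diff contains only the intended edit (the same no-op pair recurs in the first hunks of PATCH 03 and PATCH 06).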
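Review bot: In PATCH 02, hunk `@@ -49,7 +49,7 @@` (the `### Alerts` entry), "associated with or part of the incidents" still hedges between two relationships for what is simply a count of the alerts that make up each incident. Suggest "Indicates the number of alerts that make up the incident." so the column description matches the definition of an incident as correlated alerts.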
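Review bot: In PATCH 02, hunk `@@ -65,7 +65,7 @@` (the `### Classification` filter), "incidents flagged as true or false incidents" is not a term used anywhere else in this doc set: the line being replaced, and the manage-incidents page touched in PATCH 03, both call the classification values "true alert" and "false alert". Unless the portal labels changed, keep the label text so the filter description matches the UI: "Use this filter to focus on incidents classified as true alerts or false alerts." If the labels did change, the "true or false" wording that PATCH 04 leaves on the manage page should be updated to the same new term.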
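Review bot: In PATCH 03, hunk `@@ -18,12 +18,10 @@` of manage-incidents-windows-defender-advanced-threat-protection.md, replacing the lead sentence with "Managing incidents is important as part of every cybersecurity operation" removes the page's only description of what an incident is (an aggregated view of correlated alerts from possible malicious events, attributes, and contextual information) in favour of a sentence that carries no information. Keep the definition, fixing the typo "though" to "through", and follow it with the how-to sentence. The agreement error in "keep track of its progress" is only corrected in PATCH 05 and the sentence is edited a third time in PATCH 10; squash 03, 05 and 10 into one commit so the file does not pass through broken intermediate states in history.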
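Review bot: In PATCH 03, hunk `@@ -33,17 +31,17 @@`, "Doing so assumes ownership of not just the incident, but also all the alerts associated with it" is a new behavioural claim (assignment cascades to every alert in the incident) that the previous text did not make; please confirm it against the product before it ships, since analysts will rely on it when triaging alerts. Two smaller points in the same hunk: "specify whether an incident is a true or false." is ungrammatical (the noun is missing), and narrowing the **Resolved** guidance to "if the incident has been remediated" drops the other legitimate closure cases the old text listed (benign or false alert, out-of-scope machine); a false-alert incident is still closed as Resolved after classification, so suggest "if the incident has been remediated or classified as a false alert."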
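Review bot: In PATCH 04, hunk `@@ -38,10 +38,10 @@`, "specify whether an incident is true or false" still has no noun after the fix, and it now disagrees with the wording PATCH 02 put on the queue page ("true or false incidents"). Pick one term and use it on both pages; "a true alert or a false alert", the wording this line replaced in PATCH 03, is the safest unless the portal labels changed. This commit and PATCH 05 only repair text introduced in PATCH 03 and should be squashed into it.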
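Review bot: In PATCH 06, hunk `@@ -18,32 +18,32 @@` of investigate-incidents-windows-defender-advanced-threat-protection.md, the `### Investigations` rewrite drops the concrete description of what the tab shows (the detection source, affected machines, and duration of each investigation) in favour of "all the automatic investigations launched by the system in response to the incident alerts"; keep both, e.g. "Select **Investigations** to see the automatic investigations launched in response to the incident's alerts, along with their detection source, affected machines, and duration." In the Evidence paragraph the `+` line carries "how many has been analyzed or remediated" over unchanged; since the line is being edited anyway, make it "how many have been analyzed or remediated".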
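Review bot: In PATCH 06, hunk `@@ -51,11 +51,11 @@`, the `-`/`+` pair on "You can click the circles on the incident graph" shows no visible change, so it is whitespace or line-ending noise; either drop it or use the touch to fix the line's grammar, which is left as is: "how many instances has there been worldwide" should read "how many instances have been seen worldwide", and the trailing "whether it's been observed in your organization, if so, how many instances" needs a conjunction ("and, if so, how many times"). The `### Incident graph` sentence in this hunk is then reworded in PATCH 07, 08 and 09; squash 06 through 09 into one commit.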
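Review bot: In PATCH 07, hunk `@@ -51,7 +51,7 @@`, "The **Graph** provides tells the story of the cybersecurity attack" introduces a typo (two verbs) that PATCH 08 exists solely to remove, after which PATCH 09 rewrites the sentence again. Fold 07, 08 and 09 into PATCH 06 so the history holds one coherent edit of this line rather than a typo and its fix. The first hunk of PATCH 07 (`@@ -31,7 +31,7 @@`, adding the commas in "part of, or related to,") is fine.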
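Review bot: In PATCH 09, hunk `@@ -51,7 +51,7 @@`, the final wording "For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc." ends with a stray ". etc." after a full stop and uses inverted word order in "what was the entry point". Suggest "For example, it shows what the entry point was and which indicator of compromise or activity was observed on which machine."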