deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 04:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'atp-rs5' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs5

Browse Source
This commit is contained in:
Joey Caparas
2018-08-27 11:25:39 -07:00
parent f8f5af8f82 226824eb15
commit 8b1234adf7
3 changed files with 17 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
View File

@ -18,32 +18,32 @@ ms.date: 09/03/2018
**Applies to:** **Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<EFBFBD>information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
## Analyze incident details ## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph) that you need to investigate. Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
![Image of incident details](images/atp-incident-details.png) ![Image of incident details](images/atp-incident-details.png)
### Alerts ### Alerts
You can investigate the associated alerts, manage an alert, and see alert metadata along with other information that can help you make better decisions on how to approach them. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). You can investigate the associated alerts, manage an alert, and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).
### Machines ### Machines
You can also investigate the machines that are at risk in a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) ![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)
### Investigations ### Investigations
Select **Investigations** to see the summary of the ongoing investigations, the detection source, affected machines, and their duration. Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)
## Going through the evidence ## Going through the evidence
It helps your organization to see a summary and the status of the evidence collated through the incident. It helps your organization to see a summary and the status of the evidence collated through the incident.
Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. It helps in the decision of ramping the investigating team<61>s efforts up or down. Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated.
![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png) ![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
@ -51,11 +51,11 @@ Your team lead, for example, can take a quick look at the Evidence page to know
Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
### Incident graph ### Incident graph
The **Graph** provides a visual representation of how the alerts and its evidence are inter-related. The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
![Image of the incident graph](images/atp-incident-graph-tab.png) ![Image of the incident graph](images/atp-incident-graph-tab.png)
You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it<EFBFBD>s been observed in your organization, if so, how many instances. You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether its been observed in your organization, if so, how many instances.
![Image of indcident details](images/atp-incident-graph-details.png) ![Image of indcident details](images/atp-incident-graph-details.png)

12
windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
View File

@ -18,12 +18,10 @@ ms.date: 09/03/2018
**Applies to:** **Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<EFBFBD>information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
Windows Defender ATP notifies you of cybersecurity incidents in your network though an aggregated view of correlated alerts from possible malicious events, attributes, and contextual information. Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
@ -33,17 +31,17 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
## Assign incidents ## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
## Change the incident status ## Change the incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation. For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident is known as benign, or if it is coming from a machine that is irrelevant (such as one belonging to a security administrator), or if it has been dealt with through a series of investigations. Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
## Classify the incident ## Classify the incident
You can choose not to set a classification, or decide to specify whether an incident is a true alert or a false alert. Doing so helps the team see patterns and learn from them. You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
## Rename incident ## Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification. By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.

8
windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
View File

@ -17,9 +17,9 @@ ms.date: 09/03/2018
**Applies to:** **Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<EFBFBD>information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
The **Incidents queue** shows a collection of correlated alerts that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first. By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
@ -49,7 +49,7 @@ Informational </br>(Grey) | Informational incidents are those that might not be
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context. Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
### Alerts ### Alerts
Indicates the number of alerts associated with or relevant to the incidents. Indicates the number of alerts associated with or part of the incidents.
### Machines ### Machines
@ -65,7 +65,7 @@ You can choose to show between unassigned incidents or those which are assigned
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
### Classification ### Classification
Use this filter to choose between focusing on incidents flagged as true alerts or false alerts. Use this filter to choose between focusing on incidents flagged as true or false incidents.
## Related topics ## Related topics
- [Incidents queue](incidents-queue.md) - [Incidents queue](incidents-queue.md)