Merge branch 'atp-rs5' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs5

2025-06-19 12:23:37 +00:00 · 2018-08-27 11:25:39 -07:00
parent f8f5af8f82 226824eb15
commit 8b1234adf7
3 changed files with 17 additions and 19 deletions
--- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
@ -18,32 +18,32 @@ ms.date: 09/03/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)

-[!include[Prerelease<EFBFBD>information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]

 Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. 

 ## Analyze incident details 
-Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph) that you need to investigate. 
+Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). 

 ![Image of incident details](images/atp-incident-details.png)

 ### Alerts
-You can investigate the associated alerts, manage an alert, and see alert metadata along with other information that can help you make better decisions on how to approach them. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). 
+You can investigate the associated alerts, manage an alert, and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). 

 ### Machines
-You can also investigate the machines that are at risk in a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).

 ![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)

 ### Investigations
-Select **Investigations** to see the summary of the ongoing investigations, the detection source, affected machines, and their duration.
+Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.

 ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)

 ## Going through the evidence
 It helps your organization to see a summary and the status of the evidence collated through the incident.
 
-Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. It helps in the decision of ramping the investigating team<61>s efforts up or down.
+Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. 

 ![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)

@ -51,11 +51,11 @@ Your team lead, for example, can take a quick look at the Evidence page to know
 Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.

 ### Incident graph
-The **Graph** provides a visual representation of how the alerts and its evidence are inter-related.
+The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.

 ![Image of the incident graph](images/atp-incident-graph-tab.png)

-You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it<EFBFBD>s been observed in your organization, if so, how many instances.
+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.

 ![Image of indcident details](images/atp-incident-graph-details.png)

--- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
@ -18,12 +18,10 @@ ms.date: 09/03/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)

-[!include[Prerelease<EFBFBD>information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]


-Windows Defender ATP notifies you of cybersecurity incidents in your network though an aggregated view of correlated alerts from possible malicious events, attributes, and contextual information. 
-
-You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
+Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. 

 ![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)

@ -33,17 +31,17 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana


 ## Assign incidents
-If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself.
+If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.

 ## Change the incident status
 You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.

 For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.

-Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident is known as benign, or if it is coming from a machine that is irrelevant (such as one belonging to a security administrator), or if it has been dealt with through a series of investigations.
+Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated. 

 ## Classify the incident 
-You can choose not to set a classification, or decide to specify whether an incident is a true alert or a false alert. Doing so helps the team see patterns and learn from them.
+You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.

 ## Rename incident
 By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
--- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
@ -17,9 +17,9 @@ ms.date: 09/03/2018
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)

-[!include[Prerelease<EFBFBD>information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]

-The **Incidents queue** shows a collection of correlated alerts that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
+The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.

 By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.

@ -49,7 +49,7 @@ Informational </br>(Grey) | Informational incidents are those that might not be
 Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.

 ### Alerts
-Indicates the number of alerts associated with or relevant to the incidents.
+Indicates the number of alerts associated with or part of the incidents.


 ### Machines
@ -65,7 +65,7 @@ You can choose to show between unassigned incidents or those which are assigned
 You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved

 ### Classification
-Use this filter to choose between focusing on incidents flagged as true alerts or false alerts.
+Use this filter to choose between focusing on incidents flagged as true or false incidents.

 ## Related topics
 - [Incidents queue](incidents-queue.md)