mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 13:23:36 +00:00
merge hexadite
This commit is contained in:
@ -52,6 +52,9 @@
##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Automated investigations](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
####Machines list
##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
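Review bot: the new TOC node `####Machines list` is missing the space after the heading marker; every other entry in this hunk is written `#### [...]` or `##### [...]` with a space, so write it as `#### Machines list` so it is parsed as a heading node rather than literal text.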
@ -42,7 +42,7 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti
> [!NOTE]
> By default, alerts in the queues are sorted from newest to oldest.


## Sort, filter, and group the alerts list
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
@ -101,6 +101,22 @@ So, for example:
The grouped view allows for efficient alert triage and management.
## Alert queue columns
You can click on the first column to open up the **Alert management pane**. You can also select view the machine and user panes by selecting the icons beside the links.
Alerts are listed with the following columns:
- **Title** - Displays a brief description of the alert and its category.
- **Machine and user** - Displays the machine name and user associated with the alert. You view the machine or user details pane or pivot the actual details page.
- **Severity** - Displays the severity of the alert. Possible values are informational, low, medium, or high.
- **Last activity** - Date and time for when the last action was taken on the alert.
- **Time in queue** - Length of time the alert has been in the alerts queue.
- **Detection source** - Displays the detection source of the alert.
- **Status** - Current status of the alert. Possible values include new, in progress, or resolved.
- **Investigation state** - Reflects the number of related investigations and it's current state.
- **Assigned to** - Displays who is addressing the alert.
- **Manage icon** - You can click on the icon to bring up the alert management pane where you can manage and see details about the alert.
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
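Review bot: two sentences in the new Alert queue columns section are ungrammatical: "You can also select view the machine and user panes by selecting the icons beside the links" should read "You can also view the machine and user panes by selecting the icons beside the links", and the Machine and user bullet "You view the machine or user details pane or pivot the actual details page" needs "You can view ... or pivot to the actual details page". The Investigation state bullet uses "it's current state" where the possessive "its" is meant. The opening sentence also says clicking the first column opens the Alert management pane while the Manage icon bullet attributes that to the icon; describe one entry point, or both, consistently.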
@ -0,0 +1,170 @@
---
title: Automated investigations in Windows Defender Advanced Threat Protection
description: View the list of automated investigations, its status, detection source and other details.
keywords: automated, investigation, detection, source, threat types, id, tags, endpoints, duration, filter export
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 03/15/2018
---
# Automated investigations list in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
The Windows Defender ATP service has a wide breadth of visibility on multiple endpoints. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
To address this challenge, Windows Defender ATP uses automated investigations to dramatically reduce the volume of alerts that need to be investigated individually. The automated investigation feature leverages on the use of artificial intelligence, inspection algorithms, and processes used by analysts to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
The automated investigations list aggregates all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Sort, filter, and manage automated investigations
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
### Filters
You can use the following operations to customize the list of investigations displayed during an investigation:
#### ID
A designated identification number for the investigation. You can click on the link to open the details of the investigation.
#### Status
The current state of an investigation classifications are classified as:
- No threats found - No malicious entities found during the investigation.
- Partially remediated - A problem prevented the remediation of some malicious entities.
- Failed - A problem has interrupted the investigation, and preventing it from completing.
- Action required - Remediation requires review and approval.
- Waiting for machine(s) - Investigation paused. The investigation will resume as soon as the machine is available.
- Queued - Investigation has been queued and will resume as soon as other remediation activities are completed.
- Running - Investigation ongoing. Malicious entities found will be remediated.
- Remediated - Malicious entities found were successfully remediated.
- Terminated by system - Investigation was stopped.
#### Detection source
Source of the alert that initiated the investigation.
#### Automated investigation
The alert that initiated the investigation.
#### Threat types
The category of threat detected during the investigation.
#### Tags
Filter using manually added tags that capture the context of an investigation.
#### Machines
Multiple investigations can be initiated on an endpoint. You can filter the automated investigations list to zone in a specific endpoint to see other investigations related to the endpoint.
#### Status details
You can filter based on the current status of ongoing or completed investigations.
#### Endpoint groups
Apply this filter to see specific machine groups that you might have created.
#### Comments
Select between filtering the list between investigations that have comments and those that don't.
## Analyze automated investigations
You can view the details of an automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the endpoint that was investigated, and other information.
In this view, you<6F>ll see the name of the investigation, when it started and the duration of time that has passed in the status state.
The comments and tags allow you to add and review tags and comments that were added about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You<EFBFBD>ll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Threats
- Entities
- Log
- Pending actions
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Selecting an alert using the checkbox brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the endpoint name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an endpoint name brings you the machine page.
### Threats
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You<6F>ll gain insight into details as how many are infected, remediated, suspicious, verified, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You<6F>ll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you<6F>ll see information such as the summary of the action and input data.
### Pending actions history
This tab is displayed if there are any pending actions on the investigation.
## Pending actions on investigations
The pending actions view aggregates all the files and processes that require action for an investigation to proceed / completed.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export to CSV** feature, specify the number of items to show per page, and navigate between pages.
Selecting a file opens a panel where information such as file details, investigation details, and alert details is displayed.
Selecting a process also opens a panel where information such as process details, investigation details, alert details, comments and history is displayed.
From either of these views, you can click on the Open investigation page link to see the investigation details.
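Review bot: five lines of the new file carry a mis-encoded apostrophe (shown here as `<6F>` / `<EFBFBD>`) in "you'll" / "You'll" (the Analyze automated investigations paragraph, the Investigation page lead-in, the Entities and Log sections, and the action details sentence); replace them with a plain ASCII apostrophe or the page will render U+FFFD. Several sentences also need grammar fixes: "The current state of an investigation classifications are classified as:" (say "An investigation's current state is classified as:"), "A problem has interrupted the investigation, and preventing it from completing" (drop "and"), "zone in a specific endpoint" (should be "zoom in on a specific endpoint"), "Shows details the endpoint name" (missing "such as"), "The table details such as the number of entities that were analyzed" (missing verb), and "require action for an investigation to proceed / completed". The list of investigation page sections names a "Pending actions" section but the heading below it reads "Pending actions history"; align the two. The front matter description "View the list of automated investigations, its status" should read "their status".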
@ -54,10 +54,7 @@ For more information see, [Alerts overview](alerts-queue-windows-defender-advanc
The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
## Daily machines reporting
The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.

## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
@ -68,13 +65,6 @@ Click the name of the machine to see details about that machine. For more inform
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
## Users at risk
The tile shows you a list of user accounts with the most active alerts.

Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
@ -101,6 +91,33 @@ Clicking on any of these categories will navigate to the [Machines list](investi
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
## Daily machines reporting
The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.

## Active automated investigations
You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending asset**, **Running**, and **Pending approval**.

## Automated investigations statistics
This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigaiton to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.

You can click on **Investigations completed**, **Successfully remediated**, and **Alerts investigated** to navigate to the **Invesgations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
## Users at risk
The tile shows you a list of user accounts with the most active alerts.

Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
## Sensor health
The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
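Review bot: two typos in the new tile text: "investigaiton" in the Automated investigations statistics paragraph and "**Invesgations** page" in the navigation sentence that follows it. The Active automated investigations tile groups investigations as **Pending asset**, **Running**, and **Pending approval**, but the automated investigations page added in this same change lists the corresponding statuses as "Waiting for machine(s)", "Running", and "Action required"; use one set of names on both pages, or state which tile group maps to which status so an analyst can reconcile the counts.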
Binary file not shown.
After Width: | Height: | Size: 13 KiB |
Binary file not shown.
After Width: | Height: | Size: 26 KiB |
Binary file not shown.
After Width: | Height: | Size: 76 KiB |
Binary file not shown.
After Width: | Height: | Size: 130 KiB |
@ -37,11 +37,11 @@ You can use the [Windows Defender ATP portal](https://securitycenter.windows.com
## Windows Defender ATP portal
When you open the portal, you’ll see the main areas of the application:


- (1) Navigation pane
- (2) Main portal
- (3) Search, Feedback, Settings, Help and support
- (3) Search, Tech community, Time settings, Help and support, Feedback
> [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
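Review bot: the new list item "(3) Search, Tech community, Time settings, Help and support, Feedback" does not match the table row added further down in this same change, which labels the area "Search, Community center, Time settings, Notifications, Help and support, Feedback"; pick one label ("Community center" is the name used in the navigation table) and either include or drop Notifications in both places.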
@ -51,15 +51,16 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
**Dashboards** | Enables you to view the Security operations, the Security analytics dashboard, or
**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Security analytics dashboard.
**Endpoint management** | Provides access to endpoints such as clients and servers. Allows you to download the onboarding configuration package for endpoints. It also provides access to endpoint offboarding.
**Community center** | Access the Community center to learn, collaborate, and share experiences about the product.
(2) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
(3) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. </br> **Feedback** - Access the feedback button to provide comments about the portal. </br> **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. </br> **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
**(3) Search, Community center, Time settings, Notifications, Help and support, Feedback** | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.</br></br> **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. </br></br> **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. </br></br> **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.</br></br> **Feedback** - Access the feedback button to provide comments about the portal.
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:
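Review bot: the replacement **Dashboards** row ends mid-sentence, "Enables you to view the Security operations, the Security analytics dashboard, or" with nothing after "or"; complete the sentence. In the (3) row the **Time settings** description is pasted twice, "**Community center** -Access" is missing a space after the dash, and the Time settings text ("set time zones and view license information") was carried over from the old **Settings** entry, so confirm license information is still reached from Time settings. The (1) Navigation pane row still lists only Dashboards, Alerts queue, Machines list, Service health, Preferences setup, and Endpoint management, while the table now has rows for Automated investigations, Advanced hunting, and Community center; update that list to match.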