Create investigate-ip-windows-defender-advanced-threat-protection.md

This commit is contained in:
jcaparas
2016-04-22 19:33:32 +10:00
parent b593977f6a
commit 8e82efc3ca


@ -0,0 +1,41 @@
---
title: Investigate Windows Defender Advanced Threat Protection IP address
description: Use the investigation options to examine possible communication between machines and external IP addresses.
keywords: investigate, investigation, IP address
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: mjcaparas
---
# Investigate an IP address
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
You can information from the following sections in the IP address view:
- IP address details
- IP in organization
- Communication with IP from organization
The IP address details section shows attributes of the IP address such as its ASN and its reverse IPs.
The **IP in organization** section provides details on the prevalence of the IP address in the organization.
The **Communication with IP in organization** section provides a chronological view on the events and associated alerts that were observed on the IP address.
**Investigate an external IP:**
1. Select **IP** from the **Search bar** drop-down menu.
2. Enter the IP address in the **Search** field.
3. Click the search icon or press **Enter**.
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
> **Note**  Search results will only be returned for IP addresses observed in communication with machines in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
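Review bot: the sentence introducing the section list reads "You can information from the following sections in the IP address view:" and is missing its verb; it should be "You can get information from the following sections in the IP address view:". Two names are also inconsistent for the same section: the list item says "Communication with IP from organization" while the explanatory paragraph below says "**Communication with IP in organization**"; pick one wording and use it in both places, and bold "IP address details" in its paragraph the way the other two section names are bolded. Further down, "where you can continue investigate reported alerts" should be "where you can continue investigating reported alerts", and "IP Address" in the details paragraph should be lowercase "IP address" to match the rest of the file. Finally, the Note block about search results only covering IP addresses observed communicating with machines in the organization is the most important scoping caveat on the page; consider moving it directly under the procedure heading so a reader sees it before running a search and drawing conclusions from an empty result.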