mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-19 16:57:23 +00:00
feedback loop 1
This commit is contained in:
parent
8f084f078a
commit
8ec175022e
@ -35,12 +35,19 @@ Quickly triage, investigate and take effective action on alerts that affect your
Clicking on an alert's name in Microsoft Defender ATP will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
Clicking on an alert's name in Microsoft Defender ATP will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
2. **Affected assets** lists cards of devices and users affected by this alert that are clickable for further information and actions.
2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
3. **The alert story** displays all entities related to the alert, interconnected by a tree view in chronological order. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
4. **The details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.


Note the detection status for your alert. Blocked, prevented or remediated would mean actions were already taken by Microsoft Defender ATP.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.

Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details.
## Review affected assets
## Review affected assets
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
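Review bot: "Blocked, prevented or remediated would mean actions were already taken by Microsoft Defender ATP" reads as a conditional rather than a statement of what the status values indicate; suggest "A detection status of Blocked, Prevented, or Remediated means Microsoft Defender ATP has already taken action." The three new paragraphs and the alert-details-pane image are inserted between the four-item overview list and the "Review affected assets" heading with no heading of their own, so the "Other information available in the details pane when the alert opens..." sentence sits far from the "Take action from the details pane" section it describes; consider moving it there or linking it the way the preceding paragraph does. Dropping "in chronological order" from item 3 is consistent with the same removal in the alert story section below.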
@ -52,7 +59,7 @@ Clicking on a device or a user card in the affected assets sections will switch
## Investigate using the alert story
## Investigate using the alert story
The alert story details why the alert was triggered, related events that happened before and after in chronological order, as well as other related entities.
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
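Review bot: With "in chronological order" removed, "related events that happened before and after" no longer says before and after what; suggest "related events that happened before and after the alert" so the sentence stays clear on its own. The removal itself matches the change to item 3 of the overview list in the previous hunk, so the two descriptions of the alert story now agree.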
@ -65,23 +72,24 @@ Expand entities to view details at-a-glance about them. Clicking on an entity wi
## Take action from the details pane
## Take action from the details pane
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when its available, and offer controls to **take action** on this entity directly from the alert page.
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
Aside for device and user, detailed in the [affected assets part](#review-affected-assets), the following entity types are available:
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
- Alert
- Command
- File
- Network connection
- Process
- Registry
- Script
- URL
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. If you classify it as a true alert, you can also select a determination.
If you classify it as a true alert, you can also select a determination, as shown in the image below.


If you are experiencing a false alert with a line-of-business application, create a supression rule to avoid this type of alert in the future

>[!TIP]
>If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
## Transitioning to the new alert page
When making the move to the new alert page you will notice that we have centralized information from the alert process tree, the incident graph, and the artifact timeline into the [alert story](#investigate-using-the-alert-story), with some information available through the [affected assets](#review-affected-assets) section. Any additional information has been consolidated into the details pane for the relevant entities.
## Related topics
## Related topics
- [Incidents overview](incidents-overview.md)
- [Incidents overview](incidents-overview.md)
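Review bot: The list of entity types the details pane supports (Alert, Command, File, Network connection, Process, Registry, Script, URL) and its introductory sentence are deleted with no replacement, so "Take action from the details pane" no longer tells the reader which entities can be selected; if the removal is intentional, the section should at least state that every entity in the alert story can be selected. Wording on the added lines: "historic information, when its available," should read "historic information, when it's available," (the typo is carried over from the old line, and the new comma before "when" does not help); "supression rule" should be "suppression rule" and that sentence lacks a terminating period; "more true alerts and less false alerts" should be "fewer false alerts". Because the "Once you're done investigating" paragraph now opens the section immediately after the details-pane intro, consider keeping it after the entity description so the section still moves from selecting an entity to closing out the alert.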