diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png new file mode 100644 index 0000000000..a629704d07 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-detected.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac.png b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac.png new file mode 100644 index 0000000000..785afce704 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/detection-status-prevented-mac.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index 8c8681dc5c..8739ed92c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md 
@@ -52,14 +52,23 @@ Note the detection status for your alert. - Blocked – Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated. - Detected – An attack was detected and is possibly still active. + + +![Detection status detected in Windows](images/detection-status-detected.png) + Blocked or prevented means actions were already taken by Defender for Endpoint. -Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. +You can then also review the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png) Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details. +For alerts from Mac and Linux devices, remediation actions can be seen within the alert story as well as in the details pane. + +![Detection status detected in Mac](images/detection-status-prevented-mac.png) + + ## Review affected assets Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
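Review bot: The alt text of the new Mac screenshot contradicts the image it references: `![Detection status detected in Mac](images/detection-status-prevented-mac.png)` says "detected" while the file name says "prevented" and the sentence introducing it is about remediation actions already taken. Make the alt text match what the screenshot shows, e.g. `![Detection status prevented in Mac](images/detection-status-prevented-mac.png)`, and since the sentence covers both Mac and Linux but only a Mac image is added, either add the Linux screenshot or say explicitly that the image is the Mac example. Also collapse the run of three blank lines before `## Review affected assets` to a single blank line, matching the spacing used elsewhere in the file.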