general updates

This commit is contained in:
Joey Caparas 2017-09-20 14:39:40 -07:00
parent 56c18eb36a
commit 93b2bc88b7
3 changed files with 6 additions and 22 deletions

View File

@ -77,7 +77,7 @@ Field numbers match the numbers in the images below.
![Image of artifact timeline with numbers](images/atp-siem-mapping3.png) ![Image of artifact timeline with numbers](images/atp-siem-mapping3.png)
![Image of alert timeline with numbers](images/atp-siem-mapping4.png) ![Image of artifact timeline with numbers](images/atp-siem-mapping4.png)
![Image machine view](images/atp-mapping6.png) ![Image machine view](images/atp-mapping6.png)
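Review bot: The alt-text change on the second image line of this hunk makes `images/atp-siem-mapping4.png` carry the same alt text as `images/atp-siem-mapping3.png` ("Image of artifact timeline with numbers"), while the text it replaces described mapping4 as the alert timeline; two different images with identical alt text lose the distinction screen readers depend on, so keep a distinct description for mapping4 (e.g. `![Image of alert timeline with numbers](images/atp-siem-mapping4.png)`) if that is what the image shows.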

View File

@ -93,18 +93,8 @@ Use the search bar to look for specific timeline events. Harness the power of us
- Behaviors mode: displays "detections" and selected events of interest - Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays all raw events without aggregation or filtering - Verbose mode: displays all raw events without aggregation or filtering
- **Event type** - Click the drop-down button to filter by the following levels: - **Event type** - Click the drop-down button to filter by events such as Windows - Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others.
- Windows Defender ATP alerts
- Windows Defender AV alerts
- Response actions
- AppGuard related events
- Windows Defender Device Guard events
- Process events
- Network events
- File events
- Registry events
- Load DLL events
- Other events <br><br>
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
- **User account** Click the drop-down button to filter the machine timeline by the following user associated events: - **User account** Click the drop-down button to filter the machine timeline by the following user associated events:
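Review bot: The new **Event type** sentence has a stray "Windows - " before "Windows Defender ATP alerts" (`... filter by events such as Windows - Windows Defender ATP alerts, ...`), which reads as a leftover from the old list; drop it so the line reads `filter by events such as Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others.` Also, the paragraph that follows still uses "Process events" and "network events" as its filter examples, but after this change those event types (along with Windows Defender AV alerts, Response actions and Load DLL events from the removed list) are only covered by "and others"; either name them in the sentence or align the example paragraph with the event types that are still listed.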

View File

@ -60,19 +60,14 @@ You can use the following filters to limit the list of machines displayed during
- Mac OS - Mac OS
- Other - Other
**Health**</br>
- All
- Well configure
- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters.
**Sensor health state**</br> **Sensor health state**</br>
Filter the list to view specific machines grouped together by the following machine health states: Filter the list to view specific machines grouped together by the following machine health states:
- **Active** Machines that are actively reporting sensor data to the service. - **Active** Machines that are actively reporting sensor data to the service.
- **Misconfigured** Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: - **Misconfigured** Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
- Impaired communications
- No sensor data - No sensor data
- Impaired communications
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
- **Inactive** Machines that have completely stopped sending signals for more than 7 days. - **Inactive** Machines that have completely stopped sending signals for more than 7 days.
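Review bot: The replacement sentence "Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters." is left between the OS platform list and the **Sensor health state** heading with no heading of its own, so it reads as a stray remark; since it describes the filter set as a whole, move it up next to the intro line ("You can use the following filters to limit the list of machines displayed...") or drop it. Removing the duplicated **Health** block (All / Well configure / Requires attention) is right, as the later hunk keeps the "well configured or require attention" section with the same two states. The reorder of the **Misconfigured** sub-bullets (No sensor data, then Impaired communications) is harmless; while here, "can further be classified to:" on the unchanged line above should read "classified as:".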
@ -85,6 +80,7 @@ Filter the list to view specific machines that are well configured or require at
- **Well configured** - Machines have the Windows Defender security controls well configured. - **Well configured** - Machines have the Windows Defender security controls well configured.
- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
**Malware category alerts**</br> **Malware category alerts**</br>
Filter the list to view specific machines grouped together by the following malware categories: Filter the list to view specific machines grouped together by the following malware categories:
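Review bot: The added line "For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)." sits directly above `**Malware category alerts**</br>` with no blank line, so in Markdown it will render as one paragraph together with the bolded heading text; add a blank line after the added sentence (or follow the `</br>` convention this file already uses for section breaks), and confirm the linked file exists under that name in the repo.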
@ -109,13 +105,11 @@ Exporting the list in CSV format displays the data in an unfiltered manner. The
You can sort the **Machines list** by the following columns: You can sort the **Machines list** by the following columns:
- **Machine name** - Name or GUID of the machine - **Machine name** - Name or GUID of the machine
- **Domain** - Domain where the machine is joined in
- **OS Platform** - Indicates the OS of the machine
- **Health State** Indicates if the machine is misconfigured or is not sending sensor data - **Health State** Indicates if the machine is misconfigured or is not sending sensor data
- **Last seen** - Date and time when the machine last reported sensor data - **Last seen** - Date and time when the machine last reported sensor data
- **Internal IP** - Local internal Internet Protocol (IP) address of the machine - **Internal IP** - Local internal Internet Protocol (IP) address of the machine
- **Active Alerts** - Number of alerts reported by the machine by severity - **Active Alerts** - Number of alerts reported by the machine by severity
- **Active malware detections** - Number of active malware detections reported by the machine - **Active malware alerts** - Number of active malware detections reported by the machine
> [!NOTE] > [!NOTE]
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product. > The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
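Review bot: The column rename on the last bullet (**Active malware detections** to **Active malware alerts**) is not carried into the note two lines below, which still says "The **Active malware detections** filter column will only appear if ..."; update the note to the new column name so the two agree. Since the **Domain** and **OS Platform** bullets are removed here, confirm those columns are actually gone from the Machines list rather than only from the docs, and the **Health State** bullet is now the only entry in the list without the ` - ` separator after the bold name.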