mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 13:17:23 +00:00
update manage alerts
This commit is contained in:
parent
c1d464a482
commit
ab0b95be2c
@ -88,44 +88,6 @@ If you have specific machine groups that you're interested in checking the alert
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md).
## Manage alerts
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.

You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
- Change the status of an alert from new, to in progress, or resolved.
- Specify the alert classification from true alert or false alert by selecting **In progress**.
Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
- APT
- Malware
- Security personnel
- Security testing
- Unwanted software
- Other
- Assign the alert to yourself if the alert is not yet assigned.
- View related activity on the machine.
- Add and view comments about the alert.
>[!NOTE]
>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section.
### Use the User details pane
Selecting a user brings up the **User details** pane where you can see information such as machine details, related alerts, last IP address, when the machine was first and last seen reporting to the service, and information on the logged on users.

### Bulk edit alerts
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action.

## Related topics
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
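Review bot: the Determination values listed under the removed Manage alerts section (APT, Malware, Security personnel, Security testing, Unwanted software, Other) have no counterpart in the manage-alerts content this commit adds, whose Alert classification section mentions only true alert or false alert; either carry the list over into that section or confirm it is documented elsewhere. The removed "Use the User details pane" and "Bulk edit alerts" subsections likewise do not reappear in the other file touched by this commit, so check they were meant to go.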
Binary file not shown.
Before Width: | Height: | Size: 80 KiB After Width: | Height: | Size: 76 KiB |
Binary file not shown.
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 68 KiB |
Binary file not shown.
Before Width: | Height: | Size: 87 KiB After Width: | Height: | Size: 115 KiB |
@ -10,48 +10,30 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 09/03/2018
---
# Manage Windows Defender Advanced Threat Protection alerts
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
Selecting an alert in either of those places brings up the **Alert management pane**.


## Change the status of an alert
You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
## Alert classification
You can specify if an alert is a true alert or a false alert.
## Link to another incident
You can create a new incident from the alert or link to an existing incident.
## Assign alerts
If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
## Add comments and view the history of an alert
You can add comments and view historical events about an alert to see previous changes made to the alert.
Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
Added comments instantly appear on the pane.
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
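Review bot: "If an alert is no yet assigned" under Assign alerts should read "not yet assigned"; if that line is kept in the new version of the file, it needs the fix. Also "brings up the **Alert management pane**" bolds the word "pane", while every other occurrence in this file writes "**Alert management** pane"; settle on one form. The ms.date bump to 09/03/2018 and dropping "menu" after **Alerts queue** read fine.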
@ -80,32 +62,18 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
2. Scroll down to the **Create a supression rule** section.
2. Select **Create a supression rule**.

3. Enter an alert title then select an indicator of compromise from the drop-down list.

> [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert.
4. Specify the suppression conditions by entering values for any of the following:
- Sha1
- File name
- Folder path
> [!NOTE]
> The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions by removing the deselecting the checkbox.
3. Select the **Trigerring IOC**.
5. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
4. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
6. Click **Save and close**.
5. Enter a rule name and a comment.
6. Click **Save**.
### View the list of suppression rules
#### View the list of suppression rules
1. In the navigation pane, select **Settings** > **Alert suppression**.
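Review bot: two typos in the rewritten steps: the new step 2 "Select **Create a supression rule**" carries over the old misspelling and should be "suppression rule", and step 3 "Select the **Trigerring IOC**" should be "Triggering IOC". The heading "### View the list of suppression rules" is changed to "####", which skips a level directly under "## Suppress alerts"; keep it at "###". The rewritten step 4 also drops the note that the alert's SHA1 cannot be modified and the Sha1/File name/Folder path condition list; confirm that matches the new flow rather than being lost in the rewrite.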
@ -113,6 +81,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
## Change the status of an alert
You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
## Alert classification
You can choose not to set a classification, or specify if an alert is a true alert or a false alert.
## Add comments and view the history of an alert
You can add comments and view historical events about an alert to see previous changes made to the alert.
Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
Added comments instantly appear on the pane.
## Related topics
- [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
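Review bot: the line "For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)" is missing its closing period, and the link text "View and organize the Windows Defender Advanced Threat Protection Alerts queue " has a trailing space before the "]". The three sections re-added here (Change the status of an alert, Alert classification, Add comments and view the history of an alert) repeat the text from the earlier hunk word for word, which is fine for a move, but "Assign alerts" and "Link to another incident" from that hunk are not re-added here; if they were removed above, check that was intended.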