check in all incident content

windows/security/threat-protection/TOC.md

@@ -16,6 +16,12 @@
 #### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
 #### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
 ##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+##### [Incidents queue](windows-defender-atp/incidents-queue.md)
+###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md)
+###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md)
+###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
+
+
 ##### Alerts queue
 ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -14,6 +14,13 @@
 ### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
 ### [Endpoint detection and response](overview-endpoint-detection-response.md)
 #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+#### [Incidents queue](incidents-queue.md)
+##### [View and organize the Incidents queue](view-incidents-queue.md)
+##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
+##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
+
+
 #### Alerts queue
 ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/get-started.md

@@ -13,7 +13,7 @@ ms.localizationpriority: high
 ms.date: 09/03/2018
 ---
 
-## Get started with Windows Defender Advanced Threat Protection
+# Get started with Windows Defender Advanced Threat Protection
 Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
 
 The following capabilities are available across multiple products that make up the Windows Defender ATP platform. 

windows/security/threat-protection/windows-defender-atp/incidents-queue.md

@@ -0,0 +1,35 @@
+---
+title: Incidents queue in Windows Defender ATP
+description:
+keywords: incidents, aggregate, investigations, queue, ttp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/03/2018
+---
+
+# Incidents queue in Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations. 
+
+Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
+ 
+
+## In this section
+
+Topic | Description 
+:---|:---
+[View and organize the Incidents queue](view-incidents-queue.md)|  See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
+[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Leanr how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
+[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)|  See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
+
+

windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,64 @@
+---
+title: Investigate incidents in Windows Defender ATP
+description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident 
+keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 0
+
+# Investigate incidents in Windows Defender ATP
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. 
+
+## Analyze incident details 
+Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph) that you need to investigate. 
+
+![Image of incident details](images/atp-incident-details.png)
+
+### Alerts
+You can investigate the associated alerts, manage an alert, and see alert metadata along with other information that can help you make better decisions on how to approach them. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). 
+
+### Machines
+You can also investigate the machines that are at risk in a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+
+![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)
+
+### Investigations
+Select **Investigations** to see the summary of the ongoing investigations, the detection source, affected machines, and their duration.
+
+![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)
+
+## Going through the evidence
+It helps your organization to see a summary and the status of the evidence collated through the incident.
+ 
+Your team lead, for example, can take a quick look at the Evidence page to know how many has been analyzed or remediated so far, out of all the evidence collated. It helps in the decision of ramping the investigating team’s efforts up or down.
+
+![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
+
+## Visualizing associated cybersecurity threats 
+Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
+
+### Incident graph
+The **Graph** provides a visual representation of how the alerts and its evidence are inter-related.
+
+![Image of the incident graph](images/atp-incident-graph-tab.png)
+
+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.
+
+![Image of indcident details](images/atp-incident-graph-details.png)
+
+## Related topics
+
+
+

windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,60 @@
+---
+title: Manage Windows Defender ATP incidents
+description: Manage incidents by assigning it, updating its status, or setting its classification. 
+keywords: incidents, manage, assign, status, classification, true alert, false alert
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 0
+
+# Manage Windows Defender ATP incidents
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Windows Defender ATP notifies you of cybersecurity incidents in your network though an aggregated view of correlated alerts from possible malicious events, attributes, and contextual information. 
+
+You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
+
+![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
+
+Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+
+![Image of incident detail page](images/atp-incident-details-page.png)
+
+
+## Assign incidents
+If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself.
+
+## Change the incident status
+You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
+
+For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
+
+Alternatively, your SoC analyst might assign the incident as **Resolved** if the incident is known as benign, or if it is coming from a machine that is irrelevant (such as one belonging to a security administrator), or if it has been dealt with through a series of investigations.
+
+## Classify the incident 
+You can choose not to set a classification, or decide to specify whether an incident is a true alert or a false alert. Doing so helps the team see patterns and learn from them.
+
+## Rename incident
+By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
+
+![Image of incident renaming](images/atp-rename-incident.png)
+
+## Add comments and view the history of an incident
+You can add comments and view historical events about an incident to see previous changes made to it.
+
+Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
+
+Added comments instantly appear on the pane.
+
+## Related topics
+- [View and organize the Incidents queue](view-incidents-queue.md)

windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md

@@ -0,0 +1,70 @@
+---
+title: View and organize the Incidents queue
+description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
+keywords: view, organize, incidents, aggregate, investigations, queue, ttp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/03/2018
+---
+
+# View and organize the Windows Defender Advanced Threat Protection Incidents queue
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The **Incidents queue** shows a collection of correlated alerts that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
+
+By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
+
+There are several options you can choose from to customize the Incidents queue view. 
+
+On the top navigation you can:
+- Customize columns to add or remove columns 
+- Modify the number of items to view per page
+- Select the items to show per page
+- Batch-select the incidents to assign 
+- Navigate between pages
+- Apply filters
+
+![Image of incidents queue](images/atp-incident-queue.png)
+
+## Sort and filter the incidents queue
+You can apply the following filters to limit the list of incidents and get a more focused view.
+
+Incident severity | Description
+:---|:---
+High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
+Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
+Informational </br>(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+
+### Category
+Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
+
+### Alerts
+Indicates the number of alerts associated with or relevant to the incidents.
+
+
+### Machines
+You can limit to show only the machines at risk which are associated with incidents.
+
+### Users
+You can limit to show only the users of the machines at risk which are associated with incidents. 
+
+### Assigned to
+You can choose to show between unassigned incidents or those which are assigned to you.
+
+### Status
+You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
+
+### Classification
+Use this filter to choose between focusing on incidents flagged as true alerts or false alerts.
+
+## Related topics