Create investigate-files-windows-defender-advanced-threat-protection.md

This commit is contained in:
jcaparas 2016-04-22 19:29:38 +10:00
parent 5cd1406704
commit b593977f6a


@ -0,0 +1,38 @@
---
title: Investigate Windows Defender Advanced Threat Protection files
description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
keywords: investigate, investigation, files, malicious activity, attack motivation
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: mjcaparas
---
## Investigate a file
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
- File details
- Deep analysis
- File in organization
- Observed in organization
The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide.
The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.
The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.
The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.
You'll see a list of machines associated with the file and a description of the action taken by the file.
**Investigate a file**
1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
- Search box - select **File** from the drop-down menu and enter the file name
2. View the file details.
3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
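Review bot: the sentence "The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide." reads as garbled ("hash or number"); suggest "such as its MD5 hash and its prevalence worldwide". Two consistency points in the same hunk: the front-matter description spells "behaviours" while the body uses "behavior", and "File details" is the only one of the four section names not bolded in the explanatory paragraphs. Also, the bold "**Investigate a file**" procedure label duplicates the "## Investigate a file" heading above it; a subheading (for example "### Investigate a file") would fit the file's heading style better than bold text.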