diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0973daa63f --- /dev/null +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,38 @@ +--- +title: Investigate Windows Defender Advanced Threat Protection files +description: Use the investigation options to get details on files associated with alerts, behaviours, or events. +keywords: investigate, investigation, files, malicious activity, attack motivation +search.product: eADQiWindows 10XVcnh +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: mjcaparas +--- +## Investigate a file +Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. + +You can get information from the following sections in the file view: + +- File details +- Deep analysis +- File in organization +- Observed in organization + +The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide. + +The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic. + +The **File in organization** section provides details on the prevalence of the file and the name observed in the organization. + +The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file. + +You'll see a list of machines associated with the file and a description of the action taken by the file. + +**Investigate a file** + +1. Select the file you want to investigate. 
You can select a file from any of the following views or use the Search box: + - Alerts - click the file links from the **Description** or **Details** in the Alert timeline + - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section + - Search box - select **File** from the drop-down menu and enter the file name +2. View the file details. +3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
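Review bot: "its MD5 hash or number" in the File details paragraph is unclear; "or number" does not name an attribute, and if the page also surfaces other identifiers (SHA-1, SHA-256) they should be listed, since MD5 is collision-prone and a weak sole identifier for correlating a file across sources. Suggest "such as its MD5 hash and its prevalence worldwide" and bold "**File details**" to match the other three section names. The sentence "For more information on submitting files for deep analysis, see the **Deep analysis** topic." should carry a link to that topic rather than a bare bold name, consistent with how cross-references are done in the rest of the keep-secure tree. In the numbered procedure, the sub-list under step 1 ("You can select a file from any of the following views or use the Search box:" and its three bullets) needs to be indented under the "1." item so it renders as part of that step instead of breaking the numbered list before "2. View the file details."; steps 2 and 3 would also read better with a clause each on what the reader looks for (the four sections above) and which filters apply. Minor: the description front matter uses "behaviours" while the body uses "behavior"; pick one spelling, and the bold "**Investigate a file**" duplicates the "## Investigate a file" heading, so consider a subheading or dropping the bold line.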