Merge pull request #819 from Microsoft/atp-tomeralpert
updates to machine and file investigation
Elizabeth Ross
GitHub
@ -24,14 +24,14 @@ localizationpriority: high
|
||||
|
||||
<span id="sccm1606"/>
|
||||
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
|
||||
System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
|
||||
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
|
||||
|
||||
>[!NOTE]
|
||||
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
|
||||
|
||||
<span id="sccm1602"/>
|
||||
## Configure endpoints using System Center Configuration Manager earlier versions
|
||||
You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
|
||||
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
|
||||
|
||||
- System Center 2012 Configuration Manager
|
||||
- System Center 2012 R2 Configuration Manager
|
||||
|
||||
|
After Width: | Height: | Size: 432 KiB |
|
After Width: | Height: | Size: 120 KiB |
|
After Width: | Height: | Size: 58 KiB |
|
Before Width: | Height: | Size: 92 KiB After Width: | Height: | Size: 66 KiB |
|
Before Width: | Height: | Size: 187 KiB After Width: | Height: | Size: 79 KiB |
|
After Width: | Height: | Size: 133 KiB |
|
After Width: | Height: | Size: 599 KiB |
|
Before Width: | Height: | Size: 132 KiB After Width: | Height: | Size: 26 KiB |
|
Before Width: | Height: | Size: 212 KiB After Width: | Height: | Size: 572 KiB |
|
Before Width: | Height: | Size: 114 KiB After Width: | Height: | Size: 180 KiB |
|
Before Width: | Height: | Size: 66 KiB After Width: | Height: | Size: 79 KiB |
|
Before Width: | Height: | Size: 51 KiB After Width: | Height: | Size: 48 KiB |
|
Before Width: | Height: | Size: 205 KiB After Width: | Height: | Size: 143 KiB |
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Investigate Windows Defender Advanced Threat Protection alerts
|
||||
description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
|
||||
description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
|
||||
keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -15,30 +15,35 @@ localizationpriority: high
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
|
||||
Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
|
||||
|
||||
|
||||
|
||||
|
||||
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
|
||||
|
||||
For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
The alert details page also shows the alert process tree, an incident graph, and an alert timeline.
|
||||
|
||||
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
|
||||
|
||||
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
|
||||
|
||||
|
||||
|
||||
|
||||
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
|
||||
|
||||
Some actor profiles include a link to download a more comprehensive threat intelligence report.
|
||||
|
||||
|
||||
|
||||
|
||||
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
|
||||
|
||||
## Alert process tree
|
||||
The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
|
||||
The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
|
||||
|
||||
|
||||
|
||||
@ -46,11 +51,15 @@ The **Alert process tree** expands to display the execution path of the alert, i
|
||||
|
||||
The alert and related events or evidence have circles with thunderbolt icons inside them.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The alert process tree might not be available in some alerts.
|
||||
|
||||
Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
Clicking in the circle immediately to the left of the indicator displays its details.
|
||||
|
||||
|
||||
|
||||
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
|
||||
|
||||
|
||||
## Incident graph
|
||||
@ -58,9 +67,7 @@ The **Incident Graph** provides a visual representation of the organizational f
|
||||
|
||||
|
||||
|
||||
The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
|
||||
|
||||
The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
|
||||
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
|
||||
|
||||
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
|
||||
|
||||
|
||||
@ -15,10 +15,6 @@ localizationpriority: high
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
## Investigate machines
|
||||
@ -55,7 +51,9 @@ You'll also see details such as logon types for each user account, the user grou
|
||||
|
||||
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
|
||||
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
|
||||
|
||||
This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
|
||||
|
||||
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
|
||||
|
||||
|
||||