diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png new file mode 100644 index 0000000000..881b6aac22 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png new file mode 100644 index 0000000000..2969a418ef Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png new file mode 100644 index 0000000000..bc18a8fed6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png new file mode 100644 index 0000000000..8c6a1403e4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md index 354403163d..baa3deac5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md 
@@ -52,18 +52,18 @@ Select the specific *Attack technique* to open the related ATT&CK technique page You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon. -![Copy entity details](images/techniques-side-pane-clickable.png) +![Copy entity details](images/techniques-sha1.png) You can do the same for command lines. -![Copy command line](images/techniques-side-pane-command.png) +![Copy command line](images/techniques-cmd.png) ## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. -![Hunt for related events](images/techniques-hunt-for-related-events.png) +![Hunt for related events](images/techniques-hunting.png) >[!NOTE] >Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. @@ -78,7 +78,7 @@ You can customize which columns to expose. You can also filter for flagged event ### Choose columns to expose You can choose which columns to expose in the timeline by selecting the **Choose columns** button. -![Customize columns](images/filter-customize-columns.png) +![Customize columns](images/timeline-columns.png) From there you can select which information set to include.
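Review bot: The three screenshots replaced in the `@@ -52,18 +52,18 @@` hunk (`images/techniques-side-pane-clickable.png`, `images/techniques-side-pane-command.png`, `images/techniques-hunt-for-related-events.png`) are not deleted anywhere in the visible diff, which only adds the new PNGs. Unless another page still references them they will be left in `images/` as orphans, so check for remaining references and remove the old files in this change if there are none. The alt text "Copy entity details" could also be made more specific, since the preceding sentence and the new file name `techniques-sha1.png` are both about copying a file's SHA1.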
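Review bot: In the `@@ -78,7 +78,7 @@` hunk the alt text "Customize columns" does not match the control the surrounding text names, the **Choose columns** button under the "Choose columns to expose" heading. Consider changing the alt text to "Choose columns" so that screen-reader users get the same label as the UI and the heading. The replaced `images/filter-customize-columns.png` is also not removed in the visible diff; confirm whether it is still used by another page before leaving it in place.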