diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png index 3290ef44c9..6ed0c8bffb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png index b8117dc41d..d18b5d3f75 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png index c937e8fd04..37098592d8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png new file mode 100644 index 0000000000..8e0bd0d850 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png index ffb98eef37..a193aca139 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png index a952df593f..23760ac321 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png index 4a5462d01a..484b8df5b2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png index 62f5f70047..1f30dfb9aa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png deleted file mode 100644 index dc353f8c25..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png index f0dcb7626b..1f08635316 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png index 5292a0a77f..8d89569ba2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png index 7dd1c6d0e6..e46e820fc0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png index 232b46993b..91c96bddc7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png new file mode 100644 index 0000000000..89dfff1d11 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png new file mode 100644 index 0000000000..81c4d4305e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png deleted file mode 100644 index 44bf616eb0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png index 9fc89ec6de..b7516b62e6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png index 26eed612da..dbdb4f4df6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png index 3f40a773d0..c0b0f5a3f0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png index 895a4973e6..8088e53c33 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png index 5d227c08c3..a3130681bb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png index 952183b048..40f2d1fd91 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png new file mode 100644 index 0000000000..cda879624b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png deleted file mode 100644 index 0ad322d1e2..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png index dd601b87bf..b849575d88 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 12e2afce99..1bdc888c78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md 
@@ -55,7 +55,7 @@ You can also manage an alert and see alert metadata along with other information ### Devices You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md). -![Image of devices tab in incident details page](images/atp-incident-machine-tab.png) +![Image of devices tab in incident details page](images/atp-incident-device-tab.png) ### Investigations Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index fcf29f3565..2eaf162f7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -43,7 +43,7 @@ When you investigate a specific device, you'll see: - Cards (active alerts, logged on users, security assessment) - Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities) -![Image of device view](images/specific-machine.png) +![Image of device view](images/specific-device.png) ## Device details diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index e086f41f6b..42c831afab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md 
@@ -27,52 +27,47 @@ ms.date: 04/24/2018 ## Investigate user account entities -Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. +Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account. You can find user account information in the following views: - Dashboard - Alert queue -- Machine details page +- Device details page A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. When you investigate a user account entity, you'll see: -- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines +- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and logged on devices, role, logon type, and other details +- Overview of the incidents and user's devices - Alerts related to this user -- Observed in organization (machines logged on to) +- Observed in organization (devices logged on to) -![Image of the user account entity details page](images/atp-user-details-view-azureatp.png) - -The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the user account. +![Image of the user account entity details page](images/atp-user-details-view.png) ### User details -The **User details** card provides information about the user, such as when the user was first and last seen. Depending on the integration features you've enabled, you'll see other details. 
For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. - -### Azure Advanced Threat Protection - -The **Azure Advanced Threat Protection** card will contain a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. This card also provides details such as the last AD site, total group memberships, and login failure associated with the user. +The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. >[!NOTE] >You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). -### Logged on machines +The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account. -The **Logged on machines** card shows a list of the machines that the user has logged on to. You can expand these to see details of the log-on events for each machine. 
+### Overview -## Alerts related to this user +The **Overview** tab shows the incidents details and a list of the devices that the user has logged on to. You can expand these to see details of the log-on events for each device. -The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. +### Alerts -## Observed in organization +The **Alerts** tab provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. -The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these machines, and total observed users on each machine. +### Observed in organization -Selecting an item on the Observed in organization table will expand the item, revealing more details about the machine. Directly selecting a link within an item will send you to the corresponding page. +The **Observed in organization** tab allows you to specify a date range to see a list of devices where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these devices, and total observed users on each device. 
-![Image of observed in organization section](images/atp-observed-in-organization.png) +Selecting an item on the Observed in organization table will expand the item, revealing more details about the device. Directly selecting a link within an item will send you to the corresponding page. ## Search for specific user accounts @@ -80,7 +75,7 @@ Selecting an item on the Observed in organization table will expand the item, re 2. Enter the user account in the **Search** field. 3. Click the search icon or press **Enter**. -A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. +A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of devices it was observed logged on to in the last 30 days. You can filter the results by the following time periods: @@ -96,6 +91,6 @@ You can filter the results by the following time periods: - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 2dcc622eb9..657d949a15 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -26,7 +26,7 @@ ms.topic: article The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. The dashboard is structured into two sections: - ![Image of the device report](images/machine-reports.png) + ![Image of the device report](images/device-reports.png) Section | Description :---|:---
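Review bot: In the investigate-incidents.md hunk (`@@ -55,7 +55,7 @@`) the screenshot reference changes from `images/atp-incident-machine-tab.png` to `images/atp-incident-device-tab.png`, and the old PNG is deleted in this same patch rather than renamed. Before merging, check the rest of the docset for any other page that still embeds `atp-incident-machine-tab.png`; once the file is gone, every remaining reference becomes a broken image. The alt text "Image of devices tab in incident details page" already uses the device wording, so only the file name needed to move here.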
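Review bot: The investigate-machines.md hunk (`@@ -43,7 +43,7 @@`) follows the same delete-and-add pattern, dropping `images/specific-machine.png` and pointing at the newly added `images/specific-device.png`. Confirm no other topic still references `specific-machine.png` before the deletion lands. The alt text "Image of device view" is unchanged and still matches the new file name, so nothing else in the hunk needs attention.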
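Review bot: In the large investigate-user.md hunk (`@@ -27,52 +27,47 @@`) the references to `images/atp-user-details-view-azureatp.png` and `images/atp-observed-in-organization.png` are removed, but unlike the other screenshots in this patch neither PNG is deleted; either they are still used elsewhere, or they are now orphaned and should be removed in the same change for consistency. Two wording nits in the added lines: "The **User details** pane on left provides" should read "on the left", and "The Overview, Alerts, and Observed in organization are different tabs that display various attributes" reads better as "The Overview, Alerts, and Observed in organization tabs display various attributes". The hunk header shows `ms.date: 04/24/2018` in context; given that this hunk restructures the whole page (new Overview tab, sections demoted to `###` and renamed), the date should be bumped so readers can tell the content was refreshed.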
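Review bot: In the investigate-user.md related-topics hunk (`@@ -96,6 +91,6 @@`) the link text becomes "Investigate devices in the Microsoft Defender ATP Devices list" while the target stays `investigate-machines.md`. Keeping the file name avoids breaking inbound links, which is the right call, but verify that the H1 of investigate-machines.md already says "devices" so the link text matches the destination title; the `@@ -43,7 +43,7 @@` context on that page ("When you investigate a specific device") suggests it does.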
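Review bot: In the machine-reports.md hunk (`@@ -26,7 +26,7 @@`) the report screenshot moves from `images/machine-reports.png` (deleted in this patch) to the new `images/device-reports.png`. As with the other renamed images, grep for any remaining `machine-reports.png` references before merging. The leading space before `![Image of the device report]` is carried over from the original line, which keeps the hunk minimal and is fine; the alt text was already device-oriented and needs no change.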