Create investigate-domain-windows-defender-advanced-threat-protection.md

windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,33 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection domains
+description: Use the investigation options to see if machines and servers have been communicating with malicious domains. 
+search.product: eADQiWindows 10XVcnh 
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate a domain
+
+Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. 
+
+You can see information from the following sections in the URL view:
+
+- URL details
+- URL in organization
+- Prevalence in organization
+- Communication with URL from organization
+
+The URL address details section shows attributes of the URL such as its contacts and nameservers.
+
+The **URL in organization** section provides details on the prevalence of the URL in the organization. 
+
+The **Communication with URL in organization** section provides a chronological view on the events and associated alerts that were observed on the URL.
+
+**Investigate a domain:**
+
+1. Select **URL** from the **Search bar** drop-down menu. 
+2. Enter the URL in the **Search** field. 
+3. Click the search icon   or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
+4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
+5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.