diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png index 327c6514f5..a60ba27373 100644 Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ diff --git a/windows/keep-secure/images/atp-thunderbolt-icon.png b/windows/keep-secure/images/atp-thunderbolt-icon.png new file mode 100644 index 0000000000..2323c097b7 Binary files /dev/null and b/windows/keep-secure/images/atp-thunderbolt-icon.png differ diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index d47bfa08d9..322a9a40e4 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -27,12 +27,12 @@ You can click an alert in any of the [alert queues](alerts-queue-windows-defende Alerts attributed to an adversary or actor display a colored tile with the actor name. +![A detailed view of an alert when clicked](images/alert-details.png) + Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take. Some actor profiles include a link to download a more comprehensive threat intelligence report. -![A detailed view of an alert when clicked](images/alert-details.png) - ## Alert process tree The **Alert process tree** takes alert triage and investigation to the next level by displaying the alert and its evidence with other events that occurred in the same execution context and time. This broad triage context of the alert and surrounding events is available on the alert page. 
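Review bot: The relocated image keeps the alt text "A detailed view of an alert when clicked" but now sits directly under "Alerts attributed to an adversary or actor display a colored tile with the actor name", before the sentence that tells the reader to click the actor name, so the alt text no longer matches where the figure appears. Either change the alt text to describe what the screenshot shows at that point (for example, the alert with the colored actor tile) or keep the figure after the "Some actor profiles include..." paragraph where it was. Since `images/alert-details.png` is also replaced in this same change, please confirm the new screenshot actually shows the actor tile the surrounding paragraph describes. Separately, the unchanged context line expands TTPs as "tools, tactics, and processes"; the standard expansion is "tactics, techniques, and procedures", and it would be worth fixing while this section is being edited.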
@@ -40,11 +40,20 @@ The **Alert process tree** takes alert triage and investigation to the next leve The alert process tree expands to display the execution path of the alert, its evidence, and related events that occurred in proximity - before and after - the alert. -You’ll see markers (thunderbolt icon) that indicate related events. +You’ll see markers ![Image of thunderbolt icon](images/atp-thunderbolt-icon.png)that indicate related events. These icons also indicate the events that triggered the alert. >[!NOTE] >The alert process tree might not be available in some alerts. +Selecting an indicator within the alert process tree brings up the **Alert details** pane where you can take a deeper look at the details about the alert. + +You can take the following management actions on an alert from the **Alert management** pane: + + + + + + ## Incident graph The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
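Review bot: The new paragraph "You can take the following management actions on an alert from the **Alert management** pane:" ends in a colon and is followed only by blank lines, so the page will ship promising a list of actions that is not there. Either add the list of actions the pane exposes or drop the sentence until that content is ready; an empty stub should not merge. Two smaller points in the same hunk: the line `+You’ll see markers ![Image of thunderbolt icon](images/atp-thunderbolt-icon.png)that indicate related events.` is missing a space after the image, so it renders as the icon glued to "that"; write `markers ![Image of thunderbolt icon](images/atp-thunderbolt-icon.png) that indicate`. And the sentence "Selecting an indicator within the alert process tree brings up the **Alert details** pane" calls the same thing an "indicator" that the previous sentence calls a "marker", and then the next paragraph refers to the **Alert management** pane; use one term for the icon, and confirm whether **Alert details** and **Alert management** are really two different panes or the same one under two names.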