diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index bebf68a14f..03b2788ece 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -16,45 +16,28 @@ ms.date: 04/24/2018 # View and organize the Windows Defender Advanced Threat Protection Alerts queue **Applies to:** - - - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) -The **Alerts queue** shows a list of alerts that were flagged from machines in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. +The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first. -Alerts are organized in queues by their workflow status or assignment: +There are several options you can choose from to customize the alerts queue view. -- **New** -- **In progress** -- **Resolved** -- **Assigned to me** +On the top navigation you can: +- Select grouped view or list view +- Customize columns to add or remove columns +- Select the items to show per page +- Navigate between pages +- Apply filters -To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. -> [!NOTE] -> By default, alerts in the queues are sorted from newest to oldest. +![Image of alerts queue](images/alerts-queue-list.png) -![Image of alerts queue](images/atp-new-alerts-list.png) - -## Sort, filter, and group the alerts list -You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. 
- -### Time period -- 1 day -- 3 days -- 7 days -- 30 days -- 6 months - -### OS Platform - - Windows 10 - - Windows Server 2012 R2 - - Windows Server 2016 - - Other +## Sort, filter, and group the alerts queue +You can apply the following filters to limit the list of alerts and get a more focused view the alerts. ### Severity 
@@ -79,40 +62,38 @@ So, for example: - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. +### Status +You can choose to limit the list of alerts based on their status. + +### Investigation state +Corresponds to the automated investigation state. + +### Assigned to +You can choose between showing alerts that are assigned to you or automation. ### Detection source -- Windows Defender AV -- Windows Defender ATP -- Windows Defender SmartScreen -- Others +Select the source that triggered the alert detection. >[!NOTE] >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. -### View -- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. -- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. +### OS platform +Limit the alerts queue view by selecting the OS platform that you're interested in investigating. + +### Machine group +If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. + +### Associated threat +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md). 
+ + +## Manage alerts -The grouped view allows for efficient alert triage and management. -## Alert queue columns -You can click on the first column to open up the **Alert management pane**. You can also select view the machine and user panes by selecting the icons beside the links. -Alerts are listed with the following columns: -- **Title** - Displays a brief description of the alert and its category. -- **Machine and user** - Displays the machine name and user associated with the alert. You view the machine or user details pane or pivot the actual details page. -- **Severity** - Displays the severity of the alert. Possible values are informational, low, medium, or high. -- **Last activity** - Date and time for when the last action was taken on the alert. -- **Time in queue** - Length of time the alert has been in the alerts queue. -- **Detection source** - Displays the detection source of the alert. -- **Status** - Current status of the alert. Possible values include new, in progress, or resolved. -- **Investigation state** - Reflects the number of related investigations and it's current state. -- **Assigned to** - Displays who is addressing the alert. -- **Manage icon** - You can click on the icon to bring up the alert management pane where you can manage and see details about the alert. -### Use the Alert management pane Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. ![Image of an alert selected](images/atp-alerts-selected.png) diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png new file mode 100644 index 0000000000..44fb65afbc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index c0c66d2f42..8902506c49 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -35,7 +35,7 @@ Security operations dashboard | This is where the endpoint detection and respons Alerts queue | This dashboard shows all the alerts that were seen on machines. Learn how you can view and organize the queue, or how to manage and investigate alerts. Machines list | Shows a list of machines where alerts have been generated. Learn how you can investigate machines, or how to search for specific events in a timeline, and others. Take response actions | Learn about the available response actions and how to apply them on machines and files. -Security operations + diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 428fd93504..0fdb2ab3d7 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -24,7 +24,7 @@ The **Security operations dashboard** is where the endpoint detection and respon The dashboard displays a snapshot of: -- The latest active alerts on your network +- Active alerts - Machines at risk - Sensor health - Service health
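Review bot: in the first hunk of alerts-queue-windows-defender-advanced-threat-protection.md (`@@ -16,45 +16,28 @@`), deleting the whole `### Time period` subsection (1 day, 3 days, 7 days, 30 days, 6 months) while adding "By default, the queue displays alerts seen in the last 30 days" leaves the reader with a stated default and no documented way to widen or narrow that window; either keep the Time period filter under `## Sort, filter, and group the alerts queue` or say where the period is changed. Two wording problems in the added lines: "get a more focused view the alerts" is missing "of" before "the alerts", and "with the most recent alerts showing at the top of the list, helping you see the most recent alerts first" says the same thing twice, so "with the most recent alerts at the top of the list" is enough. Since the page's described default behavior changes, `ms.date: 04/24/2018` in the hunk context should also be bumped.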
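Review bot: in the second hunk of alerts-queue-windows-defender-advanced-threat-protection.md (`@@ -79,40 +62,38 @@`), the retained note ">The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product." now sits under `### Detection source` whose list of values (Windows Defender AV, Windows Defender ATP, Windows Defender SmartScreen, Others) was removed, so the note refers to a filter value the page no longer names; keep the list or reword the note. `### Assigned to` / "You can choose between showing alerts that are assigned to you or automation." is ambiguous about whether "automation" means alerts assigned to automated investigation; state the actual filter values. Also, dropping `## Alert queue columns` (Title, Machine and user, Severity, Last activity, Time in queue, Detection source, Status, Investigation state, Assigned to, Manage icon) while the new top-navigation bullet advertises "Customize columns to add or remove columns" leaves readers with no list of which columns exist; consider moving the column list under the new `## Manage alerts` section rather than deleting it.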
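Review bot: style point in the overview-endpoint-detection-response.md hunk: replacing the stray `-Security operations` row with a bare `+` line adds an empty trailing line after the table instead of simply removing the row; drop the line rather than replacing it with whitespace.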