Add images

2025-06-21 05:13:40 +00:00 · 2021-02-03 15:48:07 +08:00
parent faa0be1b04
commit ea606c4442
5 changed files with 44 additions and 8 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/images/filter-customize-columns.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/filter-customize-columns.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunt-for-related-events.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunt-for-related-events.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-clickable.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-clickable.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-command.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-side-pane-command.png
--- a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md
@ -1,6 +1,6 @@
 ---
-title: Techniques in the device timeline
-description: Understanding MITRE ATT&CK techniques grouping in the device timeline in Microsoft Defender for Endpoint
+title: Device timeline techniques
+description: Understanding the device timeline in Microsoft Defender for Endpoint
 keywords: device timeline, endpoint, MITRE, MITRE ATT&CK, techniques, tactics
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@ -18,12 +18,17 @@ ms.topic: article
 ms.technology: mde
 ---

-# ATT&CK techniques in the device timeline
+# Techniques in the device timeline


 **Applies to:**
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)

+
+Selecting any device from the [Devices list](machines-view-overview.md) brings you to the individual device's page. On the device page, you can select the **Timeline** tab to view all the events related to the device. 
+
+## Understand techniques in the timeline
+
 >[!IMPORTANT]
 >Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

@ -31,7 +36,6 @@ In Microsoft Defender for Endpoint, **Techniques** are a grouping of events that

 This feature simplifies the investigation experience by helping analysts understand at a glance whether suspicious activities happened on or affected a device and whether those activities indicate a need for closer investigation.

-## Techniques in the device timeline

 For public preview customers, Techniques are available by default and are shown together with events when a device's timeline is viewed. 

@ -39,11 +43,44 @@ For public preview customers, Techniques are available by default and are shown

 Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appears as tags under Additional information. 

-Selecting a Technique opens the side pane and shows additional information and insights like related ATT&CK techniques, tactics, and descriptions.
-
 Search and Export options are also available for Techniques.

-## Filtering to view techniques or events only
+## Investigate using the side pane
+
+Selecting a Technique opens the side pane and shows additional information and insights like related ATT&CK techniques, tactics, and descriptions. 
+
+Selecting the specific *Attack technique* opens the related ATT&CK technique page where you can find more information about it.
+
+You can also select event entities to copy them using the blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon.
+
+![Copy entity details](images/techniques-side-pane-clickable.png)
+
+You can do the same even for command lines.
+
+![Copy command line](images/techniques-side-pane-command.png)
+
+
+## Investigate related events
+
+To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected technique, you can select **Hunt for related events**. This leads to the advanced hunting section.
+
+![Hunt for related events](images/techniques-hunt-for-related-events.png)
+
+
+
+
+## Customize your device timeline
+
+On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline. You can also customize which columns to expose an filter for flagged events, by data type, or by event group.
+
+### Choose columns to expose
+You can choose which columns to expose in the timeline by selecting the **Choose columns** button.
+
+![Customize columns](images/filter-customize-columns.png)
+
+From there you can select which information set to include.
+
+### Filter to view techniques or events only

 To view only either events or techniques, select Filters from the device timeline and choose your preferred Data type to view.

@ -57,7 +94,6 @@ To view File events only without Techniques, select Events data type and File ev
 Selecting Techniques automatically shows all techniques. 

 ## See also
-
 - [View and organize the Devices list](machines-view-overview.md)
 - [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md)