diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index da4a174d2c..5d013d5737 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -63,6 +63,30 @@ So, for example: - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. +#### Understanding alert categories +We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names. + +The table below lists the current categories and how they generally map to previous categories. + +| New category | Previous categories | Detected threat activity or component | +|----------------------|----------------------|-------------| +| Collection | - | Locating and collecting data for exfiltration | +| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | +| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network | +| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | +| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | +| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors | +| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | +| Exploit | Exploit | Exploit code and possible exploitation activity | +| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | +| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence | +| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code | +| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | +| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | +| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | +| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypicaly activity that could be malware activity or part of an attack | +| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | + ### Status You can choose to limit the list of alerts based on their status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 05fcb78399..3817d34a9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -46,7 +46,7 @@ status | Enum | Specifies the current status of the alert. Possible values are: investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' . classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. -category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' . +category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'. detectionSource | string | Detection source. threatFamilyName | string | Threat family. title | string | Alert title.