|
1 | | -## Manage investigate alerts |
2 | 1 |
|
3 | | -You can manage alerts by selecting an alert in the Alerts queue or the Alerts tab of the Device page for an individual device. Selecting an alert in either of those places brings up the Alert management pane. |
| 2 | +You can manage alerts by selecting an alert in the Alerts queue or the Alerts tab of the Device page for an individual device. Selecting an alert in either of those places brings up the Alert management pane. |
4 | 3 |
|
5 | 4 | :::image type="content" source="../media/alert-queue.png" alt-text="Screenshot of the Microsoft Defender XDR Alerts Queue page." lightbox="../media/alert-queue.png"::: |
6 | 5 |
|
7 | 6 | ## Alert management |
8 | 7 |
|
9 | | -You can view and set metadata about the Alert preview or Alert details page. |
| 8 | +You can view and set metadata on the Alert preview or Alert details page. |
10 | 9 |
|
11 | 10 | :::image type="content" source="../media/alert-manage.png" alt-text="Screenshot of the Microsoft Defender XDR Alert details page." lightbox="../media/alert-manage.png"::: |
12 | 11 |
|
13 | | -The metadata fields include and actions include: |
| 12 | +The metadata fields and actions include: |
14 | 13 |
|
15 | 14 | ### Severity |
16 | 15 |
|
17 | 16 | - **High (Red)** - Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Examples include credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. |
18 | 17 |
|
19 | 18 | - **Medium (Orange) -** Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack. |
20 | 19 |
|
21 | | -- **Low (Yellow)** - Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc. often don't indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization. |
| 20 | +- **Low (Yellow)** - Alerts on threats associated with prevalent malware. For example, hack-tools, nonmalware hack tools, such as running exploration commands, clearing logs, etc. often don't indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization. |
22 | 21 |
|
23 | 22 | - **Informational (Grey)** - Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues. |
24 | 23 |
|
25 | | -Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes. The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware) and is assigned based on the potential risk to the individual device if infected. |
| 24 | +Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes. The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware) and is assigned based on the potential risk to the individual device if infected. |
26 | 25 |
|
27 | 26 | The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device, and most importantly, the potential risk to the organization. |
28 | 27 |
|
@@ -111,7 +110,7 @@ Alternatively, the team leader might assign the alert to the Resolved queue if t |
111 | 110 |
|
112 | 111 | ### Alert classification |
113 | 112 |
|
114 | | -You can choose not to set a classification or specify whether an alert is a true alert or a false alert. It's important to provide the classification of true positive/false positive because it is used to monitor alert quality and make alerts more accurate. The "determination" field defines extra fidelity for a "true positive" classification. |
| 113 | +You can choose not to set a classification or specify whether an alert is a true alert or a false alert. It's important to provide the classification of true positive/false positive because it's used to monitor alert quality and make alerts more accurate. The "determination" field defines extra fidelity for a "true positive" classification. |
115 | 114 |
|
116 | 115 | ### Add comments and view the history of an alert |
117 | 116 |
|
|
0 commit comments