Join Pete Zerger for an in-depth discussion in this video Investigating alerts in the ATP portal, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Windows Defender Advanced Threat Protection, or ATP, is a cloud service that includes a portal where we can investigate alerts that are affecting our network, what they mean, and how to resolve them. We'll start by browsing to the Windows Defender ATP portal at securitycenter.windows.com and logging in with a kinetECO energy Azure Active Directory account. Browsing from the left navigation pane, I'll select a new alert based on a recent detection by Defender ATP, and I'll use the alert details view to see various tiles that provide alert info and metadata.
I'll select this suspected credential theft activity alert, and from the actions pane, if I select manage alert, I'll get a new menu on the right that allows me to take ownership of this alert, change its status or add comments as I complete my investigation. The alert context tile shows where, who, and when in the context of the alert, and I can click on the icon beside the name or the user account to bring up machine or user details in the alert pane.
This details view also has a status tile that shows alert status and recommended actions for remediation just below my top pane. If this alert was attributed to a specific threat actor in the world there would be a red colored pane with the name of an adversary or a threat actor, and when there is a specific threat actor associated with an alert, you can click on the actor's name to see the threat intelligence profile, an overview of their interest and targets, their tools and tactics, et cetera.
We're dealing with something a bit more pedestrian here. Someone in my environment has downloaded a tool known to be used for stealing credentials. So there's no specific threat actor in this case. Now the detailed alert profile helps us understand more about the nature of the threat. So I can see here that this tool has been associated with credential threat in the past, so I'm going to scroll down and look at a bit more detail. So I can see in the alert process tree the specific file information associated with the alert.
So in this case someone has downloaded and installed mimikatz, a pretty popular tool for credential theft, in the environment. And that process tree will expand to show me all of the files in the execution path of the alert, its evidence, its related events, and the file at the core of the event will be designated with a thunderbolt. And from here I can pivot in one of two directions. I can click on the file itself or I can go down and see additional information about the alert.
So I'm going to keep going and I'll look at the incident graph, which simply gives me additional visualization by showing me the file, the process, and giving me a better picture of the scope of this alert in my environment. So I can see here I'm more or less dealing with one machine and one alert, but this takes me to a point that I can begin to see the scope in terms of affected files and affected computers. If I go a bit further here for this particular machine I'm going to see the artifact timeline. So this gives me a bit of additional information, specifically the date and time when this breach or this alert was raised.
So if I select the alert details pane over here to the right I can now see more information about the instances of this observed worldwide, and if I scroll down and look to the left here I can see the prevalence within my own organization also. I'll scroll back up, and selecting an alert detail brings up the details pane where you'll see more information about the alert such as the file details, detections, instances of it observed worldwide as well, and, when we scroll down, the instances observed within our organization.
From this point in time we can now take ownership of this alert, change its status, and begin to take actions. And those are the basics of investigating alerts in Windows Defender ATP.
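The triage steps the instructor walks through in the portal (follow the process tree to the flagged file, size up scope across machines and files, compare worldwide prevalence with prevalence inside the organization, then take ownership and change status with a comment) can be modelled in plain code. The block below is an added example written for this page; it is not code from the course or from Microsoft, and it does not call the Defender ATP service or its API. The alert record, machine name, file hashes and prevalence counts are all constructed sample values.

```python
"""Constructed model of alert triage: process-tree path to the flagged
file, scope, prevalence reading, and manage-alert state changes.
Sample data is invented for illustration, not real Defender ATP telemetry."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Statuses the portal's manage-alert menu offers; ordering is not enforced here.
VALID_STATUS = ("New", "InProgress", "Resolved")


@dataclass
class ProcessEvent:
    event_id: str
    parent_id: Optional[str]
    machine: str
    file_name: str
    sha1: str
    flagged: bool = False  # the file at the core of the alert (the "thunderbolt")


@dataclass
class Alert:
    alert_id: str
    title: str
    events: List[ProcessEvent]
    prevalence_worldwide: int  # instances observed worldwide
    prevalence_org: int        # instances observed in our organization
    status: str = "New"
    owner: Optional[str] = None
    comments: List[str] = field(default_factory=list)


def execution_path(alert: Alert) -> List[str]:
    """Walk parent links from the flagged event up to the root process and
    return file names root-first, i.e. the execution path the tree shows."""
    by_id = {e.event_id: e for e in alert.events}
    core = next((e for e in alert.events if e.flagged), None)
    if core is None:
        raise ValueError("alert has no flagged core event")
    path, seen, node = [], set(), core
    while node is not None and node.event_id not in seen:  # guard against cycles
        seen.add(node.event_id)
        path.append(node.file_name)
        node = by_id.get(node.parent_id) if node.parent_id else None
    return list(reversed(path))


def scope(alert: Alert) -> Dict[str, List[str]]:
    """Affected machines and distinct files, as the incident graph summarises them."""
    return {
        "machines": sorted({e.machine for e in alert.events}),
        "files": sorted({e.sha1 for e in alert.events}),
    }


def prevalence_note(alert: Alert) -> str:
    """Turn the two prevalence counts into a triage hint for the analyst."""
    if alert.prevalence_org > 1:
        return "seen on multiple machines in org: widen the investigation"
    if alert.prevalence_worldwide > 0 and alert.prevalence_org == 1:
        return "single machine in org; file is known worldwide"
    return "first sighting anywhere: treat as unknown"


def manage_alert(alert: Alert, owner: Optional[str] = None,
                 status: Optional[str] = None, comment: Optional[str] = None) -> Alert:
    """Apply the manage-alert actions: assign an owner, change status, add a
    comment. Moving out of 'New' requires an owner so nobody works an
    unassigned alert."""
    if owner:
        alert.owner = owner
    if status:
        if status not in VALID_STATUS:
            raise ValueError(f"unknown status {status!r}")
        if status != "New" and alert.owner is None:
            raise ValueError("assign an owner before changing status")
        alert.status = status
    if comment:
        alert.comments.append(comment)
    return alert


def sample_alert() -> Alert:
    """Constructed alert resembling the one in the video: a browser download
    of mimikatz on one workstation. Hashes and host name are placeholders."""
    return Alert(
        alert_id="ALERT-SAMPLE-1",
        title="Suspected credential theft activity",
        events=[
            ProcessEvent("e1", None, "ws-sample-07", "explorer.exe", "sha1-placeholder-explorer"),
            ProcessEvent("e2", "e1", "ws-sample-07", "chrome.exe", "sha1-placeholder-chrome"),
            ProcessEvent("e3", "e2", "ws-sample-07", "mimikatz.exe", "sha1-placeholder-mimikatz", flagged=True),
        ],
        prevalence_worldwide=1240,
        prevalence_org=1,
    )


if __name__ == "__main__":
    a = sample_alert()
    print("path:", " -> ".join(execution_path(a)))
    print("scope:", scope(a))
    print("prevalence:", prevalence_note(a))
    manage_alert(a, owner="analyst@example.com", status="InProgress",
                 comment="Isolating host, collecting credentials exposure list")
    print(a.status, a.owner, a.comments)
```

The owner-before-status check is the one piece of policy the model adds beyond what the portal itself enforces; it reflects the order the instructor uses (take ownership, then change status) and keeps an alert from being resolved with nobody accountable for it.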