Forum Discussion
MDATP and Incident Handling
Maximilian Grandahl Lærum That's the value of incidents! It brings together all related alerts of this attack. If you only want to see alerts from one specific machine, please use the machine page for this specific machine.
HeikeRitter Hmm.. How about this scenario:
So say for example you have 150 offices world wide, and you get an Incident in MDATP containing 20 computers.
The type of malware requires additional actions to be taken by local IT per office.
You now dispatch 20 tickets containing the recommended actions, one for each office per computer.
If the ATP Incident now contains all these 20 computers, referring to the ATP Incident would be messy, as you get partial ATP Incident completion when the local tickets get resolved.
I guess you could dispatch tickets based on alerts instead, but then again, you could have several alerts per computer. That again makes Incidents containing one machine a better reference.
I'm curious as to what MS sees as best practice here.
Hope that made some sense and that I managed to explain the scenario (⌐■_■)