Investigate a domain associated with a Windows Defender ATP alert
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Want to experience Windows Defender ATP? Sign up for a free trial.
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can investigate a domain by using the search feature or by clicking on a domain link from the Machine timeline.
You can see information from the following sections in the URL view:
- URL details, Contacts, Nameservers
- Alerts related to this URL
- URL in organization
- Most recent observed machines with URL
The URL details, contacts, and nameservers sections display various attributes about the URL.
Alerts related to this URL
The Alerts related to this URL section provides a list of alerts that are associated with the URL.
URL in organization
The URL in organization section provides details on the prevalence of the URL in the organization.
Most recent observed machinew with URL
The Most recent observed machinew with URL section provides a chronological view on the events and associated alerts that were observed on the URL.
Investigate a domain:
- Select URL from the Search bar drop-down menu.
- Enter the URL in the Search field.
- Click the search icon or press Enter. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
- Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
- Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
- View the Windows Defender Advanced Threat Protection Security operations dashboard
- View and organize the Windows Defender Advanced Threat Protection Alerts queue
- Investigate Windows Defender Advanced Threat Protection alerts
- Investigate a file associated with a Windows Defender ATP alert
- Investigate an IP address associated with a Windows Defender ATP alert
- View and organize the Windows Defender ATP Machines list
- Investigate machines in the Windows Defender ATP Machines list
- Investigate a user account in Windows Defender ATP
- Manage Windows Defender Advanced Threat Protection alerts
- Take response actions in Windows Defender ATP