exclusion list topic

Joey Caparas 2018-03-12 20:29:02 -07:00
parent 7fe3faa2ab
commit 0265826d6d
5 changed files with 124 additions and 130 deletions

View File

@ -194,8 +194,9 @@
##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
####Rules
[Manage suppression rules](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md#manage-suppression-rules)
[Manage automation allowed or blocked lists]
[Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
[Manage automation exclusion lists](windows-defender-atp\manage-automation-exclusion-list-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
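Review bot: the `####Rules` heading is missing the space after the hashes and, unlike the `#####` entries just above it, the four rule links beneath it carry no heading prefix, so they will not nest under "Rules" in the rendered TOC. Two entries are also both titled "Manage suppression rules" but point at different targets (`manage-alerts-...md#manage-suppression-rules` and the new `manage-suppression-rules-...md`), and `[Manage automation allowed or blocked lists]` has no link target at all; keep only the two entries that point at the new files and drop the anchor-style one, since this same commit renames the `## Manage suppression rules` heading in manage-alerts to `## Suppress alerts`, which breaks that anchor.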

View File

@ -56,7 +56,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
Added comments instantly appear on the pane.
## Manage suppression rules
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
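Review bot: renaming the heading from `## Manage suppression rules` to `## Suppress alerts` changes its anchor, so any link to `manage-alerts-...md#manage-suppression-rules` (the TOC in this commit still contains one) stops resolving; update or remove those links in the same change. The new manage-suppression-rules page links to `#suppress-alerts`, so that side is already consistent.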
@ -114,9 +114,10 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
2. The list of suppression rules shows all the rules that users in your organization have created.
You can select rules to tun a rule on or off.
For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
## Related topics
- [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
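Review bot: the added sentence `For more information on managing suppression rules, see [Manage suppression rules](...)` has no terminating period and duplicates the link added two lines later under Related topics; one of the two is enough. While here, the context line `You can select rules to tun a rule on or off.` has a typo (`tun` for `turn`), and since the new page now owns the on/off workflow this sentence could simply point there.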

View File

@ -0,0 +1,69 @@
---
title: Manage automation exclusion lists
description: Add automation exclusions so that you can control what items are automatically blocked or allowed during an automatic investigation.
keywords: manage, automation, exclusion, whitelist, blacklist, block, clean, malicious
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/16/2018
---
# Manage automation exclusions
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Automation exclusions allow you to create exclusion lists that dictate whether the automated investigation will proceed with an action or not. You can define the conditions for when attributes are marked as malicious or clean.
When you configure the exclusion list to identify specific attributes as malicious, the automated investigation automatically blocks it. Alternatively, if an exclusion list identifies specific attributes to be clean, then it's considered safe and is not analyzed.
## Add an exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
2. Select the attribute tab you'd like to create an exclusion for.
3. Create an exclusion rule by selecting the attribute and specifying the exclusion type. For each attribute you'll need to specify details and the following required values:
- **Files** - Hash value
- **Certificate** - PEM certificate file
- **IP address** - IP address
- **DNS** - **DNS**
- **Email address** - Email address
4. Click **Update rule**.
## Edit an exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
2. Select the attribute tab you'd like to edit the exclusion for.
3. Update the details of the rule and click **Update rule**.
## Delete an exclusion
1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
2. Select the attribute tab that you'd like to delete a rule for.
3. Select the list type by clicking the check-box beside the list type.
4. Click **Delete**.
## Related topics
- Automation file uploads
- Automation folder exclusions
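Review bot: the required values under step 3 do not say which hash the **Files** entry accepts (SHA1, SHA256, or both), which an analyst needs to know before building an exclusion; the suppression-rule steps removed in this commit refer to the SHA1 of an alert, so state the accepted algorithm explicitly here. Smaller points: the **DNS** row bolds its value (`**DNS** - **DNS**`) unlike the other rows; the front-matter title ("Manage automation exclusion lists") differs from the H1 ("Manage automation exclusions"); `the automated investigation automatically blocks it` uses a singular pronoun for the plural `attributes`; the two Related topics are plain text rather than links; and `ms.date: 04/16/2018` is a month after the commit date.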

View File

@ -1,126 +0,0 @@
---
title: Manage automation blocked or allowed lists
description: Add
keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/16/2018
---
# Manage Windows Defender Advanced Threat Protection alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
Selecting an alert in either of those places brings up the **Alert management pane**.
![Image of alert status](images/atp-alert-status.png)
## Change the status of an alert
You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
## Alert classification
You can specify if an alert is a true alert or a false alert.
## Assign alerts
If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
## Add comments and view the history of an alert
You can add comments and view historical events about an alert to see previous changes made to the alert.
Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
Added comments instantly appear on the pane.
## Manage suppression rules
There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
- **Suppress alert on this machine**
- **Suppress alert in my organization**
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
| **Context** | **Definition** | **Example scenarios** |
|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul> |
| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul> |
### Suppress an alert and create a new suppression rule:
Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, youll be able to configure the action and scope on the alert.
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
2. Scroll down to the **Create a supression rule** section.
![Image of alert status](images/atp-create-suppression-rule.png)
3. Choose the context for suppressing the alert.
![Image of alert status](images/atp-new-suppression-rule.png)
> [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert.
4. Specify the conditions for when the rule is applied:
- Alert title
- Indicator of compromise (IOC)
- Suppression conditions
> [!NOTE]
> The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions.
5. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
6. Click **Save and close**.
### View the list of suppression rules
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**.
2. The list of suppression rules shows all the rules that users in your organization have created.
You can select rules to tun a rule on or off.
## Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
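Review bot: removing this file is correct, since its front matter (title "Manage automation blocked or allowed lists", description "Add") never matched its body, which is a copy of the manage-alerts page; but check that nothing else still links to this filename, because the bare `[Manage automation allowed or blocked lists]` TOC entry in this commit suggests the target was never wired up. The suppression-rule walkthrough it contained (context table, SHA1 note, save-and-close steps) now lives only in manage-alerts, which the new manage-suppression-rules page links to via `#suppress-alerts`, so no content is lost.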

View File

@ -0,0 +1,49 @@
---
title: Manage Windows Defender Advanced Threat Protection suppression rules
description: Manage suppression rules
keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/16/2018
---
# Manage suppression rules
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink)
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
## Turn a suppression rule on or off
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
3. Click **Turn rule on** or **Turn rule off**.
## View details of a suppression rule
1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
## Related topics
- [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
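Review bot: in step 2 of "View details of a suppression rule", `Details of the rule is displayed` should read `are displayed`, and the sentence that follows ("You'll see the rule details such as...") repeats it; merge the two. The front-matter `description: Manage suppression rules` only repeats the title; the sentence "You can view a list of all the suppression rules and manage them in one place" would serve as a description. Consider also adding the new automation exclusion page to Related topics, since both pages live under **Settings** > **Rules**.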