From 12b0f388ae30aee726baa7198ec019f91ae9d288 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 17 May 2019 09:01:50 -0700 Subject: [PATCH] add live response --- windows/security/threat-protection/TOC.md | 2 ++ .../threat-protection/microsoft-defender-atp/TOC.md | 5 ++++- .../microsoft-defender-atp/advanced-features.md | 9 +++++++++ .../microsoft-defender-atp/user-roles.md | 12 ++++++++++++ 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5e6e8ba6e7..0ef9254dbd 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -67,6 +67,8 @@ ####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) ####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) +###### [Investigate entities using Live response](windows-defender-atp/live-response.md) +#######[Live response command examples](windows-defender-atp/live-response-command-examples.md) #### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) ##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index ff56d248c9..cb802c617a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md 
@@ -70,7 +70,10 @@ ###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis) ###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports) ###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis) - + +##### [Investigate entities using Live response](live-response.md) +###### [Live response command examples](live-response-command-examples.md) + ### [Automated investigation and remediation](automated-investigations.md) #### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 71a5e64239..330900f19c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -31,6 +31,15 @@ Use the following advanced features to get better protected from potentially mal ## Automated investigation When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md). +## Live response +When you enable this feature, users with the appropriate permissions can initiate a live response session on machines. + +For more information on role assignments see, [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md). + +## Live response unsigned script execution +Enabling this feature allows you to run unsigned scripts in a live response session. + + ## Auto-resolve remediated alerts For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index fd2f77e7a0..b680c1471d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -46,6 +46,18 @@ The following steps guide you on how to create roles in Microsoft Defender Secur >This setting is only available in the Microsoft Defender ATP administrator (default) role. - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + + - **Live response capabilities** - Users can take basic or advanced live response commands.
+ - Basic commands allow users to: + - Start a live response session + - Run read only live response commands on a remote machine + - Advanced commands allow users to: + - Run basic actions + - Download a file from the remote machine + - View a script from the files library + - Run a script on the remote machine from the files library take read and write commands. + + For more information on the available commands, see [Investigate machines using Live response](live-response.md). 4. Click **Next** to assign the role to an Azure AD group.
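Review bot: In the windows/security/threat-protection/TOC.md hunk both new entries link into `windows-defender-atp/`, while the neighbouring entries in that file (for example `microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports`) link into `microsoft-defender-atp/`, so the two links will resolve only if that older directory still exists. The second entry also has no space between `#######` and the link text, so it will not render as a TOC item. Suggest `###### [Investigate entities using Live response](microsoft-defender-atp/live-response.md)` and `####### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)`.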
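Review bot: The entries in the microsoft-defender-atp/TOC.md hunk point at `live-response.md` and `live-response-command-examples.md`, but neither file is part of this patch (the diffstat lists only the two TOC files, advanced-features.md and user-roles.md), so these TOC entries and the cross-links added in the other hunks will be dead links at build time unless those two pages already exist or land in the same PR. Please confirm which, and add the pages here if they are new.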
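Review bot: The link in the new "Live response" section of advanced-features.md, `user-roles-windows-defender-advanced-threat-protection.md`, does not match the role page this same patch edits, which is `user-roles.md` in the same directory; point it at `user-roles.md`. The "Live response unsigned script execution" section needs the caveat an admin wants before enabling it: once it is on, anyone holding the advanced live response permission can run scripts that have not been signed on onboarded machines, so the signing check no longer limits what a compromised or careless analyst account can execute; say that it should stay off unless unsigned scripts are actually needed and that the role assignment is the only remaining gate. Two smaller points: "For more information on role assignments see, [Create and manage roles]" has the comma on the wrong side of "see", and the two added blank lines before "## Auto-resolve remediated alerts" should be one.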
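Review bot: In the user-roles.md hunk the last advanced sub-bullet, "Run a script on the remote machine from the files library take read and write commands.", ends in a leftover fragment; delete "take read and write commands." or, if it was meant to contrast with the read-only basic tier, move it up as "Advanced commands allow users to run read and write commands:". "Users can take basic or advanced live response commands" should read "run". The link text "Investigate machines using Live response" disagrees with the title used in both TOC hunks, "Investigate entities using Live response"; use one title. Because the advanced tier includes "Download a file from the remote machine" and "Run a script on the remote machine", it would help to state plainly that this permission grants file collection and code execution on endpoints and belongs in a dedicated responder role rather than being bundled with the basic set.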