diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c2d26e8f57..f3396e65c3 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -439,16 +439,8 @@ ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) -### [Threat analytics](microsoft-defender-atp/threat-analytics.md) - - - - - - - - - +### [Threat analytics overview](microsoft-defender-atp/threat-analytics.md) +#### [Read the analyst report](microsoft-defender-atp/threat-analytics-analyst-reports.md) ## [How-to]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png new file mode 100644 index 0000000000..c71d67f43f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report-small.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png index 8106b9e665..957d61d441 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md new file mode 100644 index 0000000000..30c8152b76 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md @@ -0,0 +1,85 @@ +--- +title: Understand the analyst report section in threat analytics +ms.reviewer: +description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more. +keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Understand the analyst report in threat analytics + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab. + + + +_Analyst report section of a threat analytics report_ + +## Scan the analyst report +Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table. + +| Report section | Description | +|--|--| +| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. | +| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface | +| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) | +| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. | +| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. | +| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. | +| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. | +| Change log | The time the report was published and when significant changes were made to the report. | + +## Apply additional mitigations +Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab. + +In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked: + +- Block emails with _.lnk_ attachments or other suspicious file types +- Randomize local administrator passwords +- Educate end users about phishing email and other threat vectors +- Turn on specific [attack surface reduction rules](attack-surface-reduction.md) + +While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible. + +## Understand how each threat can be detected +The analyst report also provides the detections from Microsoft Defender for Endpoint antivirus and _endpoint detection and response_ (EDR) capabilities. + +### Antivirus detections +These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report. + +>[!NOTE] +>The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts. + +### Endpoint detection and response (EDR) alerts +EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](onboard-configure.md). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilities—such as antivirus, network protection, tamper protection—that serve as powerful signal sources. + +Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report. + +## Find subtle threat artifacts using advanced hunting +While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives. + +[Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat. + +Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://securitycenter.windows.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches. + + +## Related topics +- [Threat analytics overview](threat-analytics.md) +- [Proactively find threats with advanced hunting](advanced-hunting-overview.md) +- [Custom detection rules](custom-detection-rules.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index cb44743101..5618f4c5a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -41,7 +41,7 @@ Threat analytics is a set of reports from expert Microsoft security researchers - Common attack surfaces - Prevalent malware -Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place. +Each report provides a detailed analysis of a threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place. Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
@@ -54,7 +54,7 @@ The threat analytics dashboard is a great jump off point for getting to the repo - **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts. - **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts. -- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts. +- **Threat summary**—shows the overall impact of tracked threats by showing the number of threats with active and resolved alerts. Select a threat from the dashboard to view the report for that threat. @@ -64,38 +64,43 @@ Select a threat from the dashboard to view the report for that threat. Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**. -### Quickly understand a threat and assess its impact to your network in the overview +### Overview: Quickly understand the threat, assess its impact, and review defenses The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.  _Overview section of a threat analytics report_ -#### Organizational impact +#### Assess the impact to your organization Each report includes charts designed to provide information about the organizational impact of a threat: - **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. - **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. -#### Organizational resilience and exposure +#### Review security resilience and posture Each report includes charts that provide an overview of how resilient your organization is against a given threat: - **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings. - **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. -### Get expert insight from the analyst report +### Analyst report: Get expert insight from Microsoft security researchers Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance. - -_Analyst report section of a threat analytics report_ +[Learn more about the analyst report](threat-analytics-analyst-reports.md) -### Review list of mitigations and the status of your devices -In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place. +### Mitigations: Review list of mitigations and the status of your devices +In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes: +- **Security updates**—deployment of security updates or patches for vulnerabilities +- **Microsoft Defender Antivirus settings** + - Security intelligence version + - Cloud-delivered protection + - Potentially unwanted application (PUA) protection + - Real-time protection + Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.  _Mitigations section of a threat analytics report_ - ## Additional report details and limitations When using the reports, keep the following in mind: @@ -107,4 +112,5 @@ When using the reports, keep the following in mind: ## Related topics - [Proactively find threats with advanced hunting](advanced-hunting-overview.md) -- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md) +- [Understand the analyst report section](threat-analytics-analyst-reports.md) +- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md index 6f64c59f54..ef781abcdd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -42,6 +42,7 @@ Ensure that your devices: > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) - Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) to help remediate threats found by threat and vulnerability management. If you're using Configuration Manager, update your console to the latest version. + - **Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set. - Have at least one security recommendation that can be viewed in the device page - Are tagged or marked as co-managed diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index edc7850d76..37f460afea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -36,6 +36,8 @@ The threat and vulnerability management capability in Microsoft Defender for End To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. +**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set. + See [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. ### Remediation request steps diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md index fa51efb6f6..5ce499f8fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md @@ -23,11 +23,6 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **Vulnerable devices report is currently in public preview**