fix overview and config topics

This commit is contained in:
Joey Caparas 2018-08-12 18:16:55 -07:00
parent 901ffc81f5
commit 21d209eb71
10 changed files with 302 additions and 282 deletions

View File

@ -33,7 +33,7 @@
##### [Next gen protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) ##### [Next gen protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
### [Onboard and configure machines to Windows Defender ATP](onboard.md) ### [Configuration and management](onboard.md)
#### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) #### [Onboard machines - need to revise this page](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md) ##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) ##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
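Review bot: the `#### [Onboard machines - need to revise this page]` entry carries an internal editorial note that will render in the published navigation, and this hunk renames the parent to `### [Configuration and management](onboard.md)` without touching it. Change the entry text to `Onboard machines` and track the revision outside the TOC.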

View File

@ -1,5 +1,5 @@
--- ---
title: Configure Windows Defender ATP title: Configure and manage Windows Defender ATP capabilities
description: description:
keywords: keywords:
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
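Review bot: `description:` and `keywords:` are left empty while the title is changed to `Configure and manage Windows Defender ATP capabilities`; the blank values ship as the page's search and summary metadata. Fill both in as part of the retitle.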
@ -13,12 +13,19 @@ ms.localizationpriority: high
ms.date: 07/01/2018 ms.date: 07/01/2018
--- ---
# Configure Windows Defender ATP # Onboard, configure, and manage Windows Defender ATP capabilities
Configure all the Windows Defender ATP capabilities to get the best security protection for your organization. Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization.
## In this section ## In this section
Topic | Description
:---|:---
[Onboard machines to Windows Defender Security Center](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection) | Onboard machines to the platform. [Onboard machines to Windows Defender Security Center](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection) | Onboard machines to the platform.
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) [Configure attack surface reduction capabilities](windows-defender-atp/configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
[Configure next generation protection]() [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Windows Defender Security Center settings](windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
[Manage auto investigation and remediation](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) | Learn how you can manage and view the details of an automated investigation.
[]
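Review bot: the table ends with a stray `[]` on its own line, which renders as literal brackets, and the `[Onboard machines to Windows Defender Security Center](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection)` row is missing the `.md` extension every other row uses. Delete the `[]` line and add `.md`. The H1 also now reads `Onboard, configure, and manage Windows Defender ATP capabilities` while the front-matter title in the hunk above is `Configure and manage Windows Defender ATP capabilities`; pick one wording for both. `ms.date: 07/01/2018` is unchanged even though the page content changes.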

View File

@ -20,7 +20,6 @@ ms.date: 05/21/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
BENNY: look at this page and see if there are "settings/ configurations" if yes, point them to the settings page and remove it from here.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
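Review bot: this hunk only deletes the `BENNY: look at this page and see if there are "settings/ configurations" ...` reminder; nothing in the change shows that the question it raised (move any settings content to the settings page) was resolved. Confirm it was done or reopen it as a tracking item instead of silently dropping the note.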
@ -80,190 +79,6 @@ The default machine group is configured for semi-automatic remediation. This mea
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
## Manage Automated investigations
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
**Filters**</br>
You can use the following operations to customize the list of Automated investigations displayed:
**Triggering alert**</br>
The alert the initiated the Automated investigation.
**Status**</br>
An Automated investigation can be in one of the following status:
Status | Description
:---|:---
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
**Detection source**</br>
Source of the alert that initiated the Automated investigation.
**Threat**</br>
The category of threat detected during the Automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an Automated investigation.
**Machines**</br>
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between Automated investigations that have comments and those that don't.
## Analyze Automated investigations
You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
![Image of investigation details window](images/atp-analyze-auto-ir.png)
The progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Threats
- Entities
- Log
- Pending actions
>[!NOTE]
>The Pending actions tab is only displayed if there are actual pending actions.
- Pending actions history
>[!NOTE]
>The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Threats
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
## Pending actions
If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images\atp-pending-actions-notification.png)
When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of pending actions page](images/atp-pending-actions-list.png)
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
- Quarantine file
- Remove persistence
- Stop process
- Expand pivot
- Quarantine service
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
![Image of list of pending actions](images/atp-approve-reject-action.png)
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
![Image of pending action selected](images/atp-pending-actions-file.png)
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
![Image of multiple investigations selected](images/atp-pending-actions-multiple.png)
## Related topic
- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
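Review bot: removing everything from `## Manage Automated investigations` through `## Related topic` leaves the automated-investigations page ending at `When a pending action is approved, ...` with no pointer to where the management, analysis and pending-actions procedures now live. Keep a `## Related topic` section and add a link to the new manage-auto-investigation topic so readers who land on this page can still find the moved content.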

View File

@ -0,0 +1,199 @@
---
title: Manage automated investigations to investigate and remediate threats in Windows Defender Security Center
description: View the list of automated investigations, its status, detection source and other details.
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 05/21/2018
---
# Manage automated investigations in Windows Defender Security Center
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
![Image of Auto investigations page](images/atp-auto-investigations-list.png)
**Filters**</br>
You can use the following operations to customize the list of Automated investigations displayed:
**Triggering alert**</br>
The alert the initiated the Automated investigation.
**Status**</br>
An Automated investigation can be in one of the following status:
Status | Description
:---|:---
| No threats found | No malicious entities found during the investigation.
| Failed | A problem has interrupted the investigation, preventing it from completing. |
| Partially remediated | A problem prevented the remediation of some malicious entities. |
| Pending | Remediation actions require review and approval. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
**Detection source**</br>
Source of the alert that initiated the Automated investigation.
**Threat**</br>
The category of threat detected during the Automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an Automated investigation.
**Machines**</br>
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between Automated investigations that have comments and those that don't.
## Analyze Automated investigations
You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
![Image of investigation details window](images/atp-analyze-auto-ir.png)
The progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
- Green ring - shows the running time portion of the investigation
![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png)
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
### Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
- Investigation graph
- Alerts
- Machines
- Threats
- Entities
- Log
- Pending actions
>[!NOTE]
>The Pending actions tab is only displayed if there are actual pending actions.
- Pending actions history
>[!NOTE]
>The Pending actions history tab is only displayed when an investigation is complete.
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Clicking on an machine name brings you the machine page.
### Threats
Shows details related to threats associated with this investigation.
### Entities
Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
### Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
### Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
## Pending actions
If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
![Image of pending actions](images\atp-pending-actions-notification.png)
When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
![Image of pending actions page](images/atp-pending-actions-list.png)
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
- Quarantine file
- Remove persistence
- Stop process
- Expand pivot
- Quarantine service
>[!NOTE]
>The tab will only appear if there are pending actions for that category.
### Approve or reject an action
You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
![Image of list of pending actions](images/atp-approve-reject-action.png)
Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
![Image of pending action selected](images/atp-pending-actions-file.png)
From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
![Image of multiple investigations selected](images/atp-pending-actions-multiple.png)
## Related topic
- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
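Review bot: `![Image of pending actions](images\atp-pending-actions-notification.png)` uses a backslash path while every other image in this file uses `images/...`; the backslash breaks the link on case-sensitive build agents and in the browser. Since the text is being moved anyway, also fix the carried-over errors: `The alert the initiated`, `one of the following status`, `Clicking on an machine name`, `Select between filtering the list between`, and the `No threats found` and `Terminated by user` table rows that lack the closing `|` the other rows have. `ms.date: 05/21/2018` on a newly created file should be the date of this commit.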

View File

@ -16,19 +16,19 @@ ms.date: 09/12/2018
# Overview of endpoint detection and response # Overview of endpoint detection and response
The endpoint detection and response capabilities in Windows Defender ATP continuosly monitors your organization for possible attacks against systems, networks, or users in your organzation. It helps detect, investigate, and quickly respond to threats. The endpoint detection and response capabilities in Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization. It helps detect, investigate, and quickly respond to threats.
The detection capability finds the attacks that made it past all other defenses and surfaces them through alerts. The detection capability finds the attacks that made it past all other defenses and surfaces them through alerts.
The platform provides various ways for you to investigate an incident and allows you to pivot in various views to help you approach an investigation through multiple possible vectors. The platform provides various ways for you to investigate an incident and allows you to pivot in various views to help you approach an investigation through multiple possible vectors.
The response capabilities gives you the power to prompty remediate threats by taking action on the affected entities. The response capabilities gives you the power to promptly remediate threats by taking action on the affected entities.
## In this section ## In this section
[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Windows Defender Security Center. [Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Windows Defender Security Center.
[Machines list](machines-list-endpoint-detection-response.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. [Machines list](machines-list-endpoint-detection-response.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts.
[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats.
[Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Proactively hunt for possible threats accross your organization using a powerful search and query tool. [Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Pr actively hunt for possible threats across your organization using a powerful search and query tool.
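Review bot: the last row fixes `accross` but introduces a new typo, `Pr actively hunt`, in place of `Proactively hunt`. The subject-verb agreement in the intro is still wrong on both sides of the hunk: `capabilities ... continuously monitors` should be `monitor`, and `The response capabilities gives` should be `give`. The `ms.date: 09/12/2018` shown in the hunk context also postdates the commit (2018-08-12).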

View File

@ -0,0 +1,75 @@
---
title: Overview of Secure score in Windows Defender Security Center
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 03/12/2018
---
# Overview of Secure score in Windows Defender Security Center
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
>[!IMPORTANT]
> This feature is available for machines on Windows 10, version 1703 or later.
The **Secure score dashboard** displays a snapshot of:
- Microsoft Secure score
- Windows Defender security controls
- Improvement opportunities
- Security score over time
![Secure score dashboard](images/ss1.png)
## Microsoft secure score
The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
![Image of Microsoft secure score tile](images/mss.png)
Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
In the example image, the total points for the Windows security controls and Office 365 add up to 718 points.
You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).
## Windows Defender security controls
The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
![Windows Defender security controls](images/wdsc.png)
## Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Click on each control to see the recommended optimizations.
![Improvement opportunities](images/io.png)
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
>[!IMPORTANT]
>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
The following image shows an example list of machines where the EDR sensor is not turned on.
![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png)
## Security score over time
You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
![Image of the security score over time tile](images/ssot.png)
You can click on specific date points to see the total score for that security control is on a particular date.
## Related topic
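Review bot: two grammar slips in the text moved into this hunk: `The numbers beside the green triangle icon on each recommended action represents` needs "represent" (the subject is "numbers"), and `You can click on specific date points to see the total score for that security control is on a particular date` should read "to see what the total score for that security control was on a particular date". The hunk also ends at `## Related topic` with no list item visible under it; confirm the link list follows, and use the plural "Related topics" so the heading matches the other pages touched by this commit.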

View File

@ -21,7 +21,11 @@ Understand the concepts behind the capabilities in Windows Defender ATP.
Topic | Description Topic | Description
:---|:--- :---|:---
[Windows Defender Security Center](../windows-defender-atp/use-windows-defender-advanced-threat-protection.md) |
[Attack surface reduction](overview-attack-surface-reduction.md) | Understand the capabilities in attack surface reduction so you can leverage them to protect the perimeter of your organization. [Attack surface reduction](overview-attack-surface-reduction.md) | Understand the capabilities in attack surface reduction so you can leverage them to protect the perimeter of your organization.
[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers.
[Endpoint detection and response](overview-endpoint-detection-response.md) | [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization.
[Auto investigation]() | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
[Secure score](over) |
[Advanced hunting]() |
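Review bot: several rows of this table ship with empty or broken targets and missing descriptions: `[Windows Defender Security Center](../windows-defender-atp/use-windows-defender-advanced-threat-protection.md) |` has no description cell, `[Auto investigation]() |` and `[Advanced hunting]() |` have empty link targets, and `[Secure score](over) |` has a truncated target and no description. Empty parentheses and `over` render as dead links on the published page, so either fill in the targets (the secure score page in this commit is overview-secure-score-windows-defender-advanced-threat-protection.md, the path used in the Related topics hunk later in the diff) and add a one-line description for each, or drop the rows until the target pages exist.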

View File

@ -1,6 +1,6 @@
--- ---
title: View the Secure Score dashboard in Windows Defender ATP title: Configure the security controls in Secure score
description: Use the Secure Score dashboard to assess and improve the security state of your organization by analyzing various security control tiles. description: Configure the security controls in Secure score
keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
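Review bot: the new `description: Configure the security controls in Secure score` just repeats the title, so search results and the page summary carry nothing beyond the heading; the removed description (`Use the Secure Score dashboard to assess and improve the security state of your organization...`) was more informative. Replace it with a sentence that says what the narrowed page covers, such as the recommended settings for each security control and how they affect the score. The `keywords:` line still lists dashboard, improvement opportunities and security control state, which this commit moves to the overview page; trim it to match the new scope.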
@ -12,77 +12,7 @@ ms.localizationpriority: medium
ms.date: 04/24/2018 ms.date: 04/24/2018
--- ---
# View the Windows Defender Advanced Threat Protection Secure score dashboard # Configure the security controls in Secure score
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink)
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
>[!IMPORTANT]
> This feature is available for machines on Windows 10, version 1703 or later.
The **Secure score dashboard** displays a snapshot of:
- Microsoft Secure score
- Windows Defender security controls
- Improvement opportunities
- Security score over time
![Secure score dashboard](images/ss1.png)
## Microsoft secure score
The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
![Image of Microsoft secure score tile](images/mss.png)
Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
In the example image, the total points for the Windows security controls and Office 365 add up to 718 points.
You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).
## Windows Defender security controls
The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
![Windows Defender security controls](images/wdsc.png)
## Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Click on each control to see the recommended optimizations.
![Improvement opportunities](images/io.png)
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
>[!IMPORTANT]
>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
The following image shows an example list of machines where the EDR sensor is not turned on.
![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png)
## Security score over time
You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
![Image of the security score over time tile](images/ssot.png)
You can click on specific date points to see the total score for that security control is on a particular date.
## Improve your secure score by applying improvement recommendations
Each security control lists recommendations that you can take to increase the security posture of your organization. Each security control lists recommendations that you can take to increase the security posture of your organization.
### Endpoint detection and response (EDR) optimization ### Endpoint detection and response (EDR) optimization
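Review bot: this hunk removes the prerequisite `> This feature is available for machines on Windows 10, version 1703 or later.` together with the `**Applies to:**` block and the above-fold trial link, but keeps the below-fold trial link and the per-control optimization sections, so the configuration page no longer states a platform requirement. The version note is not in the visible part of the overview file in this commit; either confirm it was carried over there or keep it on this page, since the optimization steps below depend on it. The retained intro `Each security control lists recommendations that you can take to increase the security posture of your organization.` also no longer tells readers where the score tiles live, so a one-line cross reference to the overview page would help anyone landing here first.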
@ -339,10 +269,7 @@ For more information, see [Manage Windows Defender Credential Guard](https://doc
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
## Related topics ## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [Overview of Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
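Review bot: the `## Related topics` list is reduced to the single `[Overview of Secure score]` entry, yet the body text removed in the previous hunk pointed readers to `[Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)` for setting the baselines. Now that this page is the configuration topic, that enable page is the most relevant related link and should be added back here. Dropping the Security operations dashboard and Threat analytics dashboard links from a configuration page is reasonable.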

View File

@ -1,5 +1,5 @@
--- ---
title: Use the Windows Defender Advanced Threat Protection portal title: Overview of Windoww Defender Security Center
description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
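Review bot: typo in the new front matter `title: Overview of Windoww Defender Security Center`; the H1 added in the next hunk spells it `Windows`, and the front matter title is what appears in the browser tab and search results, so correct it to `Overview of Windows Defender Security Center` before merge.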
@ -13,18 +13,11 @@ ms.localizationpriority: medium
ms.date: 03/12/2018 ms.date: 03/12/2018
--- ---
# Use the Windows Defender Advanced Threat Protection portal # Overview of Windows Defender Security Center
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards. Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities.
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
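Review bot: the `**Applies to:**` / `- Windows Defender Advanced Threat Protection (Windows Defender ATP)` block is removed here, as it was on the Secure score page earlier in this commit, with nothing added in its place, so neither overview page now states which product it applies to. If dropping the block is a deliberate convention change, apply it across the docs set in one pass and say so in the commit message; otherwise restore it. The new opening sentence `Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities.` reads well, and the unchanged `Use the **Security operations** dashboard...` line still follows naturally from it.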