updated content

This commit is contained in:
Beth Levin 2019-05-02 15:43:31 -07:00
parent c861fdb52a
commit 231200ea5b
8 changed files with 35 additions and 44 deletions

View File

@ -30,7 +30,9 @@ To address this challenge, Windows Defender ATP uses Automated investigations to
The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated. The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
## Understand the Automated investigation flow ## Understand the Automated investigation flow
### How the Automated investigation starts ### How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
>[!NOTE] >[!NOTE]
@ -40,6 +42,7 @@ Entities are the starting point for Automated investigations. When an alert cont
The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
### Details of an Automated investigation ### Details of an Automated investigation
As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs. As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
In the **Alerts** tab, you'll see the alert that started the investigation. In the **Alerts** tab, you'll see the alert that started the investigation.
@ -61,6 +64,7 @@ While an investigation is running, any other alert generated from the machine wi
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
### How threats are remediated ### How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats. Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation: You can configure the following levels of automation:
@ -80,10 +84,5 @@ The default machine group is configured for semi-automatic remediation. This mea
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
## Related topic ## Related topic
- [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md) - [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md)


View File

@ -51,16 +51,19 @@ The machine details section provides information such as the domain, OS, and hea
## Response actions ## Response actions
Response actions run along the top of the page, and include: Response actions run along the top of a specific machine page and include:
- Manage tags - Manage tags
- Initiate Automated Investigation - Initiate Automated Investigation
- Initiate Live Response Session - Initiate Live Response Session
Other actions are enabled if there is an investigation happening on that machine:
- Collect investigation package - Collect investigation package
- Run antivirus scan - Run antivirus scan
- Restrict app execution - Restrict app execution
- Isolate machine - Isolate machine
- Action center (only enabled if there are investigations happening on that machine) - Action center
You can take response actions in the action center, in a specific machine page, or in a specific file page. You can take response actions in the action center, in a specific machine page, or in a specific file page.
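Review bot: the added line "Other actions are enabled if there is an investigation happening on that machine:" now gates Collect investigation package, Run antivirus scan, Restrict app execution and Isolate machine on a running investigation, whereas the old text applied that condition only to Action center ("only enabled if there are investigations happening on that machine"). If only Action center is investigation-gated, keep the qualifier on that item and drop the new introductory line; if all five really are gated, state that explicitly, because as written the change reads as widening the condition by accident.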

View File

@ -27,7 +27,20 @@ ms.topic: article
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page. Response actions run along the top of a specific machine page and include:
- Manage tags
- Initiate Automated Investigation
- Initiate Live Response Session
Other actions are enabled if there is an investigation happening on that machine:
- Collect investigation package
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Action center
![Image of response actions](images/response-actions.png) ![Image of response actions](images/response-actions.png)
You can find machine pages from any of the following views: You can find machine pages from any of the following views:
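Review bot: same concern as in the machine-page list: "Other actions are enabled if there is an investigation happening on that machine:" now covers Isolate machine and Collect investigation package, yet the paragraph above this list says you can "Quickly respond to detected attacks by isolating machines or collecting an investigation package", which implies those actions are available without an investigation running. Reconcile the two statements, and consider keeping this list in one place (or linking to it from the second file) rather than maintaining two copies that can drift apart.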
@ -150,47 +163,22 @@ This machine isolation feature disconnects the compromised machine from the netw
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE] >[!NOTE]
>Youll be able to reconnect the machine back to the network at any time. >Youll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
![Image of isolate machine](images/atp-actions-isolate-machine.png) ![Image of isolate machine](images/isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE] >[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br> **Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png) ![Image of no network connection](images/atp-notification-isolate.png)
### Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Check activity details in Action center ## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details: The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
- Investigation package collection - Investigation package collection
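Review bot: deleting steps 3 and 4 removes the only instructions for enabling Selective Isolation (the Outlook and Skype check-box in the confirmation dialog), but the paragraph above ("You can also choose to enable Outlook and Skype for Business connectivity") and the note below ("If you've chosen to enable Outlook and Skype for Business communication") still refer to that choice, so the reader is no longer told where to make it; keep a sentence such as "Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated." The removed "Release machine from isolation" section also carried the condition to release only "after you have verified that the compromised machine has been remediated", and the replacement sentence in the note ("The button on the machine page will change to say **Release from isolation** ...") drops it; that caveat is worth retaining. Separately, "The Action center will show the scan information" in the kept instruction line reads as copied from the antivirus scan section; "isolation information" or "submission details" would fit here.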
@ -198,9 +186,10 @@ The **Action center** provides information on actions that were taken on a machi
- App restriction - App restriction
- Machine isolation - Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
![Image of action center with information](images/atp-action-center-with-info.png) ![Image of action center with information](images/action-center-details.png)
## Related topic ## Related topic
- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)