deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-07 01:57:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-8388390

Browse Source
This commit is contained in:
LizRoss 2016-08-10 08:48:05 -07:00
commit 2b0a850902
30 changed files with 56 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue

9
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -1,6 +1,6 @@
---
title: Assign user access to the Windows Defender Advanced Threat Protection portal
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Assign user access to the Windows Defender ATP portal
@ -30,14 +31,14 @@ Users with full access can log in, view all system information and resolve alert
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
**Read only access** <br>
Users with read only access can log in, view all alerts, and related information.
Users with read only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
- Preparations:
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.

1
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure an Azure Active Directory application for SIEM integration

3
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure HP ArcSight to consume Windows Defender ATP alerts
@ -56,7 +57,7 @@ The following steps assume that you have completed all the required steps in [Be
5. In the form fill in the following required fields with these values:
>[!NOTE]
>All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>

1
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure endpoints using Group Policy

21
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure endpoints using Mobile Device Management tools
@ -20,7 +21,7 @@ author: mjcaparas
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -28,10 +29,10 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints
### Onboard and monitor endpoints
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
@ -51,8 +52,8 @@ Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | S
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE]
> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
@ -67,12 +68,12 @@ For security reasons, the package used to offboard endpoints will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
@ -81,7 +82,7 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
@ -92,5 +93,5 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding |
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

1
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure endpoints using System Center Configuration Manager

1
windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure endpoints using a local script

3
windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure Windows Defender ATP endpoints
@ -20,7 +21,7 @@ author: mjcaparas
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:

3
windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
@ -79,7 +80,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
```
HardDrivePath\WDATPConnectivityAnalyzer.cmd
```
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
```text
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
```

1
windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure security information and events management (SIEM) tools to consume alerts

1
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure Splunk to consume Windows Defender ATP alerts

1
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# View the Windows Defender Advanced Threat Protection Dashboard

4
windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Windows Defender ATP data storage and privacy
@ -44,7 +45,7 @@ Microsoft does not mine your data for advertising or for any other purpose other
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
@ -70,4 +71,3 @@ Your data will be kept for a period of at least 90 days, during which it will be
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsofts compliance standards.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.

1
windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Windows Defender compatibility

1
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: iaanw
localizationpriority: high
---

15
windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate Windows Defender Advanced Threat Protection alerts
@ -56,25 +57,25 @@ Some actor profiles include a link to download a more comprehensive threat intel
![A detailed view of an alert when clicked](images/alert-details.png)
## Incident graph
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
## Alert spotlight
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
You can click on the machine link from the alert view to see the alerts related to the machine.
You can click on the machine link from the alert view to see the alerts related to the machine.
> [!NOTE]
> This shortcut is not available from the Incident graph machine links.
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
### Related topics

3
windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
View File

@ -1,13 +1,14 @@
---
title: Investigate Windows Defender Advanced Threat Protection domains
description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate a domain associated with a Windows Defender ATP alert

1
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate a file associated with a Windows Defender ATP alert

1
windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate an IP address associated with a Windows Defender ATP alert

1
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Investigate machines in the Windows Defender ATP Machines view

1
windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Manage Windows Defender Advanced Threat Protection alerts

1
windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: iaanw
localizationpriority: high
---
# Minimum requirements for Windows Defender ATP

1
windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: iaanw
localizationpriority: high
---
# Onboard and set up Windows Defender Advanced Threat Protection

1
windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DulceMV
localizationpriority: high
---
# Windows Defender Advanced Threat Protection portal overview

1
windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DulceMV
localizationpriority: high
---
# Windows Defender Advanced Threat Protection settings

1
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues

1
windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Troubleshoot Windows Defender Advanced Threat Protection

1
windows/keep-secure/use-windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Use the Windows Defender Advanced Threat Protection portal

1
windows/keep-secure/windows-defender-advanced-threat-protection.md
View File

@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Windows Defender Advanced Threat Protection