mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-07 18:17:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into vs-8388390
This commit is contained in:
commit
2b0a850902
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
|
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
|
||||||
|
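Review bot: the only visible change in this hunk is the new `localizationpriority: high` line inserted between `author: mjcaparas` and the closing `---`, and the merge commit message says nothing about why every topic in this set is being marked high priority for localization; a one-line explanation in the PR description (what the key controls and why these topics get `high`) would save the next reader a trip through blame.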
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Assign user access to the Windows Defender Advanced Threat Protection portal
|
title: Assign user access to the Windows Defender Advanced Threat Protection portal
|
||||||
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
|
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
|
||||||
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
|
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
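Review bot: nothing visibly changes in this hunk; the old and new sides of `title:`, `description:`, `keywords:`, `search.product:` and `ms.prod:` are identical and the header keeps the line count at 6. If this is a trailing-whitespace or line-ending normalisation, say so in the description; otherwise drop it so the diff only carries the intended frontmatter change.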
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Assign user access to the Windows Defender ATP portal
|
# Assign user access to the Windows Defender ATP portal
|
||||||
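Review bot: the H1 `# Assign user access to the Windows Defender ATP portal` abbreviates the product name while the `title:` field in the preceding hunk of this file spells out "Windows Defender Advanced Threat Protection portal"; pick one form for both, since the page title and heading are the two strings readers see together in search results.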
@ -30,14 +31,14 @@ Users with full access can log in, view all system information and resolve alert
|
|||||||
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
|
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
|
||||||
|
|
||||||
**Read only access** <br>
|
**Read only access** <br>
|
||||||
Users with read only access can log in, view all alerts, and related information.
|
Users with read only access can log in, view all alerts, and related information.
|
||||||
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
|
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
|
||||||
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
|
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
|
||||||
|
|
||||||
Use the following steps to assign security roles:
|
Use the following steps to assign security roles:
|
||||||
- Preparations:
|
- Preparations:
|
||||||
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
|
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You need to run the PowerShell cmdlets in an elevated command-line.
|
> You need to run the PowerShell cmdlets in an elevated command-line.
|
||||||
|
|
||||||
|
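Review bot: the full-access paragraph lists the "Security Administrator" or "Global Administrator" AAD roles without saying which to prefer; Global Administrator is a tenant-wide role that grants far more than this portal needs, so the topic should recommend Security Administrator for analysts and mention Global Administrator only as already sufficient for accounts that hold it. Minor: `For more information see, [How to install and configure Azure PowerShell]` has the comma after `see`; it belongs before it.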
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure an Azure Active Directory application for SIEM integration
|
# Configure an Azure Active Directory application for SIEM integration
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure HP ArcSight to consume Windows Defender ATP alerts
|
# Configure HP ArcSight to consume Windows Defender ATP alerts
|
||||||
@ -56,7 +57,7 @@ The following steps assume that you have completed all the required steps in [Be
|
|||||||
5. In the form fill in the following required fields with these values:
|
5. In the form fill in the following required fields with these values:
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>All other values in the form are optional and can be left blank.
|
>All other values in the form are optional and can be left blank.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<tbody style="vertical-align:top;">
|
<tbody style="vertical-align:top;">
|
||||||
<tr>
|
<tr>
|
||||||
|
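Review bot: the `>[!NOTE]` block sits between step `5.` and the `<table>` that belongs to that step, so in rendered markdown the numbered list ends at 5 and the table is orphaned at top level; indent both the note and the table under the list item, or move the note after the table. Also `In the form fill in the following required fields` needs a comma after `form`.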
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure endpoints using Group Policy
|
# Configure endpoints using Group Policy
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure endpoints using Mobile Device Management tools
|
# Configure endpoints using Mobile Device Management tools
|
||||||
@ -20,7 +21,7 @@ author: mjcaparas
|
|||||||
- Windows 10 Pro Education
|
- Windows 10 Pro Education
|
||||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||||
|
|
||||||
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
|
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
|
||||||
|
|
||||||
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
|
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||||
|
|
||||||
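Review bot: `For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP]` puts the comma after `see`; it should read `see [WindowsAdvancedThreatProtection CSP]`. Otherwise the old and new sides of this hunk are identical, so the change here is presumably whitespace only.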
@ -28,10 +29,10 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
|
|||||||
|
|
||||||
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
|
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||||
|
|
||||||
### Onboard and monitor endpoints
|
### Onboard and monitor endpoints
|
||||||
|
|
||||||
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||||
|
|
||||||
a. Click **Endpoint Management** on the **Navigation pane**.
|
a. Click **Endpoint Management** on the **Navigation pane**.
|
||||||
|
|
||||||
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
|
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
|
||||||
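Review bot: the `For more information on using Windows Defender ATP CSP see, ...` paragraph at the top of this hunk is a verbatim repeat of the same paragraph in the previous hunk of this file (new-side lines 25 and 29 are only a few lines apart); one of the two copies should be removed, and the surviving one should take the `see [link]` comma fix.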
@ -51,8 +52,8 @@ Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | S
|
|||||||
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
|
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
|
||||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
|
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
|
||||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
|
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
|
||||||
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
|
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
|
> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
|
||||||
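Review bot: the `SampleSharing` row gives the value as `0 or 1 <br> Default value: 1` but its description covers only the enabled state (`Windows Defender ATP Sample sharing is enabled`); spell out that 0 disables and 1 enables sample sharing, because this setting decides whether files can be collected from the endpoint for deep analysis and an admin setting 0 needs to know that is the effect. The rows that start with an empty `Policy` cell (`| ./Device/.../HealthState/OnBoardingState`, `| ./Device/.../HealthState/OrgId`) render as blank cells, not merged ones; repeating the policy name in each row is clearer.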
@ -67,12 +68,12 @@ For security reasons, the package used to offboard endpoints will expire 30 days
|
|||||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||||
|
|
||||||
a. Click **Endpoint Management** on the **Navigation pane**.
|
a. Click **Endpoint Management** on the **Navigation pane**.
|
||||||
|
|
||||||
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
|
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
|
||||||
|
|
||||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
|
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
|
||||||
|
|
||||||
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
|
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
|
||||||
|
|
||||||
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
|
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
|
||||||
- Offboarding
|
- Offboarding
|
||||||
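Review bot: step 2 tells readers to extract the offboarding package to `a shared, read-only location that can be accessed by the network administrators who will deploy the package`, and the hunk header reminds us the package expires after 30 days for security reasons; the step should also say to limit the share to those administrators, since whoever holds `WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding` can use it to take endpoints out of monitoring until it expires. Minor: `These policies can be sub-categorized to:` should be `sub-categorized into:`.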
@ -81,7 +82,7 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
|
|||||||
|
|
||||||
Policy | OMA-URI | Type | Value | Description
|
Policy | OMA-URI | Type | Value | Description
|
||||||
:---|:---|:---|:---|:---
|
:---|:---|:---|:---|:---
|
||||||
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
|
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
|
||||||
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
|
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
|
||||||
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
|
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
|
||||||
|
|
||||||
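Review bot: in the `Health Status for offboarded machines` row the cell `FALSE |Windows Defender ATP service is not running` is missing the space after the pipe that every other row has; cosmetic, but it renders inconsistently in plain-text viewers. Otherwise the old and new sides of this hunk are identical, so the change here is presumably whitespace only.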
@ -92,5 +93,5 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding |
|
|||||||
## Related topics
|
## Related topics
|
||||||
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
|
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
|
||||||
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
|
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
|
||||||
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
|
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
|
||||||
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure endpoints using System Center Configuration Manager
|
# Configure endpoints using System Center Configuration Manager
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure endpoints using a local script
|
# Configure endpoints using a local script
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure Windows Defender ATP endpoints
|
# Configure Windows Defender ATP endpoints
|
||||||
@ -20,7 +21,7 @@ author: mjcaparas
|
|||||||
- Windows 10 Pro Education
|
- Windows 10 Pro Education
|
||||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||||
|
|
||||||
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
|
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
|
||||||
|
|
||||||
Windows Defender ATP supports the following deployment tools and methods:
|
Windows Defender ATP supports the following deployment tools and methods:
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
@ -79,7 +80,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
|
|||||||
```
|
```
|
||||||
HardDrivePath\WDATPConnectivityAnalyzer.cmd
|
HardDrivePath\WDATPConnectivityAnalyzer.cmd
|
||||||
```
|
```
|
||||||
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
|
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
|
||||||
```text
|
```text
|
||||||
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
|
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
|
||||||
```
|
```
|
||||||
|
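Review bot: the two code fences in this hunk are tagged inconsistently: the `HardDrivePath\WDATPConnectivityAnalyzer.cmd` block has no language tag while the example-path block is tagged `text`; tag both the same way. The sentence `Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example` should end with a colon, since the fenced block completes it.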
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure security information and events management (SIEM) tools to consume alerts
|
# Configure security information and events management (SIEM) tools to consume alerts
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Configure Splunk to consume Windows Defender ATP alerts
|
# Configure Splunk to consume Windows Defender ATP alerts
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# View the Windows Defender Advanced Threat Protection Dashboard
|
# View the Windows Defender Advanced Threat Protection Dashboard
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender ATP data storage and privacy
|
# Windows Defender ATP data storage and privacy
|
||||||
@ -44,7 +45,7 @@ Microsoft does not mine your data for advertising or for any other purpose other
|
|||||||
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
|
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
|
||||||
|
|
||||||
## Is my data isolated from other customer data?
|
## Is my data isolated from other customer data?
|
||||||
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
|
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
|
||||||
|
|
||||||
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
|
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
|
||||||
|
|
||||||
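Review bot: `Microsoft Azure datacenters in Europe or United States` should read `in Europe or the United States`; otherwise the old and new sides of this hunk are identical.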
@ -70,4 +71,3 @@ Your data will be kept for a period of at least 90 days, during which it will be
|
|||||||
## Can Microsoft help us maintain regulatory compliance?
|
## Can Microsoft help us maintain regulatory compliance?
|
||||||
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
|
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
|
||||||
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
|
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
|
||||||
|
|
||||||
|
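Review bot: the header `@ -70,4 +71,3 @@` drops one line but no removed line is visible in the rendered hunk, so the deletion is presumably a trailing blank line at end of file; fine, but worth a word in the description since the rest of the commit only adds a frontmatter key.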
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender compatibility
|
# Windows Defender compatibility
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: iaanw
|
author: iaanw
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Investigate Windows Defender Advanced Threat Protection alerts
|
# Investigate Windows Defender Advanced Threat Protection alerts
|
||||||
@ -56,25 +57,25 @@ Some actor profiles include a link to download a more comprehensive threat intel
|
|||||||

|

|
||||||
|
|
||||||
## Incident graph
|
## Incident graph
|
||||||
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
|
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
|
||||||
|
|
||||||
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
|
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
|
||||||
|
|
||||||
## Alert spotlight
|
## Alert spotlight
|
||||||
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
|
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
|
||||||
|
|
||||||
You can click on the machine link from the alert view to see the alerts related to the machine.
|
You can click on the machine link from the alert view to see the alerts related to the machine.
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This shortcut is not available from the Incident graph machine links.
|
> This shortcut is not available from the Incident graph machine links.
|
||||||
|
|
||||||
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
|
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
|
||||||
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
|
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
|
||||||
|
|
||||||
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
|
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
|
||||||
|
|
||||||
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
|
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
|
||||||
|
|
||||||
|
|
||||||
### Related topics
|
### Related topics
|
||||||
|
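Review bot: `Clicking on an alert row takes you the to the date` has transposed words and should read `takes you to the date`. `**Behaviours**` uses British spelling while the rest of these topics use American English (`organization` in the data-storage hunk); since it is a UI filter label, check the portal string and match it exactly. `### Related topics` is an H3 here but `## Related topics` in the MDM topic earlier in this commit; align the level.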
@ -1,13 +1,14 @@
|
|||||||
---
|
---
|
||||||
title: Investigate Windows Defender Advanced Threat Protection domains
|
title: Investigate Windows Defender Advanced Threat Protection domains
|
||||||
description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
|
description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
|
||||||
keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
|
keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
# Investigate a domain associated with a Windows Defender ATP alert
|
# Investigate a domain associated with a Windows Defender ATP alert
|
||||||
|
|
||||||
|
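Review bot: the frontmatter closes with `---` immediately followed by `# Investigate a domain associated with a Windows Defender ATP alert` with no blank line between them, unlike the other topics in this commit; add the blank line for consistency, and because some markdown renderers need it to terminate the YAML block cleanly. The same applies to the investigate-file, investigate-IP-address and troubleshoot hunks later in this commit.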
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
# Investigate a file associated with a Windows Defender ATP alert
|
# Investigate a file associated with a Windows Defender ATP alert
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
# Investigate an IP address associated with a Windows Defender ATP alert
|
# Investigate an IP address associated with a Windows Defender ATP alert
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Investigate machines in the Windows Defender ATP Machines view
|
# Investigate machines in the Windows Defender ATP Machines view
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Manage Windows Defender Advanced Threat Protection alerts
|
# Manage Windows Defender Advanced Threat Protection alerts
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: iaanw
|
author: iaanw
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Minimum requirements for Windows Defender ATP
|
# Minimum requirements for Windows Defender ATP
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: iaanw
|
author: iaanw
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Onboard and set up Windows Defender Advanced Threat Protection
|
# Onboard and set up Windows Defender Advanced Threat Protection
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: DulceMV
|
author: DulceMV
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender Advanced Threat Protection portal overview
|
# Windows Defender Advanced Threat Protection portal overview
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: DulceMV
|
author: DulceMV
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender Advanced Threat Protection settings
|
# Windows Defender Advanced Threat Protection settings
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
|
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
# Troubleshoot Windows Defender Advanced Threat Protection
|
# Troubleshoot Windows Defender Advanced Threat Protection
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Use the Windows Defender Advanced Threat Protection portal
|
# Use the Windows Defender Advanced Threat Protection portal
|
||||||
|
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
author: mjcaparas
|
author: mjcaparas
|
||||||
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender Advanced Threat Protection
|
# Windows Defender Advanced Threat Protection
|
||||||
|