mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-27 00:03:45 +00:00
Beth Levin
GitHub
@ -459,7 +459,7 @@
|
||||
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
|
||||
####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
|
||||
####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
|
||||
####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
|
||||
####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
|
||||
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
|
||||
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
|
||||
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 32 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 33 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 18 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 45 KiB |
@ -24,14 +24,15 @@ ms.topic: conceptual
|
||||
|
||||
The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
|
||||
|
||||
> [!TIP]
|
||||
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
|
||||
> [!TIP]
|
||||
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
|
||||
|
||||
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
|
||||
|
||||
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
|
||||
|
||||
## Turn on preview features
|
||||
|
||||
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
|
||||
|
||||
Turn on the preview experience setting to be among the first to try upcoming features.
|
||||
@ -41,12 +42,13 @@ Turn on the preview experience setting to be among the first to try upcoming fea
|
||||
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
|
||||
|
||||
## Preview features
|
||||
|
||||
The following features are included in the preview release:
|
||||
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
|
||||
|
||||
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
|
||||
|
||||
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
|
||||
|
||||
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
|
||||
|
||||
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
|
||||
|
||||
|
||||
@ -8,121 +8,131 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.author: ellevin
|
||||
author: levinec
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/11/2019
|
||||
---
|
||||
# Remediation and exception
|
||||
# Remediation activities and exceptions
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
|
||||
>[!NOTE]
|
||||
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
|
||||
|
||||
After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
|
||||
After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
|
||||
|
||||
You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
|
||||
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
|
||||
|
||||
## Navigate through your remediation options
|
||||
You can access the remediation page in a few places in the portal:
|
||||
- Security recommendation flyout panel
|
||||
- Remediation in the navigation menu
|
||||
- Top remediation activities widget in the dashboard
|
||||
## Remediation
|
||||
|
||||
*Security recommendation flyout page*
|
||||
<br>You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
|
||||
1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
|
||||
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
|
||||
## How remediation requests work
|
||||
|
||||
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
|
||||
|
||||
The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
|
||||
|
||||
## Accessing the Remediation page
|
||||
|
||||
You can access the Remediation page in a few places in the portal:
|
||||
|
||||
- Security recommendations flyout panel
|
||||
- Navigation menu
|
||||
- Top remediation activities in the dashboard
|
||||
|
||||
### Security recommendation flyout page
|
||||
|
||||
You'll see remediation options when you select one of the security recommendations in the [Security recommendations page](tvm-security-recommendation.md).
|
||||
|
||||
1. From the flyout panel, you'll see the security recommendation details including next steps. Select **Remediation options**.
|
||||
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
|
||||
3. Select a remediation due date.
|
||||
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
|
||||
|
||||
>[!NOTE]
|
||||
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
|
||||
|
||||
3. Select a remediation due date.
|
||||
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
|
||||
|
||||
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
|
||||
|
||||
*Remediation in the navigation menu*
|
||||
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
|
||||
### Navigation menu
|
||||
|
||||
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
|
||||
|
||||
To see software which has reached end-of-support, select **Software uninstall** from the **Remediation type** filter. For specific software versions which have reached end-of-support, select **Software update** from the **Remediation type** filter. Select **In progress** then **Apply**.
|
||||
|
||||
|
||||
2. Select the remediation activity that you need to see or process.
|
||||
|
||||
2. Select the remediation activity that you want to view.
|
||||
|
||||
|
||||
*Top remediation activities widget in the dashboard*
|
||||
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
|
||||
2. Select the remediation activity that you need to see or process.
|
||||
### Top remediation activities card the dashboard
|
||||
|
||||
## How it works
|
||||
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
|
||||
2. Select the remediation activity that you want to view.
|
||||
|
||||
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
|
||||
|
||||
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
|
||||
## Exception options
|
||||
|
||||
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
|
||||
You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
|
||||
|
||||
## When to file for exception instead of remediating issues
|
||||
You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score.
|
||||
|
||||
When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
|
||||
|
||||
Select **Exception options** and a flyout screen opens.
|
||||
When you select a [security recommendation](tvm-security-recommendation.md), it opens a flyout screen with details and options for your next steps. Select **Exception options** to fill out the justification and context.
|
||||
|
||||
|
||||
|
||||
### Exception justification
|
||||
|
||||
If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
|
||||
|
||||
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
|
||||
- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
|
||||
- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
|
||||
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
|
||||
- **Other** - False positive
|
||||
|
||||
|
||||
|
||||
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
|
||||
- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
|
||||
- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
|
||||
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
|
||||
- **Other** - False positive
|
||||
|
||||
### Exception visibility
|
||||
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab.
|
||||
However, you also have the option to filter your view based on exception justification, type, and status.
|
||||
|
||||
|
||||
### Where to find exceptions
|
||||
|
||||
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
|
||||
|
||||
|
||||
|
||||
Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard.
|
||||
You can also select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. Selecting the link opens a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
|
||||
|
||||
|
||||
|
||||
Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details.
|
||||
### Exception actions and statuses
|
||||
|
||||
|
||||
You can take the following actions on an exception:
|
||||
|
||||
### Actions on exceptions
|
||||
- Cancel - You can cancel the exceptions you've filed any time
|
||||
- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
|
||||
- Cancel - You can cancel the exceptions you've filed any time
|
||||
- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
|
||||
|
||||
### Exception status
|
||||
- **Canceled** - The exception has been canceled and is no longer in effect
|
||||
- **Expired** - The exception that you've filed is no longer in effect
|
||||
- **In effect** - The exception that you've filed is in progress
|
||||
The following statuses will be a part of an exception:
|
||||
|
||||
- **Canceled** - The exception has been canceled and is no longer in effect
|
||||
- **Expired** - The exception that you've filed is no longer in effect
|
||||
- **In effect** - The exception that you've filed is in progress
|
||||
|
||||
### Exception impact on scores
|
||||
|
||||
Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
|
||||
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
|
||||
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
|
||||
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
|
||||
|
||||
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
|
||||
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
|
||||
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
|
||||
|
||||
The exception impact shows on both the Security recommendations page column and in the flyout pane.
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Supported operating systems and platforms](tvm-supported-os.md)
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
@ -132,11 +142,9 @@ The exception impact shows on both the Security recommendations page column and
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
|
||||
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
|
||||
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
|
||||
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
|
||||
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
|
||||
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
|
||||
|
||||
|
||||
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
|
||||
- [Recommendation APIs](vulnerability.md)
|
||||
- [Machine APIs](machine.md)
|
||||
- [Score APIs](score.md)
|
||||
- [Software APIs](software.md)
|
||||
- [Vulnerability APIs](vulnerability.md)
|
||||
|
||||
@ -22,7 +22,7 @@ ms.topic: article
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
@ -33,11 +33,11 @@ Operating system | Security assessment support
|
||||
Windows 7 | Operating System (OS) vulnerabilities
|
||||
Windows 8.1 | Not supported
|
||||
Windows 10 1607-1703 | Operating System (OS) vulnerabilities
|
||||
Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
|
||||
Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
|
||||
Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
|
||||
Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities
|
||||
Windows 10 1709+ |Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
Windows Server 2008R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
Windows Server 2012R2 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
Windows Server 2016 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
Windows Server 2019 | Operating System (OS) vulnerabilities<br/>Software product vulnerabilities<br/>Operating System (OS) configuration assessment<br/>Security controls configuration assessment<br/>Software product configuration assessment
|
||||
MacOS | Not supported (planned)
|
||||
Linux | Not supported (planned)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user