mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
updates
This commit is contained in:
Beth Levin
parent
f996fb3383
commit
47b92093c3
@ -82,7 +82,7 @@ If you have enabled the Azure ATP feature and there are alerts related to the ma
|
||||
|
||||
### Logged on users
|
||||
|
||||
The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the"See all users" hyperlink opens the details pane that displays information such as user and logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
|
||||
The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane that displays information such as user type, logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
|
||||
@ -94,11 +94,11 @@ The Security assessments tile shows the overall exposure level, security recomme
|
||||
|
||||
## Tabs
|
||||
|
||||
The five tabs under the cards section show relevant security and threat prevention information related to the machine.
|
||||
The five tabs under the cards section show relevant security and threat prevention information related to the machine. In every tab, you can customize the columns that are shown.
|
||||
|
||||
### Alerts
|
||||
|
||||
The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity.
|
||||
The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts and customize the columns.
|
||||
|
||||
|
||||
|
||||
@ -110,9 +110,7 @@ To see a full page view of an alert including incident graph and process tree, s
|
||||
|
||||
The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.
|
||||
|
||||
Timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.
|
||||
|
||||
To further control your view, you can filter by event groups or customize the columns.
|
||||
Timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.
|
||||
|
||||
>[!NOTE]
|
||||
> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
|
||||
@ -129,9 +127,19 @@ Some of the functionality includes:
|
||||
- Use the search bar to look for specific timeline events.
|
||||
- Filter events from a specific date
|
||||
- Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the machine timeline is set to display the events from the past 30 days.
|
||||
- Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timelime pinpoint automated investigations
|
||||
- Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations
|
||||
- Export detailed machine timeline events
|
||||
- You can choose to export the machine timeline for the current date or a specified date range up to seven days.
|
||||
- Export the machine timeline for the current date or a specified date range up to seven days.
|
||||
|
||||
Along with event time and users, one of the main categories on the timeline is "Details". They describe what happened in the events. The list of possible details are:
|
||||
|
||||
- Contained by Application Guard
|
||||
- Active threat detected - when the detection happened, the threat was executing (i.e. it was running)
|
||||
- Remediation unsuccessful - remediation was invoked but failed
|
||||
- Remediation successful - the threat was stopped and cleaned up
|
||||
- Warning bypassed by user - SmartScreen warning appeared but the user dismissed it
|
||||
- Suspicious script detected
|
||||
- Alert category (e.g. lateral movement)- if the event is correlated to an alert, the tag will show the alert category
|
||||
|
||||
You can also use the [Artifact timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
|
||||
|
||||
|
||||
@ -20,10 +20,9 @@ ms.topic: article
|
||||
# Take response actions on a file
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
|
||||
|
||||
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
|
||||
@ -34,6 +33,7 @@ Quickly respond to detected attacks by stopping and quarantining files or blocki
|
||||
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
|
||||
|
||||
## Stop and quarantine files in your network
|
||||
|
||||
You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
|
||||
|
||||
>[!IMPORTANT]
|
||||
@ -50,12 +50,13 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
|
||||
>You’ll be able to restore the file from quarantine at any time.
|
||||
|
||||
### Stop and quarantine files
|
||||
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
|
||||
- **Search box** - select File from the drop–down menu and enter the file name
|
||||
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
2. Open the **Actions menu** and select **Stop and Quarantine File**.
|
||||
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
|
||||
- **Search box** - select File from the drop–down menu and enter the file name
|
||||
|
||||
2. Open the **Actions menu** and select **Stop and Quarantine File**.
|
||||
|
||||
|
||||
|
||||
@ -88,15 +89,16 @@ In the machine timeline, a new event is added for each machine where a file was
|
||||
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
|
||||
|
||||
## Remove file from quarantine
|
||||
|
||||
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
|
||||
|
||||
1. Open an elevated command–line prompt on the machine:
|
||||
1. Open an elevated command–line prompt on the machine:
|
||||
|
||||
a. Go to **Start** and type cmd.
|
||||
a. Go to **Start** and type cmd.
|
||||
|
||||
b. Right–click **Command prompt** and select **Run as administrator**.
|
||||
b. Right–click **Command prompt** and select **Run as administrator**.
|
||||
|
||||
2. Enter the following command, and press **Enter**:
|
||||
2. Enter the following command, and press **Enter**:
|
||||
```
|
||||
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
|
||||
```
|
||||
@ -105,6 +107,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
|
||||
> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
|
||||
|
||||
## Block files in your network
|
||||
|
||||
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
|
||||
|
||||
>[!IMPORTANT]
|
||||
@ -114,40 +117,40 @@ You can prevent further propagation of an attack in your organization by banning
|
||||
>- This response action is available for machines on Windows 10, version 1703 or later.
|
||||
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
|
||||
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
> The PE file needs to be in the machine timeline for you to be able to take this action.
|
||||
>- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
|
||||
|
||||
### Enable the block file feature
|
||||
|
||||
Before you can block files, you'll need to enable the feature.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
|
||||
|
||||
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
|
||||
|
||||
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
|
||||
|
||||
|
||||
|
||||
### Block a file
|
||||
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
|
||||
- **Search box** - select File from the drop–down menu and enter the file name
|
||||
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
|
||||
- **Search box** - select File from the drop–down menu and enter the file name
|
||||
|
||||
2. Open the **Actions menu** and select **Block**.
|
||||
|
||||
2. Open the **Actions menu** and select **Block**.
|
||||
|
||||
|
||||
|
||||
3. Specify a reason and select **Yes, block file** to take action on the file.
|
||||
|
||||
|
||||
|
||||
|
||||
The Action center shows the submission information:
|
||||
|
||||
|
||||
- **Submission time** - Shows when the action was submitted. <br>
|
||||
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. <br>
|
||||
- **Submission time** - Shows when the action was submitted.
|
||||
- **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
|
||||
- **Status** - Indicates whether the file was added to or removed from the blacklist.
|
||||
|
||||
When the file is blocked, there will be a new event in the machine timeline.</br>
|
||||
@ -168,24 +171,24 @@ When a file is being blocked on the machine, the following notification is displ
|
||||
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
|
||||
|
||||
## Remove file from blocked list
|
||||
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
- **Alerts** - Click the file links from the Description or Details in the Artifact timeline <br>
|
||||
- **Search box** - Select File from the drop–down menu and enter the file name
|
||||
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
|
||||
|
||||
2. Open the **Actions** menu and select **Remove file from blocked list**.
|
||||
- **Alerts** - Click the file links from the Description or Details in the Artifact timeline
|
||||
- **Search box** - Select File from the drop–down menu and enter the file name
|
||||
|
||||
2. Open the **Actions** menu and select **Remove file from blocked list**.
|
||||
|
||||
|
||||
|
||||
3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
|
||||
|
||||
|
||||
## Check activity details in Action center
|
||||
|
||||
The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
|
||||
|
||||
|
||||
|
||||
## Deep analysis
|
||||
|
||||
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
|
||||
|
||||
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
|
||||
@ -213,10 +216,12 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
|
||||
|
||||
**Submit files for deep analysis:**
|
||||
|
||||
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: <br>
|
||||
- Alerts - click the file links from the **Description** or **Details** in the Artifact timeline <br>
|
||||
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section <br>
|
||||
- Search box - select **File** from the drop–down menu and enter the file name <br>
|
||||
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
|
||||
|
||||
- Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
|
||||
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
|
||||
- Search box - select **File** from the drop–down menu and enter the file name
|
||||
|
||||
2. In the **Deep analysis** section of the file view, click **Submit**.
|
||||
|
||||
|
||||
@ -239,7 +244,6 @@ You can view the comprehensive report that provides details on the following sec
|
||||
|
||||
The details provided can help you investigate if there are indications of a potential attack.
|
||||
|
||||
|
||||
1. Select the file you submitted for deep analysis.
|
||||
2. Click **See the report below**. Information on the analysis is displayed.
|
||||
|
||||
@ -249,7 +253,6 @@ The details provided can help you investigate if there are indications of a pote
|
||||
|
||||
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
|
||||
|
||||
|
||||
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
|
||||
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
|
||||
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
|
||||
@ -257,15 +260,15 @@ If you encounter a problem when trying to submit a file, try each of the followi
|
||||
|
||||
```
|
||||
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
|
||||
Name: AllowSampleCollection
|
||||
Name: AllowSampleCollection
|
||||
Type: DWORD
|
||||
Hexadecimal value :
|
||||
Hexadecimal value :
|
||||
Value = 0 – block sample collection
|
||||
Value = 1 – allow sample collection
|
||||
```
|
||||
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
|
||||
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
|
||||
|
||||
|
||||
## Related topic
|
||||
|
||||
- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user