diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e95ca70d41..713019ca33 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 2e289b8a5b..fa59c94780 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -68,7 +68,7 @@ To run the Upgrade Readiness deployment script: 5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. -The deployment script displays the following exit codes to let ddfyou know if it was successful, or if an error was encountered. +The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
@@ -259,5 +259,26 @@ The deployment script displays the following exit codes to let ddfyou know if it + + + + + + + + + + + + + + + + + + + + +
43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult.
44 - Diagtrack.dll version is old, so Auth Proxy will not work.Update the PC using Windows Update/Windows Server Update Services.
45 - Diagrack.dll was not found.Update the PC using Windows Update/Windows Server Update Services.
46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work.Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.**ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index bd6bc5f1e7..c0eb96f69d 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -25,7 +25,7 @@ #### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md) #### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md) #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) -#### [View and organize the Machines view](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) +#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) ##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) ##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) @@ -72,8 +72,10 @@ #### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) #### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md) #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) +#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) -### [Windows Defender ATP service status](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) +### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) ### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) @@ -156,4 +158,4 @@ ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file +## [Change history for Threat Protection](change-history-for-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 22861fbaa2..4fc24b0318 100644 --- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -30,10 +30,19 @@ There are two status indicators on the tile that provide information on the numb - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. - **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -Clicking any of the groups directs you to Machines view, filtered according to your choice. +Clicking any of the groups directs you to Machines list, filtered according to your choice. ![Windows Defender ATP sensor filter](images/atp-sensor-filter.png) + + +You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). + You can filter the health state list by the following status: - **Active** - Machines that are actively reporting to the Windows Defender ATP service. - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. @@ -45,7 +54,7 @@ You can view the machine details when you click on a misconfigured or inactive m ![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) -In the **Machines view**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. +In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. >[!NOTE] >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 8084bd32aa..494eb84889 100644 --- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -35,7 +35,7 @@ The email notification includes basic information about the alert and a link to ## Set up email notifications for alerts The email notifications feature is turned off by default. Turn it on to start receiving email notifications. -1. On the navigation pane, select **Preferences Setup** > **Email Notifications**. +1. On the navigation pane, select **Preferences setup** > **Email Notifications**. 2. Toggle the setting between **On** and **Off**. 3. Select the alert severity level that you’d like your recipients to receive: - **High** – Select this level to send notifications for high-severity alerts. diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index c6e02becaf..703871c3fd 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -28,7 +28,7 @@ localizationpriority: high ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **Group Policy**, click **Download package** and save the .zip file. @@ -74,6 +74,31 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa >[!NOTE] > If you don't set a value, the default value is to enable sample collection. +### Configure reporting frequency settings +Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. + +In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. + +> [!NOTE] +> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. + +For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. + +The configuration is set through the following registry key entry: + +``` +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "latency" +Value: Normal or Expedite +``` +Where:
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -82,7 +107,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -104,16 +129,20 @@ For security reasons, the package used to offboard endpoints will expire 30 days 9. Click **OK** and close any open GPMC windows. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor endpoints using the portal 1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. > [!NOTE] -> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. ## Related topics diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index d714ae09df..a17a666708 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -33,7 +33,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -80,7 +80,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) -When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**. +When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**. You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - Onboarding @@ -99,12 +99,13 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703. +> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. ### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -156,7 +157,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -180,6 +181,8 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 89f4c7887d..8406829b2f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -39,7 +39,7 @@ You can use System Center Configuration Manager’s existing functionality to cr 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. @@ -61,7 +61,7 @@ This rule should be a *remediating* compliance rule configuration item that sets The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -76,6 +76,31 @@ The default value in case the registry key doesn’t exist is 1. For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). +### Configure reporting frequency settings +Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. + +In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. + +> [!NOTE] +> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. + +For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. + +The configuration is set through the following registry key entry: + +``` +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "latency" +Value: Normal or Expedite +``` +Where:
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints @@ -86,7 +111,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -94,12 +119,14 @@ For security reasons, the package used to offboard endpoints will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ### Monitor endpoint configuration Monitoring with SCCM consists of two parts: diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 31b9b673c4..1bde6ab2f6 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -23,10 +23,13 @@ localizationpriority: high You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. +> [!NOTE] +> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). + ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **Local Script**, click **Download package** and save the .zip file. @@ -54,7 +57,7 @@ You can manually configure the sample sharing setting on the endpoint by using * The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -76,7 +79,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -96,6 +99,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 5. Press the **Enter** key or click **OK**. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. @@ -104,7 +111,7 @@ Monitoring can also be done directly on the portal, or by using the different de ### Monitor endpoints using the portal 1. Go to the Windows Defender ATP portal. -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 914544f7c1..6c9b1b4da5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -86,10 +86,6 @@ Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vorte If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. - If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2). - - If you selected EU as your region, you should permit anonymous traffic for URLs listed in both West Europe and North Europe. - ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index e8de1cb1b4..07eb913511 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md @@ -24,10 +24,12 @@ localizationpriority: high The **Dashboard** displays a snapshot of: - The latest active alerts on your network -- Machines reporting -- Top machines with active alerts -- The overall status of Windows Defender ATP for the past 30 days -- Machines with active malware detections +- Daily machines reporting +- Machines at risk +- Users at risk +- Machines with active malware alerts +- Sensor health +- Service health You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. @@ -38,7 +40,7 @@ It also has clickable tiles that give visual cues on the overall health state of ## ATP alerts You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. -![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp.png) +![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp-alerts-tile.png) Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). @@ -51,9 +53,9 @@ This tile shows you a list of machines with the highest number of active alerts. ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). ## Users at risk The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). @@ -69,19 +71,20 @@ Active malware is defined as threats that were actively executing at the time of Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days. -![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/machines-active-threats-tile.png) +![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png) The chart is sorted into five categories: -- **Password stealer** - threats that attempt to steal credentials. - **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access. +- **Credential theft** - threats that attempt to steal credentials. - **Exploit** - threats that use software vulnerabilities to infect machines. -- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses. -- **Low severity** - threats with low severity, including adware and potentially unwanted software such as browser modifiers. +- **Backdoor** - threats that gives a malicious hacker access to and control of machines. +- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. +- **PUA** - applications that install and perform undesirable activity without adequate user consent. Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk. -Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. +Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. > [!NOTE] > The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. @@ -93,21 +96,21 @@ The **Sensor health** tile provides information on the individual endpoint’s a There are two status indicators that provide information on the number of machines that are not reporting properly to the service: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected. +- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues. ![The Service health tile shows an overall indicator of the service](images/status-tile.png) -For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). +For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). ## Daily machines reporting The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day. -![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png) +![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png) ## Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) @@ -115,8 +118,8 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index a301137ca4..8b5493c587 100644 --- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. -Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png new file mode 100644 index 0000000000..61ff260c38 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png new file mode 100644 index 0000000000..8cf482904e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png new file mode 100644 index 0000000000..ed3cf79941 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png new file mode 100644 index 0000000000..2b0253847e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png index dd7fe7dc4d..f62d84df10 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png new file mode 100644 index 0000000000..e46f058e86 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png new file mode 100644 index 0000000000..fd0625088a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png index 219e958d7d..cfa3cbda3e 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png new file mode 100644 index 0000000000..3de8f88a28 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png new file mode 100644 index 0000000000..746d043732 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png index 2aa75b7dca..3336f8a1ac 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png index b82d66a85a..1face3083d 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png and b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png index cd43cdf607..c2b81ca99a 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/components.png b/windows/threat-protection/windows-defender-atp/images/components.png index 840f1cb0df..04ab864727 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/components.png and b/windows/threat-protection/windows-defender-atp/images/components.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/rules-legend.png b/windows/threat-protection/windows-defender-atp/images/rules-legend.png index a48783c6e3..7739ccfda2 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/rules-legend.png and b/windows/threat-protection/windows-defender-atp/images/rules-legend.png differ diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 58805fa39c..e456a18096 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -79,8 +79,8 @@ Selecting an alert detail brings up the **Details pane** where you'll be able to - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index d0e04eabe5..b107b3b042 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -49,8 +49,8 @@ The **Communication with URL in organization** section provides a chronological - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index e45a3d17d3..ebf5a67b89 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -57,8 +57,8 @@ This allows for greater accuracy in defining entities to display such as if and - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 1b792ae89e..b531ee93f6 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -57,8 +57,8 @@ Clicking any of the machine names will take you to that machine's view, where yo - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 5073e541f6..0c4eaeb6e2 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Investigate machines in the Windows Defender ATP Machines view -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. +title: Investigate machines in the Windows Defender ATP Machines list +description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Investigate machines in the Windows Defender ATP Machines view +# Investigate machines in the Windows Defender ATP Machines list **Applies to:** @@ -26,7 +26,7 @@ Investigate the details of an alert raised on a specific machine to identify oth You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: -- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) - The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - Any individual alert @@ -97,7 +97,7 @@ You can also export detailed event data from the machine timeline to conduct off ### Navigate between pages Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**. -From the **Machines view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. +From the **Machines list**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure. @@ -117,7 +117,7 @@ This enhances the ‘in-context’ information across investigation and explorat - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index e0b1346b9e..9f45aa0817 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -69,7 +69,7 @@ You can filter the results by the following time periods: - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 4f1523a324..9dd0f7d8b2 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -105,7 +105,7 @@ Each rule shows: - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 6eb46cb27f..82efa42cc1 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -41,9 +41,9 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. -> **Notes**   -- You cannot change your data storage location after the first-time setup. -- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. +> [!NOTE] +> - You cannot change your data storage location after the first-time setup. +> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements @@ -68,7 +68,7 @@ The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to com For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . -Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section. +Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10. ### Telemetry and diagnostics settings You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 3e1b3c8a80..32b9dc366e 100644 --- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -45,14 +45,15 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
**Feedback** -Access the feedback button to provide comments about the portal.
**Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. +(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. -**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. +**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. +**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. -**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. -(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. +**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. + ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index dab6725222..e2904380b5 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -30,3 +30,5 @@ Topic | Description [Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. [Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features. [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. +[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution. +[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application. diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index a22e882c62..597cefb9a1 100644 --- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -40,7 +40,7 @@ Topic | Description - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 6c8623a564..088b4ed61a 100644 --- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Check the Windows Defender ATP service status -description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved. -keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time +title: Check the Windows Defender ATP service health +description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. +keywords: dashboard, service, issues, service health, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Check the Windows Defender Advanced Threat Protection service status +# Check the Windows Defender Advanced Threat Protection service health **Applies to:** @@ -21,11 +21,11 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. -You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. +You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. The **Service health** details page has the following tabs: @@ -33,7 +33,7 @@ The **Service health** details page has the following tabs: - **Status History** ## Current issues -The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: +The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected - A short description of the issue diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 85ad29fad8..6e7445cde4 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -24,12 +24,12 @@ localizationpriority: high You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. ## Troubleshoot onboarding when deploying with Group Policy Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -43,7 +43,7 @@ When onboarding endpoints using the following versions of System Center Configur Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console. -If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If the deployment fails, you can check the output of the script on the endpoints. If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -64,7 +64,7 @@ Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). 15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). @@ -82,13 +82,13 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.

If it doesn't exist, open an elevated command and add the key. | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index e614c969ca..6b8436e6ef 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -44,7 +44,7 @@ Topic | Description [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. -[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. +[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.