mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-05-16 15:27:22 +00:00

Merge branch 'atp-rs4' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs4

commit 4e2d56b660
@ -47,11 +47,21 @@ For more information, see [Investigate a user account](investigate-user-windows-
## Skype for Business integration
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.

## Azure Advanced Threat Protection integration
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.


>[!NOTE]
>You'll need to have the appropriate license to enable this feature.

## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.

When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.

>[!NOTE]
>You'll need to have the appropriate license to enable this feature.

To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).

## Enable advanced features
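Review bot: the Azure Advanced Threat Protection paragraph has a typo, "from an identify point of view" should read "from an identity point of view". The Office 365 Threat Intelligence section tells the reader to "see the Office 365 Enterprise E5 product page" without linking it, while the last paragraph does link the Office 365 Threat Intelligence overview; add the URL or drop the reference. The two NOTE callouts repeat the same generic licensing sentence; stating the specific license each feature requires would be more useful to the reader.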
@ -85,5 +85,117 @@ For more information see, [Manage Azure AD group and role membership](https://te

![Image of advanced features settings](images/atp-advanced-features.png)

## Role-based access control

With the robust security capabilities available in the Windows Defender ATP portal, it is crucial to provide the right access only to authorized roles and groups. Using role-based access control (RBAC), you can segregate roles and groups within your security operations team or organization to grant appropriate access to the Windows Defender ATP portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can do.

The implementation of role-based access control in Windows Defender ATP is based on Azure Active Directory user groups.

To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and set the Azure Active Directory (Azure AD) user groups assigned to the roles.

### Before you begin

When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.

> [!WARNING]
> Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal.
>
> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
>
> Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions.

To use RBAC in Windows Defender ATP, you’ll need to enable it.

After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.

## Create user roles and assign the role to a group

1. In the navigation pane, select **Preferences setup > Role based access control > Roles**.

2. Click **Add new role**.

3. Enter the user group name, description, and active permissions you’d like to assign to the group.

- **User group name**

- **Description**

- **Active permissions**
- **View data** – Users can view information in the portal.
- **Investigate alerts** – Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Approve or take action** – Users can take response actions and approve or dismiss pending remediation actions.
- **Manage system settings** – Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
- **Manage security settings** – Users can configure alert suppression settings, manage allowed or blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Monitor dashboards** – Users can view all dashboards.

4. Click **Next** to assign the user to a group.

5. Use the filter to select the Azure AD group that you'd like the user to be a part of.

6. Click **Save and close**.

7. Apply the configuration settings.

## Edit user roles

1. Select the user role you'd like to edit.

2. Click **Edit**.

3. Modify the details or the memberships that the user role is a part of.

4. Click **Save and close**.

## Delete user roles

1. Select the user role row you'd like to delete.

2. Click the drop-down button and select **Delete role**.

## Manage machine groups

Create machine groups and set automated remediation levels on them, configure the rules to apply on the group, and assign the group to an Azure AD group and role. After configuring the groups and assignments, rank the group so that the corresponding rule is applied.

### Add machine group

1. In the navigation pane, select **Preferences setup > Role based access control > Machine groups**.

2. Click **Add machine group**.

3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group:

- **Name**

- **Remediation level for automated investigations**
- **No remediation**
- **Require approval (all folders)**
- **Require approval (non-temp folders)**
- **Require approval (core folders)**
- **Fully automated**

- **Description**

- **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version.

>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).

4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab.

5. Assign the user groups that can access the machine group you created. The assignment you set here determines what the group can see in the portal. For example, if you assign a user group to only see machines with a specific tag then their view of the Machines list will be limited based on the tags you set in the rule.

6. Click **Close**.

7. Apply the configuration settings.

## Rank rules on machine groups

After creating groups, setting the remediation levels on them, and assigning user groups that can access the machine group, you’ll need to rank the rules that are applied on the groups.

You can promote or demote the rank of a group so that the rules applied is of higher or lower level. The evaluation order is applied from higher rank to lower rank. The higher rank should apply to the most machines.

You can also edit and delete groups.

By default, there will always be a group for ungrouped machines. This group is designed to aggregate all the machines that didn’t meet any of the conditions set in the other machine groups. The default remediation for this group is Require approval, but you can also define the remediation level for the group.

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)

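Review bot: the ranking guidance under "Rank rules on machine groups" reads as inverted. If "the evaluation order is applied from higher rank to lower rank" and a machine falls into the first group whose matching rule applies (the ungrouped default only collects machines "that didn’t meet any of the conditions set in the other machine groups"), then a broad rule ranked highest swallows machines intended for narrower groups, so the most specific rule belongs at the top rather than the one that "should apply to the most machines"; please confirm the intended semantics and reword. In the same hunk, the WARNING is missing a word ("and that you have your Azure AD groups ready"), "so that the rules applied is of higher or lower level" should be "are", and the TIP refers to "the registry key for the group affiliation" without naming the key or value, so the reader cannot act on it without following the link.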
@ -18,6 +18,7 @@ ms.date: 03/05/2018

- Windows Server 2012 R2
- Windows Server 2016
- Windows Server version 1803
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

[!include[Prerelease information](prerelease.md)]
@ -30,7 +31,7 @@ Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016

## Onboard server endpoints
## Onboard Windows Server 2012 R2 and Windows Server 2016

To onboard your servers to Windows Defender ATP, you’ll need to:

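Review bot: the "Windows Defender ATP supports the onboarding of the following servers" list still contains only Windows Server 2012 R2 and Windows Server 2016, while this commit adds Windows Server, version 1803 to the Applies-to list and a dedicated onboarding section for it; add "- Windows Server, version 1803" here so the supported-servers list matches the rest of the page.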
@ -79,6 +80,30 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |

## Onboard Windows Server, version 1803 [NEED TO CHECK FINAL PRODUCT NAME FOR THIS SERVER]
You’ll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well.

1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).

2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md).

3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:

a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1

b. Run the following PowerShell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```

c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)

4. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```

If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).

### Offboard server endpoints
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.

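Review bot: the new heading still carries the editorial placeholder "[NEED TO CHECK FINAL PRODUCT NAME FOR THIS SERVER]" and must be resolved before merge. Step 3a lists the registry path, name and value for ForceDefenderPassiveMode but not the value type, which an administrator needs in order to create the entry; add it. Step 4 checks whether Windows Defender AV is installed at all (`sc query Windefend`) only after step 3 has already configured passive mode, so consider moving the install check ahead of step 3. The "Offboard server endpoints" section only describes uninstalling or detaching the MMA agent, which is the 2012 R2/2016 path, whereas version 1803 is onboarded "in the same method available for Windows 10 client endpoints"; either state how a version 1803 server is offboarded or scope the heading to the MMA-based servers.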
Binary file not shown.
After Width: | Height: | Size: 339 KiB |
Binary file not shown.
After Width: | Height: | Size: 431 KiB |
Binary file not shown.
After Width: | Height: | Size: 339 KiB |
Binary file not shown.
After Width: | Height: | Size: 33 KiB |
@ -36,24 +36,32 @@ You can click on affected machines whenever you see them in the portal to open a
- Any IP address or domain details view

When you investigate a specific machine, you'll see:
- Machine details, Logged on users, and Machine Reporting
- Machine details, Azure Advanced Threat Protection (Azure ATP) alerts, Logged on users, and Machine Reporting
- Alerts related to this machine
- Machine timeline

![Image of machine view](images/atp-machine-view.png)
![Image of machine view](images/atp-azure-atp-machine.png)

The machine details, Azure ATP alerts, total logged on users, and machine reporting sections display various attributes about the machine.

The machine details, total logged on users, and machine reporting sections display various attributes about the machine.

The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.

For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).

If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last Azure Active Directory site information and total domain group memberships.

>[!NOTE]
>You’ll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature.

For more information on how to enable the Azure ATP integration, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).

Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:

- Interactive and remote interactive logins
- Network, batch, and system logins

![Image of user details pane](images/atp-user-details-pane.png)
![Image of user details pane](images/atp-azure-atp-user.png)

You'll also see details such as logon types for each user account, the user group, and when the account logon occurred.


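Review bot: the Azure ATP tile sentence says the tile shows "the last Azure Active Directory site information", but the matching change to the user page in this same commit says "the last AD site"; Azure ATP reports on the on-premises Active Directory environment, where sites are a domain concept, so "Azure Active Directory site" looks wrong here and the two pages should use the same term. Also, "where more information about the alerts are provided" should read "is provided".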
@ -16,10 +16,6 @@ ms.date: 03/05/2018

**Applies to:**

- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)


@ -37,13 +33,25 @@ You can find user account information in the following views:
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.

When you investigate a user account entity, you'll see:
- User account details and Logged on machines
- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)

![Image of the user account entity details page](images/atp-user-view.png)
![Image of the user account entity details page](images/atp-azure-atp-user.png)

The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account.

The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.

If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.

You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.

>[!NOTE]
>You'll need to enable the integration between Windows Defender ATP and Azure ATP to use this feature.


For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).

The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.


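Review bot: "where more information about the alerts are provided" should read "is provided" (the same sentence appears on the machine page in this commit); "Skype for business integration" should be capitalized "Skype for Business" to match the feature heading; and "login failure associated with the user" is ambiguous about whether the tile shows a count or the most recent failure, and the rest of the page uses "logon", so settle on one term and say what the value is.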
@ -128,6 +128,8 @@ You must configure the signature updates on the Windows Defender ATP endpoints w

When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.

Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).

For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

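Review bot: the added sentence says you "might need to configure a Group Policy setting to run on passive mode" and points at the server endpoints page, but the change to that page in this commit configures passive mode by setting the ForceDefenderPassiveMode registry entry under `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, not a Group Policy setting; align the wording so readers look for the right control. "goes on passive mode" and "run on passive mode" should be "goes into passive mode" and "run in passive mode".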
@ -47,6 +47,9 @@ You must configure the signature updates on the Windows Defender ATP endpoints w

When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.

If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).


For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).



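Review bot: the guidance not to uninstall Windows Defender Antivirus on servers and to run it in passive mode instead is the right call, since the server onboarding steps in this commit rely on the Windows Defender AV passive mode setting; the phrasing "run on passive mode" should be "run in passive mode", and since this paragraph and the one above it now appear nearly verbatim on two requirements pages, consider moving them into a shared include so the two do not drift.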