update preview, threat analytics

windows/security/threat-protection/TOC.md

@@ -61,12 +61,14 @@
 
 #### [Auto investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
 #### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Threat analytics dashboard](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+##### [Threat analytics](windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md)
+###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 #### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
 ##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
 ###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
 ###### [Advanced hunting query language best practices](windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-
+##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
+###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
 
 
 #### [Management and APIs](windows-defender-atp/management-apis.md)

windows/security/threat-protection/index.md

@@ -93,7 +93,7 @@ Windows Defender ATP includes a secure score to help you dynamically assess the
 **Advanced hunting**<br>
 Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization.
 
-- Custom detection
+- [Custom detection](windows-defender-atp/overview-custom-detections.md)
 - [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
 
 <a name="apis"></a>

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -64,6 +64,8 @@
 #### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
 ##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
 ##### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+#### [Custom detections](overview-custom-detections.md)
+#####[Create custom detections rules](custom-detection-rules.md)
 
 
 

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -97,8 +97,8 @@ Agent Resource    |    Ports
 | winatp-gw-aus.microsoft.com | 443| 
 | winatp-gw-aue.microsoft.com |443 | 
 
-## Onboard Windows Server, version 1803
-You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
+## Onboard Windows Server, version 1803 and Windows Server 2019
+You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
 
 1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
 
@@ -134,7 +134,7 @@ The following capabilities are included in this integration:
     > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
 
 - Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
-- Server investigation -  Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach
+- Server investigation -  Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
 
 >[!IMPORTANT]
 >- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
@@ -143,7 +143,7 @@ The following capabilities are included in this integration:
 
 
 ## Offboard servers 
-You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. 
+You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. 
 
 For other server versions, you have two options to offboard servers from the service:
 - Uninstall the MMA agent

windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md

@@ -0,0 +1,63 @@
+---
+title: Create custom detection rules in Windows Defender ATP
+description: Learn how to create custom detections rules based on advanced hunting queries
+keywords: create custom detections, detections, advanced hunting, hunt, detect, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/03/2018
+---
+
+
+# Create custom detections rules
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+1.	In the navigation pane, select **Advanced hunting**.
+
+2.	Select an existing query that you’d like to base the monitor on or create a new query.
+
+3.	Select **Create detection rule**.
+
+4.	Specify the alert details:
+
+    a.	Alert title
+    b.	Severity
+    c.	Category
+    d.	Description
+    e.	Recommended actions
+
+5.	Click **Create**.
+
+> [!TIP]
+> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>
+> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours. <br>
+> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours.
+
+## Manage existing custom detection rules
+View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules.
+
+1.	In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections  created in the system.
+
+2.	Select one of the rules to take any of the following actions:
+   - Open related alerts– See all the alerts that were raised based to this rule
+   - Run – Run the selected detection immediately. 
+
+   > [!NOTE]
+   > The next run for the query will be in 24 hours after the last run.
+    
+  - Edit – Modify the settings of the rule.
+  - Modify query - View and edit the query itself. 
+  - Turn off – Stop the query from running.
+  - Delete
+
+
+## Related topic
+- [Custom detections overview](overview-custom-detections.md)

windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md

@@ -0,0 +1,33 @@
+---
+title: Custom detections overview
+description: Understand how how you can leverage the power of advanced hunting to create custom detections
+keywords: custom detections, detections, advanced hunting, hunt, detect, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/03/2018
+---
+
+
+# Custom detections overview
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
+
+This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
+Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Windows Defender Security Center. These alerts will be treated like any other alert in the system.
+
+This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats.
+
+## Related topic
+- [Create custom detection rules](custom-detection-rules.md)
+
+

windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md

@@ -44,6 +44,9 @@ Onboard supported versions of Windows machines so that they can send sensor data
   - Windows 8.1 Enterprise
   - Windows 8.1 Pro 
 
+- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#onboard-windows-server-version-1803-and-windows-server-2019) <br>
+You'll be able to onboard Windows Server 2019 
+
 - [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)<br>
 Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
 
@@ -52,6 +55,7 @@ Windows Defender ATP integrates with Azure Security Center to provide a comprehe
 - [Integration with Microsoft Cloud App Security](overview-mcas-integration.md)<br>
 Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
 
+
  
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)  

windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md

@@ -1,5 +1,5 @@
 ---
-title: Windows Defender Advanced Threat Protection Threat analytics
+title: Threat analytics for Spectre and Meltdown
 description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
 keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status 
 search.product: eADQiWindows 10XVcnh
@@ -45,6 +45,7 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T
 Click a section of each chart to get a list of the machines in the corresponding mitigation status.
 
 ## Related topics
+- [Threat analtyics](threat-analytics-windows-defender-advanced-threat-protection.md)
 - [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md)
 - [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
 

windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,62 @@
+---
+title: Windows Defender Advanced Threat Protection Threat analytics
+description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
+keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status 
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Threat analytics 
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Cyber threats are emerging more frequently and prevalently. It is critical for enterprises to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. 
+
+Threat analytics helps security operations teams continually assess their environment for emerging threats and outbreaks within minutes and take actions to contain and increase organizational resilience.  
+
+>[!NOTE]
+>Threat analytics requires all Windows Defender ATP components to be running, including Next generation protection and Attack surface reduction.
+
+Microsoft security teams continuously updates Windows Defender ATP Threat analytics with data on identified emerging threats.
+
+Each threat report provides a summary to describe details such as where the threat is coming from, where it’s been seen, or techniques and tools that were used by the threat. 
+
+The dashboard shows the impact in your organization through the following tiles:
+- Machines with alerts – shows the current distinct number of impacted machines in your organization 
+- Machines with alerts over time – shows the distinct number of impacted over time
+- Mitigation recommendations – provides specific actionable recommendations to take for the threat can be contained
+- Mitigation status – shows the current distinct number of machines that have been mitigated, unmitigated, and unavailable
+- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time
+
+![Image of a threat analytics report](images/threat-analytics-report.png)
+
+## Organizational impact
+You can assess the organizational impact of a threat using the Machines with alerts and Machines with alerts over time tiles.
+
+The **Machine with alerts** shows the specific number of **Active alerts** and **Resolved alerts**. Clicking on the **Active** or **Resolved** parts of the pies brings you to the Alerts queue filtered based on the specific threat alerts so security operations teams can investigate and respond to contain this threat.
+
+The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. An indication of threat containment is reflected by the number of **Resolved alerts**. Total number of Resolved alerts increasing over time is a good indication of threat containment.
+
+
+## Organizational resilience
+The** Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience.
+
+The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations. Clicking on the **Mitigated** or **Unmitigated** parts of the pies brings you to the Machines list filtered based on the machines that are missing at least one specific threat mitigation.
+
+
+>[!NOTE]:
+>The Unavailable category indicates that there is no data available from the specific machine yet. 
+
+
+## Related topics
+- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+