WTP - new topics

lomayor 2019-08-16 13:46:35 -07:00
parent 648f9d71d8
commit 63615748de
4 changed files with 72 additions and 127 deletions

Binary file not shown (image added, 40 KiB).

Binary file not shown (image added, 22 KiB).

View File

@ -0,0 +1,57 @@
---
title: Monitoring web browsing security in Microsoft Defender ATP
description: Use web threat protection in Microsoft Defender ATP to monitor web browsing security
keywords: web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 08/30/2019
---
# Monitor web browsing security
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Web threat protection lets you monitor your organizations web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide blocking statistics from web threat protection:
- **Web threat protection blocks over time** — this trending card displays the number of web threats blocked by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
![Image of the card showing web threats protection blocks over time](images/wtp-blocks-over-time.png)
- **Web threat protection summary** — this card displays total blocks in the past 30 days, showing distribution across the different types of web threats. Clicking a slice opens the list of the domains of the URLs that were blocked.
![Image of the card showing web threats protection summary](images/wtp-summary.png)
>[!Note]
>It can take up to 12 hours from the time a block occurs and the time the block is reflected in the cards or the domain list.
## Types of web threats
Web threat protection categorizes malicious and unwanted websites as:
- Phishing — websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging their credentials
- Malicious — websites in that host malware and exploit code
- Custom indicator — websites, represented by URLs or domains, that you have added to your indicator list for blocking
## View the domain list
Clicking on specific web threat category in the **Web threat protection summary** card opens the **Domains** page with a list of the blocked domains prefiltered under that threat category.
The page provides an aggregated domain-level view along with the following information for each domain:
- **Access count** — number of requests for pages in the domain
- **Blocks** — number of times requests are blocked
- **Access trend** — change in number of access attempts
- **Threat category** — type of web threat
- **Machines** — number of machines with access attempts
Selecting a domain opens a flyout that shows the list of URLs in that domain and the list machines with access attempts.
## Related topics
- [Monitor web security](web-threat-protection-monitoring.md)
- [Respond to web threats](web-threat-protection-response.md)
- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)
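Review bot: the last related-topics link, `[Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)`, is missing the `.md` extension that the two links above it carry, so it will not resolve in the docs build; it should read `(web-threat-protection-end-user-notifications.md)`. The first entry in the same list, `[Monitor web security](web-threat-protection-monitoring.md)`, points this new monitoring page at itself; the overview topic modified in the second hunk of this commit (which links to `web-threat-protection-monitoring.md` from its own related-topics list) is the sensible target instead. The free-trial callout still carries the `ocid=docs-wdatp-advancedhunting-abovefoldlink` tag copied from the advanced hunting topic; a web-threat-protection tag would keep the campaign tracking meaningful. Wording fixes in the body: "your organizations web browsing security" should be "your organization's"; "websites in that host malware and exploit code" should be "websites that host malware and exploit code"; "the list machines with access attempts" should be "the list of machines with access attempts"; "Clicking on specific web threat category" should be "Clicking a specific web threat category"; and the note reads better as "between the time a block occurs and the time it is reflected in the cards or the domain list". Finally, `ms.date: 08/30/2019` is two weeks after the commit date; fine if that is the intended publish date, otherwise worth confirming.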

View File

@ -27,138 +27,26 @@ Web threat protection in Microsoft Defender ATP secures your devices against web
With web threat protection in Microsoft Defender ATP, you get:
- Comprehensive visibility of web browsing security
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
- A full set of security features that track general access trends to unwanted websites
- A full set of security features that track general access trends to malicious and unwanted websites
## Prerequisites
Web threat protection uses network protection to provide web browsing security on Microsoft Edge and popular third-party browsers (Chrome, Firefox, etc.).
To enable network protection on devices, you can do the following:
- Edit the Microsoft Defender ATP security baseline under Web & Network Protection to enable network protection before deploying or redeploying it. Learn about reviewing and assigning the Microsoft Defender ATP security baseline
- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. Read more about enabling network protection
Web threat protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
To turn on network protection on devices:
- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
>[!Note]
>With network protection set to “audit only”, blocking will be unavailable. Also, you will be able to detect and log attempts to access to malicious websites on Microsoft Edge only.
A typical query starts with a table name followed by a series of operators separated by **|**.
In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
First, we define a time filter to review only records from the previous seven days.
We then add a filter on the _FileName_ to contain only instances of _powershell.exe_.
Afterwards, we add a filter on the _ProcessCommandLine_.
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
You have the option of expanding the screen view so you can focus on your hunting query and related results.
### Use operators
The query language is very powerful and has a lot of available operators, some of them are -
- **where** - Filter a table to the subset of rows that satisfy a predicate.
- **summarize** - Produce a table that aggregates the content of the input table.
- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
- **count** - Return the number of records in the input record set.
- **top** - Return the first N records sorted by the specified columns.
- **limit** - Return up to the specified number of rows.
- **project** - Select the columns to include, rename or drop, and insert new computed columns.
- **extend** - Create calculated columns and append them to the result set.
- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
- **find** - Find rows that match a predicate across a set of tables.
To see a live example of these operators, run them as part of the **Get started** section.
## Access query language documentation
For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
## Use exposed tables in Advanced hunting
The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Alerts on Microsoft Defender Security Center
- **MachineInfo** - Machine information, including OS information
- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
- **ProcessCreationEvents** - Process creation and related events
- **NetworkCommunicationEvents** - Network connection and related events
- **FileCreationEvents** - File creation, modification, and other file system events
- **RegistryEvents** - Creation and modification of registry entries
- **LogonEvents** - Login and other authentication events
- **ImageLoadEvents** - DLL loading events
- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
These tables include data from the last 30 days.
## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
![Image of shared queries](images/atp-shared-queries.png)
You can save, edit, update, or delete queries.
### Save a query
You can create or modify a query and save it as your own query or share it with users who are in the same tenant.
1. Create or modify a query.
2. Click the **Save query** drop-down button and select **Save as**.
3. Enter a name for the query.
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- Shared queries - Allows other users in the tenant to access the query
- My query - Accessible only to the user who saved the query
5. Click **Save**.
### Update a query
These steps guide you on modifying and overwriting an existing query.
1. Edit an existing query.
2. Click the **Save**.
### Delete a query
1. Right-click on a query you want to delete.
![Image of delete query](images/atp-delete-query.png)
2. Select **Delete** and confirm that you want to delete the query.
## Result set capabilities in Advanced hunting
The result set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center.
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter results in Advanced hunting
In Advanced hunting, you can use the advanced filter on the output result set of the query.
The filters provide an overview of the result set where
each column has it's own section and shows the distinct values that appear in the column and their prevalence.
You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Public Advanced hunting query GitHub repository
Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>If you set network protection set to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
## Reporting and policy deployment latencies
Note the following latencies when blocking URLs or domains or when monitoring web activity:
- After you add a URL or domain to your custom indicator list, it takes approximately an hour before your machines receive the new setting and start blocking the website.
- While alerts are generated almost in real-time, the web threat protection reports can have a 12-hour delay from the time a block occurs and the time the block is reflected in the cards or the domain list.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
## Related topic
- [Advanced hunting reference](advanced-hunting-reference.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
## Related topics
- [Monitor web security](web-threat-protection-monitoring.md)
- [Respond to web threats](web-threat-protection-response.md)
- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)
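Review bot: the prerequisite bullets under "To turn on network protection on devices:" only tell the reader to turn network protection on, yet the note that follows says that with **Audit only** blocking is unavailable and that access attempts are logged for Microsoft Edge only; the bullets should say that network protection has to be set to block mode for web threat protection to block, with audit mode called out as the visibility-only fallback, so an admin does not deploy the baseline in audit and expect blocks. The same broken link as in the new monitoring topic appears here: `[Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)` lacks the `.md` extension. In "Reporting and policy deployment latencies", the one-hour figure for custom indicators and the 12-hour reporting delay are the numbers admins will plan around; the 12-hour figure matches the "up to 12 hours" note in the monitoring topic, but please state whether "approximately an hour" is a typical or a maximum propagation time. The retained free-trial callout now sits between the latencies section and the new related-topics list, which reads fine, but its `ocid=docs-wdatp-advancedhunting-belowfoldlink` tag is a leftover from the advanced hunting body this hunk removes (everything from "A typical query starts with a table name" through the GitHub repository link, which clearly belonged to the advanced hunting topic rather than to this page); removing that body is the right call, and the tag should be updated alongside it.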