diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-blocks-over-time.png b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-blocks-over-time.png new file mode 100644 index 0000000000..9e23bb92a6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-blocks-over-time.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-summary.png new file mode 100644 index 0000000000..7e6c5b8d7c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-monitoring.md new file mode 100644 index 0000000000..30dcceeed1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-monitoring.md 
@@ -0,0 +1,57 @@ +--- +title: Monitoring web browsing security in Microsoft Defender ATP +description: Use web threat protection in Microsoft Defender ATP to monitor web browsing security +keywords: web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 08/30/2019 +--- + +# Monitor web browsing security + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +Web threat protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide blocking statistics from web threat protection: + +- **Web threat protection blocks over time** — this trending card displays the number of web threats blocked by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) + + ![Image of the card showing web threats protection blocks over time](images/wtp-blocks-over-time.png) + +- **Web threat protection summary** — this card displays total blocks in the past 30 days, showing distribution across the different types of web threats. Clicking a slice opens the list of the domains of the URLs that were blocked. + + ![Image of the card showing web threats protection summary](images/wtp-summary.png) + +>[!Note] +>It can take up to 12 hours from the time a block occurs and the time the block is reflected in the cards or the domain list. 
+ +## Types of web threats +Web threat protection categorizes malicious and unwanted websites as: +- Phishing — websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging their credentials +- Malicious — websites in that host malware and exploit code +- Custom indicator — websites, represented by URLs or domains, that you have added to your indicator list for blocking + +## View the domain list +Clicking on specific web threat category in the **Web threat protection summary** card opens the **Domains** page with a list of the blocked domains prefiltered under that threat category. +The page provides an aggregated domain-level view along with the following information for each domain: +- **Access count** — number of requests for pages in the domain +- **Blocks** — number of times requests are blocked +- **Access trend** — change in number of access attempts +- **Threat category** — type of web threat +- **Machines** — number of machines with access attempts +Selecting a domain opens a flyout that shows the list of URLs in that domain and the list machines with access attempts. + +## Related topics +- [Monitor web security](web-threat-protection-monitoring.md) +- [Respond to web threats](web-threat-protection-response.md) +- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md index b055197090..a39cb25bb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md 
@@ -27,138 +27,26 @@ Web threat protection in Microsoft Defender ATP secures your devices against web With web threat protection in Microsoft Defender ATP, you get: - Comprehensive visibility of web browsing security - Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs -- A full set of security features that track general access trends to unwanted websites +- A full set of security features that track general access trends to malicious and unwanted websites ## Prerequisites -Web threat protection uses network protection to provide web browsing security on Microsoft Edge and popular third-party browsers (Chrome, Firefox, etc.). -To enable network protection on devices, you can do the following: -- Edit the Microsoft Defender ATP security baseline under Web & Network Protection to enable network protection before deploying or redeploying it. Learn about reviewing and assigning the Microsoft Defender ATP security baseline -- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. Read more about enabling network protection +Web threat protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. +To turn on network protection on devices: +- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline) +- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md) >[!Note] ->With network protection set to “audit only”, blocking will be unavailable. 
Also, you will be able to detect and log attempts to access to malicious websites on Microsoft Edge only. - - - -A typical query starts with a table name followed by a series of operators separated by **|**. - -In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. - -![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png) - -First, we define a time filter to review only records from the previous seven days. - -We then add a filter on the _FileName_ to contain only instances of _powershell.exe_. - -Afterwards, we add a filter on the _ProcessCommandLine_. - -Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. - -You have the option of expanding the screen view so you can focus on your hunting query and related results. - -### Use operators -The query language is very powerful and has a lot of available operators, some of them are - - -- **where** - Filter a table to the subset of rows that satisfy a predicate. -- **summarize** - Produce a table that aggregates the content of the input table. -- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. -- **count** - Return the number of records in the input record set. -- **top** - Return the first N records sorted by the specified columns. -- **limit** - Return up to the specified number of rows. -- **project** - Select the columns to include, rename or drop, and insert new computed columns. -- **extend** - Create calculated columns and append them to the result set. -- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group -- **find** - Find rows that match a predicate across a set of tables. - -To see a live example of these operators, run them as part of the **Get started** section. 
- -## Access query language documentation - -For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). - -## Use exposed tables in Advanced hunting - -The following tables are exposed as part of Advanced hunting: - -- **AlertEvents** - Alerts on Microsoft Defender Security Center -- **MachineInfo** - Machine information, including OS information -- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains -- **ProcessCreationEvents** - Process creation and related events -- **NetworkCommunicationEvents** - Network connection and related events -- **FileCreationEvents** - File creation, modification, and other file system events -- **RegistryEvents** - Creation and modification of registry entries -- **LogonEvents** - Login and other authentication events -- **ImageLoadEvents** - DLL loading events -- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts - -These tables include data from the last 30 days. - -## Use shared queries -Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. - -![Image of shared queries](images/atp-shared-queries.png) - -You can save, edit, update, or delete queries. - -### Save a query -You can create or modify a query and save it as your own query or share it with users who are in the same tenant. - -1. Create or modify a query. - -2. Click the **Save query** drop-down button and select **Save as**. - -3. Enter a name for the query. - - ![Image of saving a query](images/advanced-hunting-save-query.png) - -4. Select the folder where you'd like to save the query. 
- - Shared queries - Allows other users in the tenant to access the query - - My query - Accessible only to the user who saved the query - -5. Click **Save**. - -### Update a query -These steps guide you on modifying and overwriting an existing query. - -1. Edit an existing query. - -2. Click the **Save**. - -### Delete a query -1. Right-click on a query you want to delete. - - ![Image of delete query](images/atp-delete-query.png) - -2. Select **Delete** and confirm that you want to delete the query. - -## Result set capabilities in Advanced hunting - -The result set has several capabilities to provide you with effective investigation, including: - -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center. -- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. - -![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) - -## Filter results in Advanced hunting -In Advanced hunting, you can use the advanced filter on the output result set of the query. -The filters provide an overview of the result set where -each column has it's own section and shows the distinct values that appear in the column and their prevalence. - -You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**. - -![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png) - -The filter selections will resolve as an additional query term and the results will be updated accordingly. 
- - - -## Public Advanced hunting query GitHub repository -Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. +>If you set network protection set to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only. +## Reporting and policy deployment latencies +Note the following latencies when blocking URLs or domains or when monitoring web activity: +- After you add a URL or domain to your custom indicator list, it takes approximately an hour before your machines receive the new setting and start blocking the website. +- While alerts are generated almost in real-time, the web threat protection reports can have a 12-hour delay from the time a block occurs and the time the block is reflected in the cards or the domain list. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) -## Related topic -- [Advanced hunting reference](advanced-hunting-reference.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) + +## Related topics +- [Monitor web security](web-threat-protection-monitoring.md) +- [Respond to web threats](web-threat-protection-response.md) +- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications) \ No newline at end of file
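Review bot: In the new web-threat-protection-monitoring.md, the "Types of web threats" list has a stray word in "Malicious — websites in that host malware and exploit code" (should read "websites that host malware and exploit code"), and the "View the domain list" section is missing two words: "Clicking on a specific web threat category" and "the list of machines with access attempts". The note wording "from the time a block occurs and the time the block is reflected" should be "between the time a block occurs and the time ...". In the "Related topics" list, the first entry links back to this same page (web-threat-protection-monitoring.md) and the last entry, `[Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)`, lacks the `.md` extension the other links use, so it will not resolve in the build. The free-trial link still carries `ocid=docs-wdatp-advancedhunting-abovefoldlink`, which was evidently copied from the advanced hunting page; consider a web-threat-protection-specific tracking id. Finally, add a trailing newline ("\ No newline at end of file").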
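Review bot: In web-threat-protection-overview.md, the rewritten note has a duplicated word: "If you set network protection set to **Audit only**" should be "If you set network protection to **Audit only**". The new "Reporting and policy deployment latencies" bullet has the same "from the time ... and the time" wording issue as the monitoring page (use "between ... and"), and it would help to keep the two pages consistent on the 12-hour figure ("up to 12 hours" on the monitoring page versus "can have a 12-hour delay" here). The updated "Related topics" list again omits `.md` from the end-user-notifications link, and the below-fold trial link keeps `ocid=docs-wdatp-advancedhunting-belowfoldlink`. The large block removed from this hunk (query operators, exposed tables, shared queries, result filtering) is advanced hunting material that did not belong on the web threat protection overview, so dropping it looks right; please confirm it is covered by the advanced-hunting pages the old "Related topic" list pointed at before merging. Also add a trailing newline here ("\ No newline at end of file").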