From 414a24535c238b6328d4e228c551252f5784257d Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:28:10 +0000 Subject: [PATCH 1/3] Updated configure-email-notifications-windows-defender-advanced-threat-protection.md --- ...cations-windows-defender-advanced-threat-protection.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index c182936b37..42cf9bf182 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -30,11 +30,13 @@ ms.date: 05/01/2018 You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] -> Only users with full access can configure email notifications. If you've chosen to use role-based access control (RBAC), users with Security Administrator or Global Administrator roles can configure email notifications. +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). -If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine group that they are a part of. +If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope. +Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups. The email notification includes basic information about the alert and a link to the portal where you can do further investigation. @@ -49,7 +51,7 @@ You can create rules that determine the machines and alert severities to send em 3. Specify the General information: - **Rule name** - - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - **Alert severity** - Choose the alert severity level 4. Click **Next**. From e83b00588cb6a9e30be5bab10bfe44b22fed1b59 Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:34:27 +0000 Subject: [PATCH 2/3] Updated rbac-windows-defender-advanced-threat-protection.md --- .../rbac-windows-defender-advanced-threat-protection.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index fdb452e1ad..7fc722d5a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Add role**. -3. Enter the role name, description, and active permissions you’d like to assign to the role. +3. Enter the role name, description, and permissions you’d like to assign to the role. - **Role name** - **Description** - - **Active permissions** + - **Permissions** - **View data** - Users can view information in the portal. - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. 4. Click **Next** to assign the role to an Azure AD group. @@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Edit**. -3. Modify the details or the groups that the role is a part of. +3. Modify the details or the groups that are assigned to the role. 4. Click **Save and close**. ## Delete roles -1. Select the role row you'd like to delete. +1. Select the role you'd like to delete. 2. Click the drop-down button and select **Delete role**. From feea9ac2224d3371aa1b99de67e57a0889f0212a Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:38:55 +0000 Subject: [PATCH 3/3] Updated machine-groups-windows-defender-advanced-threat-protection.md --- ...-groups-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 72b5a1ee22..4e2100d5a6 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -39,7 +39,7 @@ As part of the process of creating a machine group, you'll: - Rank the machine group relative to other groups after it is created >[!NOTE] ->All machine groups are accessible to all users if you don’t assign any Azure AD groups to them. +>A machine group is accessible to all users if you don’t assign any Azure AD groups to it. ## Add a machine group @@ -58,7 +58,7 @@ As part of the process of creating a machine group, you'll: >[!TIP] >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). -4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. +4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. 5. Assign the user groups that can access the machine group you created. @@ -72,11 +72,11 @@ As part of the process of creating a machine group, you'll: You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] ->Deleting a machine group may affect email notification rules. If a machine group that's part of an email notification rule is the only machine group in that rule, that email notification rule will be deleted along with the machine group. +>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. -Machines that are not matched to any groups are added to grouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. +Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. >[!NOTE] > - Applying changes to machine group configuration may take up to several minutes.