diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 79fce660b9..ba40f7eb71 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -13099,6 +13099,39 @@
"source_path": "windows/deployment/windows-10-auto-pilot.md",
"redirect_url": "/windows/deployment/windows-autopilot/windows-10-autopilot",
"redirect_document_id": true
-}
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+
+
+
]
}
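Review bot: the last object added (`+},` at the end of the new entries) is followed directly by the closing `]`, which leaves a trailing comma in the array; strict JSON parsers reject that, so end the final entry with `}` and no comma. The three empty `+` lines before `]` add nothing and can be dropped at the same time.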
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ade8803846..6270e63cb6 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 04/06/2018
+ms.date: 04/11/2018
---
# What's new in MDM enrollment and management
@@ -1170,6 +1170,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
KioskBrowser/BlockedUrlExceptions
KioskBrowser/BlockedUrls
KioskBrowser/DefaultURL
+KioskBrowser/EnableEndSessionButton
KioskBrowser/EnableHomeButton
KioskBrowser/EnableNavigationButtons
KioskBrowser/RestartOnIdleTime
@@ -1657,6 +1658,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Added the following new policies for Windows 10, version 1803:
- Bluetooth/AllowPromptedProximalConnections
+- KioskBrowser/EnableEndSessionButton
- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index cee3c040d7..f3472fae60 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1950,7 +1950,10 @@ The following diagram shows the Policy configuration service provider in tree fo
KioskBrowser/DefaultURL
-
- KioskBrowser/EnableHomeButton
+ KioskBrowser/EnableEndSessionButton
+
+ -
+ KioskBrowser/EnableHomeButton
-
KioskBrowser/EnableNavigationButtons
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 583d9b17cd..863f6e7bce 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 04/06/2018
+ms.date: 04/11/2018
---
# Policy CSP - KioskBrowser
@@ -32,6 +32,9 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
-
KioskBrowser/DefaultURL
+ -
+ KioskBrowser/EnableEndSessionButton
+
-
KioskBrowser/EnableHomeButton
@@ -76,7 +79,6 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
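Review bot: removing `> * User` changes these KioskBrowser policies from User plus Device scope to Device-only, which is a behaviour change for any existing MDM profile that targeted the user scope, not a cosmetic one. The `new-in-windows-mdm-enrollment-management.md` hunk in this patch only announces the new EnableEndSessionButton policy, so add a line there noting the scope change, and confirm against the 1803 CSP that Device is the only accepted scope before merging.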
@@ -123,7 +125,6 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
@@ -170,7 +171,6 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
@@ -187,6 +187,58 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
+
+**KioskBrowser/EnableEndSessionButton**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Enables kiosk browser's end session button. When the policy is enabled, the kiosk browser enables a button to reset the browser by navigating back to the default URL and clearing the browsing data (cache, cookies, etc). When the user clicks on the button, the app will prompt the user for confirmation to end the session.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**KioskBrowser/EnableHomeButton**
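Review bot: the description starting `+Enables kiosk browser's end session button.` lacks the `Added in Windows 10, version 1803.` prefix that every sibling policy description in this file carries (the hunk headers above show it, e.g. `Added in Windows 10, version 1803. Configures the default URL kiosk browsers to`), so add it for consistency. The text should also state the accepted values and the default, following the `enabled (1) or disabled (0). Default:` pattern visible in the TaskScheduler hunk of this patch; the description says the button clears cache and cookies, so an administrator of a shared kiosk needs to know whether it is on unless configured. Minor: `etc)` should read `etc.)`, and the long run of empty `+` lines before `**KioskBrowser/EnableHomeButton**` can be trimmed.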
@@ -217,7 +269,6 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
@@ -264,7 +315,6 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
@@ -311,7 +361,6 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
> * Device
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 7fee0be3b0..4ac73d9f96 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -65,7 +65,7 @@ ms.date: 03/12/2018
-Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.
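Review bot: flipping `Default: Enabled.` to `Default: Disabled.` is a correction of a stated platform fact, so the commit should say how the 1803 default was verified rather than leaving it as an unexplained wording change. The hunk header also shows this file still at `ms.date: 03/12/2018` while the other files in this patch bump their dates; bump it here too.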
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index d5c63e1673..f91ae2f8f5 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -23,24 +23,25 @@
#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
-### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
-##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune)
+##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Secure score dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Threat analytics dashboard](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
###Investigate and remediate threats
####Alerts queue
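Review bot: the Intune entry's anchor changes from `#configure-endpoints-using-microsoft-intune` to `#onboard-windows-10-machines-using-microsoft-intune`, but this patch does not touch `configure-endpoints-mdm-windows-defender-advanced-threat-protection.md`, so either that heading was already renamed or the new anchor will not resolve in the built TOC; please confirm. The same applies to the new `attack-simulations-windows-defender-advanced-threat-protection.md` target, which is not added in this patch. The three dashboard file renames are covered by the redirection entries added earlier in the patch, which is good. The untouched context lines `###Investigate and remediate threats` and `####Alerts queue` lack the space after the hashes that the linked entries use; worth fixing while in this file.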
@@ -53,6 +54,9 @@
##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+
+
+
####Machines list
##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
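Review bot: the three empty `+` lines inserted between `Investigate a user account` and `####Machines list` add nothing; remove them, or keep a single blank line if a visual separator between the groups is intended.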
@@ -84,6 +88,11 @@
####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
###API and SIEM support
#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
@@ -172,20 +181,38 @@
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
-#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
-#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
+### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+
+####General
+##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+
+####Permissions
+##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+####APIs
+##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+####Rules
+##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+####Machine management
+##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
-### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
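Review bot: `Enable preview experience` (preview-settings-windows-defender-advanced-threat-protection.md) is dropped from the TOC with no replacement entry and no redirect in the `.openpublishing.redirection.json` hunk of this patch; if the page is being retired it needs a redirect like the other six, and if it still exists it should remain reachable from the TOC. The new group headings `####General`, `####Permissions`, `####APIs`, `####Rules` and `####Machine management` omit the space after the hashes; use `#### General` and so on. `Manage automation allowed/blocked` reads truncated next to its file name `manage-automation-allowed-blocked-list-...`; `Manage automation allowed/blocked lists` would match. `Onboarding machines` under Machine management links the same target as `Onboard machines` earlier in the TOC; fine if intended, but use the same wording for both.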
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index 1ca9c16abd..459bdc15be 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: brianlic-msft
-ms.date: 02/13/2018
+ms.date: 04/17/2018
---
# Steps to Deploy Windows Defender Application Control
@@ -60,6 +60,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- rcsi.exe
- system.management.automation.dll
- windbg.exe
+- wmic.exe
[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
@@ -77,6 +78,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
|Lee Christensen|@tifkin_|
+|Vladas Bulavas | Kaspersky Lab |
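Review bot: the other rows of this table put a Twitter handle in the second column (`|Oddvar Moe |@Oddvarmoe|`, `|Lee Christensen|@tifkin_|`), while the new row puts an affiliation there (`|Vladas Bulavas | Kaspersky Lab |`); either use a handle or add a column for affiliation so the table stays consistent.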
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 64d10e48a1..19ec7eb974 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -52,7 +52,7 @@ Read the following blogposts for detailed protection stories involving cloud-pro
## Get cloud-delivered protection
-Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 3a8432cbaf..541ca154a0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -22,7 +22,7 @@ ms.date: 04/17/2018
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
-This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
+This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index fee57495f2..8b0591b338 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Turn on advanced features in Windows Defender ATP
+title: Configure advanced features in Windows Defender ATP
description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
-keywords: advanced features, preferences setup, block file
+keywords: advanced features, settings, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
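Review bot: the title becomes `Configure advanced features in Windows Defender ATP`, but the `description:` line directly below still reads `Turn on advanced features such as block file`; align it with the new title and the H1 change later in this patch.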
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Turn on advanced features in Windows Defender ATP
+# Configure advanced features in Windows Defender ATP
**Applies to:**
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@@ -31,6 +31,9 @@ Depending on the Microsoft security products that you use, some advanced feature
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
+## Automated investigation
+When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md).
+
## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
@@ -47,22 +50,50 @@ For more information, see [Investigate a user account](investigate-user-windows-
## Skype for Business integration
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
+## Azure Advanced Threat Protection integration
+The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
+
+
+>[!NOTE]
+>You'll need to have the appropriate license to enable this feature.
+
+### Enable the Windows Defender ATP integration from the Azure ATP portal
+To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
+
+1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
+
+2. Click **Create a workspace** or use your primary workspace.
+
+3. Toggle the Integration setting to **On** and click **Save**.
+
+When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
+
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+>[!NOTE]
+>You'll need to have the appropriate license to enable this feature.
+
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+## Microsoft Intune connection
+This feature is only available if you have an active Microsoft Intune (Intune) license.
+
+When you enable this feature, you'll be able to share Windows Defender ATP device information to Intune and enhance policy enforcement.
+
+>[!NOTE]
+>You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.
+
+
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
-- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+- [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
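Review bot: `from an identify point of view` should be `from an identity point of view`. In step 1, `Login to the [Azure portal](https://portal.atp.azure.com/)` should read `Log in to the Azure ATP portal`, since the link goes to portal.atp.azure.com and the heading above it says Azure ATP portal, not the general Azure portal. The procedure under `## Enable advanced features` still says `select **Preferences setup** > **Advanced features**`, while this patch changes the keyword from `preferences setup` to `settings` and retitles the TOC entry `Configure Windows Defender ATP Settings`; update the step to the new navigation label. The Intune section states the integration must be enabled on both sides but, unlike the Azure ATP and Office 365 sections, gives no pointer to where that is done on the Intune side; add one. The two identical `[!NOTE]` blocks about needing the appropriate license could be folded into a single statement.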
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..49284ab1d1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,96 @@
+---
+title: Advanced hunting best practices in Windows Defender ATP
+description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
+keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Advanced hunting query best practices Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
+
+## Performance best practices
+The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
+- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
+- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
+- Use 'has' keyword over 'contains' when looking for full tokens.
+- Use looking in specific column rather than using full text search across all columns.
+- When joining between two tables - choose the table with less rows to be the first one (left-most).
+- When joining between two tables - project only needed columns from both sides of the join.
+
+## Query tips and pitfalls
+
+### Unique Process IDs
+Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
+To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
+
+
+So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
+
+The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
+
+Example query:
+```
+NetworkCommunicationEvents
+| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
+| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
+| where RemoteIPCount > 10
+```
+
+The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
+
+### Using command line queries
+
+Command lines may vary - when applicable, filter on file names and do fuzzy matching.
+
+There are numerous ways to construct a command line to accomplish a task.
+
+For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
+
+To create more durable queries using command lines, we recommended the following guidelines:
+- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
+- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
+- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
+- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
+
+The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
+
+```
+// Non-durable query - do not use
+ProcessCreationEvents
+| where ProcessCommandLine == "net stop MpsSvc"
+| limit 10
+
+// Better query - filters on filename, does case-insensitive matches
+ProcessCreationEvents
+| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
+
+// Best query also ignores quotes
+ProcessCreationEvents
+| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
+| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
+| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
+```
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
+
+
+
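Review bot: the sentence "To address this issue, Windows Defender ATP created the time process." in the Unique Process IDs section is garbled; the sentence that follows it makes the intent clear, so suggest "To address this issue, Windows Defender ATP uses the process creation time together with the process ID as the unique identifier." Three smaller points in the same hunk: "Use looking in specific column rather than using full text search" should read "Look in a specific column rather than using full-text search"; the two code fences carry no language tag, so consider ```kusto so the queries are highlighted; and the "Azure Kusto" link target `/connectors/kusto/` is the connector page, whereas the point being made (time filters are optimized) belongs to the query language reference, so that would be the better link target. The "Best query" example is correct as written (Kusto `replace(regex, rewrite, text)` with `"\""` as the pattern strips the quotes), but the paragraph above it also recommends replacing commas and collapsing spaces, so a one-line comment noting that the example handles quotes only would set expectations.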
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..db6c9b6f35
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,107 @@
+---
+title: Advanced hunting reference in Windows Defender ATP
+description: Learn about Advanced hunting table reference such as column name, data type, and description
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Advanced hunting reference in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+
+## Advanced hunting table reference
+When you run a query using Advanced hunting, a table with columns is returned as a result.
+
+Use the following table to understand what the columns represent, its data type, and their description.
+
+| Column name | Data type | Description
+:---|:--- |:---
+| AccountDomain | string | Domain of the account. |
+| AccountName | string | User name of the account. |
+| AccountSid | string | Security Identifier (SID) of the account. |
+| ActionType | string | Type of activity that triggered the event. |
+| AdditionalFields | string | Additional information about the event in JSON array format. |
+| AlertId | string | Unique identifier for the alert. |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
+| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
+| EventTime | datetime | Date and time when the event was recorded. |
+| EventType | string | Table where the record is stored. |
+| FileName | string | Name of the file that the recorded action was applied to. |
+| FileOriginIp | string | IP address where the file was downloaded from. |
+| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
+| FileOriginUrl | string | URL where the file was downloaded from. |
+| FolderPath | string | Folder containing the file that the recorded action was applied to. |
+| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
+| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
+| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
+| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
+| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
+| InitiatingProcessFileName | string | Name of the process that initiated the event. |
+| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
+| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
+| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
+| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
+| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
+| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
+| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
+| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
+| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. |
+| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
+| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
+| LocalIP | string | IP address assigned to the local machine used during communication. |
+| LocalPort | int | TCP port on the local machine used during communication. |
+| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
+| LogonType | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the machine using the local keyboard and screen. - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients.
- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed.
- **Batch** - Session initiated by scheduled tasks.
- **Service** - Session initiated by services as they start.
+| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
+| MachineId | string | Unique identifier for the machine in the service. |
+| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
+| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
+| OSArchitecture | string | Architecture of the operating system running on the machine. |
+| OSBuild | string | Build version of the operating system running on the machine. |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
+| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
+| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
+| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
+| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
+| ProcessCommandline | string | Command line used to create the new process. |
+| ProcessCreationTime | datetime | Date and time the process was created. |
+| ProcessId | int | Process ID (PID) of the newly created process. |
+| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
+| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
+| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
+| RegistryKey | string | Registry key that the recorded action was applied to. |
+| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
+| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
+| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
+| RemoteIP | string | IP address that was being connected to. |
+| RemotePort | int | TCP port on the remote device that was being connected to. |
+| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
+| ReportIndex | long | Event identifier that is unique among the same event type. |
+| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
+| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
+
+## Related topic
+- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
+- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
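Review bot: the `LogonType` row puts a multi-line bullet list (`- **Interactive** ...` through `- **Service** ...`) inside a markdown table cell, which ends the table at that row; collapse the list into the single row, separating the entries with `<br>`, so the rows from `MachineGroup` onward stay in the table. Also in this hunk: `ProcessCommandline` (lower-case l) does not match the `ProcessCommandLine` column name used in the best-practices queries, so one of them will not resolve as written; "User Access Control (UAC)" in the two TokenElevation rows should be "User Account Control (UAC)"; "launched from an internet downloaded" in the `ProcessIntegrityLevel` row should read "internet download" as it does in the `InitiatingProcessIntegrityLevel` row; the header row and the final `SHA256` row lack the closing `|`; and the related-topic link `/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md` is root-absolute, unlike the relative sibling link above it, and will not resolve within this folder.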
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f523b1c8d1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,164 @@
+---
+title: Query data using Advanced hunting in Windows Defender ATP
+description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data.
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Query data using Advanced hunting in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+Advanced hunting allows you to proactively hunt for possible threats across your organization using a powerful search and query tool. Take advantage of the following capabilities:
+
+- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
+- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
+- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
+- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
+
+To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+
+
+
+## Use advanced hunting to query data
+
+A typical query starts with a table name followed by a series of operators separated by **|**.
+
+In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
+
+
+
+First, we define a time filter to review only records from the previous seven days.
+
+We then add a filter on the _FileName_ to contain only instances of _powershell.exe_.
+
+Afterwards, we add a filter on the _ProcessCommandLine_
+Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
+
+### Use operators
+The query language is very powerful and has a lot of available operators, some of them are -
+
+- **where** - Filter a table to the subset of rows that satisfy a predicate.
+- **summarize** - Produce a table that aggregates the content of the input table.
+- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
+- **count** - Return the number of records in the input record set.
+- **top** - Return the first N records sorted by the specified columns.
+- **limit** - Return up to the specified number of rows.
+- **project** - Select the columns to include, rename or drop, and insert new computed columns.
+- **extend** - Create calculated columns and append them to the result set.
+- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
+- **find** - Find rows that match a predicate across a set of tables.
+
+To see a live example of these operators, run them as part of the **Get started** section.
+
+## Access query language documentation
+
+For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
+
+## Use exposed tables in Advanced hunting
+
+The following tables are exposed as part of Advanced hunting:
+
+- **AlertEvents** - Stores alerts related information
+- **MachineInfo** - Stores machines properties
+- **ProcessCreationEvents** - Stores process creation events
+- **NetworkCommunicationEvents** - Stores network communication events
+- **FileCreationEvents** - Stores file creation, modification, and rename events
+- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
+- **LogonEvents** - Stores login events
+- **ImageLoadEvents** - Stores load dll events
+- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others.
+
+These tables include data from the last 30 days.
+
+## Use shared queries
+Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
+
+
+
+You can save, edit, update, or delete queries.
+
+### Save a query
+You can create or modify a query and save it as your own query or share it with users who are in the same tenant.
+
+1. Create or modify a query.
+
+2. Click the **Save query** drop-down button and select **Save as**.
+
+3. Enter a name for the query.
+
+ 
+
+4. Select the folder where you'd like to save the query.
+ - Shared queries - Allows other users in the tenant to access the query
+ - My query - Accessible only to the user who saved the query
+
+5. Click **Save**.
+
+### Update a query
+These steps guide you on modifying and overwriting an existing query.
+
+1. Edit an existing query.
+
+2. Click the **Save**.
+
+### Delete a query
+1. Right-click on a query you want to delete.
+
+ 
+
+2. Select **Delete** and confirm that you want to delete the query.
+
+## Result set capabilities in Advanced hunting
+
+The result set has several capabilities to provide you with effective investigation, including:
+
+- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
+- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
+
+
+
+## Filter results in Advanced hunting
+In Advanced hunting, you can use the advanced filter on the output result set of the query.
+The filters provide an overview of the result set where
+each column has it's own section and shows the distinct values that appear in the column and their prevalence.
+
+You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
+
+
+
+The filter selections will resolve as an additional query term and the results will be updated accordingly.
+
+
+
+## Public Advanced Hunting query GitHub repository
+Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+
+## Related topic
+- [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+
+
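Review bot: the walkthrough under "Use advanced hunting to query data" describes a query step by step (seven-day time filter, `FileName` filter for powershell.exe, a `ProcessCommandLine` filter, `project`, limit 100) but the query text itself never appears in the file; if it only exists as a screenshot, add it as a fenced code block so readers can copy and adapt it. The step "Afterwards, we add a filter on the _ProcessCommandLine_" is cut off with no predicate and no period, so either state what the filter matches or merge it with the next sentence. Minor wording in the same hunk: "some of them are -" reads better as "including:"; "Click the **Save**." should be "Click **Save**."; "each column has it's own section" should be "its own section"; and the related-topic link `/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md` is root-absolute, unlike the relative link beside it.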
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 489d6db5d4..26eef896ca 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/12/2018
+ms.date: 04/17/2018
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
@@ -23,11 +23,11 @@ ms.date: 03/12/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
-The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
+The **Alerts queue** shows a list of alerts that were flagged from machines in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
@@ -35,14 +35,13 @@ Alerts are organized in queues by their workflow status or assignment:
- **In progress**
- **Resolved**
- **Assigned to me**
-- **Suppression rules**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
> By default, alerts in the queues are sorted from newest to oldest.
-
+
## Sort, filter, and group the alerts list
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
@@ -64,12 +63,11 @@ You can sort and filter the alerts using the available filters or clicking on a
Alert severity | Description
:---|:---
-High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational (Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
-Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes.
@@ -92,7 +90,8 @@ So, for example:
- Others
>[!NOTE]
->The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product.
+>The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
+
### View
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
@@ -100,6 +99,22 @@ So, for example:
The grouped view allows for efficient alert triage and management.
+## Alert queue columns
+You can click on the first column to open up the **Alert management pane**. You can also select view the machine and user panes by selecting the icons beside the links.
+
+Alerts are listed with the following columns:
+
+- **Title** - Displays a brief description of the alert and its category.
+- **Machine and user** - Displays the machine name and user associated with the alert. You view the machine or user details pane or pivot the actual details page.
+- **Severity** - Displays the severity of the alert. Possible values are informational, low, medium, or high.
+- **Last activity** - Date and time for when the last action was taken on the alert.
+- **Time in queue** - Length of time the alert has been in the alerts queue.
+- **Detection source** - Displays the detection source of the alert.
+- **Status** - Current status of the alert. Possible values include new, in progress, or resolved.
+- **Investigation state** - Reflects the number of related investigations and it's current state.
+- **Assigned to** - Displays who is addressing the alert.
+- **Manage icon** - You can click on the icon to bring up the alert management pane where you can manage and see details about the alert.
+
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
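Review bot: the new "Alert queue columns" section has three grammatical slips that should be fixed before merge: "You can also select view the machine and user panes by selecting the icons beside the links" reads as "You can also view the machine and user panes by selecting the icons beside the links"; in the **Machine and user** bullet, "You view the machine or user details pane or pivot the actual details page" should be "You can view the machine or user details pane or pivot to the details page"; and in the **Investigation state** bullet, "it's current state" should be "its current state".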
@@ -134,14 +149,11 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together

## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
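Review bot: the last added line of this hunk is a blank `+` line after the related-topics list, which introduces a whitespace-only change at the end of the file; drop it unless the file needs a trailing newline. Please also confirm that removing the "Take response actions in Windows Defender ATP" and "View and organize the Windows Defender ATP Machines list" links is intentional, since the hunk otherwise only reorders the list and swaps in the "Investigate machines" entry.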
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index ac64b927c8..4b947eec35 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Assign user access to the Windows Defender ATP portal
@@ -24,18 +24,33 @@ ms.date: 10/16/2017
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
+Windows Defender ATP supports two ways to manage permissions:
-## Assign user access using Azure PowerShell
+- **Basic permissions management**: Set permissions to either full access or read-only.
+- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+> [!NOTE]
+>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
+
+>- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
+>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
+>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
+
+## Use basic permissions management
+Refer to the instructions below to use basic permissions management. You can use either Azure PowerShell or the Azure Portal.
+
+For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+### Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
-- Read only access
+- Read-only access
-### Before you begin
+#### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE]
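Review bot: the new `> [!NOTE]` block in the permissions section is broken by an unprefixed blank line: the added empty line after `>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:` ends the blockquote, so the three `>- Users ...` bullets that follow render as a second, separate quote rather than as part of the note. Prefix that blank line with `>` so the list stays inside the note callout.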
@@ -43,8 +58,6 @@ You can assign users with one of the following levels of permissions:
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
-
-
**Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
@@ -67,7 +80,7 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
-## Assign user access using the Azure portal
+### Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
@@ -86,4 +99,8 @@ For more information see, [Manage Azure AD group and role membership](https://te

+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
+
+## Related topic
+- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..b0954a8441
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,63 @@
+---
+title: Experience Windows Defender ATP through simulated attacks
+description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches.
+keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: high
+ms.date: 28/02/2018
+---
+
+# Experience Windows Defender ATP through simulated attacks
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+
+You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
+
+## Before you begin
+
+To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md).
+
+Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
+
+## Run a simulation
+
+1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
+
+ - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
+
+ - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
+
+ - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
+
+2. Download and read the corresponding walkthrough document provided with your selected scenario.
+
+3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test machine but it's not mandatory.
+
+4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
+
+>[!NOTE]
+>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
+
+
+## Related topics
+- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
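Review bot: `ms.date: 28/02/2018` in the new file's front matter is day-first, while every other file touched by this change uses month-first (`ms.date: 04/17/2018`); a month value of 28 will be rejected or misread by the metadata pipeline, so change it to `02/28/2018` (or to the 04/17/2018 date the rest of this change uses). The file also ends without a trailing newline.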
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..6046993dba
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,266 @@
+---
+title: Use Automated investigations to investigate and remediate threats
+description: View the list of automated investigations, its status, detection source and other details.
+keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Use Automated investigations to investigate and remediate threats
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+
+The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
+
+
+To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
+
+The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.
+
+## Understand the Automated investigation flow
+### How the Automated investigation starts
+Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) an Automated investigation starts.
+
+The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
+
+### Details of an Automated investigation
+As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Threats**, **Entities**, and **Log** tabs.
+
+In the **Alerts** tab, you'll see the alert that started the investigation.
+
+The **Machines** tab shows where the alert was seen.
+
+The **Threats** tab shows the entities that were found to be malicious during the investigation.
+
+During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.
+
+The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
+
+If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions.
+
+### How an Automated investigation expands its scope
+
+While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
+
+If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+
+### How threats are remediated
+Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
+
+The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.
+
+When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
+
+### How an Automated investigation is completed
+When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it.
+
+
+## Manage Automated investigations
+By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
+
+>[!NOTE]
+>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
+
+Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
+
+From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
+
+
+
+
+**Filters**
+You can use the following operations to customize the list of Automated investigations displayed:
+
+
+**Triggering alert**
+The alert the initiated the Automated investigation.
+
+**Status**
+An Automated investigation can be in one of the following status:
+
+Status | Description
+:---|:---
+| No threats found | No malicious entities found during the investigation.
+| Failed | A problem has interrupted the investigation, preventing it from completing. |
+| Partially remediated | A problem prevented the remediation of some malicious entities. |
+| Action required | Remediation actions require review and approval. |
+| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
+| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
+| Running | Investigation ongoing. Malicious entities found will be remediated. |
+| Remediated | Malicious entities found were successfully remediated. |
+| Terminated by system | Investigation was stopped due to . |
+| Terminated by user | A user stopped the investigation before it could complete. |
+| Not applicable | Automated investigations do not apply to this alert type. |
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. |
+| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. |
+| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. |
+| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. |
+
+
+**Detection source**
+Source of the alert that initiated the Automated investigation.
+
+**Threat**
+The category of threat detected during the Automated investigation.
+
+
+**Tags**
+Filter using manually added tags that capture the context of an Automated investigation.
+
+**Machines**
+You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
+
+**Machine groups**
+Apply this filter to see specific machine groups that you might have created.
+
+**Comments**
+Select between filtering the list between Automated investigations that have comments and those that don't.
+
+## Analyze Automated investigations
+You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+
+In this view, you'll see the name of the investigation, when it started and ended.
+
+
+
+The progress ring shows two status indicators:
+- Orange ring - shows the pending portion of the investigation
+- Green ring - shows the running time portion of the investigation
+
+
+
+In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
+
+The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
+
+From this view, you can also view and add comments and tags about the investigation.
+
+### Investigation page
+The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
+
+You'll also have access to the following sections that help you see details of the investigation with finer granularity:
+
+- Investigation graph
+- Alerts
+- Machines
+- Threats
+- Entities
+- Log
+- Pending actions
+
+ >[!NOTE]
+ >The Pending actions tab is only displayed if there are actual pending actions.
+
+- Pending actions history
+
+ >[!NOTE]
+ >The Pending actions history tab is only displayed when an investigation is complete.
+
+In any of the sections, you can customize columns to further expand to limit the details you see in a section.
+
+### Investigation graph
+The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+
+### Alerts
+Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
+
+Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing.
+
+Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history.
+
+Clicking on an alert title brings you the alert page.
+
+### Machines
+Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
+
+Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+
+Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
+
+Clicking on an machine name brings you the machine page.
+
+### Threats
+Shows details related to threats associated with this investigation.
+
+### Entities
+Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
+
+### Log
+Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
+
+As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
+
+Available filters include action type, action, status, machine name, and description.
+
+You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
+
+### Pending actions history
+This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
+
+
+## Pending actions
+If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
+
+
+
+When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
+
+
+The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
+
+
+
+Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
+
+From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+
+Pending actions are grouped together in the following tabs:
+- Quarantine file
+- Remove persistence
+- Stop process
+- Expand pivot
+- Quarantine service
+
+>[!NOTE]
+>The tab will only appear if there are pending actions for that category.
+
+### Approve or reject an action
+You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
+
+
+
+
+Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
+
+
+
+From the panel, you can click on the Open investigation page link to see the investigation details.
+
+You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
+
+
+
+## Related topic
+- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+
+
+
+
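Review bot: the status table has an unfinished row, `| Terminated by system | Investigation was stopped due to . |`, which never states the reason; fill in the cause or drop the row until it is known, since a reader cannot act on it as written. In the same table, `| No threats found | ...` lacks the closing `|` the other rows have, and `Not applicable` and `Automated investigation not applicable to alert type` describe the same condition with near-identical text, so one should be removed or the difference explained. Wording slips in the added prose: `automaticlly` under "How threats are remediated"; `The alerts start by analyzing` should be `The investigation starts by analyzing`; `Shows details the machine name` (Machines section) is missing `such as`; `Clicking on an machine name`; and `The table details such as the number of entities` (Entities section) is an incomplete sentence.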
diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index a18a381387..6a933ada64 100644
--- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Check sensor health state in Windows Defender ATP
@@ -27,7 +27,7 @@ ms.date: 10/16/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.

diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
index 17cd076296..f56d8e3bae 100644
--- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/30/2017
+ms.date: 04/17/2018
---
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index c9a8873e08..668943dd4d 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -34,7 +34,7 @@ Configuring the HP ArcSight Connector tool requires several configuration files
This section guides you in getting the necessary information to set and use the required configuration files correctly.
-- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2.0 Token refresh URL
@@ -105,7 +105,7 @@ The following steps assume that you have completed all the required steps in [Be
Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded. |
Refresh Token |
- You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool.
For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). **Get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the **Refresh Token** field.
+ | You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.
For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). **Get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the **Refresh Token** field.
|
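Review bot: the Refresh Token cell is now internally inconsistent: the added line says the token can be generated from the **SIEM settings** page, but the sentence that immediately follows still reads `For more information on generating a refresh token from the **Preferences setup**`; update that to **SIEM settings** so the whole cell agrees with the **Settings** rename made in the earlier hunk of this file. Also, step `c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.` asks for credentials twice; consider collapsing it into one instruction.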
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 9f0f626310..6559e3e082 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure email notifications in Windows Defender ATP
+title: Configure alert notifications in Windows Defender ATP
description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions.
keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Configure email notifications in Windows Defender ATP
+# Configure alert notifications in Windows Defender ATP
**Applies to:**
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
@@ -38,29 +38,44 @@ You can also add or remove recipients of the email notification. New recipients
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
-## Set up email notifications for alerts
-The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
+## Create rules for alert notifications
+You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients.
-1. On the navigation pane, select **Preferences setup** > **Email Notifications**.
-2. Toggle the setting between **On** and **Off**.
-3. Select the alert severity level that you’d like your recipients to receive:
- - **High** – Select this level to send notifications for high-severity alerts.
- - **Medium** – Select this level to send notifications for medium-severity alerts.
- - **Low** - Select this level to send notifications for low-severity alerts.
- - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
-4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
-5. Click **Save preferences** when you’ve completed adding all the recipients.
-Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
+1. In the navigation pane, select **Settings** > **General** > **Alert notifications**.
+
+2. Click **Add notification rule**.
+
+3. Specify the General information:
+ - **Rule name**
+ - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
+ - **Alert severity** - Choose the alert severity level
+
+4. Click **Next**.
+
+5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses.
+
+6. Check that email recipients are able to receive the email notifications by selecting **Send test email**.
+
+7. Click **Save notification rule**.
Here's an example email notification:

-## Remove email recipients
+## Edit a notification rule
+1. Select the notification rule you'd like to edit.
-1. Select the trash bin icon beside the email address you’d like to remove.
-2. Click **Save preferences**.
+2. Update the General and Recipient tab information.
+
+3. CLick **Save notification rule**.
+
+
+## Delete notification rule
+
+1. Select the notification rule you'd like to delete.
+
+2. Click **Delete**.
## Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts.
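Review bot: Typo in step 3 of the new "Edit a notification rule" section: `CLick **Save notification rule**.` should read `Click **Save notification rule**.`. Two smaller points in the same hunk: step 3 of the create procedure says "on selected machine group" and needs an article ("on a selected machine group"), and the new headings are inconsistent with each other ("Edit a notification rule" vs. "Delete notification rule"); the two blank lines before `## Delete notification rule` can also be trimmed to one to match the rest of the file.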
@@ -74,9 +89,7 @@ This section lists various issues that you may encounter when using email notifi
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
## Related topics
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
-- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
+- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
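Review bot: The file still ends without a trailing newline (`\ No newline at end of file` on both the old and new side). Since the related-topics list is being rewritten here anyway, add the newline so the next change to this file produces a clean diff.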
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 05863a21ee..20a25e6d96 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP endpoints using Group Policy
-description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service.
-keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy
+title: Onboard Windows 10 machines using Group Policy to Windows Defender ATP
+description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
+keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, group policy
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/06/2017
+ms.date: 04/17/2018
---
-# Configure endpoints using Group Policy
+# Onboard Windows 10 machines using Group Policy
**Applies to:**
@@ -25,7 +25,7 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
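Review bot: The `[!include[Prerelease information](prerelease.md)]` line replaces the blank line that followed the **Applies to** list, so it now sits directly under `- Windows Defender Advanced Threat Protection (Windows Defender ATP)`; make sure a blank line separates the include from the list item, otherwise markdown may treat it as a lazy continuation of that bullet.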
@@ -33,14 +33,18 @@ ms.date: 11/06/2017
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
-## Onboard endpoints
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+## Onboard machines using Group Policy
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ b. Select Windows 10 as the operating system.
+
+ c. In the **Deployment method** field, select **Group policy**.
+
+ d. Click **Download package** and save the .zip file.
- b. Select **Group Policy**, click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
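Review bot: Step 2 now reads "a shared, read-only location that can be accessed by the machine" (singular), but the removed line said "endpoints" and a GPO targets many machines; the rename should give "machines" here. The new sub-steps a to d otherwise read well and match the portal path used in the other onboarding pages in this PR.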
@@ -57,10 +61,10 @@ ms.date: 11/06/2017
9. Click **OK** and close any open GPMC windows.
>[!TIP]
-> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
-For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
@@ -80,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
5. Click **Windows components** and then **Windows Defender ATP**.
-6. Choose to enable or disable sample sharing from your endpoints.
+6. Choose to enable or disable sample sharing from your machines.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
@@ -93,7 +97,7 @@ In cases where high-value assets or machines are at high risk, you can configure
> [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
-For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
+For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry:
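Review bot: "determines how frequent a machine reports sensor data" should be "how frequently"; the error is pre-existing, but since this line is being rewritten for the endpoint-to-machine rename it is a good moment to fix it.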
@@ -105,26 +109,28 @@ Value: Normal or Expedite
Where:
Key type is a string.
Possible values are:
-- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
-- Expedite - sets reporting frequency from the endpoint to Expedite mode
+- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
+- Expedite - sets reporting frequency from the machine to Expedite mode
The default value in case the registry key doesn’t exist is Normal.
-### Offboard endpoints
-For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+## Offboard machines using Group Policy
+For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
- b. Click the **Endpoint offboarding** section.
+ b. Select Windows 10 as the operating system.
+
+ c. In the **Deployment method** field, select **Group policy**.
- c. Select **Group Policy**, click **Download package** and save the .zip file.
+ d. Click **Download package** and save the .zip file.
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
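Review bot: In the new section intro, "the package used to Offboard machines" capitalizes "Offboard" mid-sentence (the removed line had lowercase "offboard"), and "the packages expiry date" needs the possessive "package's". Step 2 has the same singular "accessed by the machine" wording as the onboarding steps and should say "machines". Promoting the heading from `###` to `##` is right, since offboarding is a top-level task alongside onboarding.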
@@ -144,22 +150,22 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
-## Monitor endpoint configuration
-With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
+## Monitor machine configuration
+With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
-## Monitor endpoints using the portal
+## Monitor machines using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines list**.
-3. Verify that endpoints are appearing.
+3. Verify that machines are appearing.
> [!NOTE]
-> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
-- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machines](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
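Review bot: Two leftovers from the rename in this hunk: the note still ends with "the time it takes for the endpoint to start reporting" (should be "machine", like the rest of the sentence), and the related-topics link text "Run a detection test on a newly onboarded Windows Defender ATP machines" mixes "a" with a plural; the MDM page's version of the same link uses the singular "machine", so align this one with it.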
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 0ced4ceb82..fc37a29fbc 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure endpoints using Mobile Device Management tools
-description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
-keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
+title: Onboard Windows 10 machines using Mobile Device Management tools
+description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service.
+keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/06/2017
+ms.date: 04/17/2018
---
-# Configure endpoints using Mobile Device Management tools
+# Onboard Windows 10 machines using Mobile Device Management tools
**Applies to:**
@@ -23,11 +23,9 @@ ms.date: 11/06/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
-You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
+You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@@ -36,20 +34,21 @@ If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwi
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
-## Configure endpoints using Microsoft Intune
+## Onboard machines using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
-
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+ b. Select Windows 10 as the operating system.
- 
+ c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+
+ d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
@@ -103,16 +102,17 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre

-
-### Onboard and monitor endpoints using the classic Intune console
+### Onboard and monitor machines using the classic Intune console
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+ b. Select Windows 10 as the operating system.
- 
+ c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+
+ d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
@@ -155,9 +155,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre

-When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**.
+When the policy is deployed and is propagated, machines will be shown in the **Machines list**.
-You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
+You can use the following onboarding policies to deploy configuration settings on machines. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
@@ -179,31 +179,29 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
>[!TIP]
-> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
-
-
-
-### Offboard and monitor endpoints
-
-For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+## Offboard and monitor machines using Mobile Device Management tools
+For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
- b. Click the **Endpoint offboarding** section.
+ b. Select Windows 10 as the operating system.
- c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+ c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
+
+ d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
-Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
+Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
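Review bot: Same two wording issues as the GP page's offboarding intro: "the package used to Offboard machines" capitalizes "Offboard" mid-sentence, and "the packages expiry date" should be "package's expiry date". Keeping the text identical across the GP and MDM pages is fine, but fix it in both places.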
@@ -221,9 +219,9 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
-- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index f98fcf98cf..60fdf52cf6 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure non-Windows endpoints in Windows Defender ATP
-description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service.
-keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+title: Onboard non-Windows machines to the Windows Defender ATP service
+description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service.
+keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
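Review bot: The description line still carries the typo "non-Winodws machines"; since this line is rewritten in the hunk anyway, correct it to "non-Windows".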
@@ -9,10 +9,10 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 12/12/2017
+ms.date: 04/17/2018
---
-# Configure non-Windows endpoints
+# Onboard non-Windows machines
**Applies to:**
@@ -28,20 +28,21 @@ Windows Defender ATP provides a centralized security operations experience for W
You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
-## Onboard non-Windows endpoints
-You'll need to take the following steps to oboard non-Windows endpoints:
+You'll need to take the following steps to onboard non-Windows machines:
1. Turn on third-party integration
2. Run a detection test
### Turn on third-party integration
-1. In Windows Defender Security Center portal, select **Endpoint management** > **Clients** > **Non-Windows**. Make sure the third-party solution is listed.
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed.
-2. Toggle the third-party provider switch button to turn on the third-party solution integration.
+2. Select Mac and Linux as the operating system.
-3. Click **Generate access token** button and then **Copy**.
+3. Turn on the third-party solution integration.
-4. You’ll need to copy and paste the token to the third-party solution you’re using. The implementation may vary depending on the solution.
+4. Click **Generate access token** button and then **Copy**.
+
+5. You’ll need to copy and paste the token to the third-party solution you’re using. The implementation may vary depending on the solution.
>[!WARNING]
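Review bot: This hunk removes the `## Onboard non-Windows endpoints` heading without adding a replacement, while the offboarding section further down becomes `## Offboard non-Windows machines`; as a result `### Turn on third-party integration` and the detection-test subsection now hang under the previous H2. Add `## Onboard non-Windows machines` above "You'll need to take the following steps to onboard non-Windows machines:" to keep the structure parallel.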
@@ -52,21 +53,21 @@ Create an EICAR test file by saving the string displayed on the portal in an emp
The file should trigger a detection and a corresponding alert on Windows Defender ATP.
-### Offboard non-Windows endpoints
-To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
+## Offboard non-Windows machines
+To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
1. Follow the third-party documentation to opt-out on the third-party service side.
-2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**.
+2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-3. Toggle the third-party provider switch button to turn stop diagnostic data from endpoints.
+3. Turn off the third-party solution integration.
>[!WARNING]
->If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints.
+>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines.
## Related topics
-- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
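Review bot: Step 2 of the offboarding procedure now navigates to **Settings** > **Machine management** > **Onboarding** under a heading that says "Offboard non-Windows machines". If the integration toggle really lives on the Onboarding page (as the turn-on steps suggest), say so explicitly ("on the same Onboarding page"); otherwise the path is wrong. The file also still ends without a trailing newline.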
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index de4aa4ddca..1da2299153 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure endpoints using System Center Configuration Manager
-description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
-keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
+title: Onboard Windows 10 machines using System Center Configuration Manager
+description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
+keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/06/2017
+ms.date: 04/17/2018
---
-# Configure endpoints using System Center Configuration Manager
+# Onboard Windows 10 machines using System Center Configuration Manager
**Applies to:**
@@ -24,33 +24,38 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
-## Configure endpoints using System Center Configuration Manager (current branch) version 1606
-System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
+## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
+System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on machines. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE]
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
-## Configure endpoints using System Center Configuration Manager earlier versions
-You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
+## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
+You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch), version 1511
- System Center Configuration Manager (current branch), version 1602
-### Onboard endpoints
+### Onboard machines using System Center Configuration Manager
+
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+ b. Select Windows 10 as the operating system.
- b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+ c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
+
+ d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
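Review bot: the blank line that separated the "Applies to" list from the following content is replaced by `[!include[Prerelease information](prerelease.md)]`; confirm an empty line still sits between the last bullet and the include, otherwise the include is parsed as a continuation of that list item. In the same hunk, "System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support" carries a stray comma after "1606" and should read "UI-integrated support".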
@@ -62,12 +67,12 @@ You can use existing System Center Configuration Manager functionality to create
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP]
-> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
-For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
-You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
+You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
The configuration is set through the following registry key entry:
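Review bot: the rewritten TIP says "verify that an machine is properly onboarded"; the word-for-word replacement of "endpoint" left the article wrong, so it should read "a machine". The surrounding lines carry two pre-existing typos that are cheap to fix in the same pass: "a compliance rule for configuration item" needs "a" before "configuration item", and "to make sure they're complaint" should be "compliant".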
@@ -80,8 +85,8 @@ Value: 0 or 1
Where:
Key type is a D-WORD.
Possible values are:
-- 0 - doesn't allow sample sharing from this endpoint
-- 1 - allows sharing of all file types from this endpoint
+- 0 - doesn't allow sample sharing from this machine
+- 1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
@@ -95,7 +100,7 @@ In cases where high-value assets or machines are at high risk, you can configure
> [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
-For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
+For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry:
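Review bot: "determines how frequent a machine reports sensor data" needs the adverb, "how frequently"; since this line is being rewritten anyway, correct it here.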
@@ -107,26 +112,28 @@ Value: Normal or Expedite
Where:
Key type is a string.
Possible values are:
-- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
-- Expedite - sets reporting frequency from the endpoint to Expedite mode
+- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
+- Expedite - sets reporting frequency from the machine to Expedite mode
The default value in case the registry key doesn’t exist is Normal.
-### Offboard endpoints
+## Offboard machines using System Center Configuration Manager
-For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
- b. Click the **Endpoint offboarding** section.
+ b. Select Windows 10 as the operating system.
- c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+ c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
+
+ d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
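Review bot: the rewritten offboarding paragraph capitalizes "Offboard" mid-sentence ("the package used to Offboard machines") and repeats the article error ("sent to an machine will be rejected"); use "offboard" and "a machine". "the packages expiry date" also needs an apostrophe ("package's expiry date"). The reordered sub-steps (Settings > Machine management > Offboarding, operating system, deployment method, download) now mirror the onboarding steps earlier in the file, which is the right shape.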
@@ -138,12 +145,12 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
-### Monitor endpoint configuration
+### Monitor machine configuration
Monitoring with SCCM consists of two parts:
-1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
+1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
-2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
+2. Checking that the machines are compliant with the Windows Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
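Review bot: heading levels in this file are now inconsistent: the previous hunk promotes "Offboard machines using System Center Configuration Manager" from `###` to `##`, but "Monitor machine configuration" stays at `###`, so the monitoring section renders as a child of the offboarding section even though it is about verifying onboarding. Either promote this heading to `##` as well or keep the offboarding heading at `###`.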
@@ -155,11 +162,11 @@ Monitoring with SCCM consists of two parts:
4. Review the status indicators under **Completion Statistics** and **Content Status**.
-If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).

-**Check that the endpoints are compliant with the Windows Defender ATP service:**
+**Check that the machines are compliant with the Windows Defender ATP service:**
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
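Review bot: "For more information see, [Troubleshoot ...]" has the comma on the wrong side of "see" and should read "For more information, see"; the line is being rewritten, so fix it here. The context line "a compliance rule for configuration item" again needs "a" before "configuration item".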
@@ -173,9 +180,9 @@ Value: “1”
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics
-- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index f1219c9897..51910b2668 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP endpoints using a local script
-description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service.
-keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+title: Onboard Windows 10 machines using a local script
+description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service.
+keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/06/2017
+ms.date: 04/17/2018
---
-# Configure endpoints using a local script
+# Onboard Windows 10 machines using a local script
**Applies to:**
@@ -23,26 +23,31 @@ ms.date: 11/06/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
+You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
> [!NOTE]
-> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
+> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
-## Onboard endpoints
+## Onboard machines
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- b. Select **Local Script**, click **Download package** and save the .zip file.
+ b. Select Windows 10 as the operating system.
+ c. In the **Deployment method** field, select **Local Script**.
-2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
+ d. Click **Download package** and save the .zip file.
-3. Open an elevated command-line prompt on the endpoint and run the script:
+
+2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
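Review bot: the new NOTE link text "Onboard Window 10 machines" drops the "s" in "Windows" and should read "Onboard Windows 10 machines". Step 1 also still says "Open the GP configuration package .zip file" in this local-script topic, while sub-step c tells the reader to select "Local Script" as the deployment method; refer to the local script package instead of the Group Policy one.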
@@ -54,16 +59,16 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
5. Press the **Enter** key or click **OK**.
-For information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
>[!TIP]
-> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
-For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
-You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
+You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
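Review bot: "verify that an machine is properly onboarded" in the TIP should be "a machine", and the link text "Run a detection test on a newly onboarded Windows Defender ATP endpoint" is left on "endpoint" here while the same tip in the SCCM topic of this change switches it to "machine"; make the two consistent.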
@@ -75,29 +80,31 @@ Value: 0 or 1
Where:
Name type is a D-WORD.
Possible values are:
-- 0 - doesn't allow sample sharing from this endpoint
-- 1 - allows sharing of all file types from this endpoint
+- 0 - doesn't allow sample sharing from this machine
+- 1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
-## Offboard endpoints
-For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+## Offboard machines using a local script
+For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
- b. Click the **Endpoint offboarding** section.
+ b. Select Windows 10 as the operating system.
- c. Select **Group Policy**, click **Download package** and save the .zip file.
+ c. In the **Deployment method** field, select **Local Script**.
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+ d. Click **Download package** and save the .zip file.
-3. Open an elevated command-line prompt on the endpoint and run the script:
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+
+3. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
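Review bot: the offboarding paragraph has "the package used to Offboard machines" (lowercase "offboard"), "sent to an machine" ("a machine") and "the packages expiry date" ("package's"). Changing sub-step c from "Group Policy" to "Local Script" is the correct fix for this topic. Step 2 still says to extract to "a shared, read-only location that can be accessed by the machines", which is the Group Policy/SCCM wording; for a script run locally, the onboarding step 2 earlier in this file says to extract to a location on the machine itself, and the two steps should match.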
@@ -113,23 +120,23 @@ For security reasons, the package used to offboard endpoints will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
-## Monitor endpoint configuration
+## Monitor machine configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
-### Monitor endpoints using the portal
+### Monitor machines using the portal
1. Go to the Windows Defender ATP portal.
2. Click **Machines list**.
-3. Verify that endpoints are appearing.
+3. Verify that machines are appearing.
## Related topics
-- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 06efff80c7..477529fa7d 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure non-persistent virtual desktop infrastructure (VDI) machines
+title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
-keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
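Review bot: the keywords line updates "endpoint management" to "machine management" but leaves "configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints", whereas the other topic files in this change switch those to "machines". The unchanged description line reads "onboarded to Windows Defender ATP the service" and should be "onboarded to the Windows Defender ATP service"; since the front matter is being edited, fix it here.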
@@ -10,15 +10,15 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Configure non-persistent virtual desktop infrastructure (VDI) machines
+# Onboard non-persistent virtual desktop infrastructure (VDI) machines
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
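Review bot: the blank line after "- Virtual desktop infrastructure (VDI) machines" is replaced by the prerelease include; confirm an empty line still separates the bullet from `[!include[Prerelease information](prerelease.md)]`, otherwise the include attaches to the list item.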
@@ -40,9 +40,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
- b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file.
+ b. Select Windows 10 as the operating system.
+
+ c. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
+
+ d. Click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
@@ -67,9 +71,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
6. Test your solution:
a. Create a pool with one machine.
+
b. Logon to machine.
+
c. Logoff from machine.
+
d. Logon to machine with another user.
+
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
@@ -78,10 +86,10 @@ You can onboard VDI machines using a single entry or multiple entries for each m
8. Use the search function by entering the machine name and select **Machine** as search type.
## Related topics
-- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 4afc560682..e6d78d4bb0 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP client endpoints
-description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor.
-keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+title: Onboard Windows 10 machines on Windows Defender ATP
+description: Onboard Windows 10 machines so that they can send sensor data to the Windows Defender ATP sensor
+keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Configure Windows Defender ATP client endpoints
+# Onboard Windows 10 machines
**Applies to:**
@@ -23,9 +23,9 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
-
-Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
+Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Windows Defender ATP supports the following deployment tools and methods:
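Review bot: the include is added directly after the last "Applies to" bullet and the blank line before the "Machines in your organization..." paragraph is removed; make sure an empty line separates the include from both the list above and the paragraph below so it renders as its own block.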
@@ -37,11 +37,11 @@ Windows Defender ATP supports the following deployment tools and methods:
## In this section
Topic | Description
:---|:---
-[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
-[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
-[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints.
-[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
-[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
+[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on machines.
+[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines.
+[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
+[Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
+[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
\ No newline at end of file
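Review bot: the table rows renamed here carry over a pre-existing grammar error and introduce two inconsistencies. L2144 reads "You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602" (drop the second "use", add the space before "(current branch)"), L2145 ends with "on machine." where the other rows say "machines", and L2146 still says "on endpoints" even though the patch renames endpoints to machines everywhere else. The file also still lacks a trailing newline (L2149); adding one avoids this marker on every future diff.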
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index cd4942e214..ac747f99f5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure endpoint proxy and Internet connection settings
+title: Configure machine proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ ms.date: 10/16/2017
---
-# Configure endpoint proxy and Internet connectivity settings
+# Configure machine proxy and Internet connectivity settings
**Applies to:**
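Review bot: this page's title and H1 change (L2157, L2164) but `ms.date` stays at 10/16/2017 according to the hunk header on L2161, while every other page edited in this patch bumps it to 04/17/2018; update it so the published page reflects the revision.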
@@ -39,7 +39,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
-> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
+> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
@@ -99,7 +99,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
-2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
+2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
3. Open an elevated command-line:
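Review bot: L2175 renames "endpoint" to "machine" but the step right above it (L2173) still says "to the PC where Windows Defender ATP sensor is running on"; since the point of this patch is consistent terminology, make that "to the machine where the Windows Defender ATP sensor is running" and drop the trailing "on".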
@@ -135,5 +135,5 @@ If at least one of the connectivity options returns a (200) status, then the Win
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 551c97fea5..c55f7851c0 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP server endpoints
-description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor.
-keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
+title: Onboard servers to the Windows Defender ATP service
+description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor.
+keywords: onboard server, server, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,15 +9,16 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 04/04/2018
+ms.date: 04/17/2018
---
-# Configure Windows Defender ATP server endpoints
+# Onboard servers to the Windows Defender ATP service
**Applies to:**
- Windows Server 2012 R2
- Windows Server 2016
+- Windows Server, version 1803
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
@@ -29,8 +30,9 @@ Windows Defender ATP extends support to also include the Windows Server operatin
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
+- Windows Server, version 1803
-## Onboard server endpoints
+## Onboard Windows Server 2012 R2 and Windows Server 2016
To onboard your servers to Windows Defender ATP, you’ll need to:
@@ -38,16 +40,16 @@ To onboard your servers to Windows Defender ATP, you’ll need to:
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
>[!TIP]
-> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Turn on Server monitoring from the Windows Defender Security Center portal
-1. In the navigation pane, select **Endpoint management** > **Servers**.
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
-
- 
+2. Select Windows server 2012, 2012R2 and 2016 as the operating system.
+
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
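Review bot: the new step on L2232, "Select Windows server 2012, 2012R2 and 2016 as the operating system.", leaves the UI label unformatted and lowercases "server", whereas the same label is bolded as `**Windows server 2012, 2012R2 and 2016**` on L2294 in the offboarding steps of this file; use one form (bold, with "Server" capitalised to match the product names in the headings). The tip on L2225 also still links "Run a detection test on a newly onboarded Windows Defender ATP endpoint" while the Related topics entry on L2313 renames the same link to "machine"; keep the link text consistent.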
@@ -64,7 +66,8 @@ To onboard your servers to Windows Defender ATP, you’ll need to:
Once completed, you should see onboarded servers in the portal within an hour.
-### Configure server endpoint proxy and Internet connectivity settings
+### Configure server proxy and Internet connectivity settings
+
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
@@ -79,21 +82,43 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
+## Onboard Windows Server, version 1803
+You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-## Offboard server endpoints
+1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
+
+2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
+
+3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+
+ a. Set the following registry entry:
+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+ - Name: ForceDefenderPassiveMode
+ - Value: 1
+
+ b. Run the following PowerShell command to verify that the passive mode was configured:
+ ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+
+ c. Confirm that a recent event containing the passive mode event is found:
+ 
+
+4. Run the following command to check if Windows Defender AV is installed:
+ ```sc query Windefend```
+
+ If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+## Offboard servers
You have two options to offboard servers from the service:
- Uninstall the MMA agent
- Remove the Windows Defender ATP workspace configuration
+>[!NOTE]
+>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
### Uninstall servers by uinstalling the MMA agent
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
->[!NOTE]
->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
-
-
### Remove the Windows Defender ATP workspace configuration
To offboard the server, you can use either of the following methods:
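Review bot: step 4 on L2267 gives `sc query Windefend` immediately after step 3b tells the reader to run a PowerShell command, but in PowerShell `sc` is the alias for Set-Content, so the command fails; write it as `sc.exe query Windefend` or state that it is run from a command prompt. The registry entry on L2256-L2258 lists path, name and value but not the value type, which readers need to create the entry correctly (a bare `1` is easily created as REG_SZ); add a "Type: REG_DWORD" line. Ordering: checking whether Windows Defender AV is installed (step 4) belongs before configuring its passive mode (step 3), since the passive-mode setting has nothing to act on without it. The one-line triple-backtick snippets on L2261 and L2267 should be real fenced blocks with a language tag, as the PowerShell block later in this file is. Finally, the unchanged heading on L2277 still reads "Uninstall servers by uinstalling the MMA agent"; fix "uninstalling", and "Offboard servers by uninstalling the MMA agent" would match the parent heading introduced on L2271.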
@@ -110,11 +135,14 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration
-1. Get your workspace ID by going to **Endpoint management** > **Servers**:
-
- 
+1. Get your Workspace ID:
+ a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-2. Open an elevated PowerShell and run the following command. Use the workspace ID you obtained and replacing `WorkspaceID`:
+ b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:
+
+ 
+
+2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
```
# Load agent scripting object
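Review bot: L2298 reads "Use the Workspace ID you obtained and replacing `WorkspaceID`", which is ungrammatical; "Use the Workspace ID you obtained, replacing `WorkspaceID` in the command" reads correctly. The fence on L2299 also has no language tag; tag it `powershell` so the block is highlighted like the other code on the site.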
@@ -124,11 +152,10 @@ To offboard the server, you can use either of the following methods:
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
```
-
## Related topics
-- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index e3847a41ad..f2ab846f15 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -23,11 +23,9 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-## Pull alerts using supported security information and events management (SIEM) tools
+## Pull alerts using security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
@@ -56,7 +54,7 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
-[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
+[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index ed2b034f45..be0b750935 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -32,7 +32,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL
@@ -105,7 +105,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
Polling Interval |
- Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds. |
+ Number of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds. |
Set sourcetype |
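Review bot: the rename on L2350 changes the meaning. Splunk polls the Windows Defender ATP alerts API, the "HTTPS endpoint hosted in Azure" described on L2327 of the SIEM page in this same patch, not a machine, so "endpoint" here was the REST sense of the word and should stay (or become "Windows Defender ATP alerts endpoint"); a reader configuring the polling interval will otherwise think Splunk contacts onboarded machines. While here, "Number of seconds that Splunk will ping ... Accepted values are in seconds" says the unit twice.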
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 05d249bdc3..8af91533b7 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/27/2018
+ms.date: 04/17/2018
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@@ -23,7 +23,7 @@ ms.date: 03/27/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
@@ -59,7 +59,7 @@ For this URL:
Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
## Request an access token from the token issuing endpoint
-Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
+Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).
diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2c31b1365d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,46 @@
+---
+title: Update data retention settings for Windows Defender Advanced Threat Protection
+description: Update data retention settings by selecting between 30 days to 180 days.
+keywords: data, storage, settings, retention, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+# Update data retention settings for Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
+
+During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings.
+
+1. In the navigation pane, select **Settings** > **General** > **Data rention**.
+
+2. Select the data retention duration from the drop-down list.
+
+ > [!NOTE]
+ > Other settings are not editable.
+
+3. Click **Save preferences**.
+
+
+## Related topics
+- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
+- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
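Review bot: the navigation path on L2412 has a typo, "Data rention", which should be "Data retention"; since this is a UI label readers will search for, it matters. The Related topics list on L2423 links the page to itself ("Update data retention settings" points at data-retention-settings-windows-defender-advanced-threat-protection.md); drop that entry. The description on L2384 says "between 30 days to 180 days", which should be "between 30 and 180 days". The note on L2417, "Other settings are not editable", would be clearer if it named which settings are shown read-only on that page.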
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index a650f8fe1f..e262cc5244 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Windows Defender ATP collect?
-Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
+Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 4e082b67d2..09ed79f526 100644
--- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/28/2017
+ms.date: 04/17/2018
---
# Windows Defender Antivirus compatibility with Windows Defender ATP
@@ -33,12 +33,12 @@ The Windows Defender Advanced Threat Protection agent depends on Windows Defende
>[!IMPORTANT]
>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
-You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
-If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
+If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
+The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
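Review bot: L2455 renames "endpoint" to "machine" in the first half of the sentence but leaves "on that endpoint" in the second half; make both "machine". While touching this paragraph, the unchanged L2456 names the process as "*mspeng.exe*"; the Windows Defender Antivirus service executable is MsMpEng.exe, and "listed as a running a service" should be "listed as a running service".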
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index def73c0599..4864c55ad8 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Enable the custom threat intelligence API in Windows Defender ATP
@@ -23,13 +23,13 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
-1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
+1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.

@@ -47,7 +47,7 @@ You’ll need to use the access token in the Authorization header when doing RES
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9e6c2f081b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,46 @@
+---
+title: Enable Secure Score in Windows Defender ATP
+description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
+keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Enable Secure Score security controls
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
+
+ >[!NOTE]
+ >Changes might take up to a few hours to reflect on the dashboard.
+
+1. In the navigation pane, select **Settings** > **General** > **Secure Score**.
+
+ 
+
+2. Select the security control, then toggle the setting between **On** and **Off**.
+
+3. Click **Save preferences**.
+
+## Related topics
+- [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
+- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+- [Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
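Review bot: the last Related topics link on the new page, `[Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)`, has a leading slash, which makes it a root-relative path instead of the sibling-file path every other link in the list uses; drop the slash so it reads `(advanced-features-windows-defender-advanced-threat-protection.md)`. The file is also missing a trailing newline (`\ No newline at end of file`); add one so later diffs of this page stay clean.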
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index fc7325015e..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Enable Secure score security controls in Windows Defender ATP
-description: Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard.
-keywords: secure score, baseline, calculation, score, secure score dashboard, dashboard, windows defender antivirus, av, exploit guard, application guard, smartscreen
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: high
-ms.date: 03/12/2018
----
-
-# Enable Secure score security controls
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-
-Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
-
- >[!NOTE]
- >Changes might take up to a few hours to reflect on the dashboard.
-
-1. In the navigation pane, select **Preferences setup** > **Secure score**.
-
- 
-
-2. Select the security control, then toggle the setting between **On** and **Off**.
-
-3. Click **Save preferences**.
-
-## Related topics
-- [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
-- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index c444afe13d..9b39935b31 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/21/2017
+ms.date: 04/17/2018
---
# Enable SIEM integration in Windows Defender ATP
@@ -29,9 +29,9 @@ ms.date: 11/21/2017
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
-1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
+1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
- 
+ 
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
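Review bot: while the navigation step in this section is being rewritten, the unchanged context line for step 2 still reads "an application is created under you Azure Active Directory (AAD) tenant"; change "you" to "your".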
diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 79a751c4a0..7dbc500f97 100644
--- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Review events and errors on endpoints with Event Viewer
+title: Review events and errors using Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
@@ -10,11 +10,11 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Review events and errors on endpoints with Event Viewer
+# Review events and errors using Event Viewer
**Applies to:**
@@ -25,14 +25,14 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines.
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
-
-For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
-> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+> It can take several days for machines to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
@@ -65,7 +65,7 @@ For example, if endpoints are not appearing in the **Machines list**, you might
2 |
Windows Defender Advanced Threat Protection service shutdown. |
-Occurs when the endpoint is shut down or offboarded. |
+Occurs when the machine is shut down or offboarded. |
Normal operating notification; no action required. |
@@ -91,17 +91,17 @@ The service could not contact the external processing servers at that URL.
6 |
Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
+The machine did not onboard correctly and will not be reporting to the portal. |
Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 |
Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```. |
-Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal. |
+Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
8 |
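Review bot: the replacement lines for events 6 and 7 drop the trailing ` |` that closed the Action cell in the lines they replace (`-See [Configure Windows Defender ATP endpoints](...). |` becomes `+See [Onboard Windows 10 machines](...).`), which leaves the last cell of those rows unterminated. Restore the delimiter, e.g. `+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). |`.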
@@ -109,28 +109,28 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.
**During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
|
**Onboarding:** No action required.
**Offboarding:** Reboot the system.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
9 |
Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```. |
-**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal.
**During offboarding:** Failed to change the service start type. The offboarding process continues. |
+**During onboarding:** The machine did not onboard correctly and will not be reporting to the portal.
**During offboarding:** Failed to change the service start type. The offboarding process continues. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
10 |
Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```. |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
+The machine did not onboard correctly and will not be reporting to the portal. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
11 |
Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed. |
-The endpoint onboarded correctly. |
+The machine onboarded correctly. |
Normal operating notification; no action required.
-It may take several hours for the endpoint to appear in the portal. |
+It may take several hours for the machine to appear in the portal.
12 |
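Review bot: the event 9 row ends up in the wrong order: the `**During onboarding:**` line is removed before the first `**During offboarding:** ... |` context line and re-added after it, so the new cell reads offboarding, onboarding, offboarding. Replace the removed line in place so onboarding comes first, and drop the duplicated `**During offboarding:**` line. Separately, the replacement `See [Onboard Windows 10 machines](...)` lines for events 8, 9, 10 and 11, and the `It may take several hours for the machine to appear in the portal.` line, all drop the trailing ` |` that closed the cell in the removed lines; restore it on each, e.g. `+It may take several hours for the machine to appear in the portal. |`.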
@@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.
An error occurred with the Windows telemetry service. |
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
18 |
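Review bot: the replacement line for event 17 drops the trailing ` |` cell delimiter that the removed `-See [Configure Windows Defender ATP endpoints](...). |` line carried; it should read `+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). |` so the row stays well-formed.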
@@ -181,25 +181,25 @@ If this error persists after a system restart, ensure all Windows updates have f
25 |
Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```. |
-The endpoint did not onboard correctly.
+ | The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
26 |
Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```. |
-The endpoint did not onboard correctly.
+ | The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
27 |
Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```. |
-Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
+Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
Ensure real-time antimalware protection is running properly. |
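Review bot: the lines `+ | The machine did not onboard correctly.` for events 25 and 26 gain a leading ` | ` that the removed `-The endpoint did not onboard correctly.` lines did not have; since the preceding message cell already ends with `|`, this inserts a stray empty cell and shifts the row. Remove the leading ` | `. The `See [Onboard Windows 10 machines](...)` replacements for events 25 and 26 also drop the trailing ` |` that closed the Action cell in the removed lines; restore it.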
@@ -208,14 +208,14 @@ Ensure real-time antimalware protection is running properly.
An error occurred with the Windows telemetry service. |
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
30 |
Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```. |
-Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
+Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
Ensure real-time antimalware protection is running properly. |
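Review bot: the replacement line for event 29 drops the trailing ` |` that closed the cell in the removed `-See [Configure Windows Defender ATP endpoints](...). |` line; restore it. Also, the event 30 replacement `+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)` has no terminating period, unlike the identical sentence in the event 27 row above; add the period for consistency.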
@@ -233,9 +233,9 @@ Ensure real-time antimalware protection is running properly.
33 |
Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```. |
-A unique identifier is used to represent each endpoint that is reporting to the portal.
+ | A unique identifier is used to represent each machine that is reporting to the portal.
If the identifier does not persist, the same machine might appear twice in the portal. |
-Check registry permissions on the endpoint to ensure the service can update the registry. |
+Check registry permissions on the machine to ensure the service can update the registry. |
34 |
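Review bot: `+ | A unique identifier is used to represent each machine that is reporting to the portal.` introduces a leading ` | ` that the removed line did not have; the preceding message cell already ends with `|`, so this adds an empty cell and misaligns the event 33 row. Drop the leading ` | ` and keep only the endpoint-to-machine wording change.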
@@ -243,7 +243,7 @@ If the identifier does not persist, the same machine might appear twice in the p
An error occurred with the Windows telemetry service. |
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
35 |
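Review bot: the replacement line for event 34 drops the trailing ` |` cell delimiter present in the removed `-See [Configure Windows Defender ATP endpoints](...). |` line; it should end with `. |` like the other rows.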
@@ -337,6 +337,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 5652ee66e3..5a34950b31 100644
--- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -152,8 +152,8 @@ This step will guide you in exploring the custom alert in the portal.
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index b31dad703f..d35ec1554e 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -54,7 +54,7 @@ This status indicates that there's limited communication between the machine and
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
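Review bot: the new link text `Ensure the machine has Internet connection` should read "has an Internet connection" (the old anchor, `#ensure-the-endpoint-has-an-internet-connection`, had the article), and the new anchor `#troubleshoot-onboarding-issues-on-the-machine` points at a broader troubleshooting section rather than a specific Internet-connectivity heading; confirm that is the intended target. The unchanged context line that follows also misspells the product as "Window Defender ATP sensor"; fix it to "Windows" while this section is open.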
@@ -66,17 +66,17 @@ If you took corrective actions and the machine status is still misconfigured, [o
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
+If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
+If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
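Review bot: the endpoint-to-machine rename is incomplete in this hunk: `+If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.` still says "on the endpoint" at the end of the sentence; change it to "on the machine". The surrounding context lines also contain "Follow theses actions" (should be "these") and "Window Defender ATP sensor" (should be "Windows"), which are worth fixing in the same pass.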
diff --git a/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 7c8b6ad443..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Update general Windows Defender Advanced Threat Protection settings
-description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
-keywords: general settings, settings, update settings
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: high
-ms.date: 10/16/2017
----
-# Update general Windows Defender ATP settings
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
-
-During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
-
-1. In the navigation pane, select **Preferences setup** > **General**.
-
-2. Modify settings such as data retention policy or the industry that best describes your organization.
-
- > [!NOTE]
- > Other settings are not editable.
-
-3. Click **Save preferences**.
-
-
-## Related topics
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
-- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Failed.png b/windows/security/threat-protection/windows-defender-atp/images/Failed.png
new file mode 100644
index 0000000000..6cef8a46db
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Failed.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/No threats found.png b/windows/security/threat-protection/windows-defender-atp/images/No threats found.png
new file mode 100644
index 0000000000..11eb05d7c6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/No threats found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png b/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png
new file mode 100644
index 0000000000..430acc7c42
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png b/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png
new file mode 100644
index 0000000000..c3060b51b0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Pending.png b/windows/security/threat-protection/windows-defender-atp/images/Pending.png
new file mode 100644
index 0000000000..b5a27d0a58
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Pending.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Remediated.png b/windows/security/threat-protection/windows-defender-atp/images/Remediated.png
new file mode 100644
index 0000000000..9f13d8e5dc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Running.png b/windows/security/threat-protection/windows-defender-atp/images/Running.png
new file mode 100644
index 0000000000..5de179503f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Running.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png b/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png
new file mode 100644
index 0000000000..f1d7bb0531
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png differ
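Review bot: four of the new image files (`No threats found.png`, `Partially investigated.png`, `Partially remediated.png`, `Terminated by system.png`) have spaces and capital letters in their names, unlike the kebab-case names used elsewhere in `images/` (for example `alerts-q-bulk.png`); spaces force `%20` encoding in every markdown image reference and are easy to break. Rename them to lowercase, hyphenated names before merging.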
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG
new file mode 100644
index 0000000000..3958d9a532
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG differ
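Review bot: `advanced-hunting-query-example.PNG` is added with an upper-case extension while the neighbouring files use `.png`; on a case-sensitive build host a reference written as `.png` will not resolve, so suggest normalising the extension to lower-case here and for the other new `.PNG` additions (`advanced-hunting-save-query.PNG`, `atp-advanced-hunting-results-filter.PNG`) to keep references consistent.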
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG
new file mode 100644
index 0000000000..2da889163c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
index 4a2c0fa98e..bafa469657 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png
new file mode 100644
index 0000000000..6950882187
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png
new file mode 100644
index 0000000000..c148c887c1
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG
new file mode 100644
index 0000000000..40d4cf3b5c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png
new file mode 100644
index 0000000000..cfec514362
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png
new file mode 100644
index 0000000000..f43355e6e2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png
index 89fd66df5f..f98240f439 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png
index 379423a53a..7ae7d3aa20 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
index 12537a9efb..b34d5f4779 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png
new file mode 100644
index 0000000000..1b6c2dfa10
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
index 745712f857..00185b3daa 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
index af1915fb0b..dcaa87034d 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
index eaacfa5256..4fcc40c32c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
index ed3cf79941..7a975960a1 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png
index a2960ce201..7d65413066 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png
new file mode 100644
index 0000000000..ec8235b996
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png
new file mode 100644
index 0000000000..f96acc7694
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png
new file mode 100644
index 0000000000..f006033aef
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png
new file mode 100644
index 0000000000..b2cdc68a24
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png
new file mode 100644
index 0000000000..82565d784f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png
new file mode 100644
index 0000000000..c2c13fe289
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png
new file mode 100644
index 0000000000..62e88527b3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png
new file mode 100644
index 0000000000..3f7e3dba8a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png
new file mode 100644
index 0000000000..96c73fc027
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png
new file mode 100644
index 0000000000..c9ff0c1688
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png
new file mode 100644
index 0000000000..c8126f92a3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
index 1918a2064d..fc628073fc 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png
new file mode 100644
index 0000000000..f40dff2c63
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
index 2c44e15d09..e4ec0ca34e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png
new file mode 100644
index 0000000000..703204c040
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png
index 9405ae0d6e..fc1a15b8e1 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
index 1fa1650882..0ada1afc87 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png
index 5982447692..6d0e7a9d55 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png
new file mode 100644
index 0000000000..2787e7d147
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-image.png b/windows/security/threat-protection/windows-defender-atp/images/atp-image.png
new file mode 100644
index 0000000000..e3f4b5b27f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-image.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png
new file mode 100644
index 0000000000..99a4376f93
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png
index 0f5ef13a77..692238433d 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
index 6a005352c5..97529ae015 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png
new file mode 100644
index 0000000000..5ce3e0d034
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
index 63431efa68..9dd1e801dd 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index b5dee50cd9..e2e3ae3944 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index 0be9abed27..45f38aa956 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
index 8047e53b44..bbf578bd52 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
index cfa3cbda3e..9347d09c04 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png
new file mode 100644
index 0000000000..692b21869f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png
index c405166f01..d3291b5cd5 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
index d8d2aea802..2645ee2e58 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png
index 37219b5b0b..df43379ab5 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score-9.png b/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score-9.png
new file mode 100644
index 0000000000..3d3330a2db
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score-9.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score.png b/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score.png
new file mode 100644
index 0000000000..860899d286
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png
new file mode 100644
index 0000000000..b9a758e159
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png b/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
index b330f34ac1..3b4cf3197c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png
index 24b6aee777..b538946141 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png
index 020eeac764..738c1470e7 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-action.png
new file mode 100644
index 0000000000..ca06a6bea9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notifications.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notifications.png
new file mode 100644
index 0000000000..ec00bdcb5e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-notifications.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
index a0c18757a8..ee2cf3dc71 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
index 729042ed30..a109efd09c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-auto-ir.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-auto-ir.png
new file mode 100644
index 0000000000..8c38cc18a2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-auto-ir.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-file.png
new file mode 100644
index 0000000000..006d7c1a3f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-file.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png
new file mode 100644
index 0000000000..55113991e6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png
new file mode 100644
index 0000000000..f0878a6699
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png
new file mode 100644
index 0000000000..af05f88e0b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png
index 4a41dff7b6..06147c025e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
index 74b6e5fae6..f271f16509 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png b/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png
new file mode 100644
index 0000000000..0e8c9e12d2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-1.png
new file mode 100644
index 0000000000..ae8d72d307
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-1.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png
new file mode 100644
index 0000000000..5a4816bf80
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
index 20e5f4f5fa..f80648993e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls-9.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls-9.png
new file mode 100644
index 0000000000..9ce191083b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls-9.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls.png
new file mode 100644
index 0000000000..023881cd9b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time-9.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time-9.png
new file mode 100644
index 0000000000..8afeee9566
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time-9.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
index 9cbf01f81a..3bfad3afc3 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
index 76267fb27f..f3de71739d 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-offboarding-workspaceid.png b/windows/security/threat-protection/windows-defender-atp/images/atp-server-offboarding-workspaceid.png
new file mode 100644
index 0000000000..1d1cbb4448
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-server-offboarding-workspaceid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png
index ef0a1a23bc..1c3154f188 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png
new file mode 100644
index 0000000000..bdcc1997eb
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png
index 2ce7dbc637..d611574dbc 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
index b2ae248d35..db6082c4e1 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png
index 7a6c15ebbb..8fc24beeab 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png
new file mode 100644
index 0000000000..0989362804
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png b/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
index 70a7ce9fee..0b532a888a 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
index 3aa0b451bc..dce4ee3f5e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png
new file mode 100644
index 0000000000..2fcb58e44f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png
index eb1366d9cb..94c0f5cd1f 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png b/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png
new file mode 100644
index 0000000000..32907fedb6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png
new file mode 100644
index 0000000000..974708504f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/io.png b/windows/security/threat-protection/windows-defender-atp/images/io.png
new file mode 100644
index 0000000000..a03e5fb917
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/io.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/mss.png b/windows/security/threat-protection/windows-defender-atp/images/mss.png
new file mode 100644
index 0000000000..63a22c2e50
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/mss.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png b/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png
new file mode 100644
index 0000000000..fc3ee208d2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png b/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png
new file mode 100644
index 0000000000..4db61c4162
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png b/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png
new file mode 100644
index 0000000000..225988f58b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png b/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png
new file mode 100644
index 0000000000..469ec08f53
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png b/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png
new file mode 100644
index 0000000000..b381112d21
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/save-query.png b/windows/security/threat-protection/windows-defender-atp/images/save-query.png
new file mode 100644
index 0000000000..719a1a7113
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/save-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/securescore.png b/windows/security/threat-protection/windows-defender-atp/images/securescore.png
new file mode 100644
index 0000000000..2b8104bd7d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/securescore.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ss1.png b/windows/security/threat-protection/windows-defender-atp/images/ss1.png
new file mode 100644
index 0000000000..ebd17712d6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ss1.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ssot.png b/windows/security/threat-protection/windows-defender-atp/images/ssot.png
new file mode 100644
index 0000000000..a21b675f64
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ssot.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png
index 78812e3248..452918b63f 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png b/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png
new file mode 100644
index 0000000000..7db354747c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png b/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png
new file mode 100644
index 0000000000..f2d59131d5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdsc.png b/windows/security/threat-protection/windows-defender-atp/images/wdsc.png
new file mode 100644
index 0000000000..3cd583ed74
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdsc.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index b4fae526ee..840ac36b91 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Investigate Windows Defender Advanced Threat Protection alerts
description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
-keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
+keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate Windows Defender Advanced Threat Protection alerts
@@ -19,17 +19,17 @@ ms.date: 10/16/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-Investigate alerts that are affecting your network, what they mean, and how to resolve them.
+Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
-You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
+You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md).
-
+
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
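Review bot: the rewritten sentence on the `+Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.` line loses its parallel structure; suggest `understand what they mean, and learn how to resolve them`. In the same hunk, the added automated-investigation sentence should say `in the upper right corner` rather than `on the upper right corner`, and `Clicking on the link` names a link the previous sentence never introduces (it only mentions a status); consider `Clicking the status link`.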
@@ -91,13 +91,12 @@ The **Artifact timeline** feature provides an addition view of the evidence that
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
+
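Review bot: the two `+` lines at the end of this hunk add nothing but empty trailing lines after the Related topics list; drop them so the file does not end in blank lines. Note also that the `Take response actions in Windows Defender ATP` link is removed from this list (and from the other Related topics lists in this change) without a replacement; confirm that page is still reachable from the investigation topics.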
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index f4f611b986..9d2442bd7c 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate a domain associated with a Windows Defender ATP alert
@@ -22,7 +22,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
@@ -58,13 +58,10 @@ The **Most recent observed machinew with URL** section provides a chronological
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
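Review bot: two typos in the context lines of this hunk are worth fixing while the file is touched: the heading quoted in the `@@` header reads `Most recent observed machinew with URL` (should be `machines`), and step 5 reads `continue investigate reported alerts` (should be `continue investigating`).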
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index df24b9a27b..8303abcda1 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate a file associated with a Windows Defender ATP alert
@@ -22,7 +22,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
@@ -63,13 +63,10 @@ The **Most recent observed machines with the file** section allows you to specif
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
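Review bot: the `\ No newline at end of file` marker shows that the re-added `Investigate a user account` entry on the last `+` line was written without a trailing newline; add one so the file ends cleanly and the next edit to this list does not produce a noisy diff. Removing and re-adding that same link in the same position is a pure no-op reorder and could be avoided by leaving the original line untouched.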
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 01828ef7ff..a22179f273 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate an IP address associated with a Windows Defender ATP alert
@@ -65,13 +65,10 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
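Review bot: the context line `Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.` has the same grammar slip as the domain topic (`continue investigating`); worth correcting in this pass since the file is already being edited.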
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index e9940d0a2b..9fb3644bae 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Investigate machines in the Windows Defender ATP Machines list
description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
-keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
+keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
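Review bot: the `+keywords:` line keeps the misspelling `service heatlh` at the end of the list; since the line is being rewritten anyway, correct it to `service health` so the keyword is actually searchable.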
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate machines in the Windows Defender ATP Machines list
@@ -19,8 +19,6 @@ ms.date: 10/16/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
## Investigate machines
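Review bot: this hunk only removes the two blank lines after the applies-to list, whereas the other investigate-* topics in this change replace those blank lines with `[!include[Prerelease information](prerelease.md)]`; confirm the omission here is intentional, since this file also gains new sections further down.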
@@ -30,87 +28,55 @@ You can click on affected machines whenever you see them in the portal to open a
- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- The [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
When you investigate a specific machine, you'll see:
-- Machine details, Logged on users, and Machine Reporting
+- Machine details, Logged on users, Machine risk, and Machine Reporting
- Alerts related to this machine
- Machine timeline
-
+
-The machine details, total logged on users, and machine reporting sections display various attributes about the machine.
+The machine details, logged on users, machine risk, and machine reporting sections display various attributes about the machine.
+**Machine details**
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
-Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
+
+**Logged on users**
+Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
- Interactive and remote interactive logins
- Network, batch, and system logins
-
+
You'll also see details such as logon types for each user account, the user group, and when the account logon occurred.
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
-## Manage machine group and tags
-Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
+**Machine risk**
+The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to.
-Machine related properties are being extended to account for:
-
-- Group affiliation
-- Dynamic context capturing
-
-
-
-### Group machines
-Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
-
-Machine group is defined in the following registry key entry of the machine:
-
-- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (string): Group
-
-
-### Set standard tags on machines
-Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
-
-1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
-
- - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines list** - Select the machine name from the list of machines.
- - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
- You can also get to the alert page through the file and IP views.
-
-2. Open the **Actions** menu and select **Manage tags**.
-
- 
-
-3. Enter tags on the machine. To add more tags, click the + icon.
-4. Click **Save and close**.
-
- 
-
- Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
-
-### Manage machine tags
-You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
-
-
+**Azure Advanced Threat Protection**
+If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided.
+>[!NOTE]
+>You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
+**Machine reporting**
+Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service.
## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
+
+
This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
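Review bot: the new Machine risk paragraph ends with `It's also indicators of the active threats that machines could be exposed to.`, which does not parse; suggest `The risk level is also an indicator of the active threats the machine could be exposed to.` In the Azure Advanced Threat Protection paragraph, `more information about the alerts are provided` should be `is provided`, and the Logged on users sentence `Clicking on the logged on users in the Logged on users tile` is awkward and should say what is clicked (the count or the user names). Separately, this hunk deletes the `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` key and its `Group` value along with the whole `Manage machine group and tags` section, while the replacement `Add machine tags by setting a registry key value` section starts in the next hunk; make sure the key path and value name are carried over there rather than dropped, since admins rely on that documented location to tag machines at scale.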
@@ -184,20 +150,71 @@ From the list of events that are displayed in the timeline, you can examine the
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
-Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address.
+Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of meta data on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
+## Add machine tags
+You can add tags on machines during an investigation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
+
+You can add tags on machines using the following ways:
+- By setting a registry key value
+- By using the portal
+
+### Add machine tags by setting a registry key value
+Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
+
+Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
+
+Use the following registry key entry to add a tag on a machine:
+
+- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
+- Registry key value (string): Group
+
+
+### Add machine tags using the portal
+Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
+
+1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+ You can also get to the alert page through the file and IP views.
+
+2. Open the **Actions** menu and select **Manage tags**.
+
+ 
+
+3. Enter tags on the machine. To add more tags, click the + icon.
+4. Click **Save and close**.
+
+ 
+
+ Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
+
+### Manage machine tags
+You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
+
+
+
+## Use machine groups in an investigation
+Machine group affiliation can represent geographic location, specific activity, importance level and others.
+
+You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
+
+In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
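Review bot: L3540 changes "metadata" to "meta data"; "metadata" is the standard spelling and the only change on that line, so this looks like an accidental regression and should be reverted. In the tag steps, L3570 ("You can also get to the alert page through the file and IP views") sits in a step about selecting a machine, so it should say the machine page, or be dropped. The registry entry at L3556-L3557 is ambiguous: state explicitly that `Group` is the value name under that key and that the tag text is its string data, so readers do not set a value named after the tag instead. Minor: L3585-L3587 leave three blank lines before the next heading.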
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 7d166a4ede..46a2f46c0e 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -10,16 +10,12 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Investigate a user account in Windows Defender ATP
**Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -37,17 +33,32 @@ You can find user account information in the following views:
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
-- User account details and Logged on machines
+- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
-
+
-The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+**User details**
+The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account.
-The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
+The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
-The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines.
+**Azure Advanced Threat Protection**
+If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
+
+>[!NOTE]
+>You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
+
+**Logged on machines**
+You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+
+
+## Alerts related to this user
+This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
+
+## Observed in organization
+This section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines.
The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health.
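Review bot: the same label-spacing problem as in the machine page applies here: `**Azure Advanced Threat Protection**` (L3641) lands directly after the paragraph at L3639 once L3640 is removed, and `**User details**`/`**Logged on machines**` (L3636, L3647) are followed immediately by their paragraphs, so the bold text renders inline rather than as section labels; add blank lines around each label. Wording: L3642 should read "more information about the alerts is provided" and "login failures" (plural); L3648 still opens with "You'll also see", which no longer follows anything now that it sits under its own label, so drop "also".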
@@ -69,13 +80,11 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
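Review bot: L3672 adds a trailing blank line after the Related topics list, which leaves the file ending in whitespace; drop it so the file ends with the last list item and a single newline.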
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index c2e2c9f696..240d558937 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Is domain seen in org
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index 4e8281d86e..b866964b62 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -22,6 +22,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
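Review bot: the `[!include[Prerelease information](prerelease.md)]` at L3692 is inserted directly between the last Applies-to list item and the `>Want to experience...` line with no `+` blank lines around it; unless blank context lines separate them in the file, the include is parsed as a continuation of the list item. Surround the include with blank lines, as the machine-groups page does at L3747-L3749.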
@@ -117,20 +118,20 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
10. You are almost done. Before you can start using Windows Defender ATP you'll need to:
- - [Onboard endpoints and setup access](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
+ - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- Run detection test (optional)
- 
+ 
> [!IMPORTANT]
- > If you click **Start using Windows Defender ATP** before onboarding endpoints you will receive the following notification:
+ > If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification:
>
-11. After onboarding endpoints you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
+11. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
- 
+ 
## Related topics
-- [Onboard and set up Windows Defender Advanced Threat Protection](onboard-configure-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot onboarding process and error messages](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Onboard machines to the Windows Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
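Review bot: the file still ends without a newline (L3715); since L3713-L3714 rewrite the last two lines anyway, add the trailing newline here. The relative link change at L3697 is the right direction (the other related-topic links on this page are already relative), and the endpoint-to-machine wording at L3703 and L3706 matches the terminology used elsewhere in the patch.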
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..454d1a3aec
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,94 @@
+---
+title: Create and manage machine groups in Windows Defender ATP
+description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group
+keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Create and manage machine groups in Windows Defender ATP
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Azure Active Directory
+- Office 365
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
+
+In Windows Defender ATP, you can create machine groups and use them to:
+- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md)
+- Configure different auto-remediation settings for different sets of machines
+
+As part of the process of creating a machine group, you'll:
+- Set the automated remediation level for that group
+- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
+- Determine access to machine group
+- Rank the machine group relative to other groups after it is created
+
+>[!NOTE]
+>All machine groups are accessible to all users if you don’t assign any Azure AD groups to them.
+
+
+## Add a machine group
+
+1. In the navigation pane, select **Settings > Permissions > Machine groups**.
+
+2. Click **Add machine group**.
+
+3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group:
+
+ - **Name**
+
+ - **Remediation level for automated investigations**
+ - **No remediation**
+ - **Require approval (all folders)**
+ - **Require approval (non-temp folders)**
+ - **Require approval (core folders)**
+ - **Fully automated**
+
+ - **Description**
+
+ - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version.
+
+ >[!TIP]
+ >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
+
+4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab.
+
+5. Assign the user groups that can access the machine group you created.
+
+ >[!NOTE]
+ >You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
+
+6. Click **Close**.
+
+7. Apply the configuration settings.
+
+## Understand matching and manage groups
+You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
+
+By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group.
+
+Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
+
+>[!NOTE]
+>Applying changes to machine group configuration may take up to several minutes.
+
+
+
+
+## Related topic
+- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
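Review bot: the TIP at L3788 links to an absolute docs.microsoft.com URL with the anchor `#manage-machine-group-and-tags`, but this same patch renames that section in investigate-machines to "Add machine tags" / "Add machine tags by setting a registry key value" (L3542, L3549) and removes the equivalent anchor link from machines-view-overview (L3868), so the anchor will be stale on merge; use a relative link to `investigate-machines-windows-defender-advanced-threat-protection.md` with the anchor generated from the new heading. Typos and wording: L3724 "confiring" should be "configuring"; L3815 "role-based based access control" repeats "based"; L3814 "Related topic" should be "Related topics" as on the other pages; L3806 "added to Ungrouped machines (default) group" needs "the". L3785 says the rule can match on "OS version" while L3758 says "OS platform"; pick one. The file also has no trailing newline (L3816).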
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index b25f671461..278725340f 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/12/2018
+ms.date: 04/17/2018
---
# View and organize the Windows Defender ATP Machines list
@@ -23,8 +23,6 @@ ms.date: 03/12/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
@@ -32,7 +30,7 @@ The **Machines list** shows a list of the machines in your network, the domain o
Use the Machines list in these main scenarios:
- **During onboarding**
- During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
+ During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
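Review bot: L3840 replaces "endpoints" with "machines" in the first clause but leaves "track your onboarded endpoints" and "complete endpoint list" on the same line; since the rest of the patch standardizes on "machines" (L3703, L3706, L3882), change those too.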
@@ -43,7 +41,7 @@ Filter the **Machines list** by **Time**, **OS Platform**, **Health**, **Securit
You can also download the entire list in CSV format using the **Export to CSV** feature.
-
+
You can use the following filters to limit the list of machines displayed during an investigation:
@@ -54,6 +52,9 @@ You can use the following filters to limit the list of machines displayed during
- 30 days
- 6 months
+**Risk level**
+Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert.
+
**OS Platform**
- Windows 10
- Windows Server 2012 R2
@@ -80,7 +81,7 @@ Filter the list to view specific machines that are well configured or require at
- **Well configured** - Machines have the Windows Defender security controls well configured.
- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
-For more information, see [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
+For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md).
**Malware category alerts**
Filter the list to view specific machines grouped together by the following malware categories:
@@ -92,13 +93,14 @@ Filter the list to view specific machines grouped together by the following malw
- **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
- **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
-## Groups and tags
-You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags).
+**Groups and tags**
+You can filter the list based on the grouping and tagging that you've added to individual machines.
## Export machine list to CSV
You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file.
-**Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
+>[NOTE]
+> Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
## Sort the Machines list
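Review bot: L3874 uses `>[NOTE]` without the `!`, so it will render as literal text rather than a note callout; it should be `>[!NOTE]` as at L3880 and L3527. The conversion from a `**Note**:` line is otherwise fine, and dropping the `#manage-machine-group-and-tags` link at L3868 is consistent with that section being renamed in this patch.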
@@ -112,17 +114,10 @@ You can sort the **Machines list** by the following columns:
- **Active malware alerts** - Number of active malware detections reported by the machine
> [!NOTE]
-> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
+> The **Active malware detections** filter column will only appear if your machines are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
-- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
-- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
+
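Review bot: L3894-L3895 add two blank lines after the Related topics list, leaving trailing whitespace at the end of the file; remove them. While L3882 is being touched, note that it refers to the "**Active malware detections**" filter column whereas the column list above (L3879) names it "**Active malware alerts**"; align the two names.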
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 496720c009..5912acb1a8 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Manage Windows Defender Advanced Threat Protection alerts
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
@@ -87,20 +87,20 @@ Create custom rules to control when alerts are suppressed, or resolved. You can

-3. Choose the context for suppressing the alert.
+3. Enter an alert title then select an indicator of compromise from the drop-down list.

> [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert.
-4. Specify the conditions for when the rule is applied:
- - Alert title
- - Indicator of compromise (IOC)
- - Suppression conditions
+4. Specify the suppression conditions by entering values for any of the following:
+ - Sha1
+ - File name
+ - Folder path
> [!NOTE]
- > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions.
+ > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions by removing the deselecting the checkbox.
5. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
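Review bot: L3931 is garbled: "by removing the deselecting the checkbox" should read "by deselecting the checkbox". L3926 writes the condition as "Sha1" while the note at L3931 uses "SHA1"; use one form (SHA1 matches the note and the page's existing text).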
@@ -110,20 +110,18 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
### View the list of suppression rules
-1. Click **Alerts queue** > **Suppression rules**.
+1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**.
2. The list of suppression rules shows all the rules that users in your organization have created.
-You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
+For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
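Review bot: the new sentence "For more information on managing suppression rules, see [Manage suppression rules](...)" has no terminating period. The hunk also drops "View and organize the Windows Defender ATP Machines list" and "Take response actions in Windows Defender ATP" from Related topics without a replacement; since a suppression rule's scope is a single machine or the whole organization, the machines list page is still relevant here and should stay linked if it still exists.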
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1f68016ea9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Manage automation allowed/blocked lists
+description: Create lists that control what items are automatically blocked or allowed during an automatic investigation.
+keywords: manage, automation, whitelist, blacklist, block, clean, malicious
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Manage automation allowed/blocked lists
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+
+Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.
+
+Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
+
+Entities added to the blocked list are considered malicious and will be remediated during Automated investigations.
+
+You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.
+
+## Create an allowed or blocked list
+1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
+
+2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
+ - File hash
+ - Certificate
+
+3. Click **Add system exclusion**.
+
+4. For each attribute specify the exclusion type, details, and the following required values:
+
+ - **Files** - Hash value
+ - **Certificate** - PEM certificate file
+
+5. Click **Update rule**.
+
+## Edit a list
+1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
+
+2. Select the type of entity you'd like to edit the list from.
+
+3. Update the details of the rule and click **Update rule**.
+
+## Delete a list
+1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**.
+
+2. Select the type of entity you'd like to delete the list from.
+
+3. Select the list type by clicking the check-box beside the list type.
+
+4. Click **Delete**.
+
+
+## Related topics
+- [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
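Review bot: the procedure mixes terminology: the page is about allowed/blocked lists, but step 2 says "create an exclusion for", step 3 says "Click **Add system exclusion**", step 4 says "specify the exclusion type", and step 5 ends a create flow with **Update rule**. Use the list wording throughout, or state that these are the literal button labels. Step 4 should also say which hash algorithm the "Hash value" field expects (the suppression-rule page in this same patch uses SHA1) and spell out the scope of a certificate entry, because the intro says allowed entities are not analyzed at all and a certificate matches every file signed with it, which is a much broader exemption than a single hash. The file is also missing a trailing newline.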
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f6b88381ff
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,50 @@
+---
+title: Manage automation file uploads
+description: Enable content analysis and configure the file extension and email attachment extensions that will be sumitted for analysis
+keywords: automation, file, uploads, content, analysis, file, extension, email, attachment
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Manage automation file uploads
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
+
+Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
+
+Identify the files and email attachments by specifying the file extension names and email attachment extension names.
+
+For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
+
+## Add file extension names and attachment extension names.
+
+1. In the navigation pane, select **Settings** > **Rules** > **Automation file uploads**.
+
+2. Toggle the content analysis setting between **On** and **Off**.
+
+3. Configure the following extension names and separate extension names with a comma:
+ - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
+ - **Attachment extension names** - Suspicious email attachments with these extension names will be submitted for additional inspection
+
+
+
+## Related topics
+- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
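Review bot: "sumitted" in the description front matter is a typo, and the heading "Add file extension names and attachment extension names." ends with a period. The procedure has no save step after step 3, and step 2 ("Toggle ... between On and Off") does not say which position enables uploads. The example should state whether extensions are entered with or without the leading dot ("exe" vs ".exe"). Because this setting sends file contents to the cloud, link the data storage and privacy topic (data-storage-privacy-windows-defender-advanced-threat-protection.md, already referenced from the minimum requirements page in this patch) so readers know where uploaded files go. Missing trailing newline here as well.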
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c7d1e70c54
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,78 @@
+---
+title: Manage automation folder exclusions
+description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
+keywords: manage, automation, exclusion, whitelist, blacklist, block, clean, malicious
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Manage automation folder exclusions
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
+
+Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
+
+You can control the following attributes about the folder that you'd like to be skipped:
+- Folders
+- Extensions of the files
+- File names
+
+
+**Folders**
+You can specify a folder and its subfolders to be skipped. You can use wild cards so that all files under the directory is skipped by the automated investigation.
+
+**Extensions**
+You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
+
+**File names**
+You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
+
+
+
+## Add an automation folder exclusion
+1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+
+2. Click **New folder exclusion**.
+
+3. Enter the folder details:
+
+ - Folder
+ - Extensions
+ - File names
+ - Description
+
+
+4. Click **Save**.
+
+## Edit an automation folder exclusion
+1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+
+2. Click **Edit** on the folder exclusion.
+
+3. Update the details of the rule and click **Save**.
+
+## Remove an automation folder exclusion
+1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+2. Click **Remove exclusion**.
+
+
+## Related topics
+- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+- [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
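Review bot: "all files under the directory is skipped" should be "are skipped", and the Folders paragraph says wildcards are supported without naming the characters or positions allowed; a reader cannot write an exclusion from that. The Extensions and File names paragraphs repeat the same sentence about attackers hiding in excluded folders; state once, up front, that a bare folder exclusion is a blind spot for Automated investigation and that extensions and file names exist to narrow it. In "Remove an automation folder exclusion", step 2 says "Click **Remove exclusion**" without first selecting which exclusion to remove.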
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c06aea4230
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,49 @@
+---
+title: Manage Windows Defender Advanced Threat Protection suppression rules
+description: Manage suppression rules
+keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Manage suppression rules
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink)
+
+There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+
+You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
+
+## Turn a suppression rule on or off
+1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+
+2. Select a rule by clicking on the check-box beside the rule name.
+
+3. Click **Turn rule on** or **Turn rule off**.
+
+## View details of a suppression rule
+
+1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
+
+2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
+
+## Related topics
+- [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+
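Review bot: "Details of the rule is displayed" should be "are displayed". The page describes turning a rule off but never says what happens to alerts the rule already hid or auto-resolved (whether they reappear in the queue or stay resolved), which is exactly what an analyst disabling a rule mid-investigation needs to know; add that, or link to where it is documented. The file also ends with a stray blank line.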
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 368f43a52c..3983d79af5 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Minimum requirements for Windows Defender ATP
-description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
-keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
+description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/21/2018
+ms.date: 04/17/2018
---
# Minimum requirements for Windows Defender ATP
@@ -23,9 +23,9 @@ ms.date: 03/21/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
-
-There are some minimum requirements for onboarding your network and endpoints.
+There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
@@ -49,7 +49,7 @@ When you run the onboarding wizard for the first time, you must choose where you
> - You cannot change your data storage location after the first-time setup.
> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
-### Endpoint hardware and software requirements
+### Hardware and software requirements
The Windows Defender ATP agent only supports the following editions of Windows 10:
@@ -58,30 +58,30 @@ The Windows Defender ATP agent only supports the following editions of Windows 1
- Windows 10 Pro
- Windows 10 Pro Education
-Endpoints on your network must be running one of these editions.
+Machines on your network must be running one of these editions.
-The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
+The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
-> Endpoints that are running mobile versions of Windows are not supported.
+> Machines that are running mobile versions of Windows are not supported.
#### Internet connectivity
-Internet connectivity on endpoints is required either directly or through proxy.
+Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
-For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
+For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
-Before you configure endpoints, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
+Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
### Diagnostic data settings
-You must ensure that the diagnostic data service is enabled on all the endpoints in your organization.
+You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**:
-1. Open an elevated command-line prompt on the endpoint:
+1. Open an elevated command-line prompt on the machine:
a. Go to **Start** and type **cmd**.
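Review bot: "The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions" needs "are the same" (the subject is plural). The next changed line keeps a misplaced comma, "see, [Configure machine proxy and Internet connectivity settings]"; it should be "settings, see [...]". The mechanical endpoint-to-machine rename is otherwise fine.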
@@ -124,15 +124,20 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
## Windows Defender Antivirus signature updates are configured
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
-You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
+
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Windows Defender Antivirus as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
+If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
+
+## Related topic
+- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
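Review bot: the added sentence "Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode" gives the reader nothing to act on; name the server version(s) that need the setting, or at least say the linked page lists them. "on passive mode" should be "in passive mode". The new heading "## Related topic" is singular, while every other page in this patch uses "## Related topics".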
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..78710989d2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,47 @@
+---
+title: Offboard machines from the Windows Defender ATP service
+description: Onboard Windows 10 machines, servers, non-Windows machines from the Windows Defender ATP service
+keywords: offboarding, windows defender advanced threat protection offboarding, windows atp offboarding
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Offboard machines from the Windows Defender ATP service
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- macOS
+- Linux
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink)
+
+Follow the corresponding instructions depending on your preferred deployment method.
+
+## Offboard Windows 10 machines
+ - [Offboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md#offboard-machines-using-a-local-script)
+ - [Offboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md#offboard-machines-using-group-policy)
+ - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#offboard-machines-using-system-center-configuration-manager)
+ - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
+
+## Offboard Servers
+ - [Offboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md#offboard-servers)
+
+## Offboard non-Windows machines
+ - [Offboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md#offboard-non-windows-machines)
+
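Review bot: the description front matter reads "Onboard Windows 10 machines, servers, non-Windows machines from the Windows Defender ATP service" on an offboarding page; it should say "Offboard ... from". The three link lists are indented with a leading space, unlike the other new pages in this patch, and the file ends with a stray blank line.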
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 17df4fab03..84c7cee481 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Onboard endpoints and set up the Windows Defender ATP user access
-description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service.
-keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script
+title: Onboard machines to the Windows Defender ATP service
+description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/21/2017
+ms.date: 04/17/2018
---
-# Onboard and set up Windows Defender Advanced Threat Protection
+# Onboard machines to the Windows Defender ATP service
**Applies to:**
@@ -21,15 +21,19 @@ ms.date: 11/21/2017
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
+- macOS
+- Linux
+- Windows Server 2012 R2
+- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
You need to onboard to Windows Defender ATP before you can use the service.
-For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
+For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -43,19 +47,23 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Windows Defender Antivirus configuration requirement
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
-You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
+
+
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## In this section
Topic | Description
:---|:---
-[Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
-[Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.
-[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
+[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
+[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
+[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
+[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
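Review bot: in the table row for "Onboard Windows 10 machines", "You'll need to onboard machines for it to report" should be "for them to report". The non-Windows row's "This experience leverages on a third-party security products' sensor data" should drop "on" (or read "relies on"). The new server paragraph's "run on passive mode" should be "run in passive mode", matching the wording used when the same point is made in the minimum requirements page.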
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 14d4fc1ac4..ce444d924a 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,16 +1,16 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
-author: DulceMV
+author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/12/2018
+ms.date: 04/17/2018
---
# Windows Defender Advanced Threat Protection portal overview
@@ -23,7 +23,7 @@ ms.date: 03/12/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
@@ -37,29 +37,29 @@ You can use the [Windows Defender ATP portal](https://securitycenter.windows.com
## Windows Defender ATP portal
When you open the portal, you’ll see the main areas of the application:
- 
+ 
- (1) Navigation pane
- (2) Main portal
-- (3) Search, Feedback, Settings, Help and support
+- (3) Search, Community center, Time settings, Help and support, Feedback
> [!NOTE]
-> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
Area | Description
:---|:---
-(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
-**Dashboards** | Allows you to access the Security operations or the Secure score dashboard.
-**Alerts queue** | Allows you to view separate queues: new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
+(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**.
+**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**Alerts** | View separate queues of new, in progress, resolved alerts, alerts assigned to you.
+**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure score dashboard.
-**Endpoint management** | Provides access to endpoints such as clients and servers. Allows you to download the onboarding configuration package for endpoints. It also provides access to endpoint offboarding.
-**Community center** | Access the Community center to learn, collaborate, and share experiences about the product.
-(2) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-(3) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** - Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
+**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
+**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
+**(3) Search, Community center, Time settings, Help and support, Feedback** | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:
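Review bot: the navigation-pane row and its sub-rows disagree on the name of the alerts view: the added "(1) Navigation pane" row says **Alerts queue**, but the row that describes it is now labelled **Alerts** (the removed row said **Alerts queue**), and the **(2) Main portal** row still says "Alerts queue". Pick one label and use it in all three places. Two smaller points in the same hunk: "a list of automated investigations that's been conducted" should be "that have been conducted", and in the "(3) Search, Community center, ..." row there is a missing space in "**Community center** -Access".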
@@ -97,6 +97,20 @@ Icon | Description
| Memory allocation
| Process injection
| Powershell command run
+ | Community center
+ | Notifications
+ | Automated investigation - no threats found
+ | Automated investigation - failed
+ | Automated investigation - partially investigated
+ | Automated investigation - terminated by system
+ | Automated investigation - pending
+ | Automated investigation - running
+ | Automated investigation - remediated
+ | Automated investigation - partially remediated
-## Related topic
-[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+
+## Related topics
+- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
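Review bot: the new icon rows render with an empty first (icon) column as shown in this hunk; confirm the image references for the ten added icons survived, since the existing rows above them appear to have been stripped the same way and it is not possible to tell from the diff whether the images are present. Separately, the rewritten file still ends with "\ No newline at end of file"; since the hunk already touches the end of the file, adding the trailing newline here would silence that warning in future diffs.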
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 36517f85e2..e92d59ee73 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Create and build Power BI reports using Windows Defender ATP data
description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
-keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup
+keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
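Review bot: the updated keywords line keeps the stray space before the comma in "connectors , security insights"; since the line is being rewritten anyway, change it to "connectors, security insights".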
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 03/16/2018
+ms.date: 04/17/2018
---
# Create and build Power BI reports using Windows Defender ATP data
@@ -32,24 +32,26 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
-- Creating a dashboard on the Power BI service:
- - From the Windows Defender ATP portal or
- - From the Power BI portal
+- Creating a dashboard on the Power BI service
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
-## Create a Power BI dashboard from the Windows Defender ATP portal
+## Create a Windows Defender ATP dashboard on Power BI service
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
-
- 
+1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
-2. Click **Create dashboard**. You'll see a notification that things are being loaded.
+2. Click **Create dashboard**.
+
+ 
+
+ You'll see a notification that things are being loaded.

+ >[!NOTE]
+ >Loading your data in the Power BI service can take a few minutes.
3. Specify the following details:
- **extensionDataSourceKind**: WDATPConnector
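Review bot: the sentence moved out of step 2, "You'll see a notification that things are being loaded.", is vague; now that the new note states that loading data in the Power BI service can take a few minutes, consider wording the sentence as "You'll see a notification that your data is being loaded." so the two sentences refer to the same thing. The indented blank lines in this hunk (lines with a single leading space) should be made truly empty to avoid trailing whitespace.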
@@ -62,7 +64,7 @@ Windows Defender ATP makes it easy to create a Power BI dashboard by providing a

-5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
+5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:

@@ -78,7 +80,6 @@ Windows Defender ATP makes it easy to create a Power BI dashboard by providing a
For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
-
## Create a Power BI dashboard from the Power BI portal
1. Login to [Power BI](https://powerbi.microsoft.com/).
@@ -126,11 +127,11 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
### Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
-2. In the Windows Defender ATP portal navigation pane, select **Preferences setup** > **Power BI reports**.
+2. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
- 
+ 
4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
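Review bot: step 2 lost the qualifier that said which navigation pane is meant. The removed line read "In the Windows Defender ATP portal navigation pane", while the new line says only "In the navigation pane"; since this section is about Power BI Desktop, a reader could take it as the Power BI Desktop navigation pane. Suggest "In the Windows Defender ATP portal navigation pane, select **Settings** > **General** > **Power BI reports**."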
@@ -154,12 +155,14 @@ After completing the steps in the Before you begin section, you can proceed with
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
-2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
- 
+ 
3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
+
+
## Mashup Windows Defender ATP data with other data sources
You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
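Review bot: the consent sentence in step 2 drops "and be used for report refresh" from the list of things the user grants. Because this text describes the permissions the Windows Defender ATP Power BI app actually requests, confirm the app's consent scope really no longer covers report refresh; documenting a narrower scope than the app asks for would mislead the administrator granting consent. Also, the two added blank lines before the "## Mashup" heading should be reduced to one.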
@@ -173,9 +176,9 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash

-4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
- 
+ 
5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
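Review bot: step 4 here duplicates the consent sentence from step 2 of the previous section word for word, and both had to be edited in this patch in the same way. Consider moving the shared sentence into an include (the file already uses [!include[...]] for the prerelease notice) so that future changes to the consent scope only need to be made once.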
@@ -187,13 +190,14 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash
8. Add visuals and select fields from the available data sources.
-## Related topics
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
-- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
-- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+## Using the Power BI reports
+There are a couple of tabs on the report that's generated:
+
+- Machine and alerts
+- Investigation results and action center
+- Secure Score
+
+In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
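Review bot: the new "Using the Power BI reports" section says "There are a couple of tabs on the report that's generated" but then lists three tabs; suggest "The generated report has three tabs:" (and "that's" should be "that is" in any case). The closing paragraph only describes the threat/CVE/KB use of the report and does not say which tab it refers to; tie it to one of the listed tabs or generalize it. Finally, this hunk removes the whole "Related topics" list rather than updating it, while the other pages in this patch keep theirs with the general-settings link changed to data-retention-settings; consider keeping the list with that one link updated.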
diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index 38a4ba668d..36e285cce8 100644
--- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# PowerShell code examples for the custom threat intelligence API
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
This article provides PowerShell code examples for using the custom threat intelligence API.
@@ -38,7 +38,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Settings** page in the portal:
```powershell
$authUrl = 'Your Authorization URL'
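Review bot: "the ones you got from **Settings** page in the portal" is missing the article ("from the **Settings** page"), and it is now less precise than before: the settings table added elsewhere in this patch places threat intel under **Settings** > **APIs**, so pointing the reader at that sub-page would save them a search.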
@@ -180,8 +180,8 @@ $ioc =
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index a21cd910cd..4d00c68de1 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure Windows Defender ATP preferences settings
-description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence.
-keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence
+title: Configure Windows Defender ATP settings
+description: Use the settings page to configure general settings, permissions, apis, and rules.
+keywords: settings, general settings, permissions, apis, rules
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
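Review bot: in the new description "general settings, permissions, apis, and rules", "apis" should be capitalized as "APIs" to match the section name used in the page body; the keywords line can stay lowercase since it is only used for search.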
@@ -10,9 +10,9 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
-# Configure Windows Defender ATP preferences settings
+# Configure Windows Defender ATP settings
**Applies to:**
@@ -22,20 +22,19 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
-Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
## In this section
Topic | Description
:---|:---
-[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
-[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
-[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
-[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
-[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution.
-[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application.
-[Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) | Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
+[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
+Permissions | Manage portal access using RBAC as well as machine groups.
+APIs | Enable the threat intel and SIEM integration.
+Rules | Configure suppressions rules and automation settings.
+Machine management | Onboard and offboard machines.
+
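Review bot: the intro sentence and the new table no longer match. The updated sentence still says the **Settings** menu is used for "advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature", while the table now lists General settings, Permissions, APIs, Rules and Machine management; reword the sentence to name the same five areas. In the table itself, only the first row links to a topic; the pages for advanced features, preview experience, email notifications and SIEM integration that were unlinked here still exist (the preview-settings page is updated in this same patch), so either link them from the relevant rows or explain where they moved. Also "suppressions rules" should be "suppression rules", and the trailing empty line added at the end of the file can be dropped.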
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index b6de75210b..6f65f14423 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Turn on the preview experience in Windows Defender ATP
description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features.
-keywords: advanced features, preferences setup, block file
+keywords: advanced features, settings, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Turn on the preview experience in Windows Defender ATP
@@ -22,21 +22,21 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Preferences setup** > **Preview experience**.
+1. In the navigation pane, select **Settings** > **Preview experience**.
- 
+ 
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Related topics
-- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Update general settings in Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
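Review bot: step 1 gives the path as **Settings** > **Preview experience**, but the preview-features page in this same patch gives it as **Settings** > **General** > **Advanced features** > **Preview features**. Only one of these can be right for the current portal; align both pages (and the screenshot alt text, which still says "preferences setup") on the same path and label.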
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index a05e77c9a2..4d92a145bd 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/30/2017
+ms.date: 04/17/2018
---
# Windows Defender ATP preview features
@@ -23,31 +23,31 @@ ms.date: 11/30/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
+
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Preferences setup** > **Preview experience**.
-
- 
+1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**.
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
The following features are included in the preview release:
-- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
+ - Windows Server, version 1803
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
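Review bot: this hunk adds "Windows Server, version 1803" to the list of supported servers under the "Onboard servers" preview item, but the "Onboard servers" row added to the onboarding table earlier in this patch still says only "Onboard Windows Server 2012 R2 and Windows Server 2016". Update that row (or qualify the 1803 entry as preview-only) so the two lists agree. The unchanged context line "Those APIs will enable you, to automate workflows" also has a stray comma that could be removed while this file is open.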
@@ -55,12 +55,6 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
-- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
-
-- [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
-The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. Access and join the community to learn and interact with other members on product specific information.
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 412d63e5fe..d3de2bec95 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Pull Windows Defender ATP alerts using REST API
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
@@ -74,7 +74,7 @@ The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
- "expires_in": "3599",
+ "expires_in": "3599"
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
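Review bot: removing the comma after `"expires_in": "3599"` makes the sample response invalid JSON, since `"ext_expires_in"` follows on the next line; a reader who pastes this into a parser or uses it as a reference will hit a syntax error. Restore the comma (the original line was correct). If the intent was to fix a trailing comma, note that the last key in the object is further down and is not shown in this hunk.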
@@ -103,7 +103,9 @@ Use optional query parameters to specify and control the amount of data returned
Name | Value| Description
:---|:---|:---
-DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field: `LastProccesedTimeUtc` The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
+string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
### Request example
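Review bot: the rewritten `sinceTimeUtc` row still carries the misspelled field name `LastProccesedTimeUtc`; if the service actually returns `LastProcessedTimeUtc`, fix the spelling here, otherwise make it match whatever field the API really emits, since callers copy these names verbatim. The table now offers three overlapping ways to bound the query (`sinceTimeUtc`, `untilTimeUtc`, `ago`) but says nothing about what happens when `ago` is sent together with `sinceTimeUtc` or `untilTimeUtc` (which one wins, or whether the request is rejected); one sentence on precedence would save integrators a guess. Also check the rendering: the `**NOTE**: ...` text for each parameter sits on its own line, which breaks a markdown table unless the source joins the cell with `<br>`.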
diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index b3bcae08b4..278e02f9bb 100644
--- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Python code examples for the custom threat intelligence API
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
## Before you begin
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
@@ -39,7 +39,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
+Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Settings** page in the portal:
```
import json
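Review bot: "values with the ones you got from **Settings** page" needs an article: "from the **Settings** page". The code fence that opens right after this sentence carries no language tag; tagging it as python gives the reader syntax highlighting and lets doc tooling identify the snippet.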
@@ -183,8 +183,8 @@ with requests.Session() as session:
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8b7ad9f93e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,116 @@
+---
+title: Use role-based access control to grant fine-grained access to the Windows Defender ATP portal
+description: Create roles and groups within your security operations to grant access to the portal.
+keywords: rbac, role, based, access, control, groups, control, tier, aad
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# Manage portal access using role-based access control
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Azure Active Directory
+- Office 365
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink)
+
+
+Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
+
+Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:
+
+Tier | Description
+:---|:---
+Tier 1 | **Local security operations team / IT team** This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
+Tier 2 | **Regional security operations team** This team can see all the machines for their region and perform remediation actions.
+Tier 3 | **Global security operations team** This team consists of security experts and are authorized to see and perform all actions from the portal.
+
+Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls:
+
+- **Control who can take specific action**
+ - Create custom roles and control what Windows Defender ATP capabilities they can access with granularity.
+
+- **Control who can see information on specific machine group or groups**
+ - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group.
+
+To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles.
+
+
+### Before you begin
+Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.
+
+
+> [!WARNING]
+> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
+
+When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
+
+Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments
+
+> [!WARNING]
+> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
+>
+> **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
+>
+>Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Windows Defender ATP global administrator role.
+>
+> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
+
+## Create roles and assign the role to a group
+
+1. In the navigation pane, select **Settings > Role based access control > Roles**.
+
+2. Click **Add role**.
+
+3. Enter the role name, description, and active permissions you’d like to assign to the role.
+
+ - **Role name**
+
+ - **Description**
+
+ - **Active permissions**
+ - **View data** - Users can view information in the portal.
+ - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
+ - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions.
+ - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads.
+
+4. Click **Next** to assign the role to an Azure AD group.
+
+5. Use the filter to select the Azure AD group that you’d like to add to this role.
+
+6. Click **Save and close**.
+
+7. Apply the configuration settings.
+
+## Edit roles
+
+1. Select the role you'd like to edit.
+
+2. Click **Edit**.
+
+3. Modify the details or the groups that the role is a part of.
+
+4. Click **Save and close**.
+
+## Delete roles
+
+1. Select the role row you'd like to delete.
+
+2. Click the drop-down button and select **Delete role**.
+
+## Related topic
+- [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
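Review bot: "assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles" repeats "assign"; read "and assign Azure Active Directory (Azure AD) user groups to the roles". The two `[!WARNING]` blocks under "Before you begin" say the same thing (have Global Administrator or Security Administrator and your Azure AD groups ready before enabling RBAC); fold the first into the second so the lock-out consequences, that Security Reader users lose access and that opting in cannot be reverted, are stated once and prominently rather than split across two boxes. "Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments" is missing its terminal period. Under **Manage system settings**, it is worth saying explicitly that because the permission covers SIEM and threat intel API settings, a holder can provision API access to alert data outside the portal, so it should be treated as a privileged permission and not a housekeeping one. The file also lacks a trailing newline.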
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index c3162d20c2..0e5f08d3d5 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/06/2018
+ms.date: 04/17/2018
---
# Take response actions on a file
@@ -57,23 +57,25 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
- **Search box** - select File from the drop–down menu and enter the file name
2. Open the **Actions menu** and select **Stop and Quarantine File**.
+

-3. Type a comment and select **Yes, stop and quarantine** to take action on the file.
+3. Specify a reason, then click **Yes, stop and quarantine**.
+

- The Action center shows the submission information:
+ The Action center shows the submission information:

- - **Submission time** - Shows when the action was submitted.
- - **Success** - Shows the number of machines where the file has been stopped and quarantined.
- - **Failed** - Shows the number of machines where the action failed and details about the failure.
- - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
+ - **Submission time** - Shows when the action was submitted.
+ - **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ - **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
**Notification on machine user**:
-When the file is being removed from an endpoint, the following notification is shown:
+When the file is being removed from a machine, the following notification is shown:

@@ -89,7 +91,7 @@ For prevalent files in the organization, a warning is shown before an action is
## Remove file from quarantine
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
-1. Open an elevated command–line prompt on the endpoint:
+1. Open an elevated command–line prompt on the machine:
a. Go to **Start** and type cmd.
@@ -116,14 +118,27 @@ You can prevent further propagation of an attack in your organization by banning
### Enable the block file feature
-1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**.
+Before you can block files, you'll need to enable the feature.
+
+1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
+
+ 
+
+### Block a file
+1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
- 
+ - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+ - **Search box** - select File from the drop–down menu and enter the file name
+2. Open the **Actions menu** and select **Block**.
+
+ 
-3. Type a comment and select **Yes, block file** to take action on the file.
+3. Specify a reason and select **Yes, block file** to take action on the file.
+
+ 
The Action center shows the submission information:

@@ -135,7 +150,7 @@ You can prevent further propagation of an attack in your organization by banning
When the file is blocked, there will be a new event in the machine timeline.
**Notification on machine user**:
-When a file is being blocked on the endpoint, the following notification is displayed to inform the user that the file was blocked:
+When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:

@@ -150,7 +165,6 @@ For prevalent files in the organization, a warning is shown before an action is
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
- **Alerts** - Click the file links from the Description or Details in the Artifact timeline
- - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
- **Search box** - Select File from the drop–down menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**.
@@ -235,7 +249,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
4. Verify the policy setting enables sample collection and try to submit the file again.
- a. Change the following registry entry and values to change the policy on specific endpoints:
+ a. Change the following registry entry and values to change the policy on specific machines:
```
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Value = 0 – block sample collection
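Review bot: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` is a policy key, so a value edited by hand on "specific machines" is overwritten at the next Group Policy refresh whenever a GPO manages the same setting; the step should say that the per-machine registry edit is a troubleshooting aid and that the change must be made at the policy source (GPO or MDM) to persist. The fence around the registry snippet is also untagged.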
@@ -247,5 +261,5 @@ HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
> [!NOTE]
> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
-## Related topics
+## Related topic
- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index adcfd622e0..ac9d6c02de 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -73,6 +73,7 @@ The package contains the following folders:

The Action center shows the submission information:
+

- **Submission time** - Shows when the action was submitted.
@@ -247,5 +248,5 @@ All other related details are also shown, for example, submission time, submitti

-## Related topics
+## Related topic
- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 6092b45364..f4a083f835 100644
--- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -38,15 +38,3 @@ Topic | Description
:---|:---
[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package.
[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
-
-## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
-- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
-- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
index 9be70be191..f74f0543b9 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Run a detection test on a newly onboarded Windows Defender ATP endpoint
-description: Run the detection script on a newly onboarded endpoint to verify that it is properly onboarded to the Windows Defender ATP service.
-keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, endpoint, test
+title: Run a detection test on a newly onboarded Windows Defender ATP machine
+description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Windows Defender ATP service.
+keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 11/06/2017
---
-# Run a detection test on a newly onboarded Windows Defender ATP endpoint
+# Run a detection test on a newly onboarded Windows Defender ATP machine
**Applies to:**
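Review bot: `ms.date` on this file stays at 11/06/2017 while the title, description, keywords and body text all change in this same commit; the other files touched here bump `ms.date` to 04/17/2018, so this one should be bumped as well.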
@@ -24,9 +24,9 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Run the following PowerShell script on a newly onboarded endpoint to verify that it is properly reporting to the Windows Defender ATP service.
+Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
-1. Open an elevated command-line prompt on the endpoint and run the script:
+1. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
@@ -40,8 +40,8 @@ Run the following PowerShell script on a newly onboarded endpoint to verify that
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
```
-The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded endpoint in approximately 10 minutes.
+The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
## Related topics
-- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..43e1cf6abb
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,351 @@
+---
+title: View the Secure Score dashboard in Windows Defender ATP
+description: Use the Secure Score dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
+keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 04/17/2018
+---
+
+# View the Windows Defender Advanced Threat Protection Secure score dashboard
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink)
+
+
+The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
+
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version 1703 or later.
+
+
+The **Secure score dashboard** displays a snapshot of:
+- Microsoft Secure score
+- Windows Defender security controls
+- Improvement opportunities
+- Security score over time
+
+
+
+## Microsoft secure score
+The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
+
+
+
+Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+
+The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
+
+In the example image, the total points for the Windows security controls and Office 365 add up to 718 points.
+
+You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).
+
+## Windows Defender security controls
+The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
+
+
+
+
+## Improvement opportunities
+Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
+
+Click on each control to see the recommended optimizations.
+
+
+
+The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
+
+>[!IMPORTANT]
+>Recommendations that do not display a green triangle icon are informational only and no action is required.
+
+Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+
+The following image shows an example list of machines where the EDR sensor is not turned on.
+
+
+
+## Security score over time
+You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
+
+
+
+You can click on specific date points to see the total score for that security control is on a particular date.
+
+## Improve your secure score by applying improvement recommendations
+Each security control lists recommendations that you can take to increase the security posture of your organization.
+
+### Endpoint detection and response (EDR) optimization
+For an machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
+
+>[!IMPORTANT]
+>This feature is available for machines on Windows 10, version 1607 or later.
+
+#### Minimum baseline configuration setting for EDR:
+- Windows Defender ATP sensor is on
+- Data collection is working correctly
+- Communication to Windows Defender ATP service is not impaired
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on sensor
+- Fix sensor data collection
+- Fix impaired communications
+
+For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+### Windows Defender Antivirus (Windows Defender AV) optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
+
+>[!IMPORTANT]
+>This feature is available for machines on Windows 10, version 1607 or later.
+
+#### Minimum baseline configuration setting for Windows Defender AV:
+Machines are considered "well configured" for Windows Defender AV if the following requirements are met:
+
+- Windows Defender AV is reporting correctly
+- Windows Defender AV is turned on
+- Signature definitions are up to date
+- Real-time protection is on
+- Potentially Unwanted Application (PUA) protection is enabled
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+
+>[!NOTE]
+> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.
+
+- Fix antivirus reporting
+ - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
+- Turn on antivirus
+- Update antivirus definitions
+- Turn on real-time protection
+- Turn on PUA protection
+
+For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
+
+
+### OS security updates optimization
+This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
+
+>[!IMPORTANT]
+>This feature is available for machines on Windows 10, version 1607 or later.
+
+You can take the following actions to increase the overall security score of your organization:
+- Install the latest security updates
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+
+
+### Windows Defender Exploit Guard (Windows Defender EG) optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on machines so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
+
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Windows Defender EG:
+Machines are considered "well configured" for Windows Defender EG if the following requirements are met:
+
+- System level protection settings are configured correctly
+- Attack Surface Reduction rules are configured correctly
+- Controlled Folder Access setting is configured correctly
+
+##### System level protection:
+The following system level configuration settings must be set to **On or Force On**:
+
+1. Control Flow Guard
+2. Data Execution Prevention (DEP)
+3. Randomize memory allocations (Bottom-up ASLR)
+4. Validate exception chains (SEHOP)
+5. Validate heap integrity
+
+>[!NOTE]
+>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
+>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
+
+##### Attack Surface Reduction (ASR) rules:
+The following ASR rules must be configured to **Block mode**:
+
+Rule description | GUIDs
+-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+
+
+>[!NOTE]
+>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
+>Consider enabling this rule in **Audit** or **Block mode** for better protection.
+
+
+##### Controlled Folder Access
+The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**.
+
+>[!NOTE]
+> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
+>Consider enabling Controlled Folder Access for better protection.
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on all system-level Exploit Protection settings
+- Set all ASR rules to enabled or audit mode
+- Turn on Controlled Folder Access
+- Turn on Windows Defender Antivirus on compatible machines
+
+For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+
+### Windows Defender Application Guard (Windows Defender AG) optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Windows Defender AG:
+Machines are considered "well configured" for Windows Defender AG if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender AG is turned on compatible machines
+- Managed mode is turned on
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Ensure hardware and software prerequisites are met
+
+ >[!NOTE]
+ >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
+
+- Turn on Windows Defender AG on compatible machines
+- Turn on managed mode
+
+
+For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
+
+
+### Windows Defender SmartScreen optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Windows Defender SmartScreen:
+The following settings must be configured with the following settings:
+- Check apps and files: **Warn** or **Block**
+- SmartScreen for Microsoft Edge: **Warn** or **Block**
+- SmartScreen for Microsoft store apps: **Warn** or **Off**
+
+
+You can take the following actions to increase the overall security score of your organization:
+- Set **Check app and files** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+
+
+
+### Windows Defender Firewall optimization
+For a machine to be considered "well configured", Windows Defender Firewall must be turned on and enabled for all profiles and inbound connections are blocked by default. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled.
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Windows Defender Firewall
+
+- Windows Defender Firewall is turned on for all network connections
+- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
+
+For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
+
+>[!NOTE]
+> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
+
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on firewall
+- Secure domain profile
+- Secure private profile
+- Secure public profile
+- Verify secure configuration of third-party firewall
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
+
+### BitLocker optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled.
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1803 or later.
+
+#### Minimum baseline configuration setting for BitLocker
+- Ensure all supported internal drives are encrypted
+- Ensure that all suspended protection on drives resume protection
+- Ensure that drives are compatible
+
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Encrypt all supported drives
+- Resume protection on all drives
+- Ensure drive compatibility
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).
+
+### Windows Defender Credential Guard optimization
+For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
+
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1709 or later.
+
+#### Minimum baseline configuration setting for Windows Defender Credential Guard:
+Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender Credential Guard is turned on on compatible machines
+
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+
+- Ensure hardware and software prerequisites are met
+- Turn on Credential Guard
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
+
+## Related topics
+- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
+- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+
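Review bot: in the Windows Defender EG section the recommended actions do not satisfy the baseline they are supposed to fix: the ASR table is introduced with `The following ASR rules must be configured to **Block mode**:`, yet the action below reads `- Set all ASR rules to enabled or audit mode`, and a machine in audit mode would still fall short of the stated baseline. Align the two, either by changing the action to "Set the listed ASR rules to Block mode" or by stating in the baseline that Audit mode also counts, as the note on the excluded injection rule already implies. In the same list, `- Turn on Windows Defender Antivirus on compatible machines` is not one of the three EG requirements listed above it; if Windows Defender AV is a prerequisite for ASR and Controlled Folder Access, say so there, otherwise drop the bullet. Smaller fixes in this file: "comply to a minimum baseline" should be "comply with" in each tile intro; "Windows Defender AG is turned on compatible machines" is missing "on"; the Firewall intro should read "turned on for all profiles, with inbound connections blocked by default"; "configured in a securely" in the Firewall note should be "configured securely"; the three firewall profile bullets should use one sentence pattern (the public profile one differs from the other two); "Ensure that all suspended protection on drives resume protection" reads better as "Resume protection on any drive where it is suspended"; the SmartScreen opener "The following settings must be configured with the following settings" repeats itself; and the BitLocker link text "Bitlocker" should be "BitLocker". The Windows Update, firewall planning and firewall-with-advanced-security URLs carry an `en-us` locale segment while the BitLocker and Credential Guard URLs in the same file omit it; drop the locale for consistency.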
diff --git a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 6ea27c4f75..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,256 +0,0 @@
----
-title: View the Secure score dashboard in Windows Defender ATP
-description: Use the Secure score dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
-keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
-ms.date: 03/12/2018
----
-
-# View the Windows Defender Advanced Threat Protection Secure score dashboard
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink)
-
-
-The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
-
->[!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1703 or later.
-
-The **Secure score dashboard** displays a snapshot of:
-- Organizational security score
-- Security coverage
-- Improvement opportunities
-- Security score over time
-
-
-
-## Organizational security score
-The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
-
-
-Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
-
-The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-
-
-In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile.
-
-You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Preferences settings**. For more information, see [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
-
-## Security coverage
-The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
-
-
-
-
-## Improvement opportunities
-Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
-
-Click on each control to see the recommended optimizations.
-
-
-
-The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
-
->[!IMPORTANT]
->Recommendations that do not display a green triangle icon are informational only and no action is required.
-
-Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
-
-The following image shows an example list of machines where the EDR sensor is not turned on.
-
-
-
-## Security score over time
-You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
-
-
-
-You can click on specific date points to see the total score for that security control is on a particular date.
-
-### Endpoint detection and response (EDR) optimization
-For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
-
-#### Minimum baseline configuration setting for EDR:
-- Windows Defender ATP sensor is on
-- Data collection is working correctly
-- Communication to Windows Defender ATP service is not impaired
-
-#### Minimum baseline configuration setting for EDR:
-You can take the following actions to increase the overall security score of your organization:
-- Turn on sensor
-- Fix sensor data collection
-- Fix impaired communications
-
-For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-
-### Windows Defender Antivirus (Windows Defender AV) optimization
-For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
-
-#### Minimum baseline configuration setting for Windows Defender AV:
-Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
-
-- Windows Defender AV is reporting correctly
-- Windows Defender AV is turned on
-- Signature definitions are up to date
-- Real-time protection is on
-- Potentially Unwanted Application (PUA) protection is enabled
-
-##### Recommended actions:
-You can take the following actions to increase the overall security score of your organization:
-
->[!NOTE]
-> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the endpoint.
-
-- Fix antivirus reporting
- - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
-- Turn on antivirus
-- Update antivirus definitions
-- Turn on real-time protection
-- Turn on PUA protection
-
-For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
-
-
-### OS security updates optimization
-This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
-
-You can take the following actions to increase the overall security score of your organization:
-- Install the latest security updates
-- Fix sensor data collection
- - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-
-For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
-
-
-### Windows Defender Exploit Guard (Windows Defender EG) optimization
-For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
-
-#### Minimum baseline configuration setting for Windows Defender EG:
-Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
-
-- System level protection settings are configured correctly
-- Attack Surface Reduction rules are configured correctly
-- Controlled Folder Access setting is configured correctly
-
-##### System level protection:
-The following system level configuration settings must be set to **On or Force On**:
-
-1. Control Flow Guard
-2. Data Execution Prevention (DEP)
-3. Randomize memory allocations (Bottom-up ASLR)
-4. Validate exception chains (SEHOP)
-5. Validate heap integrity
-
->[!NOTE]
->The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
->Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
-
-##### Attack Surface Reduction (ASR) rules:
-The following ASR rules must be configured to **Block mode**:
-
-Rule description | GUIDs
--|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-
-
->[!NOTE]
->The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
->Consider enabling this rule in **Audit** or **Block mode** for better protection.
-
-
-##### Controlled Folder Access
-The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**.
-
->[!NOTE]
-> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
->Consider enabling Controlled Folder Access for better protection.
-
-##### Recommended actions:
-You can take the following actions to increase the overall security score of your organization:
-- Turn on all system-level Exploit Protection settings
-- Set all ASR rules to enabled or audit mode
-- Turn on Controlled Folder Access
-- Turn on Windows Defender Antivirus on compatible machines
-
-For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
-
-### Windows Defender Application Guard (Windows Defender AG) optimization
-For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
-
-#### Minimum baseline configuration setting for Windows Defender AG:
-Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
-
-- Hardware and software prerequisites are met
-- Windows Defender AG is turned on compatible machines
-- Managed mode is turned on
-
-##### Recommended actions:
-You can take the following actions to increase the overall security score of your organization:
-- Ensure hardware and software prerequisites are met
-
- >[!NOTE]
- >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
-
-- Turn on Windows Defender AG on compatible machines
-- Turn on managed mode
-
-
-For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
-
-
-### Windows Defender SmartScreen optimization
-For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
-
-#### Minimum baseline configuration setting for Windows Defender SmartScreen:
-The following settings must be configured with the following settings:
-- Check apps and files: **Warn** or **Block**
-- SmartScreen for Microsoft Edge: **Warn** or **Block**
-- SmartScreen for Microsoft store apps: **Warn** or **Off**
-
-
-You can take the following actions to increase the overall security score of your organization:
-- Set **Check app and files** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
-
-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
-
-## Related topics
-- [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
-- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
-- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
-
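Review bot: this deletes `security-analytics-dashboard-windows-defender-advanced-threat-protection.md` outright instead of renaming it, so any page still linking to the old file name will break unless a redirect is in place; confirm the redirect is part of this change and search the repo for remaining references to the old name. Note also that the removed file's Related topics pointed at `dashboard-windows-defender-advanced-threat-protection.md`, which is itself renamed later in this patch, so the replacement page's links must use the new `security-operations-dashboard-...` name (the new file's Related topics list earlier in this patch does).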
diff --git a/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
index 1846ca83c2..7b4b053ce3 100644
--- a/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/01/2017
+ms.date: 04/17/2018
---
# View the Windows Defender Advanced Threat Protection Security operations dashboard
@@ -23,20 +23,25 @@ ms.date: 11/01/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
-- Daily machines reporting
- Machines at risk
-- Users at risk
- Machines with active malware alerts
+- Daily machines reporting
+- Active automated investigations
+- Automated investigations statistics
+- Users at risk
+- Suspicious activities
- Sensor health
- Service health
+
+
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
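Review bot: the new `[!include[Prerelease information](prerelease.md)]` line replaces the blank line that separated the last `Applies to` bullet from the `>Want to experience Windows Defender ATP?` quote, so it now sits directly under the bullet and directly above the blockquote; a non-indented line following a list item can be parsed as a continuation of that item, so keep a blank line on both sides of the include so it renders as its own block. The snapshot list gains `- Active automated investigations`, `- Automated investigations statistics` and `- Suspicious activities`; make sure each has a matching section in the body. The two blank lines added after `- Service health` leave a triple gap before the next paragraph; one is enough.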
@@ -54,10 +59,7 @@ For more information see, [Alerts overview](alerts-queue-windows-defender-advanc
The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
-## Daily machines reporting
-The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
-
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
@@ -68,19 +70,12 @@ Click the name of the machine to see details about that machine. For more inform
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
-## Users at risk
-The tile shows you a list of user accounts with the most active alerts.
-
-
-
-Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
-
## Machines with active malware detections
-The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
+The **Machines with active malware detections** tile will only appear if your machines are using Windows Defender Antivirus.
Active malware is defined as threats that were actively executing at the time of detection.
-Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
+Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of machines with at least one active detection (as **Machines**) over the past 30 days.

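Review bot: the `## Machines with active malware detections` heading kept as context at the foot of this hunk is the section that the dashboard intro list item "Machines with active malware alerts" refers to; the two names should agree, and since the section body describes detections (threats executing at detection time), the list item is the one to rename. Dropping the Users at risk section here is consistent with its re-insertion further down with the expanded description.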
@@ -98,12 +93,44 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
-> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Machines with active malware detections** tile will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+## Daily machines reporting
+The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+
+
+
+
+
+## Active automated investigations
+You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Waiting for machine**, **Running**, and **Pending approval**.
+
+
+
+
+## Automated investigations statistics
+This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigaiton to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
+
+
+
+You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Invesgations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
+
+## Users at risk
+The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
+
+
+
+Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
+
+## Suspicious activities
+This tile shows audit events based on detections from various security components.
+
+
+
## Sensor health
-The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
+The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.

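Review bot: the added text carries three typos: "investigaiton" in the Automated investigations statistics paragraph should be "investigation", and "Remidated investigations" and "Invesgations" in the paragraph after it should be "Remediated investigations" and "Investigations" (the latter is a bolded page name that readers will search for). In the Users at risk paragraph, "the number of alerts seen on high, medium, or low alerts" says alerts twice; "the number of high, medium, and low severity alerts for each account" carries the same meaning cleanly. The runs of four and five consecutive `+` blank lines between the new sections look like placeholders for screenshots; either add the image references or collapse each run to a single blank line. Finally, the note block "> The **Machines with active malware detections** tile will only appear if..." repeats the sentence that opens the same section a few lines above; one of the two can go.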
@@ -126,13 +153,8 @@ For more information on the service health, see [Check the Windows Defender ATP
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
## Related topics
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
-- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
-- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
-- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
-- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
-- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
+- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
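Review bot: the final `+` line adds a blank line at the end of the file; drop it so the file ends after the last list item. The new Related topics set (portal, portal overview, sibling dashboards) is the same one the Threat analytics dashboard page receives later in this patch, which keeps the dashboard pages consistent, and the alert, machine and user investigation pages removed from this list remain linked inline from the tile sections, so none of them becomes unreachable.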
diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index fb58b3850a..0e0c2d60c4 100644
--- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Check the Windows Defender Advanced Threat Protection service health
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
@@ -57,4 +57,4 @@ When an issue is resolved, it gets recorded in the **Status history** tab.
The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
### Related topic
-- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
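Review bot: the updated target `security-operations-dashboard-windows-defender-advanced-threat-protection.md` is the new name of the renamed dashboard page, so the link stays valid. While here, this page's `### Related topic` heading sits one level deeper than the `## Related topics` / `## Related topic` headings used on the other pages in this patch (for example the Supported APIs page); promote it to `##` for consistency.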
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index 6277924353..6e4c10056a 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Supported Windows Defender ATP query APIs
@@ -23,6 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
@@ -39,3 +40,5 @@ IP | Run API calls such as get IP related alerts, IP related machines, IP statis
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+## Related topic
+- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
similarity index 87%
rename from windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
index e2bb30d5ac..1b25b996dc 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -50,5 +50,10 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T
Click a section of each chart to get a list of the machines in the corresponding mitigation status.
+## Related topics
+- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
+- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 54edd18d8c..3324909b34 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Understand threat intelligence concepts
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink)
@@ -52,8 +52,8 @@ Here is an example of an IOC:
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
## Related topics
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
similarity index 96%
rename from windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
index b376019c6a..8f05637899 100644
--- a/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
@@ -63,9 +63,9 @@ To set the time zone:
To apply different date formats for Windows Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
-**Internet Explorer (IE) and Microsoft Edge (Edge)**
+**Internet Explorer (IE) and Microsoft Edge**
-IE and Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
+IE and Microsoft Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
#### Known issues with regional formats
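Review bot: the context line above the changed lines still reads "Internet Explorer (IE) and Microsoft Edge (Edge)", so after dropping "(Edge)" from the bold heading and the sentence that follows, the page introduces an abbreviation it never uses again; remove "(Edge)" from that introductory sentence as well (or keep the abbreviation throughout). The rename to `time-settings-windows-defender-advanced-threat-protection.md` also needs a redirect entry for the old `settings-windows-defender-advanced-threat-protection.md` path, since other pages may still link to it.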
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index d6dbef14e6..b020424608 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ ms.date: 02/26/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
You might need to troubleshoot issues while using the custom threat intelligence feature.
@@ -53,8 +53,8 @@ If your client secret expires or if you've misplaced the copy provided when you
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
index 67e7ed903c..ae602776bf 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -50,10 +50,10 @@ For both cases you should contact Microsoft support at [General Windows Defender
If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
-You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the endpoint offboarding package, should you choose to not renew the license.
+You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
> [!NOTE]
-> For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

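Review bot: the rewritten note reads "the package used to Offboard machines"; "Offboard" should be lowercase mid-sentence. The same line keeps the pre-existing "the packages expiry date", which should be "the package's expiry date". The endpoint to machine substitution in the paragraph above matches the rest of the patch.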
@@ -73,4 +73,4 @@ You'll need to whitelist the `security.windows.com` and all sub-domains under it
## Related topics
-- [Validating licensing provisioning and completing setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
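Review bot: both the removed and the added last line lack a trailing newline ("\ No newline at end of file"); since the line is being rewritten anyway, end the file with a newline so the next change to this list yields a clean one-line diff. The retitled link ("Validate licensing provisioning and complete setup...") uses the imperative form that the other related-topic titles in this patch use.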
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 0dd01e9e60..637bf8c04f 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Windows Defender ATP onboarding issues
-description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
+description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service.
keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
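Review bot: the updated `description:` still says "during the onboarding of machines or to the Windows Defender ATP service"; the stray "or" leaves the sentence dangling. "during the onboarding of machines to the Windows Defender ATP service" reads cleanly and matches the page title.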
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/21/2017
+ms.date: 04/17/2018
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
@@ -25,37 +25,37 @@ ms.date: 11/21/2017
- Windows Server 2012 R2
- Windows Server 2016
-
+[!include[Prerelease information](prerelease.md)]
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
-This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
+This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
-If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
+If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem.
## Troubleshoot onboarding when deploying with Group Policy
-Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not.
+Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not.
-If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
+If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
-If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
+If the script completes successfully, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
-When onboarding endpoints using the following versions of System Center Configuration Manager:
+When onboarding machines using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch) version 1511
- System Center Configuration Manager (current branch) version 1602
-Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console.
+Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
-If the deployment fails, you can check the output of the script on the endpoints.
+If the deployment fails, you can check the output of the script on the machines.
-If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
+If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
-## Troubleshoot onboarding when deploying with a script on the endpoint
+## Troubleshoot onboarding when deploying with a script
-**Check the result of the script on the endpoint**:
+**Check the result of the script on the machine**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
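Review bot: the new anchors `#troubleshoot-onboarding-when-deploying-with-a-script` and `#troubleshoot-onboarding-issues` replace the old "...-on-the-endpoint" anchors; the first matches the renamed heading `## Troubleshoot onboarding when deploying with a script` in this hunk, but the heading that `#troubleshoot-onboarding-issues` points to lies outside this diff, so confirm it was renamed to exactly "Troubleshoot onboarding issues" (the old heading was "Troubleshoot onboarding issues on the endpoint"), otherwise both "see [Troubleshoot onboarding issues]..." links break. Also, "When onboarding machines using the following versions of System Center Configuration Manager:" introduces the version list but the paragraph after the list restarts the thought ("Deployment with the above-mentioned versions..."); merging the two, or giving the introducing sentence a main clause, would read better.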
@@ -70,17 +70,17 @@ Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
-15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). If the endpoint is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
+15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
-30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
65 | Insufficient privileges| Run the script again with administrator privileges.
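Review bot: the changed Event ID 15 row names the intermediate service states as 'Pending_Stopped' and 'Pending_Running' and then, two sentences later, quotes `sc query sense` returning `START_PENDING`; `sc query` reports these states as `STOP_PENDING` and `START_PENDING`, so the row contradicts itself and the first pair should use the same spelling. In the Event ID 10 context row just above, the registry path ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat``` is missing "Protection" compared with the Event ID 5 row, and "the script was ran as an administrator" should be "was run". The retitled Event viewer link text ("Review events and errors using Event viewer") is consistent across the three changed rows.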
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
Use the following tables to understand the possible causes of issues while onboarding:
@@ -88,14 +88,14 @@ Use the following tables to understand the possible causes of issues while onboa
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
-If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint management** section of the portal, and run it in an elevated command prompt.
+If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:** Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:** Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | | Onboarding Offboarding SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` If it doesn't exist, open an elevated command and add the key.
| | | | SenseIsRunning OnboardingState OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
|| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported.
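Review bot: the rewritten Intune row `[View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)` updates the link text but keeps the old fragment, while this same patch renames that heading to "View agent onboarding errors in the machine event log"; the auto-generated anchor becomes `#view-agent-onboarding-errors-in-the-machine-event-log`, so the link will scroll to the top of the page instead of the section. Change the fragment together with the heading. While touching this table, the unchanged SKU row "Currently is supported platforms: Enterprise, Education, and Professional" should read "Currently supported platforms are Enterprise, Education, and Professional", and "open an elevated command and add the key" should say "elevated command prompt".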
@@ -125,16 +125,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
-## Troubleshoot onboarding issues on the endpoint
-If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
-- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
+## Troubleshoot onboarding issues on the machine
+If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
+- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
-- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the machine has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-### View agent onboarding errors in the endpoint event log
+### View agent onboarding errors in the machine event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
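Review bot: the two renamed list entries keep stale fragments: `[View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)` and `[Ensure the machine has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)` point at anchors that stop existing once the headings are renamed to "...in the machine event log" and "Ensure the machine has an Internet connection" further down in this patch; the fragments need the same endpoint-to-machine change as the link text. The unchanged entry `#ensure-the-diagnostics-service-is-enabled` also does not match its heading "Ensure the diagnostic data service is enabled" (anchor `#ensure-the-diagnostic-data-service-is-enabled`). Separately, the rewritten intro sentence still reads "If the deployment tools used does not indicate"; suggest "If the deployment tool you used does not indicate an error in the onboarding process, but machines still do not appear in the machines list within an hour".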
@@ -155,16 +155,16 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
-5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
-7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
-9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
If the event happened during offboarding, contact support.
-10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
If the problem persists, contact support.
-15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
+5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).
+7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
+9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).
If the event happened during offboarding, contact support.
+10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).
If the problem persists, contact support.
+15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
-29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again.
+29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine.
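Review bot: rows 5, 7 and 15 still link `#ensure-the-endpoint-has-an-internet-connection`, a fragment this patch invalidates by renaming the target heading to "Ensure the machine has an Internet connection"; only the link text was changed. Minor, since these rows are being rewritten anyway: rows 9, 10 and 17 write "Failure code: variable" as plain text while rows 5, 6, 7 and 25 use `_variable_`; make the placeholder italic consistently.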
@@ -174,11 +174,11 @@ Event ID | Message | Resolution steps
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
+There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
### Ensure the diagnostic data service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
+If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
@@ -186,7 +186,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to check the Windows 10 diagnostic data service startup type**:
-1. Open an elevated command-line prompt on the endpoint:
+1. Open an elevated command-line prompt on the machine:
a. Click **Start**, type **cmd**, and press **Enter**.
@@ -207,7 +207,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-1. Open an elevated command-line prompt on the endpoint:
+1. Open an elevated command-line prompt on the machine:
a. Click **Start**, type **cmd**, and press **Enter**.
@@ -233,7 +233,7 @@ First, you should check that the service is set to start automatically when Wind
sc start diagtrack
```
-### Ensure the endpoint has an Internet connection
+### Ensure the machine has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
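Review bot: renaming this heading to "Ensure the machine has an Internet connection" changes its anchor to `#ensure-the-machine-has-an-internet-connection`, yet every in-page reference elsewhere in the patch (the verification list, the event-ID rows and the Intune table) still uses `#ensure-the-endpoint-has-an-internet-connection`. Either update those fragments in the same commit or keep the heading text unchanged; a DocFX build will not fail on a dangling fragment, so this needs checking by hand. The unchanged line below also has "The Window Defender ATP sensor", missing the "s" in Windows.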
@@ -248,7 +248,7 @@ If the verification fails and your environment is using a proxy to connect to th
**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
-**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
+**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@@ -259,7 +259,7 @@ If the verification fails and your environment is using a proxy to connect to th
- ``````
- ``````
-- After clearing the policy, run the onboarding steps again on the endpoint.
+- After clearing the policy, run the onboarding steps again.
- You can also check the following registry key values to verify that the policy is disabled:
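Review bot: the rewritten step "After clearing the policy, run the onboarding steps again" refers to a list whose two entries render as empty inline code (`- `````` twice), so the reader is never told which Windows Defender policies to clear; the policy names need to be restored in those code spans before this step is meaningful.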
@@ -273,7 +273,7 @@ If the verification fails and your environment is using a proxy to connect to th
If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.
- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma)
-- [Ensure that the server endpoint proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
+- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
You might also need to check the following:
- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
@@ -308,5 +308,5 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Related topics
- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 64bd439f18..6a9a2a8e2f 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -42,11 +42,11 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
### Windows Defender ATP service shows event or error logs in the Event Viewer
-See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
+See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
### Windows Defender ATP service fails to start after a reboot and shows error 577
-If onboarding endpoints successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
+If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
@@ -73,4 +73,4 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
## Related topics
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+- [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index c4691b7324..43d2792de3 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 04/17/2018
---
# Use the threat intelligence API to create custom alerts
@@ -23,7 +23,7 @@ ms.date: 10/16/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
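Review bot: `[!include[Prerelease information](prerelease.md)]` replaces the blank line that separated the "Applies to" list from the following content, so with no blank line after `- Windows Defender Advanced Threat Protection (Windows Defender ATP)` the include is a lazy continuation of that last bullet and renders inside the list item. Keep the blank line and add the include on the line after it.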
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 9ec694fdde..bc987d35d2 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -31,7 +31,9 @@ You can use the Windows Defender ATP portal to carry out an end-to-end security
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
-Use the **Secure score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
+Use the **Secure Score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
+
+Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
### In this section
@@ -39,7 +41,8 @@ Use the **Secure score** dashboard to expand your visibility on the overall secu
Topic | Description
:---|:---
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
-[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
-[View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations.
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index a82528a68f..a3ae16d7dd 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Windows Defender Advanced Threat Protection - Windows Defender
+title: Windows Defender Advanced Threat Protection
description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
-keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, score, threat intelligence
+keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 03/12/2018
+ms.date: 04/17/2018
---
# Windows Defender Advanced Threat Protection
@@ -23,7 +23,7 @@ ms.date: 03/12/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
>
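Review bot: same blank-line problem as the include added to use-custom-ti: `[!include[Prerelease information](prerelease.md)]` directly follows the last "Applies to" bullet and becomes part of that list item; insert a blank line before it. Also, placing the prerelease banner on the product overview marks the whole page as prerelease, although only the Threat analytics and automated investigation material added here is new; consider scoping the include to those topics instead.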
@@ -55,18 +55,15 @@ Windows Defender ATP uses the following combination of technology built into Win
tools, techniques, and procedures, and generate alerts when these
are observed in collected sensor data.
-The following diagram shows these Windows Defender ATP service
-components:
+ 
-
-
-Endpoint investigation capabilities in this service let you drill down
+Machine investigation capabilities in this service let you drill down
into security alerts and understand the scope and nature of a potential
breach. You can submit files for deep analysis and receive the results
-without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com).
+without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches.
Windows Defender ATP works with existing Windows security technologies
-on endpoints, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
+on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
can also work side-by-side with third-party security solutions and
antimalware products.
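Review bot: the line added in place of "The following diagram shows these Windows Defender ATP service components:" contains only a non-breaking space, leaving a stray whitespace paragraph where the diagram used to be. If the diagram is being removed, delete this line outright; if it is meant to stay, keep the lead-in sentence and the image reference. The added sentence "reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches" is also vague; the "Automated investigation and remediation" bullet added below already describes the capability, so either drop this sentence or say concretely that it examines alerts and takes remediation actions.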
@@ -75,39 +72,36 @@ detect sophisticated cyber-attacks, providing:
- Behavior-based, cloud-powered, advanced attack detection
- Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
+ Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines.
- Rich timeline for forensic investigation and mitigation
- Easily investigate the scope of breach or suspected behaviors on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
+ Easily investigate the scope of breach or suspected behaviours on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
- Built in unique threat intelligence knowledge base
Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.
+- Automated investigation and remediation
+
+ Significantly reduces alert volume by leveraging inspection algorithms used by analysts to examine alerts and take remediation action.
+
## In this section
Topic | Description
:---|:---
-[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
-[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and enable the preview experience.
-[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
-[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
-[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
-[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
-[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
-[Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools.
-[Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
-[Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) | Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
-[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
-[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
-[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
-[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)| The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
-[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings and view license information.
-[Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues.
-[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
-[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
-[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender Antivirus works in conjunction with Windows Defender ATP.
+Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
+[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
+[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
+Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
+API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
+Reporting | Create and build Power BI reports using Windows Defender ATP data.
+Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
+[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
+[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
+[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Understand how Windows Defender Antivirus integrates with Windows Defender ATP.
+
## Related topic
[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
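Review bot: "suspected behaviours" introduces British spelling into a page that otherwise uses US spelling (the unchanged bullet above reads "Behavior-based"); keep "behaviors". The new "In this section" rows `Get started`, `Investigate and remediate threats`, `API and SIEM support`, `Reporting` and `Check service health and sensor state` carry no links, whereas every row they replace linked to a topic (minimum-requirements, assign-portal-access, configure-siem, exposed-apis, powerbi-reports, check-sensor-status, service-status); link each row to its landing topic or the table stops working as navigation. Also `[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md)` drops "ATP" from the product name; it should read "Configure Windows Defender ATP settings".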
|