deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr

Browse Source
This commit is contained in:
Jreeds001 2020-04-21 16:54:00 -07:00
commit 75b246f18f
4 changed files with 66 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -20,6 +20,7 @@ ms.topic: article
# Configure advanced features in Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@ -30,32 +31,36 @@ Use the following advanced features to get better protected from potentially mal
## Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
## Live response
When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
Turn on this feature so that users with the appropriate permissions can start a live response session on machines.
For more information on role assignments see, [Create and manage roles](user-roles.md).
For more information about role assignments, see [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.
## Auto-resolve remediated alerts
## Autoresolve remediated alerts
For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you dont want to have alerts auto-resolved, youll need to manually turn off the feature.
For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
>[!NOTE]
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>
>- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Allow or block file
Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
Blocking is only available if your organization fulfills these requirements:
- Uses Windows Defender Antivirus as the active antimalware solution and,
- The cloud-based protection feature is enabled
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
@ -69,24 +74,22 @@ To turn **Allow or block** files on:
1. Select **Save preferences** at the bottom of the page.
Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
## Custom network indicators
Enabling this feature allows you to create indicators for IP addresses, domains, or URLs which determine whether they will be allowed or blocked based on your custom indicator list.
Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
For more information, see [Manage indicators](manage-indicators.md).
>[!NOTE]
>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
@ -110,25 +113,25 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
## Microsoft Secure Score
Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
@ -137,7 +140,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you
## Microsoft Threat Experts
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
@ -151,11 +154,11 @@ Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud
## Azure Information Protection
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
## Microsoft Intune connection
Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
>[!IMPORTANT]
>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
@ -176,7 +179,7 @@ When you enable Intune integration, Intune will automatically create a classic C
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features

38
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -21,11 +21,12 @@ ms.date: 03/27/2020
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
@ -33,6 +34,7 @@ The **Alerts queue** shows a list of alerts that were flagged from machines in y
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
- Select grouped view or list view
- Customize columns to add or remove columns
- Select the items to show per page
@ -42,32 +44,36 @@ On the top navigation you can:
![Image of alerts queue](images/alerts-queue-list.png)
## Sort, filter, and group the alerts queue
You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
### Severity
Alert severity | Description
:---|:---
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
The table below lists the current categories and how they generally map to previous categories.
@ -92,39 +98,43 @@ The table below lists the current categories and how they generally map to previ
### Status
You can choose to limit the list of alerts based on their status.
### Investigation state
Corresponds to the automated investigation state.
### Category
You can choose to filter the queue to display specific types of malicious activity.
### Assigned to
You can choose between showing alerts that are assigned to you or automation.
### Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service.
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
### OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
### Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups.
If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view.
### Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
## Related topics
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)

7
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -23,6 +23,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Methods
Method |Return Type |Description
:---|:---|:---
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
@ -37,7 +38,8 @@ Method |Return Type |Description
## Properties
Property | Type | Description
Property | Type | Description
:---|:---|:---
id | String | Alert ID.
title | String | Alert title.
@ -61,7 +63,6 @@ threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
### Response example for getting single alert:
```
@ -73,7 +74,7 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",

22
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
View File

@ -1,7 +1,7 @@
---
title: API Explorer in Microsoft Defender ATP
ms.reviewer:
description: Use the API Explorer to construct and perform API queries, test and send requests for any available API
description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
keywords: api, explorer, send, request, get, post,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -19,14 +19,16 @@ ms.topic: conceptual
---
# API Explorer
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface.
The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
The tool is useful during app development because it allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
@ -34,26 +36,30 @@ With the API Explorer, you can:
- Run requests for any method and see responses in real-time
- Quickly browse through the API samples and learn what parameters they support
- Make API calls with ease; no need to authenticate beyond the management portal sign-in
- Make API calls with ease; no need to authenticate beyond the management portal sign in
## Access API Explorer
From the left navigation menu, select **Partners & APIs** > **API Explorer**.
## Supported APIs
## Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the [APIs documentation](apis-intro.md).
## Get started with the API Explorer
1. In the left pane, there is a list of sample requests that you can use.
2. Follow the links and click **Run query**.
Some of the samples may require specifying a parameter in the URL, for example, {machine- id}.
Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
## FAQ
**Do I need to have an API token to use the API Explorer?** <br>
Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is limited to the security admin role.
Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.