deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Fifth set of doc updates - machine ---> device

Browse Source
This commit is contained in:
ManikaDhiman 2020-05-26 15:07:28 -07:00
parent 5ea82401f0
commit 7c81fd4217
54 changed files with 264 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
View File

@ -38,7 +38,7 @@ Microsoft Defender ATP supports SIEM integration through a variety of methods -
Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
## Security orchestration and automation response (SOAR) integration
Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others.
Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
## External alert correlation and Automated investigation and remediation
Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.

2
windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
View File

@ -42,7 +42,7 @@ Microsoft Defender ATP adds support for this scenario in the following forms:
- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
## Scenario 2: Security orchestration and automation response (SOAR) integration
Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others.
Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
## Scenario 3: Indicators matching
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.

30
windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender Advanced Threat Protection portal overview
description: Microsoft Defender Security Center can monitor your enterprise network and assist in responding to potential advanced persistent threats (APT) or data breaches.
keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -42,27 +42,27 @@ When you open the portal, you'll see:
![Microsoft Defender Advanced Threat Protection portal](images/mdatp-portal-overview.png)
> [!NOTE]
> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
> Malware related detections will only appear if your devices are using Windows Defender Antivirus as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
Area | Description
:---|:---
**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards.
**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
**Incidents** | View alerts that have been aggregated as incidents.
**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from machines in your organizations.
**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from devices in your organizations.
**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability.
**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines.
**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments.
**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation. </br></br> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. </br></br> **Localization** - Set time zones. </br></br> **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.</br></br> **Feedback** - Provide comments about what you like or what we can do better.
**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. </br></br> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. </br></br> **Localization** - Set time zones. </br></br> **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.</br></br> **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE]
> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
@ -77,10 +77,10 @@ Icon | Description
![Alert icon](images/alert-icon.png)| Alert Indication of an activity correlated with advanced attacks.
![Detection icon](images/detection-icon.png)| Detection Indication of a malware threat detection.
![Active threat icon](images/active-threat-icon.png)| Active threat Threats actively executing at the time of detection.
![Remediated icon](images/remediated-icon.png)| Remediated Threat removed from the machine.
![Not remediated icon](images/not-remediated-icon.png)| Not remediated Threat not removed from the machine.
![Remediated icon](images/remediated-icon.png)| Remediated Threat removed from the device.
![Not remediated icon](images/not-remediated-icon.png)| Not remediated Threat not removed from the device.
![Thunderbolt icon](images/atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**.
![Machine icon](images/atp-machine-icon.png)| Machine icon
![Device icon](images/atp-machine-icon.png)| Device icon
![Windows Defender AV events icon](images/atp-windows-defender-av-events-icon.png)| Windows Defender Antivirus events
![Application Guard events icon](images/atp-Application-Guard-events-icon.png)| Windows Defender Application Guard events
![Device Guard events icon](images/atp-Device-Guard-events-icon.png)| Windows Defender Device Guard events

10
windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
View File

@ -30,7 +30,7 @@ ms.topic: article
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph.
@ -74,7 +74,7 @@ Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing
![Image of importing data](images/atp-powerbi-importing.png)
>[!NOTE]
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
>Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
When importing data is completed and the dataset is ready, youll the following notification:
@ -117,7 +117,7 @@ For more information, see [Create a Power BI dashboard from a report](https://po
![Image of importing data](images/atp-powerbi-importing.png)
>[!NOTE]
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
>Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
When importing data is completed and the dataset is ready, youll the following notification:
@ -197,11 +197,11 @@ You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mas
## Using the Power BI reports
There are a couple of tabs on the report that's generated:
- Machine and alerts
- Device and alerts
- Investigation results and action center
- Secure Score
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention.
## Related topic

4
windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
View File

@ -31,7 +31,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable
Topic | Description
:---|:---
General settings | Modify your general settings that were previously defined as part of the onboarding process.
Permissions | Manage portal access using RBAC as well as machine groups.
Permissions | Manage portal access using RBAC as well as device groups.
APIs | Enable the threat intel and SIEM integration.
Rules | Configure suppressions rules and automation settings.
Machine management | Onboard and offboard machines.
Device management | Onboard and offboard devices.

6
windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
View File

@ -135,7 +135,7 @@ Microsoft Defender ATP supports two ways to manage permissions:
- **Role-based access control (RBAC)**: Set granular permissions by defining
roles, assigning Azure AD user groups to the roles, and granting the user
groups access to machine groups. For more information. see [Manage portal access using role-based access control](rbac.md).
groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
Microsoft recommends leveraging RBAC to ensure that only users that have a
business justification can access Microsoft Defender ATP.
@ -150,7 +150,7 @@ structure required for your environment.
| Tier | Description | Permission Required |
|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Tier 1 | **Local security operations team / IT team**<br>This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
| Tier 2 | **Regional security operations team**<br>This team can see all the machines for their region and perform remediation actions. | View data |
| Tier 2 | **Regional security operations team**<br>This team can see all the devices for their region and perform remediation actions. | View data |
| Tier 3 | **Global security operations team**<br>This team consists of security experts and are authorized to see and perform all actions from the portal. | View data <br> Alerts investigation Active remediation actions <br> Alerts investigation Active remediation actions <br> Manage portal system settings <br> Manage security settings |
@ -171,7 +171,7 @@ how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: <br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities <br> - Invaluable machine vulnerability context during incident investigations <br> - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager <br> [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: <br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities <br> - Invaluable device vulnerability context during incident investigations <br> - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager <br> [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: <br> -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus. <br> - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). <br> - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research. <br> [Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). |3 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. <br> [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. <br>[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |

8
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -55,11 +55,11 @@ The following features are included in the preview release:
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Machine health and compliance report](machine-reports.md) <br/> The machine health and compliance report provides high-level information about the devices in your organization.
- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
@ -67,12 +67,12 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md) <BR> Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines.
- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md) <BR> Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices.
>[!NOTE]
>Available from Windows 10, version 1809 or later.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) <br>
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.

14
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -57,7 +57,7 @@ In this deployment scenario, you'll be guided through the steps on:
>[!NOTE]
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
## Check license state
@ -88,7 +88,7 @@ To gain access into which licenses are provisioned to your company, and to check
## Tenant Configuration
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device.
1. From a web browser, navigate to <https://securitycenter.windows.com>.
@ -211,20 +211,20 @@ Use netsh to configure a system-wide static proxy.
For example: netsh winhttp set proxy 10.0.0.6:8080
### Proxy Configuration for down-level machines
### Proxy Configuration for down-level devices
Down-Level machines include Windows 7 SP1 and Windows 8.1 workstations as well
Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well
as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and
versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
systems will have the proxy configured as part of the Microsoft Management Agent
to handle communication from the endpoint to Azure. Refer to the
Microsoft Management Agent Fast Deployment Guide for information on how a proxy
is configured on these machines.
is configured on these devices.
### Proxy Service URLs
URLs that include v20 in them are only needed if you have Windows 10, version
1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only
needed if the machine is on Windows 10, version 1803 or later.
1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only
needed if the device is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
-|-

8
windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
View File

@ -28,7 +28,7 @@ ms.topic: article
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
@ -114,9 +114,9 @@ sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from
untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | string | Specifies machine groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single machine tag from the registry.
CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center.
machinegroups | string | Specifies device groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all device groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single device tag from the registry.
CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center.
### Request example
The following example demonstrates how to retrieve all the detections in your organization.

2
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
View File

@ -63,7 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each event hub message in Azure Event Hubs contains list of records.
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:

4
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
View File

@ -64,7 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each blob contains multiple rows.
- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
## Data types mapping:
@ -80,7 +80,7 @@ In order to get the data types for our events properties do the following:
```
- Here is an example for Machine Info event:
- Here is an example for Device Info event:
![Image of event hub resource ID](images/machine-info-datatype-example.png)

12
windows/security/threat-protection/microsoft-defender-atp/rbac.md
View File

@ -35,16 +35,16 @@ Large geo-distributed security operations teams typically adopt a tier-based mod
Tier | Description
:---|:---
Tier 1 | **Local security operations team / IT team** <br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
Tier 2 | **Regional security operations team** <br> This team can see all the machines for their region and perform remediation actions.
Tier 2 | **Regional security operations team** <br> This team can see all the devices for their region and perform remediation actions.
Tier 3 | **Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal.
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls:
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
- **Control who can take specific action**
- Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity.
- **Control who can see information on specific machine group or groups**
- [Create machine groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
- **Control who can see information on specific device group or groups**
- [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles.
@ -58,7 +58,7 @@ Before using RBAC, it's important that you understand the roles that can grant p
When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments
> [!WARNING]
> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
@ -72,4 +72,4 @@ Someone with a Microsoft Defender ATP Global administrator role has unrestricted
## Related topic
- [Create and manage machine groups in Microsoft Defender ATP](machine-groups.md)
- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)

8
windows/security/threat-protection/microsoft-defender-atp/recommendation.md
View File

@ -30,7 +30,7 @@ Method |Return Type |Description
[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation
[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
@ -53,7 +53,7 @@ remediationType | String | Remediation type. Possible values are: “Configurati
Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception”
configScoreImpact | Double | Configuration score impact
exposureImpacte | Double | Exposure score impact
totalMachineCount | Long | Number of installed machines
exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities
nonProductivityImpactedAssets | Long | Number of machines which are not affected
totalMachineCount | Long | Number of installed devices
exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
nonProductivityImpactedAssets | Long | Number of devices which are not affected
relatedComponent | String | Related software component

52
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -60,13 +60,13 @@ You can contain an attack in your organization by stopping the malicious process
>[!IMPORTANT]
>You can only take this action if:
>
> - The machine you're taking the action on is running Windows 10, version 1703 or later
> - The device you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
>[!NOTE]
>Youll be able to restore the file from quarantine at any time.
@ -80,7 +80,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
>[!NOTE]
>The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of machines, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
>The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
2. Go to the top bar and select **Stop and Quarantine File**.
@ -94,26 +94,26 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
- **Submission time** - Shows when the action was submitted.
- **Success** - Shows the number of machines where the file has been stopped and quarantined.
- **Failed** - Shows the number of machines where the action failed and details about the failure.
- **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- **Success** - Shows the number of devices where the file has been stopped and quarantined.
- **Failed** - Shows the number of devices where the action failed and details about the failure.
- **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
**Notification on machine user**:</br>
When the file is being removed from a machine, the following notification is shown:
**Notification on device user**:</br>
When the file is being removed from a device, the following notification is shown:
![Image of notification on machine user](images/atp-notification-file.png)
![Image of notification on device user](images/atp-notification-file.png)
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
In the device timeline, a new event is added for each device where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
## Restore file from quarantine
You can roll back and remove a file from quarantine if youve determined that its clean after an investigation. Run the following command on each machine where the file was quarantined.
You can roll back and remove a file from quarantine if youve determined that its clean after an investigation. Run the following command on each device where the file was quarantined.
1. Open an elevated commandline prompt on the machine:
1. Open an elevated commandline prompt on the device:
a. Go to **Start** and type _cmd_.
@ -128,11 +128,11 @@ You can roll back and remove a file from quarantine if youve determined that
> [!NOTE]
> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
>
> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days.
## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
>[!IMPORTANT]
>
@ -140,11 +140,11 @@ You can prevent further propagation of an attack in your organization by banning
>
>- The Antimalware client version must be 4.18.1901.x or later.
>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
>- This response action is available for machines on Windows 10, version 1703 or later.
>- This response action is available for devices on Windows 10, version 1703 or later.
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
>[!NOTE]
> The PE file needs to be in the machine timeline for you to be able to take this action.
> The PE file needs to be in the device timeline for you to be able to take this action.
>
> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
@ -154,7 +154,7 @@ To start blocking files, you first need to [turn the **Block or allow** feature
### Allow or block file
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
@ -178,18 +178,18 @@ If a file is not already stored by Microsoft Defender ATP, you cannot download i
## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
The **Action center** provides information on actions that were taken on a device or file. Youll be able to view the following details:
- Investigation package collection
- Antivirus scan
- App restriction
- Machine isolation
- Device isolation
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
@ -213,24 +213,24 @@ Use the deep analysis feature to investigate the details of any file, usually du
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
**Submit files for deep analysis:**
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section
- Search box - select **File** from the dropdown menu and enter the file name
2. In the **Deep analysis** tab of the file view, click **Submit**.
@ -242,7 +242,7 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> [!NOTE]
> Depending on machine availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
> Depending on device availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
**View deep analysis reports**
@ -283,5 +283,5 @@ If you encounter a problem when trying to submit a file, try each of the followi
## Related topics
- [Take response actions on a machine](respond-machine-alerts.md)
- [Take response actions on a device](respond-machine-alerts.md)
- [Investigate files](investigate-files.md)

8
windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
View File

@ -24,14 +24,14 @@ ms.topic: article
## API description
Restrict execution of all applications on the machine except a predefined set.
Restrict execution of all applications on the device except a predefined set.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -84,5 +84,5 @@ Content-type: application/json
```
- To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md).
- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).

2
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
View File

@ -40,7 +40,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have 'View Data' AD role
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```

14
windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
View File

@ -1,7 +1,7 @@
---
title: Run antivirus scan API
description: Use this API to create calls related to running an antivirus scan on a machine.
keywords: apis, graph api, supported apis, remove machine from isolation
description: Use this API to create calls related to running an antivirus scan on a device.
keywords: apis, graph api, supported apis, remove device from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -24,14 +24,14 @@ ms.topic: article
## API description
Initiate Windows Defender Antivirus scan on a machine.
Initiate Windows Defender Antivirus scan on a device.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.Scan | 'Scan machine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -68,8 +68,8 @@ ScanType| String | Defines the type of the Scan. **Required**.
**ScanType** controls the type of scan to perform and can be one of the following:
- **Quick** Perform quick scan on the machine
- **Full** Perform full scan on the machine
- **Quick** Perform quick scan on the device
- **Full** Perform full scan on the device

14
windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
View File

@ -1,6 +1,6 @@
---
title: Run a detection test on a newly onboarded Microsoft Defender ATP machine
description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Microsoft Defender ATP service.
title: Run a detection test on a newly onboarded Microsoft Defender ATP device
description: Run the detection script on a newly onboarded device to verify that it is properly onboarded to the Microsoft Defender ATP service.
keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Run a detection test on a newly onboarded Microsoft Defender ATP machine
# Run a detection test on a newly onboarded Microsoft Defender ATP device
**Applies to:**
- Supported Windows 10 versions
@ -28,10 +28,10 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service.
1. Create a folder: 'C:\test-MDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
2. Open an elevated command-line prompt on the device and run the script:
1. Go to **Start** and type **cmd**.
@ -45,8 +45,8 @@ Run the following PowerShell script on a newly onboarded machine to verify that
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
```
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes.
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard servers](configure-server-endpoints.md)

8
windows/security/threat-protection/microsoft-defender-atp/score.md
View File

@ -1,7 +1,7 @@
---
title: Score methods and properties
description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group
keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group
description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -29,7 +29,7 @@ Method |Return Type |Description
:---|:---|:---
[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group.
[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
## Properties
@ -37,4 +37,4 @@ Property | Type | Description
:---|:---|:---
Score | Double | The current score.
Time | DateTime | The date and time in which the call for this API was made.
RbacGroupName | String | The machine group name.
RbacGroupName | String | The device group name.

40
windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender Security Center Security operations dashboard
description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
description: Use the dashboard to identify devices at risk, keep track of the status of the service, and see statistics and information about devices and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -29,10 +29,10 @@ The **Security operations dashboard** is where the endpoint detection and respon
The dashboard displays a snapshot of:
- Active alerts
- Machines at risk
- Devices at risk
- Sensor health
- Service health
- Daily machines reporting
- Daily devices reporting
- Active automated investigations
- Automated investigations statistics
- Users at risk
@ -41,9 +41,9 @@ The dashboard displays a snapshot of:
![Image of Security operations dashboard](images/atp-sec-ops-dashboard.png)
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a device. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
@ -60,26 +60,26 @@ Each row includes an alert severity category and a short description of the aler
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
## Devices at risk
This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png)
![The Devices at risk tile shows a list of devices with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png)
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md).
Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md).
You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
## Sensor health
The **Sensor health** tile provides information on the individual machines ability to provide sensor data to the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
The **Sensor health** tile provides information on the individual devices ability to provide sensor data to the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices.
![Sensor health tile](images/atp-tile-sensor-health.png)
There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
There are two status indicators that provide information on the number of devices that are not reporting properly to the service:
- **Misconfigured** These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
When you click any of the groups, youll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate machines](investigate-machines.md).
When you click any of the groups, youll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md).
## Service health
The **Service health** tile informs you if the service is active or if there are issues.
@ -89,15 +89,15 @@ The **Service health** tile informs you if the service is active or if there are
For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md).
## Daily machines reporting
The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
## Daily devices reporting
The **Daily devices reporting** tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day.
![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png)
![Image of daily devices reporting tile](images/atp-daily-machines-reporting.png)
## Active automated investigations
You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for machine**, and **Running**.
You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for device**, and **Running**.
![Inmage of active automated investigations](images/atp-active-investigations-tile.png)

4
windows/security/threat-protection/microsoft-defender-atp/software.md
View File

@ -31,7 +31,7 @@ Method |Return Type |Description
[List software](get-software.md) | Software collection | List the organizational software inventory.
[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
@ -45,5 +45,5 @@ Vendor | String | Software vendor name
Weaknesses | Long | Number of discovered vulnerabilities
publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
activeAlert | Boolean | Active alert is associated with this software
exposedMachines | Long | Number of exposed machines
exposedMachines | Long | Number of exposed devices
impactScore | Double | Exposure score impact of this software

8
windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
View File

@ -24,14 +24,14 @@ ms.topic: article
## API description
Stop execution of a file on a machine and delete it.
Stop execution of a file on a device and delete it.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quara
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -64,7 +64,7 @@ In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the device. **Required**.
## Response
If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.

14
windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
View File

@ -1,7 +1,7 @@
---
title: Supported Microsoft Defender Advanced Threat Protection response APIs
description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls.
keywords: response apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -30,14 +30,14 @@ Learn about the supported response related API calls you can run and details suc
## In this section
Topic | Description
:---|:---
Collect investigation package | Run this to collect an investigation package from a machine.
Isolate machine | Run this to isolate a machine from the network.
Unisolate machine | Remove a machine from isolation.
Collect investigation package | Run this to collect an investigation package from a device.
Isolate device | Run this to isolate a device from the network.
Unisolate device | Remove a device from isolation.
Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
Request sample | Run this call to request a sample of a file from a specific machine. The file will be collected from the machine and uploaded to a secure storage.
Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Unblock file | Allow a file run in the organization using Windows Defender Antivirus.
Get package SAS URI | Run this to get a URI that allows downloading an investigation package.

18
windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
View File

@ -35,8 +35,8 @@ Watch this short video to quickly understand how threat analytics can help you t
The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
- **Latest threats** — lists the most recently published threat reports, along with the number of machines with resolved and unresolved alerts.
- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of machines that have had related alerts, along with the number of machines with resolved and unresolved alerts.
- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts.
- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts.
- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
![Image of a threat analytics dashboard](images/ta_dashboard.png)
@ -51,18 +51,18 @@ Each threat report generally provides an overview of the threat and an analysis
### Organizational impact
Each report includes cards designed to provide information about the organizational impact of a threat:
- **Machines with alerts** — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine have been resolved.
- **Machines with alerts over time** — shows the number of distinct machines with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
- **Devices with alerts** — shows the current number of distinct devices in your organization that have been impacted by the threat. A device is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
### Organizational resilience
Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
- **Mitigation status** — shows the number of machines that have and have not applied mitigations for the threat. Machines are considered mitigated if they have all the measurable mitigations in place.
- **Vulnerability patching status** — shows the number of machines that have applied security updates or patches that address vulnerabilities exploited by the threat.
- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of machines that don't have these mitigations in place.
- **Mitigation status** — shows the number of devices that have and have not applied mitigations for the threat. Devices are considered mitigated if they have all the measurable mitigations in place.
- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of devices that don't have these mitigations in place.
>[!IMPORTANT]
>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a device has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
>- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency.
>[!NOTE]
>Machines are counted as "unavailable" if they have been unable to transmit data to the service.
>Devices are counted as "unavailable" if they have been unable to transmit data to the service.

4
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -29,7 +29,7 @@ ms.topic: article
## APIs
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
@ -39,7 +39,7 @@ See the following topics for related APIs:
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.

2
windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
View File

@ -36,7 +36,7 @@ Before creating custom threat alerts, it's important to know the concepts behind
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
## Indicators of compromise (IOC)
IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
IOCs are individually-known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
## Relationship between alert definitions and IOCs
In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options.

4
windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
View File

@ -38,11 +38,11 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl
Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
### Conditional Access
Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
Microsoft Defender ATP's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
### Microsoft Cloud App Security
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines.
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices.
### Office 365 Advanced Threat Protection (Office 365 ATP)
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.

2
windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
View File

@ -85,4 +85,4 @@ For example, to show data about high-severity alerts only:
3. Select **Apply**.
## Related topic
- [Machine health and compliance report](machine-reports.md)
- [Device health and compliance report](machine-reports.md)

2
windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
View File

@ -50,7 +50,7 @@ severity | Enum | The severity of the indicator. possible values are: "Informati
title | String | Indicator title.
description | String | Description of the indicator.
recommendedActions | String | Recommended actions for the indicator.
rbacGroupNames | List of strings | RBAC machine group names where the indicator is exposed and active. Empty list in case it exposed to all machines.
rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.
## Json representation

2
windows/security/threat-protection/microsoft-defender-atp/time-settings.md
View File

@ -47,7 +47,7 @@ Setting the Microsoft Defender ATP time zone to UTC will display all system time
### Local time zone
You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
The local time zone is taken from your machines regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings.
The local time zone is taken from your devices regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings.
Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example when a local user clicked on a suspicious email link.

2
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
View File

@ -55,7 +55,7 @@ If while trying to take an action during a live response session, you encounter
## Slow live response sessions or delays during initial connections
Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows.
If you are having connectivity issues with live response, please confirm the following:
1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
2. WpnService (Windows Push Notifications System Service) is not disabled.
Please refer to the articles below to fully understand the WpnService service behavior and requirements:

2
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
View File

@ -40,7 +40,7 @@ See the topic [Review events and errors using Event Viewer](event-error-codes.md
## Microsoft Defender ATP service fails to start after a reboot and shows error 577
If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
If onboarding devices successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).

4
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
View File

@ -50,10 +50,10 @@ For both cases you should contact Microsoft support at [General Microsoft Defend
If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license.
> [!NOTE]
> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
![Image of subscription expired](images/atp-subscription-expired.png)

2
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
View File

@ -88,7 +88,7 @@ Use the following tables to understand the possible causes of issues while onboa
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:

20
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -27,18 +27,18 @@ ms.topic: conceptual
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
> Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
@ -62,24 +62,24 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed devices data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates.
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
## Threat & Vulnerability Management dashboard
Area | Description
:---|:---
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
**Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.

12
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -22,7 +22,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
@ -30,7 +30,7 @@ The card gives you a high-level view of your exposure score trend over time. Any
## How it works
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
@ -60,15 +60,15 @@ To lower your threat and vulnerability exposure, follow these steps.
- ![Red bug](images/tvm_bug_icon.png) Threat insight icon
- ![Arrow hitting a target](images/tvm_alert_icon.png) Active alert icon
2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. ![Example of security recommendations page with the flyout "Update Windows Server 2019" open.](images/tvm_security_recommendations_page.png)
2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in devices, number of exposed devices and their device names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. ![Example of security recommendations page with the flyout "Update Windows Server 2019" open.](images/tvm_security_recommendations_page.png)
3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Example of the software page for Git, and a flyout open for a selected machine.](images/tvm_software_page_details.png)
3. Select **Installed devices** and then the affected device from the list. A flyout panel will open with the relevant device details, exposure and risk levels, alert and incident activities. ![Example of the software page for Git, and a flyout open for a selected device.](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Example of a machine page.](images/tvm_machine_page_details.png)
4. Click **Open device page** to connect to the device and apply the selected recommendation. See [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) for details. ![Example of a device page.](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
6. Review the device **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Related topics

2
windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
View File

@ -52,7 +52,7 @@ View **Top remediation activities** in the [Threat & Vulnerability Management da
When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and machine remediation progress.](images/remediation_flyouteolsw.png)
![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png)
## Exceptions

16
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -33,7 +33,7 @@ Each security recommendation includes an actionable remediation recommendation w
## How it works
Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
@ -51,7 +51,7 @@ Access the Security recommendations page a few different ways:
View related security recommendations in the following places:
- Software page
- Machine page
- Device page
### Navigation menu
@ -67,9 +67,9 @@ The top security recommendations lists the improvement opportunities prioritized
## Security recommendations overview
View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green.
![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png)
@ -92,7 +92,7 @@ From the flyout, you can do any of the following:
- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
>[!NOTE]
>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
>When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
## Request remediation
@ -108,7 +108,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines.
2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
@ -117,7 +117,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune.
## File for exception
@ -136,7 +136,7 @@ When an exception is created for a recommendation, the recommendation is no long
The following list details the justifications behind the exception options:
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a device, third party antivirus
- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization

18
windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
View File

@ -35,11 +35,11 @@ Since it is real-time, in a matter of minutes, you will see vulnerability inform
You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md).
View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md).
## Software inventory overview
The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
![Example of the landing page for software inventory.](images/software_inventory_filter.png)
Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
@ -50,20 +50,20 @@ Select the software that you want to investigate and a flyout panel opens up wit
Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score
- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines
- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities.
- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score
- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices
- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities.
![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png)
## Software evidence
We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
We now show evidence of where we detected a specific software on a device from the registry, disk or both device on where we detected a certain software.
You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence."
From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
![Software evidence example of Windows 10 from the machines list, showing software evidence registry path.](images/tvm-software-evidence.png)
![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png)
## Report inaccuracy

20
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
View File

@ -58,7 +58,7 @@ To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, the
## Weaknesses overview
If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
If the **Exposed Devices** column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization.
![tvm-breach-insights](images/tvm-weaknesses-overview.png)
@ -81,28 +81,28 @@ The threat insights icon is highlighted if there are associated exploits in the
### Top vulnerable software in the dashboard
1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
![Top vulnerable software card with four columns: software, weaknesses, threats, exposed machines.](images/tvm-top-vulnerable-software500.png)
![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png)
2. Select the software that you want to investigate to go a drill down page.
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png)
### Discover vulnerabilities in the machine page
### Discover vulnerabilities in the device page
View related weaknesses information in the machine page.
View related weaknesses information in the device page.
1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens.
2. In the **Machines list** page, select the machine name that you want to investigate.
<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
3. The machine page will open with details and response options for the machine you want to investigate.
1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
2. In the **Devices list** page, select the device name that you want to investigate.
<br>![Screenshot of device list with selected device to investigate](images/tvm_machinetoinvestigate.png)</br>
3. The device page will open with details and response options for the device you want to investigate.
4. Select **Discovered vulnerabilities**.
<br>![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)</br>
<br>![Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png)</br>
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
#### CVE Detection logic
Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.
![Detection Logic example which lists the software detected on the device and the KBs.](images/cve-detection-logic.png)

16
windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
View File

@ -1,7 +1,7 @@
---
title: Release machine from isolation API
description: Use this API to create calls related to release a machine from isolation.
keywords: apis, graph api, supported apis, remove machine from isolation
title: Release device from isolation API
description: Use this API to create calls related to release a device from isolation.
keywords: apis, graph api, supported apis, remove device from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -17,7 +17,7 @@ ms.topic: article
---
# Release machine from isolation API
# Release device from isolation API
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -25,14 +25,14 @@ ms.topic: article
## API description
Undo isolation of a machine.
Undo isolation of a device.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -45,7 +45,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -89,5 +89,5 @@ Content-type: application/json
```
- To isolate a machine, see [Isolate machine](isolate-machine.md).
- To isolate a device, see [Isolate device](isolate-machine.md).

10
windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
View File

@ -1,7 +1,7 @@
---
title: Remove app restriction API
description: Use this API to create calls related to removing a restriction from applications from executing.
keywords: apis, graph api, supported apis, remove machine from isolation
keywords: apis, graph api, supported apis, remove device from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -24,14 +24,14 @@ ms.topic: article
## API description
Enable execution of any application on the machine.
Enable execution of any application on the device.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -86,4 +86,4 @@ Content-type: application/json
```
To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md).
To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md).

2
windows/security/threat-protection/microsoft-defender-atp/update-alert.md
View File

@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```

12
windows/security/threat-protection/microsoft-defender-atp/use.md
View File

@ -1,7 +1,7 @@
---
title: Overview of Microsoft Defender Security Center
description: Learn about the features on Microsoft Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -27,9 +27,9 @@ ms.topic: conceptual
Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities.
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
Use the **Security operations** dashboard to gain insight on the various alerts on devices and users in your network.
Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization.
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
@ -38,6 +38,6 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex
Topic | Description
:---|:---
[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations.
[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices.
[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations.

18
windows/security/threat-protection/microsoft-defender-atp/user-roles.md
View File

@ -41,7 +41,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>[!NOTE]
>To view Threat & Vulnerability Management data, select **Threat and vulnerability management**.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage device tags, and export device timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- Security operations - Take response actions
- Approve or dismiss pending remediation actions
@ -51,24 +51,24 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>[!NOTE]
>To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups.
> [!NOTE]
> This setting is only available in the Microsoft Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands.
- Basic commands allow users to:
- Start a live response session
- Run read only live response commands on a remote machine
- Run read only live response commands on a remote device
- Advanced commands allow users to:
- Run basic actions
- Download a file from the remote machine
- Download a file from the remote device
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
- Run a script on the remote device from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
For more information on the available commands, see [Investigate devices using Live response](live-response.md).
4. Click **Next** to assign the role to an Azure AD Security group.
@ -80,7 +80,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
> [!IMPORTANT]
> After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
## Edit roles
@ -102,4 +102,4 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
## Related topic
- [User basic permissions to access the portal](basic-permissions.md)
- [Create and manage machine groups](machine-groups.md)
- [Create and manage device groups](machine-groups.md)

2
windows/security/threat-protection/microsoft-defender-atp/user.md
View File

@ -25,4 +25,4 @@ ms.topic: article
Method|Return Type |Description
:---|:---|:---
[List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md).
[List User related machines](get-user-related-machines.md) | [machine](machine.md) collection | List all the machines that were logged on by a [user](user.md).
[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md).

4
windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
View File

@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
@ -46,7 +46,7 @@ You can apply the following filters to limit the list of incidents and get a mor
Incident severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.

4
windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
View File

@ -29,7 +29,7 @@ Method |Return Type |Description
:---|:---|:---
[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID
[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
## Properties
@ -40,7 +40,7 @@ Name | String | Vulnerability title
Description | String | Vulnerability description
Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
cvssV3 | Double | CVSS v3 score
exposedMachines | Long | Number of exposed machines
exposedMachines | Long | Number of exposed devices
publishedOn | DateTime | Date when vulnerability was published
updatedOn | DateTime | Date when vulnerability was updated
publicExploit | Boolean | Public exploit exists

14
windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
View File

@ -26,14 +26,14 @@ ms.topic: article
Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page youre viewing is making calls to a resource which is blocked, you will see a block notification.
You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page youre viewing is making calls to a resource which is blocked, you will see a block notification.
Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.
To summarize the benefits:
- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- You can access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
@ -47,8 +47,8 @@ Before trying out this feature, make sure you have the following:
- Windows 10 Enterprise E5 license
- Access to Microsoft Defender Security Center portal
- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
- Devices running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking
- A valid license with a partner data provider
## Data handling
@ -99,9 +99,9 @@ From the left-hand navigation menu, select **Settings > General > Advanced Featu
### Configure web content filtering policies
Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups.
Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups.
### Create a policy
@ -110,7 +110,7 @@ To add a new policy:
1. Select **Add policy** on the **Web content filtering** page in **Settings**.
2. Specify a name.
3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines.
>[!NOTE]

4
windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
View File

@ -47,9 +47,9 @@ Select a specific web threat category in the **Web threat protection summary** c
- **Blocks** — number of times requests were blocked
- **Access trend** — change in number of access attempts
- **Threat category** — type of web threat
- **Machines** — number of machines with access attempts
- **Devices** — number of devices with access attempts
Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs.
Select a domain to view the list of devices that have attempted to access URLs in that domain as well as the list of URLs.
## Related topics
- [Web protection overview](web-protection-overview.md)

6
windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
View File

@ -21,7 +21,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your machines against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
![Image of all web protection cards](images/web-protection.png)
@ -31,7 +31,7 @@ The cards that make up web threat protection are **Web threat detections over ti
Web threat protection includes:
- Comprehensive visibility into web threats affecting your organization
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the devices that access these URLs
- A full set of security features that track general access trends to malicious and unwanted websites
## Web content filtering
@ -40,7 +40,7 @@ The cards that comprise web content filtering are **Web activity by category**,
Web content filtering includes:
- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- You can access web reports in the same central location, with visibility over actual blocks and web usage
## In this section

12
windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
View File

@ -29,7 +29,7 @@ Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for ma
- **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode
Each alert provides the following information:
- Machine that attempted to access the blocked website
- Device that attempted to access the blocked website
- Application or program used to send the web request
- Malicious URL or URL in the custom indicator list
- Recommended actions for responders
@ -37,11 +37,11 @@ Each alert provides the following information:
![Image of an alert related to web threat protection](images/wtp-alert.png)
>[!Note]
>To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same machine each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
>To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
## Inspect website details
You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including:
- Machines that attempted to access website
- Devices that attempted to access website
- Incidents and alerts related to the website
- How frequent the website was seen in events in your organization
@ -49,10 +49,10 @@ You can dive deeper by selecting the URL or domain of the website in the alert.
[Learn more about URL or domain entity pages](investigate-domain.md)
## Inspect the machine
You can also check the machine that attempted to access a blocked URL. Selecting the name of the machine on the alert page opens a page with comprehensive information about the machine.
## Inspect the device
You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device.
[Learn more about machine entity pages](investigate-machines.md)
[Learn more about device entity pages](investigate-machines.md)
## Web browser and Windows notifications for end users

6
windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
View File

@ -21,15 +21,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
>[!Note]
>It can take up to an hour for machines to receive new customer indicators.
>It can take up to an hour for devices to receive new customer indicators.
## Prerequisites
Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
To turn on network protection on your machines:
To turn on network protection on your devices:
- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)

12
windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
View File

@ -37,7 +37,7 @@ For more information preview features, see [Preview features](https://docs.micro
## April 2020
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
## November-December 2019
@ -65,9 +65,9 @@ For more information preview features, see [Preview features](https://docs.micro
- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md)<BR> Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
- [Live response](live-response.md)<BR> Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
@ -77,7 +77,7 @@ For more information preview features, see [Preview features](https://docs.micro
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) <BR> A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
- [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization.
## May 2019
@ -102,7 +102,7 @@ For more information preview features, see [Preview features](https://docs.micro
## February 2019
- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue) <BR> Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<BR> Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<BR> Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor.
## October 2018
@ -159,7 +159,7 @@ Query data using advanced hunting in Microsoft Defender ATP.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR>
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
- [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)<BR>
- [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)<BR>
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)<BR>