deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

WTP - new topics

Browse Source
This commit is contained in:
lomayor 2019-08-16 14:48:32 -07:00
parent 63615748de
commit 804841bb3f
7 changed files with 86 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/threat-protection/TOC.md
View File

@ -30,6 +30,12 @@
#### [Application control](windows-defender-application-control/windows-defender-application-control.md) #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) #### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) #### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
#### [Web threat protection]()
##### [Monitor web security](web-threat-protection-monitoring.md)
##### [Respond to web threats](web-threat-protection-response.md)
##### [Web threat protection overview](web-threat-protection-overview.md)
#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) #### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) #### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/wtp-alert.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/wtp-browser-blocking-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 344 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

7
windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-monitoring.md
View File

@ -33,7 +33,7 @@ Web threat protection lets you monitor your organizations web browsing securi
![Image of the card showing web threats protection summary](images/wtp-summary.png) ![Image of the card showing web threats protection summary](images/wtp-summary.png)
>[!Note] >[!Note]
>It can take up to 12 hours from the time a block occurs and the time the block is reflected in the cards or the domain list. >It can take up to 12 hours before a block is reflected in the cards or the domain list.
## Types of web threats ## Types of web threats
Web threat protection categorizes malicious and unwanted websites as: Web threat protection categorizes malicious and unwanted websites as:
@ -52,6 +52,5 @@ The page provides an aggregated domain-level view along with the following infor
Selecting a domain opens a flyout that shows the list of URLs in that domain and the list machines with access attempts. Selecting a domain opens a flyout that shows the list of URLs in that domain and the list machines with access attempts.
## Related topics ## Related topics
- [Monitor web security](web-threat-protection-monitoring.md) - [Web threat protection overview](web-threat-protection-overview.md)
- [Respond to web threats](web-threat-protection-response.md) - [Respond to web threats](web-threat-protection-response.md)
- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)

16
windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-overview.md
View File

@ -38,15 +38,9 @@ To turn on network protection on devices:
>[!Note] >[!Note]
>If you set network protection set to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only. >If you set network protection set to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
## Reporting and policy deployment latencies
Note the following latencies when blocking URLs or domains or when monitoring web activity:
- After you add a URL or domain to your custom indicator list, it takes approximately an hour before your machines receive the new setting and start blocking the website.
- While alerts are generated almost in real-time, the web threat protection reports can have a 12-hour delay from the time a block occurs and the time the block is reflected in the cards or the domain list.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) ## In this section
Topic | Description
:---|:---
## Related topics [Monitor web security](web-threat-protection-monitoring.md) | Monitor attempts to access malicious and unwanted websites.
- [Monitor web security](web-threat-protection-monitoring.md) [Respond to web threats](web-threat-protection-response.md) | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked.
- [Respond to web threats](web-threat-protection-response.md)
- [Notifications on Windows and web browsers](web-threat-protection-end-user-notifications)

72
windows/security/threat-protection/microsoft-defender-atp/web-threat-protection-response.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Respond to web threats in Microsoft Defender ATP
description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
keywords: web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 08/30/2019
---
# Respond to web threats
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Web threat protection in Microsoft Defender APT lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
## View web threat alerts
Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity:
- **Suspicious connection blocked by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is stopped by network protection in blocked mode
- **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in audit mode
Each alert provides the following information:
- Machine that attempted to access the blocked website
- Application or program used to send the web request
- Malicious URL or URL in the custom indicator list
- Recommended actions for this type of detections
![Image of an alert related to web threat protection](images/wtp-alert.png)
>[!Note]
>To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat protection detections for the same domain on the same machine each day to a single alert. Only one alert is generated and counted into the [web protection report](web-threat-protection-monitoring.md).
## Inspect website details
You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular website providing various information, including:
- All machines that attempted to access the URL or domain
- All incidents and alerts related to the URL or domain
- How frequent the URL or domain was seen in events in your organization
![Image of the domain or URL entity details page](images/wtp-website-details.png)
[Learn more about URL or domain entity pages](investigate-domain.md)
## Inspect the machine
You can also check the machine that attempted to access a blocked URL. Selecting the name of the machine on the alert page opens a page with comprehensive information about the machine.
[Learn more about machine entity pages](investigate-machines.md)
## Web browser and Windows notifications for end users
With web threat protection in Microsoft Defender ATP, your end users will be blocked from visiting malicious or unwanted websites using Microsoft Edge or other browsers.
Because blocking is performed by [network protection](network-protection-exploit-guard.md), they will see a generic error from the web browser. They will also see a notification from Windows.
![Image of Microsoft Edge showing a 403 error and the Windows notification](images/wtp-browser-blocking-page.png)
*Web threat blocked by Microsoft Edge*
![Image of Chrome showing a secure connection warning and the Windows notification](images/wtp-browser-blocking-page.png)
*Web threat blocked by the Chrome web browser*
## Related topics
- [Web threat protection overview](web-threat-protection-overview.md)
- [Monitor web security](web-threat-protection-monitoring.md)