update settings

2025-05-15 23:07:23 +00:00 · 2018-03-12 16:12:30 -07:00 · 2018-03-12 16:12:30 -07:00 · 830a7af97c
commit 830a7af97c
parent b39c35887a
6 changed files with 138 additions and 9 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -191,10 +191,11 @@
 ##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
 ##### [Create machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
 ####APIs
-#### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ####Rules
-
+[Manage suppression rules](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md#manage-suppression-rules)
+[Manage automation allowed or blocked lists]

 #### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)

--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@ -79,7 +79,9 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).

 ## Microsoft Intune connection
+This feature is only available if you have an active Microsoft Intune (Intune) license. 

+When you enable this feature, you'll be able to share device information and enhance policy enforcement. Intune provides additional information about managed devices for security analytics.

 ## Enable advanced features
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@ -86,7 +86,7 @@ Apply this filter to see specific machine groups that you might have created.
 Select between filtering the list between Automated investigations that have comments and those that don't.

 ## Analyze Automated investigations 
-You can view the details of an Automated investigation to see details of the investigation such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+You can view the details of an Automated investigation to see details such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.

 In this view, you'll see the name of the investigation, when it started and the duration of time that has passed in the status state.

--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@ -56,7 +56,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen

 Added comments instantly appear on the pane.

-## Suppress alerts
+## Manage suppression rules
 There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. 

 Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
@ -110,11 +110,11 @@ Create custom rules to control when alerts are suppressed, or resolved. You can

 ### View the list of suppression rules

-1. Click **Alerts queue** > **Suppression rules**.
+1. In the navigation pane, select **Settings** > **Rules**  > **Alert suppression**.

 2. The list of suppression rules shows all the rules that users in your organization have created.

-You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
+You can select rules to tun a rule on or off.

 ## Related topics
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-list-windows-defender-advanced-threat-protection.md
@ -0,0 +1,126 @@
+---
+title: Manage automation blocked or allowed lists
+description: Add 
+keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/16/2018
+---
+
+# Manage Windows Defender Advanced Threat Protection alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
+
+Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
+
+You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
+
+Selecting an alert in either of those places brings up the **Alert management pane**.
+
+![Image of alert status](images/atp-alert-status.png)
+
+## Change the status of an alert
+
+You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
+
+For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
+
+Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
+
+## Alert classification
+You can specify if an alert is a true alert or a false alert.
+
+## Assign alerts
+If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
+
+## Add comments and view the history of an alert
+You can add comments and view historical events about an alert to see previous changes made to the alert.
+
+Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
+
+Added comments instantly appear on the pane.
+
+## Manage suppression rules
+There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. 
+
+Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
+
+When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
+
+There are two contexts for a suppression rule that you can choose from:
+
+- **Suppress alert on this machine**
+- **Suppress alert in my organization**
+
+The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
+
+You can use the examples in the following table to help you choose the context for a suppression rule:
+
+| **Context**                           | **Definition**                                                                                                                                              | **Example scenarios**                                                                                                                                                                                                  |
+|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Suppress alert on this machine**    | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul> |
+| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed.                                                                                         | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>                                                                                                                               |
+
+
+### Suppress an alert and create a new suppression rule:
+Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert. 
+
+1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
+
+2. Scroll down to the **Create a supression rule** section.
+
+    ![Image of alert status](images/atp-create-suppression-rule.png)
+
+3. Choose the context for suppressing the alert.
+  
+    ![Image of alert status](images/atp-new-suppression-rule.png)
+
+  > [!NOTE]
+  > You cannot create a custom or blank suppression rule. You must start from an existing alert.
+
+4. Specify the conditions for when the rule is applied:
+    - Alert title
+    - Indicator of compromise (IOC)
+    - Suppression conditions
+
+    > [!NOTE]
+    > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions.
+    
+5. Specify the action and scope on the alert. <br>
+   You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
+
+6. Click **Save and close**.
+
+
+### View the list of suppression rules
+
+1. In the navigation pane, select **Settings** > **Rules**  > **Alert suppression**.
+
+2. The list of suppression rules shows all the rules that users in your organization have created.
+
+You can select rules to tun a rule on or off.
+
+## Related topics
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
--- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@ -58,13 +58,13 @@ To implement role-based access, you'll need to define admin roles, assign corres
 When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. 

 > [!WARNING]
-> Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. 
+> Before enabling the feature, it's important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. 
 >
 > Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
 >
 > Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions.

-To use RBAC in Windows Defender ATP, you’ll need to enable it. 
+To use RBAC in Windows Defender ATP, you'll need to enable it. 

 After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.