From 4e6d9c4f3e0ec81bb0cb3126fed5defa70b15d30 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Mon, 11 May 2020 11:51:11 -0700 Subject: [PATCH 01/32] updates with new tests --- .../top-scoring-industry-antivirus-tests.md | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index fcd89c3a81..d6ff1d762d 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -33,13 +33,13 @@ Windows Defender Antivirus is the [next generation protection](https://www.youtu The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest** +- January — February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest** Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used. -- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/) +- November — December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/) -- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/) +- September — October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/) - July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) @@ -47,12 +47,6 @@ The AV-TEST Product Review and Certification Report tests on three categories: p - March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) -- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - -- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) - -- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - ### AV-Comparatives: Protection rating of 99.6% in the latest test Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. @@ -65,17 +59,15 @@ Business Security Test consists of three main parts: the Real-World Protection T - Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) -- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/) - -- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/) - ### SE Labs: AAA award in the latest test SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. -- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf** +- Enterprise Endpoint Protection January — March 2020: [AAA award](https://selabs.uk/download/enterprise/essp/2020/mar-2020-essp.pdf) **pdf** - Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats. + Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat. + +- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf** - Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) @@ -83,8 +75,6 @@ SE Labs tests a range of solutions used by products and services to detect and/o - Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) -- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - ## Endpoint detection & response Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. @@ -97,7 +87,11 @@ Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft. MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics. -- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) +- ATT&CK-based evaluation of Microsoft Threat Protection — May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/) + + Microsoft Threat Protection provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for the security operations center vs. vendor solutions that relied on specific configuration changes. It also the fewest gaps in visibility, diminishing attacker ability to operate undetected. + +- ATT&CK-based evaluation of Microsoft Defender ATP — December 2018: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. From 952858a783bfbd38f9a46ca9b7fbbcab465fcb73 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Mon, 11 May 2020 16:45:24 -0700 Subject: [PATCH 02/32] mtp focus --- .../top-scoring-industry-antivirus-tests.md | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index d6ff1d762d..af28a72f9c 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -18,7 +18,26 @@ search.appverid: met150 # Top scoring in industry tests -Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. +[Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. + +## Microsoft Threat Protection + +[Microsoft Threat Protection](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. + +Microsoft Threat Protection suite protects: + +- Endpoints with [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) - Microsoft Defender ATP is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response. +- Email and collaboration with [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection) - Office 365 ATP safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. +- Identities with [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/) and [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection) - Azure ATP uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. +- Applications with [Microsoft Cloud App Security](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security) - Microsoft Cloud App Security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. + +### MITRE: Demonstrated real-world detection, response, and protection from advanced attacks + +Core to MITRE’s testing approach is emulating real-world attacks to understand whether solutions are able to adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE’s simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defenders’ visibility beyond the endpoint with Microsoft Threat Protection (MTP). + +- ATT&CK-based evaluation of Microsoft Threat Protection — May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/) + + Microsoft Threat Protection provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for the security operations center vs. vendor solutions that relied on specific configuration changes. It also the fewest gaps in visibility, diminishing attacker ability to operate undetected. ## Next generation protection @@ -79,18 +98,10 @@ SE Labs tests a range of solutions used by products and services to detect and/o Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. -![String of images showing EDR capabilities](./images/MITRE-Microsoft-Defender-ATP.png) - -**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)** - ### MITRE: Industry-leading optics and detection capabilities MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics. -- ATT&CK-based evaluation of Microsoft Threat Protection — May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/) - - Microsoft Threat Protection provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for the security operations center vs. vendor solutions that relied on specific configuration changes. It also the fewest gaps in visibility, diminishing attacker ability to operate undetected. - - ATT&CK-based evaluation of Microsoft Defender ATP — December 2018: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. @@ -101,6 +112,6 @@ Independent security industry tests aim to evaluate the best antivirus and secur The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world. -With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. - [Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md). + +[Learn more about Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) or [start using the service](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable). \ No newline at end of file From 74235156c689e7cd2e06224f4078bd5fd03525d7 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 12 May 2020 15:26:54 -0700 Subject: [PATCH 03/32] simplified --- .../intelligence/top-scoring-industry-antivirus-tests.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index af28a72f9c..1acd8e16ae 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -24,12 +24,7 @@ search.appverid: met150 [Microsoft Threat Protection](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. -Microsoft Threat Protection suite protects: - -- Endpoints with [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) - Microsoft Defender ATP is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response. -- Email and collaboration with [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection) - Office 365 ATP safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. -- Identities with [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/) and [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection) - Azure ATP uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. -- Applications with [Microsoft Cloud App Security](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security) - Microsoft Cloud App Security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps. +Microsoft Threat Protection combines into a single solution the capabilities of [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection), [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/), [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection), and [Microsoft Cloud App Security](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security). ### MITRE: Demonstrated real-world detection, response, and protection from advanced attacks From 90e57c143a43cdc4b055f1563bfbb7130969cbb2 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 15 May 2020 10:57:43 -0700 Subject: [PATCH 04/32] remove en-us --- .../intelligence/top-scoring-industry-antivirus-tests.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 1acd8e16ae..ed51f0aed3 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -22,9 +22,9 @@ search.appverid: met150 ## Microsoft Threat Protection -[Microsoft Threat Protection](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. +[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. -Microsoft Threat Protection combines into a single solution the capabilities of [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection), [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/), [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection), and [Microsoft Cloud App Security](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security). +Microsoft Threat Protection combines into a single solution the capabilities of [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection), [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/), [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection), and [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security). ### MITRE: Demonstrated real-world detection, response, and protection from advanced attacks @@ -109,4 +109,4 @@ The capabilities within Microsoft Defender ATP provide [additional layers of pro [Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md). -[Learn more about Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) or [start using the service](https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable). \ No newline at end of file +[Learn more about Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) or [start using the service](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable). \ No newline at end of file From 690f34eb9aa4f53a2ad753452552e8d7fefad7bd Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 15 May 2020 10:59:44 -0700 Subject: [PATCH 05/32] moving file to new repo --- .../top-scoring-industry-antivirus-tests.md | 112 ------------------ 1 file changed, 112 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md deleted file mode 100644 index ed51f0aed3..0000000000 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ /dev/null @@ -1,112 +0,0 @@ ---- -title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK) -ms.reviewer: -description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success -ms.prod: w10 -ms.mktglfcycl: secure -ms.sitesec: library -ms.localizationpriority: high -ms.author: ellevin -author: levinec -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -search.appverid: met150 ---- - -# Top scoring in industry tests - -[Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. - -## Microsoft Threat Protection - -[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. - -Microsoft Threat Protection combines into a single solution the capabilities of [Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), [Office 365 ATP](https://www.microsoft.com/microsoft-365/exchange/advance-threat-protection), [Azure ATP](https://azure.microsoft.com/features/azure-advanced-threat-protection/), [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection), and [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security). - -### MITRE: Demonstrated real-world detection, response, and protection from advanced attacks - -Core to MITRE’s testing approach is emulating real-world attacks to understand whether solutions are able to adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE’s simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defenders’ visibility beyond the endpoint with Microsoft Threat Protection (MTP). - -- ATT&CK-based evaluation of Microsoft Threat Protection — May 2020: [Leading in real-world detection](https://www.microsoft.com/security/blog/2020/05/01/microsoft-threat-protection-leads-real-world-detection-mitre-attck-evaluation/) - - Microsoft Threat Protection provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for the security operations center vs. vendor solutions that relied on specific configuration changes. It also the fewest gaps in visibility, diminishing attacker ability to operate undetected. - -## Next generation protection - -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections. - -Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies. -

- -**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)** - -### AV-TEST: Protection score of 5.5/6.0 in the latest test - -The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). - -- January — February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest** - - Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used. - -- November — December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/) - -- September — October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/) - -- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -### AV-Comparatives: Protection rating of 99.6% in the latest test - -Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. - -- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) **Latest** - - Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test. - -- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -### SE Labs: AAA award in the latest test - -SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. - -- Enterprise Endpoint Protection January — March 2020: [AAA award](https://selabs.uk/download/enterprise/essp/2020/mar-2020-essp.pdf) **pdf** - - Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat. - -- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf** - -- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -## Endpoint detection & response - -Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. - -### MITRE: Industry-leading optics and detection capabilities - -MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics. - -- ATT&CK-based evaluation of Microsoft Defender ATP — December 2018: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) - - Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. - -## To what extent are tests representative of protection in the real world? - -Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. - -The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world. - -[Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md). - -[Learn more about Microsoft Threat Protection](https://www.microsoft.com/security/business/threat-protection/integrated-threat-protection) or [start using the service](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable). \ No newline at end of file From a3c1b88eb7f2db013a482e4fa48c694e7897b01d Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 15 May 2020 11:21:01 -0700 Subject: [PATCH 06/32] remove file --- windows/security/threat-protection/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index dac2499b3b..6b1c44a58d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -656,7 +656,6 @@ ### [How Microsoft identifies malware and PUA](intelligence/criteria.md) ### [Submit files for analysis](intelligence/submission-guide.md) ### [Safety Scanner download](intelligence/safety-scanner-download.md) -### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md) ### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md) #### [Virus information alliance](intelligence/virus-information-alliance-criteria.md) #### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md) From 537bb6ba7a97a8ac1cfb60d50f7b4024eefed5d8 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 15 May 2020 11:32:02 -0700 Subject: [PATCH 07/32] remove second toc --- windows/security/threat-protection/intelligence/TOC.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 1bea408ef2..b07721ab05 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -36,8 +36,6 @@ ## [Safety Scanner download](safety-scanner-download.md) -## [Industry tests](top-scoring-industry-antivirus-tests.md) - ## [Industry collaboration programs](cybersecurity-industry-partners.md) ### [Virus information alliance](virus-information-alliance-criteria.md) From 93f7474a4be995738f6593341d1b33a2aa9f0aac Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Sun, 17 May 2020 16:19:50 +0300 Subject: [PATCH 08/32] Update production-deployment.md We should match the details from https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server --- .../microsoft-defender-atp/production-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 0c0a59b197..2d7a107234 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -228,7 +228,7 @@ needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record -|- -Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` +Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```
```ctldl.windowsupdate.com```
```www.microsoft.com/pkiops/*```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net``` United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net``` From 822d161babfca265e4b0878ab595eec43e6b8fdf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 May 2020 10:43:50 -0700 Subject: [PATCH 09/32] fix link --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 9213bd067e..5989682e15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -211,7 +211,7 @@ Results of deep analysis are matched against threat intelligence and any matches Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. From 05bb9d22485b4c9b3b60352772848a67dddcd76b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 May 2020 12:37:08 -0700 Subject: [PATCH 10/32] updates --- .../configure-server-endpoints.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index b7e90ca3be..7ca70934da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -24,8 +24,10 @@ ms.topic: article - Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 +- Windows Server (SAC) version 1803 and later - Windows Server, version 1803 -- Windows Server, 2019 and later +- Windows Server 2019 and later +- Windows Server 2019 core edition - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) @@ -37,9 +39,9 @@ The service supports the onboarding of the following servers: - Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 -- Windows Server, version 1803 +- Windows Server (SAC) version 1803 and later - Windows Server 2019 and later - +- Windows Server 2019 core edition For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). @@ -128,9 +130,8 @@ Once completed, you should see onboarded servers in the portal within an hour. 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). - -## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below. +## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition +To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below. > [!NOTE] > The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). @@ -191,7 +192,7 @@ The following capabilities are included in this integration: ## Offboard servers -You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. +You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines. For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent From 1bd4905b54136e1041237c2636927da0737a0ccf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 May 2020 12:52:37 -0700 Subject: [PATCH 11/32] edit --- .../microsoft-defender-atp/configure-server-endpoints.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 7ca70934da..78f2fede2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -25,7 +25,6 @@ ms.topic: article - Windows Server 2012 R2 - Windows Server 2016 - Windows Server (SAC) version 1803 and later -- Windows Server, version 1803 - Windows Server 2019 and later - Windows Server 2019 core edition - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) From 38c0c8ee28334661d67b958b89be8eff2c7383db Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 18 May 2020 13:33:29 -0700 Subject: [PATCH 12/32] Corrected indentation and numbering in lists --- .../configure-server-endpoints.md | 38 ++++++++++--------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 78f2fede2f..a14525a0c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -59,21 +59,23 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 ### Option 1: Onboard servers through Microsoft Defender Security Center You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. -- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: + - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: + - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598) - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) -- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. + - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. -> [!NOTE] -> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. + > [!NOTE] + > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. -- Turn on server monitoring from Microsoft Defender Security Center. -- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + - Turn on server monitoring from Microsoft Defender Security Center. + - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. + + Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). > [!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). @@ -84,6 +86,7 @@ Microsoft Defender ATP integrates with System Center Endpoint Protection. The in The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) + - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting @@ -150,20 +153,20 @@ Support for Windows Server, provide deeper insight into activities happening on 2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly: - a. Set the following registry entry: + 1. Set the following registry entry: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode - Value: 1 - b. Run the following PowerShell command to verify that the passive mode was configured: + 1. Run the following PowerShell command to verify that the passive mode was configured: - ```PowerShell - Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} - ``` + ```PowerShell + Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} + ``` - c. Confirm that a recent event containing the passive mode event is found: + 1. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: @@ -221,11 +224,12 @@ To offboard the server, you can use either of the following methods: #### Run a PowerShell command to remove the configuration 1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Onboarding**. - b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: + 1. In the navigation pane, select **Settings** > **Onboarding**. + + 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: - ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) + ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: From 75b5070537527e326063fbaa6170a7a60582eafe Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 May 2020 13:39:13 -0700 Subject: [PATCH 13/32] chars --- .../threat-protection/microsoft-defender-atp/machine-tags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 23a14e3ccd..9da990fe57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -72,7 +72,7 @@ You can also delete tags from this view. >- Windows 7 SP1 > [!NOTE] -> The maximum number of characters that can be set in a tag from the registry is 30. +> The maximum number of characters that can be set in a tag is 200. Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. From 294799b51eaf94c481fc43993c5797d90bec1352 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 18 May 2020 13:57:04 -0700 Subject: [PATCH 14/32] Fixed a few small issues --- .../microsoft-defender-atp/production-deployment.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 2d7a107234..c2a4429c26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -198,9 +198,9 @@ Use netsh to configure a system-wide static proxy. 1. Open an elevated command-line: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: @@ -253,9 +253,9 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). > [!NOTE] -> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. ## Next step ||| |:-------|:-----| -|![Phase 3: Onboard](images/onboard.png)
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them +|![Phase 3: Onboard](images/onboard.png)
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them. From c3d6f63ac2770bed2b5318081338a570edf1fe93 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 14:55:59 -0700 Subject: [PATCH 15/32] Create configure-automated-investigations-remediation.md --- ...re-automated-investigations-remediation.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md new file mode 100644 index 0000000000..9933be63af --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -0,0 +1,22 @@ +--- +title: Configure automated investigation and remediation capabilities +description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +keywords: configure, setup, automated, investigation, detection, alerts, remediation, response +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection + +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/) (Microsoft Defender ATP), you have [automated investigation and remediation capabilities](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) that can save your security operations team time and effort. \ No newline at end of file From 2ad723940f7f30e3972eaee33c12deab37c773b1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:12:26 -0700 Subject: [PATCH 16/32] Update configure-automated-investigations-remediation.md --- ...gure-automated-investigations-remediation.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 9933be63af..840528dcfa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -19,4 +19,19 @@ ms.topic: conceptual # Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/) (Microsoft Defender ATP), you have [automated investigation and remediation capabilities](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) that can save your security operations team time and effort. \ No newline at end of file +**Applies to** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. + +Automated investigation and remediation capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats: +1. Investigate alerts that were triggered, and analyze evidence. +2. Remediate threats quickly, as appropriate. +3. Resolve alerts as remediation actions are taken, and update investigation status. +4. Find other impacted devices, and repeat steps 1-3 as necessary. + +[Learn more about automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). + +## Configure automated investigation and remediation capabilities + From ed9fc3e066b3b847f84ad3faeae07644d1428cde Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:15:48 -0700 Subject: [PATCH 17/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 840528dcfa..e770c378e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -35,3 +35,13 @@ Automated investigation and remediation capabilities mimic the ideal steps that ## Configure automated investigation and remediation capabilities +To configure automated investigation and remediation, you turn the features on, and then you set up machine groups. + +### Turn on automated investigation and remediation + +1. As a global administrator or security administrator, go to the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) and sign in. +2. In the navigation pane, choose **Settings**. +3. In the **General** section, select **Advanced features**. +4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. + +### Set up machine groups \ No newline at end of file From 84401a961a7a7eac02b2cc1c2387e083b417e27d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:21:15 -0700 Subject: [PATCH 18/32] Update configure-automated-investigations-remediation.md --- ...onfigure-automated-investigations-remediation.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index e770c378e0..fbead5d7a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. Automated investigation and remediation capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats: 1. Investigate alerts that were triggered, and analyze evidence. @@ -31,7 +31,7 @@ Automated investigation and remediation capabilities mimic the ideal steps that 3. Resolve alerts as remediation actions are taken, and update investigation status. 4. Find other impacted devices, and repeat steps 1-3 as necessary. -[Learn more about automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +[Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). ## Configure automated investigation and remediation capabilities @@ -39,9 +39,14 @@ To configure automated investigation and remediation, you turn the features on, ### Turn on automated investigation and remediation -1. As a global administrator or security administrator, go to the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) and sign in. +1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Settings**. 3. In the **General** section, select **Advanced features**. 4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. -### Set up machine groups \ No newline at end of file +### Set up machine groups + +1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Machine groups**. +2. Select **+ Add machine group**, and create at least one machine group. In the **Automation level list**, select **Full – remediate threats automatically**. + +The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). \ No newline at end of file From 334c3d689d616d0ff352eba56ef33715eb2c3ff8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:38:01 -0700 Subject: [PATCH 19/32] Update configure-automated-investigations-remediation.md --- ...configure-automated-investigations-remediation.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index fbead5d7a2..649c28d6a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -35,7 +35,7 @@ Automated investigation and remediation capabilities mimic the ideal steps that ## Configure automated investigation and remediation capabilities -To configure automated investigation and remediation, you turn the features on, and then you set up machine groups. +To configure automated investigation and remediation, you turn the features on, and then you set up device groups. ### Turn on automated investigation and remediation @@ -44,9 +44,13 @@ To configure automated investigation and remediation, you turn the features on, 3. In the **General** section, select **Advanced features**. 4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. -### Set up machine groups +### Set up device groups -1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Machine groups**. -2. Select **+ Add machine group**, and create at least one machine group. In the **Automation level list**, select **Full – remediate threats automatically**. +1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**. +2. Select **+ Add machine group**. +3. Create at least one device group, as follows: + - Specify a name and description for the device group. + - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. + - The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). \ No newline at end of file From 27237ebfc96d3293b96ae20c426c6fd8ccda04aa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:45:50 -0700 Subject: [PATCH 20/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 649c28d6a0..ea978e85db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -51,6 +51,7 @@ To configure automated investigation and remediation, you turn the features on, 3. Create at least one device group, as follows: - Specify a name and description for the device group. - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. - - + - In the **Members** section, you can use one or more conditions to identify and include devices. + - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). \ No newline at end of file From a569b5946fc1deba321d5fa4ee9e78438e41c5da Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 18 May 2020 15:50:07 -0700 Subject: [PATCH 21/32] Changing internal 20h1 to 2004 Changed internal wording from 20h1 to Windows Holographic, version 2004 --- devices/hololens/hololens-connect-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md index 62ec90d0f2..a220b4570c 100644 --- a/devices/hololens/hololens-connect-devices.md +++ b/devices/hololens/hololens-connect-devices.md @@ -64,7 +64,7 @@ HoloLens 2 supports the following classes of USB-C devices: - Combination PD hubs (USB A plus PD charging) > [!NOTE] -> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with the 20H1 OS. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported +> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with Windows Holographic, version 2004. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported ## Connect to Miracast From 6c15ab0c3f6c682fc95f4c4806fcf21efde2b962 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:54:20 -0700 Subject: [PATCH 22/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index ea978e85db..eabac5efe5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -50,8 +50,13 @@ To configure automated investigation and remediation, you turn the features on, 2. Select **+ Add machine group**. 3. Create at least one device group, as follows: - Specify a name and description for the device group. - - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. - - In the **Members** section, you can use one or more conditions to identify and include devices. + - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). + - In the **Members** section, use one or more conditions to identify and include devices. - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. +4. Select **Done** when you are finished setting up your device group. -The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). \ No newline at end of file +## Next steps + +- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) + +- [Manage indicators for files, IP addresses, URLs, or domains that you want to allow, alert and block, or alert only](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) \ No newline at end of file From a6e3acbebad233bdd16a4149247b206f82a1621d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:56:18 -0700 Subject: [PATCH 23/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index eabac5efe5..214a50ed2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -59,4 +59,7 @@ To configure automated investigation and remediation, you turn the features on, - [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) -- [Manage indicators for files, IP addresses, URLs, or domains that you want to allow, alert and block, or alert only](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) \ No newline at end of file +- [Review and approve actions following an automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) + +- [Manage indicators for files, IP addresses, URLs, or domains that you want to allow, alert and block, or alert only](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) + From 79bf8cff8b1b3be8e2c4bf63c4866d8fdeef8b3c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 15:57:38 -0700 Subject: [PATCH 24/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 214a50ed2c..7290f0aae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -29,13 +29,13 @@ Automated investigation and remediation capabilities mimic the ideal steps that 1. Investigate alerts that were triggered, and analyze evidence. 2. Remediate threats quickly, as appropriate. 3. Resolve alerts as remediation actions are taken, and update investigation status. -4. Find other impacted devices, and repeat steps 1-3 as necessary. +4. Find other affected devices, and repeat steps 1-3 as necessary. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). ## Configure automated investigation and remediation capabilities -To configure automated investigation and remediation, you turn the features on, and then you set up device groups. +To configure automated investigation and remediation, you turn on the features, and then you set up device groups. ### Turn on automated investigation and remediation @@ -53,13 +53,13 @@ To configure automated investigation and remediation, you turn the features on, - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). - In the **Members** section, use one or more conditions to identify and include devices. - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. -4. Select **Done** when you are finished setting up your device group. +4. Select **Done** when you're finished setting up your device group. ## Next steps - [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) -- [Review and approve actions following an automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) +- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) - [Manage indicators for files, IP addresses, URLs, or domains that you want to allow, alert and block, or alert only](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) From 7f9796a7ab3d5cf3779b9b4d5ff66ae46cb8a309 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Mon, 18 May 2020 15:59:29 -0700 Subject: [PATCH 25/32] redirect --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7114c4343f..d58593922a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -143,6 +143,11 @@ { "source_path": "windows/security/threat-protection/intelligence/av-tests.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md", +"redirect_url": "https://docs.microsoft.com/microsoft-365/security/mtp/top-scoring-industry-tests", "redirect_document_id": true }, { From 30c1b297c930e91c3b7932753155a51238fcf169 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:00:23 -0700 Subject: [PATCH 26/32] Update TOC.md --- windows/security/threat-protection/TOC.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c01e91a50b..86b25f243a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -327,8 +327,9 @@ #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) -### [Automated investigation and response]() +### [Automated investigation and response (AIR)]() #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) +#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md) ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) From f443bbe82526939a030cdc4799682a4f75dc57e8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:07:06 -0700 Subject: [PATCH 27/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 7290f0aae7..e186d05b8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -33,18 +33,16 @@ Automated investigation and remediation capabilities mimic the ideal steps that [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -## Configure automated investigation and remediation capabilities - To configure automated investigation and remediation, you turn on the features, and then you set up device groups. -### Turn on automated investigation and remediation +## Turn on automated investigation and remediation 1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Settings**. 3. In the **General** section, select **Advanced features**. 4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. -### Set up device groups +## Set up device groups 1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**. 2. Select **+ Add machine group**. From db1b4cd77a5a78acbc0c91e90a291c35bec1327e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:07:41 -0700 Subject: [PATCH 28/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index e186d05b8b..5068c50274 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -33,7 +33,7 @@ Automated investigation and remediation capabilities mimic the ideal steps that [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, you turn on the features, and then you set up device groups. +To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation From ff4677d44cb5c069758875bce24f80b2ced18c8d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:16:47 -0700 Subject: [PATCH 29/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 5068c50274..565959c537 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -23,15 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. - -Automated investigation and remediation capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats: -1. Investigate alerts that were triggered, and analyze evidence. -2. Remediate threats quickly, as appropriate. -3. Resolve alerts as remediation actions are taken, and update investigation status. -4. Find other affected devices, and repeat steps 1-3 as necessary. - -[Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), automated investigation and remediation capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). From cf04b03279d0c83b9216af4998160eefa13ddb27 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:21:51 -0700 Subject: [PATCH 30/32] clean -> no threats found --- .../auto-investigation-action-center.md | 2 +- .../microsoft-defender-atp/automated-investigations.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index eceb1d2833..8441d9b8c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -136,7 +136,7 @@ The **Evidence** tab shows details related to threats associated with this inves ### Entities -The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. +The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found. ### Log diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 17a56b7252..3399f94ff8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: @@ -48,7 +48,7 @@ During and after an automated investigation, you can view details about the inve |**Alerts**| Shows the alert that started the investigation.| |**Machines** |Shows where the alert was seen.| |**Evidence** |Shows the entities that were found to be malicious during the investigation.| -|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). | +|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | |**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| |**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. | From e1a9b1a1d88aaee701ae649c86ed225abf027d84 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:24:35 -0700 Subject: [PATCH 31/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 565959c537..ade1509553 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -51,5 +51,5 @@ To configure automated investigation and remediation, you [turn on the features] - [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) -- [Manage indicators for files, IP addresses, URLs, or domains that you want to allow, alert and block, or alert only](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) From 910d7fcabe531d66fa45c4de7e6280795fd7cee2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 18 May 2020 16:28:56 -0700 Subject: [PATCH 32/32] Update configure-automated-investigations-remediation.md --- .../configure-automated-investigations-remediation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index ade1509553..8286330112 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), automated investigation and remediation capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).