update management and apis

Joey Caparas
2018-08-23 15:21:35 -07:00
parent 2fc5d6d08c
commit 8980fa69e7
2 changed files with 67 additions and 114 deletions


@ -68,6 +68,7 @@
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
#####Actor
###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
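Review bot: `#####Actor` has no space between the hashes and the text, so a CommonMark renderer treats it as a paragraph rather than a level-5 heading, while the linked entries around it (`##### [Supported Windows Defender ATP APIs]`, `###### [Get actor information]`) do use the space; write it as `##### Actor` so the Actor group nests correctly under the APIs entry.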
@ -128,7 +129,7 @@
###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
### [Microsoft threat protection](threat-protection-integration.md)
#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
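Review bot: `#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)` appears both here, after the user-related-machines entry, and in the previous hunk directly under `### [Management and APIs]`; this hunk is a 7-for-7 swap, so the intent is presumably to move the entry up, but with the markers stripped it is not visible which copy is removed. Confirm the lower copy is the deletion so the TOC does not list the same page twice under one section.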
@ -158,23 +159,7 @@
### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Onboard machines, configure, and manage capabilities](onboard.md)
### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
#### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
##### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
##### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
###### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
##### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
#### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
#### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
#### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
#### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
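Review bot: this hunk deletes the onboarding subtree (from `#### [Onboard previous versions of Windows]` through `##### [Troubleshoot subscription and portal access issues]`) but, if `## [Onboard machines, configure, and manage capabilities](onboard.md)` and `### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)` survive as context, a near-empty top-level section is left behind that duplicates the same two entries re-added later under `### Management and API support`. Either remove those two lines here as well, or keep the subtree at this level rather than nesting it a second time.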
@ -256,20 +241,57 @@
##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
### Configure Microsoft threat protection
#### [Microsoft Cloud App Security](microsoft-cloud-app-security-config.md)
### [Manage auto investigation and remediation](manage-auto-investigation-windows-defender-advanced-threat-protection.md)
### [Configure the security controls in Secure score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
### Management and API support
#### [Onboard machines, configure, and manage capabilities](onboard.md)
##### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
###### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
###### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
######## [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
####### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
###### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
###### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
###### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
###### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
###### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
#####General
###### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
###### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
###### [Enable and create Power BI reports using Windows Defender Security center data](powerbi-reports-windows-defender-advanced-threat-protection.md)
###### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
###### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
#####Permissions
###### [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
###### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
####### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
#####APIs
###### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
#####Rules
###### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
###### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
###### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
###### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
#####Machine management
###### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
###### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
##### [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
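Review bot: the re-nested onboarding entries use seven and eight hashes (`####### [Onboard machines using Group Policy]`, `######## [Onboard machines using Microsoft Intune]`), which exceed the six heading levels CommonMark recognises and will render as plain paragraphs; flatten the subtree by one or two levels or keep it at its previous depth. Two smaller points in the same hunk: the unlinked group headers (`#####General`, `#####Permissions`, `#####APIs`, `#####Rules`, `#####Machine management`) lack the space after the hashes that the surrounding entries have, and `#### [Onboard machines, configure, and manage capabilities](onboard.md)` repeats a file already listed as a `##` entry earlier in the TOC, while `##### [Enable SIEM integration]` is listed both under `#####APIs` and under `#### [Pull alerts to your SIEM tools]`.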
@ -292,41 +314,8 @@
#### Reporting
##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
####General
##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](powerbi-reports-windows-defender-advanced-threat-protection.md)
##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
####Permissions
##### [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
###### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
####APIs
##### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
####Rules
##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
####Machine management
##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
### Manage Microsoft threat protection integration
#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md)
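Review bot: after this removal the powerbi-reports page is still reachable from two entries with different titles, `##### [Create and build Power BI reports using Windows Defender ATP data]` under `#### Reporting` here and `###### [Enable and create Power BI reports using Windows Defender Security center data]` in the settings subtree that this content was moved to; pick one title for the page. Also note that the renamed section drops the word "integration": `### Manage Microsoft threat protection integration` / `#### [Configure Microsoft Cloud App Security integration]` becomes `### Configure Microsoft threat protection` / `#### [Microsoft Cloud App Security]`, so check the new titles still match the page's H1.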


@ -10,66 +10,30 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 07/01/2018
ms.date: 09/03/2018
---
# Overview of management and APIs
TODO: Raviv
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
- [Configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection)
- [Onboarding](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection)
- [RBAC](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
- [SIEM connectors](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)
- [Exposed APIs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection)
- [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
- [Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements.
================
Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other third-party tools used for machines management.
Scratch paper / thoughts:
*** TomerB ***
NOTE: I changed the order of the sections above - need to also ensure this is align with how the rest of the content is orgenized
Windows Defender ATP supports a wide variety of options to ensure a smooth and effective adotpion by a wide range of customers profile.
We acknoledge that each environment is different in how it is structure and operats, and the Windwos Defender ATP solution was created with the much needed flexability & granularity to address just that.
Machine onboarding is fully integrate into SCCM & Intune for client machines and ASC for server machines, providing complete E2E experience of configuraiton, deployment and monitoring. In additonal Windows Defender ATP support GP and any 3rd party tool used for machines management
Windows Defender ATP provides unparallel powerfull and flexible role based access control - defining who can see which properties, and who can performs which tasks / action. The RBAC model supports all flavors of security teams strucutre
Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
- Globally distributed organizations and security teams
- Tiered model SOC
- Fully segregated devisions with single centralized global SOC
- Tiered model security operations teams
- Fully segregated devisions with single centralized global security operations teams
Windows Defender ATP solution is built on top of an integration ready platform
[1] It support integration with a number of SIEMs solutions and also exposes APIs to fully support any pulling all the alerts underline detection information into any SIEM solutions.
[2] For those who are already heavily invested in data enrichment and automation Windows Defender ATP rich set of APIs enbales just that
* Enriching events coming from other security systems with footpring / prevelance information
* Triggering file or machine level response actions via APIs
* Keeping systems sync-ed (Import machines tags from assets management systems into ATP, Syncronizing alerts and incidents status cross ticketing systems and ATP)
The Windows Defender ATP solution is built on top of an integration-ready platform:
- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution.
- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation:
- Enriching events coming from other security systems with foot print or prevalence information
- Triggering file or machine level response actions through APIs
- Keeping systems in-sync such as importing machine tags from asset management systems into Windows Defender ATP, synchronize alerts and incidents status cross ticketing systems with Windows Defender ATP.
An important aspects of machines management is the ability to analyze the environment from different, broad, perspective. This often help drive new insights and proper priority of the next "go do" item
[1] Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures.
[2] Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to ATP alerts and secure score of your machines. ATP also supports full customization of the reports, including mesh ATP data with you own data strem to produce buisness specific report
An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification:
- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures.
- Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports.
*** TomerB ***
Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
There's a wide variety of supported management tools you can use to onboard machines to the service. The platform also supports various security information and events management (SIEM) tools that allows you to pull alerts to. The application programming interface (APIs) provides the flexibility of pulling or creating alerts programmatically.
Talk about all the tools that you can use with WDATP
OR one liner
wdatp allows you to interact with the platform and other systems
enable to manage and interact with the system
APIs, SIEM connectors, Reporting, powerbi, etc
## In this section
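Review bot: this hunk shows the draft scratch text (`TODO: Raviv`, `Scratch paper / thoughts:`, both `*** TomerB ***` markers, and the unpolished duplicates of the RBAC, integration and Secure score paragraphs) interleaved with the cleaned prose; since the rendering drops the +/- markers, confirm that every draft line is on the removal side and that the resulting 30-line file contains only the intro list and the rewritten paragraphs. In the prose that is meant to stay: `application programming interface (APIs)` should read `interfaces`, `foot print or prevalence information` should be `footprint`, `Fully segregated devisions` should be `divisions`, `synchronize alerts and incidents status cross ticketing systems` needs `across` and `incident status`, and `that allows you to pull alerts to` is missing its object. Finally, `ms.date: 09/03/2018` is later than the commit date shown above (2018-08-23); confirm the forward date is intentional.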