Merge branch 'atp-rs4' of https://cpubwin.visualstudio.com/_git/it-client into atp-rs4
@ -13102,8 +13102,36 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-windows-defender-advanced-threat-protection",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
|
||||
|
||||
|
||||
]
|
||||
}
|
||||
|
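Review bot: every entry in this hunk sets "redirect_document_id": true, so each new redirect_url (secure-score-dashboard-..., security-operations-dashboard-..., threat-analytics-dashboard-..., data-retention-settings-..., enable-secure-score-..., time-settings-...) must resolve to a page that exists in this branch; the first entry also changes an existing target from secure-score-... to secure-score-dashboard-..., so double-check that the older target is not still referenced anywhere. The three empty lines added just before the closing `]` look like stray whitespace and should be dropped.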
@ -39,9 +39,9 @@
|
||||
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
||||
### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
|
||||
#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Secure score dashboard and improve your secure score](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
###Investigate and remediate threats
|
||||
####Alerts queue
|
||||
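Review bot: the new TOC line uses "Secure Score dashboard" (capital S) while the related-topics and settings entries elsewhere in this same merge use "Secure score security controls"; pick one spelling of the feature name and apply it throughout. In the unchanged context, `###Investigate and remediate threats` and `####Alerts queue` have no space after the hashes, so they will not render as headings in CommonMark; worth fixing while this file is being touched.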
@ -93,7 +93,7 @@
|
||||
##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
##### [Query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
#### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
###API and SIEM support
|
||||
#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
|
||||
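Review bot: demoting the conditional access entry from `###` to `####` makes it a child of whatever `####` heading precedes the `#####` Advanced hunting lines above it, which is not visible in this hunk; confirm that is the intended parent, otherwise keep it at `###` as a top-level task alongside "API and SIEM support". That heading, `###API and SIEM support`, also lacks the space after the hashes.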
@ -186,11 +186,11 @@
|
||||
### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
####General
|
||||
##### [Update data retention settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
|
||||
##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
##### [Configure automation notifications](windows-defender-atp\configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
##### [Enable Secure score security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
####Permissions
|
||||
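Review bot: "Enable Secure score security controls" keeps the lowercase "score" here while the TOC entry added in this same change reads "Secure Score dashboard"; normalise the capitalisation across the settings TOC and the related-topics lists. `####General` and `####Permissions` in the context lack the space after the hashes and will not render as headings.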
@ -211,7 +211,7 @@
|
||||
##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
|
||||
##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
|
||||
### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
|
||||
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
|
||||
|
@ -94,8 +94,8 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic
|
||||
3. Click **Save preferences**.
|
||||
|
||||
## Related topics
|
||||
- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Advanced hunting best practices in Windows Defender ATP
|
||||
description: Learn about advanced hunting best practices such as what filters and keywords to use to effectively query data.
|
||||
description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
|
||||
keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -39,7 +39,7 @@ The following best practices serve as a guideline of query performance best prac
|
||||
## Query tips and pitfalls
|
||||
|
||||
### Unique Process IDs
|
||||
Process IDs are recycled in Windows and reused for new processes and therefore can<EFBFBD>t serve as a unique identifier for a specific process.
|
||||
Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
|
||||
To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
|
||||
|
||||
|
||||
|
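Review bot: replacing the U+FFFD replacement-character bytes (`<EFBFBD>`) with a plain apostrophe is the right fix, but the unchanged sentence that follows, "Windows Defender ATP created the time process", is garbled and should be reworded while this paragraph is open so it matches the sentence after it, which explains using the process ID together with the process creation time as the unique identifier.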
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Advanced hunting reference in Windows Defender ATP
|
||||
description: Learn about advanced hunting table reference such as column name, data type, and description
|
||||
description: Learn about Advanced hunting table reference such as column name, data type, and description
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Query data using Advanced hunting in Windows Defender ATP
|
||||
description: Learn about advanced hunting in Windows Defender ATP and how to query ATP data.
|
||||
description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data.
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -32,10 +32,10 @@ Advanced hunting allows you to proactively hunt for possible threats across your
|
||||
|
||||
- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
|
||||
- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
|
||||
- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the advanced hunting query experience and the existing portal investigation experience.
|
||||
- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
|
||||
- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
|
||||
|
||||
To get you started in querying your data, you can use the basic or advanced query examples that have some preloaded queries for you to understand the basic query syntax.
|
||||
To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
|
||||
|
||||

|
||||
|
||||
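Review bot: "you can use the basic or Advanced query examples" capitalises an ordinary adjective; in this sentence "advanced" qualifies "query examples" and is not the feature name, so it should stay lowercase. A global search-and-replace of "advanced hunting" to "Advanced hunting" is fine, but check each hit where "advanced" is used adjectivally.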
@ -45,7 +45,7 @@ A typical query starts with a table name followed by a series of operators separ
|
||||
|
||||
In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
|
||||
|
||||

|
||||

|
||||
|
||||
First, we define a time filter to review only records from the previous seven days.
|
||||
|
||||
@ -74,9 +74,9 @@ To see a live example of these operators, run them as part of the **Get started*
|
||||
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
|
||||
|
||||
## Use exposed tables in advanced hunting
|
||||
## Use exposed tables in Advanced hunting
|
||||
|
||||
The following tables are exposed as part of advanced hunting:
|
||||
The following tables are exposed as part of Advanced hunting:
|
||||
|
||||
- **AlertEvents** - Stores alerts related information
|
||||
- **MachineInfo** - Stores machines proprties
|
||||
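Review bot: two typos in the unchanged context right below the renamed heading: "Stores machines proprties" should be "Stores machine properties", and "Stores alerts related information" should be "Stores alert-related information"; since the heading and intro lines in this hunk are being edited anyway, fix these in the same commit.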
@ -126,23 +126,23 @@ These steps guide you on modifying and overwriting an existing query.
|
||||
|
||||
2. Select **Delete** and confirm that you want to delete the query.
|
||||
|
||||
## Result set capabilities in advanced hunting
|
||||
## Result set capabilities in Advanced hunting
|
||||
|
||||
The result set has several capabilities to provide you with effective investigation, including:
|
||||
|
||||
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
|
||||
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
|
||||
|
||||

|
||||

|
||||
|
||||
## Filter results in advanced hunting
|
||||
In advanced hunting, you can use the advanced filter on the output result set of the query.
|
||||
## Filter results in Advanced hunting
|
||||
In Advanced hunting, you can use the advanced filter on the output result set of the query.
|
||||
The filters provide an overview of the result set where
|
||||
each column has it's own section and shows the distinct values that appear in the column and their prevalence.
|
||||
|
||||
You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
|
||||
|
||||

|
||||

|
||||
|
||||
The filter selections will resolve as an additional query term and the results will be updated accordingly.
|
||||
|
||||
|
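Review bot: "each column has it's own section" should be "its" (possessive), and the sentence is split mid-clause across two source lines ("...result set where" / "each column has..."), which renders fine but makes diffs noisy; join it. Also, "In Advanced hunting, you can use the advanced filter" now mixes a capitalised feature name with a lowercase UI control in one sentence; that is correct only if "advanced filter" matches the control label mentioned in the result-set bullet above ("**advanced filter**"), so keep them consistent with the UI.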
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Automated investigations in Windows Defender Advanced Threat Protection
|
||||
title: Use Automated investigations to investigate and remediate threats
|
||||
description: View the list of automated investigations, its status, detection source and other details.
|
||||
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
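Review bot: the new title drops the product name ("Use Automated investigations to investigate and remediate threats") while other titles in this merge keep it (for example "Onboard servers to the Windows Defender ATP service"); decide on one convention for the docset. In the unchanged description line, "View the list of automated investigations, its status" should read "their status" to agree with the plural.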
@ -13,7 +13,7 @@ ms.localizationpriority: high
|
||||
ms.date: 04/16/2018
|
||||
---
|
||||
|
||||
# Automated investigations in Windows Defender ATP
|
||||
# Use Automated investigations to investigate and remediate threats
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -155,9 +155,12 @@ You'll also have access to the following sections that help you see details of t
|
||||
- Entities
|
||||
- Log
|
||||
- Pending actions
|
||||
|
||||
>[!NOTE]
|
||||
>The Pending actions tab is only displayed if there are actual pending actions.
|
||||
|
||||
- Pending actions history
|
||||
|
||||
>[!NOTE]
|
||||
>The Pending actions history tab is only displayed when an investigation is complete.
|
||||
|
||||
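Review bot: the two `>[!NOTE]` blocks are inserted at column 0 between list items; in Markdown an unindented block quote terminates the list, so "- Pending actions history" starts a second list and the notes render outside the bullets. Indent the note lines under their respective items (two or more spaces) or move both notes below the list with an explicit reference to the tab they describe.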
@ -178,7 +181,7 @@ Clicking on an alert title brings you the alert page.
|
||||
### Machines
|
||||
Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
|
||||
|
||||
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If the same threat is seen on more than nine machines, you have the option to expand the view from the **Pending actions** view.
|
||||
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
|
||||
|
||||
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
|
||||
|
||||
|
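Review bot: "If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval" is hard to parse because "from the same entity" floats; suggest "If the expansion from the same entity finds 10 or more machines, the expansion requires approval and appears in the **Pending actions** view." The unchanged context line "Shows details the machine name, IP address, ..." is missing a word ("Shows details such as the machine name, ...").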
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Enable conditional access in Windows Defedener ATP
|
||||
title: Enable conditional access to better protect users, devices, and data
|
||||
description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
|
||||
keywords: conditional access, block applications, security level, intune,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -13,7 +13,7 @@ ms.localizationpriority: high
|
||||
ms.date: 03/05/2018
|
||||
---
|
||||
|
||||
# Enable conditional access in Windows Defender ATP
|
||||
# Enable conditional access to better protect users, devices, and data
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -37,12 +37,23 @@ The implementation of conditional access in Windows Defender ATP is based on Mic
|
||||
|
||||
The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications.
|
||||
|
||||
## Understand conditional access
|
||||
When a device is found to be at high risk, the signal is communicated to Intune. In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
||||
## Understand the conditional access flow
|
||||
When a device is found to be at high risk, the signal is communicated to Intune.
|
||||
|
||||
A device returns to a compliant state when there is lower risk seen on it. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
|
||||
In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
||||
|
||||
The following image shows the conditional access flow in action:
|
||||
A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
|
||||
|
||||
|
||||
To resolve the high risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.
|
||||
|
||||
There are two ways to address a risk: through manual remediation or automated remediation.
|
||||
|
||||
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](#configure-conditional-access).
|
||||
|
||||
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
|
||||
|
||||
The following example sequence of events explains conditional access in action:
|
||||
|
||||
1. A user opens a malicious file and Windows Defender ATP flags the device as high risk.
|
||||
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
|
||||
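Review bot: the rewrite changes the compliance condition from "when there is lower risk seen on it" to "when there is no risk seen on it"; that is a substantive statement about when Intune marks the device compliant again, so confirm it matches product behaviour before merging. The removed line "The following image shows the conditional access flow in action:" is not re-added in this hunk, so if the flow image still follows this section it is now uncaptioned; either restore the lead-in or remove the image reference.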
@ -59,11 +70,14 @@ The following image shows the conditional access flow in action:
|
||||
You'll need to take the following steps to enable conditional access:
|
||||
|
||||
1. Turn on the Microsoft Intune connection. For more information, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
|
||||
2. Turn on the Windows Defender ATP integration in Intune. For more information, see LINK TO THE CONTENT INTUNE WRITER IS MAKING.
|
||||
|
||||
2. Turn on the Windows Defender ATP integration in Intune. For more information, see __________
|
||||
|
||||
- Ensure that machines are enrolled. For more information see, [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
|
||||
|
||||
3. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal).
|
||||
3. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started).
|
||||
|
||||
4. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started).
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||
|
||||
|
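Review bot: step 2 still ships a placeholder, "For more information, see __________", which only swaps the old "LINK TO THE CONTENT INTUNE WRITER IS MAKING" note for a blank and will be published as-is; add the link or drop the sentence until the Intune page exists. The "Ensure that machines are enrolled" bullet sits unindented between numbered steps 2 and 3, which can restart the numbering in Markdown; indent it under step 2. Minor: "For more information see," has the comma misplaced.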
@ -62,8 +62,8 @@ You can configure Windows Defender ATP to send automation notifications to speci
|
||||
2. Confirm that you want to delete the rule.
|
||||
|
||||
## Related topics
|
||||
- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
|
@ -74,8 +74,8 @@ This section lists various issues that you may encounter when using email notifi
|
||||
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
|
||||
|
||||
## Related topics
|
||||
- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
|
@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
@ -189,7 +189,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
@ -127,7 +127,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
@ -94,7 +94,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**.
|
||||
|
||||
b. Select Windows 10 as the operating system.
|
||||
|
||||
|
@ -71,9 +71,13 @@ You can onboard VDI machines using a single entry or multiple entries for each m
|
||||
6. Test your solution:
|
||||
|
||||
a. Create a pool with one machine.
|
||||
|
||||
b. Logon to machine.
|
||||
|
||||
c. Logoff from machine.
|
||||
|
||||
d. Logon to machine with another user.
|
||||
|
||||
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br>
|
||||
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
|
||||
|
||||
|
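Review bot: "Logon to machine", "Logoff from machine" and "Logon to machine with another user" use the noun forms as verbs; write "Log on to the machine", "Log off from the machine", "Log on to the machine with another user". In step e, the `<br>` continuation line should be indented so it stays inside the list item rather than becoming a separate paragraph.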
@ -12,7 +12,7 @@ localizationpriority: high
|
||||
ms.date: 04/16/2018
|
||||
---
|
||||
|
||||
# Onboard servers
|
||||
# Onboard servers to the Windows Defender ATP service
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -138,7 +138,7 @@ To offboard the server, you can use either of the following methods:
|
||||
1. Get your Workspace ID:
|
||||
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
|
||||
|
||||
b. Select Windows server 2012, 2012R2 and 2016 as the operating system and get your Workspace ID:
|
||||
b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID:
|
||||
|
||||

|
||||
|
||||
|
@ -39,9 +39,9 @@ During the onboarding process, a wizard takes you through the general settings o
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Update data retention settings](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure automation notifications](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
|
@ -29,7 +29,7 @@ ms.date: 04/16/2018
|
||||
|
||||
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Threat intel**.
|
||||
1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**.
|
||||
|
||||

|
||||
|
||||
|
@ -39,8 +39,8 @@ Set the baselines for calculating the score of Windows Defender security control
|
||||
3. Click **Save preferences**.
|
||||
|
||||
## Related topics
|
||||
- [View the Secure Score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings for Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure automation notifications in Windows Defender ATP](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
@ -29,7 +29,7 @@ ms.date: 04/16/2018
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **API** > **SIEM**.
|
||||
1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
|
||||
|
||||

|
||||
|
||||
|
@ -28,7 +28,7 @@ You can click on affected machines whenever you see them in the portal to open a

- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- The [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
@ -84,7 +84,7 @@ Filter the list to view specific machines that are well configured or require at
- **Well configured** - Machines have the Windows Defender security controls well configured.
- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.

For more information, see [View the Secure Score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md).

**Malware category alerts**</br>

Filter the list to view specific machines grouped together by the following malware categories:
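Review bot: the unchanged context line `**Malware category alerts**</br>` uses a closing-style `</br>` tag where a `<br>` line break is meant; since this hunk already touches the line just above it, fix it in the same change. The retarget itself, from `security-analytics-dashboard-...md` to `secure-score-dashboard-...md`, matches the redirect entry for that path at the top of this commit.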
@ -27,11 +27,11 @@ ms.date: 04/16/2018

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)

Create a rule to control which entities are automatically incriminated or exonerated during automated investigations.
Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.

Entities added to the allowed list are considered safe and will not be analyzed during automated investigations.
Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.

Entities added to the blocked list are considered malicious and will be remediated during automated investigations.
Entities added to the blocked list are considered malicious and will be remediated during Automated investigations.

You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.

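Review bot: capitalizing `Automated investigations` mid-sentence presents it as a feature name, but the three replaced lines still use it as a generic plural phrase (`during Automated investigations`), while another hunk in this commit uses the singular `in Automated investigation` with no article. Decide whether this is a product name or a generic term and apply one form (capitalization and number) consistently across all of the lines this commit changes; as it stands a reader cannot tell which it is.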
@ -27,11 +27,11 @@ ms.date: 04/16/2018

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)

Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection during automated investigations.
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

Identify the files and email attachments by specifying the file extension names and email attachment extension names.

For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during an automated investigation.
For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.

## Add file extension names and attachment extension names.

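Review bot: the first replaced line, `...for additional inspection in Automated investigation.`, drops both the plural and the preposition `during` that the original had, and the second, `...during Automated investigation.`, drops the article `an`; both now read as fragments. Suggest `during Automated investigations` (or `during an Automated investigation`) in both places. The unchanged heading `## Add file extension names and attachment extension names.` ends with a period, which no other heading in this commit does; worth dropping while the page is open.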
@ -27,7 +27,7 @@ ms.date: 04/16/2018

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)

Automation folder exclusions allow you to specify folders that the automated investigation will skip.
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.

You can control the following attributes about the folder that you'd like to be skipped:
- Folders
@ -35,13 +35,13 @@ You can control the following attributes about the folder that you'd like to be
- File names


**Folders**
**Folders**<br>
You can specify a folder and its subfolders to be skipped. You can use wild cards so that all files under the directory is skipped by the automated investigation.

**Extensions**
**Extensions**<br>
You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.

**File names**
**File names**<br>
You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.


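Review bot: adding `<br>` after each bold label gives the intended label-then-explanation layout, but the unchanged sentence directly under **Folders**, `You can use wild cards so that all files under the directory is skipped by the automated investigation.`, still has a number-agreement error and a spelling variant; `You can use wildcards so that all files under the directory are skipped` would fix both and this hunk is already editing the line above it. Note also that this page keeps lowercase `automated investigation` here while the other hunks in the commit switch to `Automated investigation`.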
@ -25,7 +25,7 @@ ms.date: 04/16/2018

[!include[Prerelease information](prerelease.md)]

There are some minimum requirements for onboarding your network and machines.
There are some minimum requirements for onboarding machines to the service.

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)

@ -97,12 +97,20 @@ Icon | Description
| Memory allocation
| Process injection
| Powershell command run
 | Community center icon
 | Notifications icon
 | Community center
 | Notifications
 | Automated investigation - no threats found
 | Automated investigation - failed
 | Automated investigation - partially investigated
 | Automated investigation - terminated by system
 | Automated investigation - pending
 | Automated investigation - running
 | Automated investigation - remediated
 | Automated investigation - partially remediated


## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
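Review bot: dropping the `icon` suffix from `Community center` and `Notifications` brings those rows in line with the other descriptions (`Memory allocation`, `Process injection`), but the unchanged row `| Powershell command run` should read `PowerShell` and could be corrected while the table is being extended. The eight new `Automated investigation - ...` rows share one prefix; if the table gets longer, a separate heading for investigation states would be easier to scan than a prefix on every row. The three related-topic retargets at the bottom of the hunk match the redirect entries at the top of this commit.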
@ -32,7 +32,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable

Topic | Description
:---|:---
[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
Permissions | Manage portal access using RBAC as well as machine groups.
APIs | Enable the threat intel and SIEM integration.
Rules | Configure suppressions rules and automation settings.
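Review bot: only the link target in this row was changed to `data-retention-settings-windows-defender-advanced-threat-protection.md`; the link text `Update general settings` and the description `Modify your general settings that were previously defined as part of the onboarding process.` still describe the old topic. If the page was renamed because it now covers data retention, update the text in the same row (for example `[Update data retention settings](...) | Modify the data retention settings ...`), otherwise the row title will not match the page it opens.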
@ -36,7 +36,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.

## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Update general settings in Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
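Review bot: the related-topic link now points at `data-retention-settings-windows-defender-advanced-threat-protection.md` but keeps the title `Update general settings in Windows Defender ATP`; the title should name the destination topic (data retention settings), since a reader following it will land on a page with a different name than the one they clicked.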
@ -36,7 +36,7 @@ You'll have access to upcoming features which you can provide feedback on to hel

Turn on the preview experience setting to be among the first to try upcoming features.

1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**.

2. Toggle the setting between **On** and **Off** and select **Save preferences**.

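Review bot: the new path inserts a **General** level between **Settings** and **Advanced features**; the Settings-menu table changed elsewhere in this commit lists `Update general settings`, `Permissions`, `APIs` and `Rules` as the entries under **Settings**, and the SIEM procedure uses `**Settings** > **APIs** > **SIEM**` with no intermediate level, so confirm that Advanced features really sits under General in the portal and that the other procedures referring to it were updated the same way.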
@ -52,7 +52,7 @@ The Office 365 Secure Score looks at your settings and activities and compares t

In the example image, the total points for the Windows security controls and Office 365 add up to 437 points.

You can set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard through the **Settings**. For more information, see [Enable Secure Score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
You can set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard through the **Settings**. For more information, see [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md).

## Windows Defender security controls
The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
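Review bot: the retargeted sentence still ends `through the **Settings**.`, which is missing a noun; suggest `through the **Settings** menu` or the explicit path form used in the rest of this commit (`**Settings** > **General** > ...`). The new target `enable-secure-score-windows-defender-advanced-threat-protection.md` matches the redirect entry for `enable-security-analytics-...md` at the top of the commit.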
@ -353,8 +353,8 @@ You can take the following actions to increase the overall security score of you
## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)


@ -155,6 +155,6 @@ For more information on the service health, see [Check the Windows Defender ATP
## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
@ -57,4 +57,4 @@ When an issue is resolved, it gets recorded in the **Status history** tab.
The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.

### Related topic
- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
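Review bot: this page uses `### Related topic` (level 3, singular) while every other page in this commit uses `## Related topics`; since the hunk already edits the only entry under that heading, align it in the same change. The unchanged sentence above it, `along with the other information that were included while it was being resolved`, pairs a plural verb with a singular subject; `the other information that was included` would fix it.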
@ -53,7 +53,7 @@ Click a section of each chart to get a list of the machines in the corresponding
## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)

@ -41,8 +41,8 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex
Topic | Description
:---|:---
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Secure Score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations.
[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations.


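Review bot: the three link retargets match the redirect entries at the top of this commit, but the row descriptions were carried over unchanged and the Security operations row still contains the garbled phrase `the overall status of the service of the machines on your network`; since all three rows are being rewritten anyway, `the overall status of the service and of the machines on your network` (or whichever of the two was meant) would be worth fixing here.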
@ -91,10 +91,9 @@ detect sophisticated cyber-attacks, providing:
Topic | Description
:---|:---
Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations and Secure Score dashboard, and how to navigate the portal.
[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
Prevent threats | Use conditional access to help better protect your users and enterprise information by making sure only secure devices have access to applications.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
Reporting | Create and build Power BI reports using Windows Defender ATP data.
Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
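Review bot: the hunk header `@ -91,10 +91,9 @@` says the old side lost one line, but the rows shown are paired one-for-one (two removed, two added), so the removed line is not visible in this rendering; check the raw diff to confirm nothing beyond the two table rows (a blank or a row) was dropped unintentionally. Separately, only the `Onboard machines` and `Understand the Windows Defender ATP portal` rows are links; `Get started`, `Investigate and remediate threats`, `Prevent threats`, `API and SIEM support`, `Reporting` and `Check service health and sensor state` are plain text, which is inconsistent for a navigation table and may be an oversight from the rename pass.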