From 9697bd40ee828a117f24a88ff2d7101838683ab6 Mon Sep 17 00:00:00 2001 From: Dulce Montemayor Date: Tue, 29 Oct 2019 00:13:26 -0700 Subject: [PATCH] Added exception details --- .../microsoft-defender-atp/tvm-remediation.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 674d4b0309..36ebf6ad62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -51,7 +51,37 @@ You also have the option to export all remediation activity data to CSV for reco The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. -However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab. +## When to file for exception instead of remediating issues +You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. + +When you select a security recommendation, it opens up a flyout screen with details and options for next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. + +Select **Exception options** and a flyout screen opens. +![Screenshot of exception flyout screen](images/tvm-exception-flyout.png) + +###Exception justification +If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. 
+ +Compensating/alternate control - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall prevents access to a machine, third party antivirus +Productivity/business need - Remediation will impact productivity or interrupt business-critical workflow +Accept risk - Poses low risk and/or implementing a compensating control is too expensive +Planned remediation (grace) - Already planned but is awaiting execution or authorization +Other - False positive +![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png) + +###Exception visibility +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. +However, you also have the option to filter your view based on exception justification, type, and status. +![Screenshot of exception tab and filters](images/tvm-exception-filters.png) + +###Actions on exceptions +- Cancel - You can cancel the exceptions you've filed any time +- Resurface - The exception that you've filed automatically becomes void and resurfaces in the security recommendation section when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded + +###Exception status +- Cancelled - The exception has been cancelled and is no longer in effect +- Expired - The exception that you've filed is no longer in effect +- In effect - The exception that you've filed is in progress ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
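Review bot: The four new subsection headings (`###Exception justification`, `###Exception visibility`, `###Actions on exceptions`, `###Exception status`) have no space after `###`, and the five justification reasons from "Compensating/alternate control" through "Other - False positive" have no list markers, so CommonMark-style renderers will show the headings as literal text and collapse the reasons into one paragraph. Add the space after `###` and prefix each reason with `- `, matching the lists under "Actions on exceptions" and "Exception status". On content: the new intro says exceptions stop a recommendation from "showing up in reports and affecting risk scores or secure scores", yet the status list defines "Expired" only as "no longer in effect" and "In effect" as "in progress". Neither says what causes an exception to expire or how long one lasts, which a reader needs to know before suppressing a finding; state the expiry condition there, and reword "In effect" so it reads as active rather than pending. The "Resurface" entry is listed under actions but describes automatic behavior, so say whether the user can trigger it. "Other - False positive" also overlaps with the separate **Report inaccuracy** option named earlier in the hunk; clarify which path to use for a false positive. Minor: "certain recommendation" should be plural, "existing business justification that blocks" needs number agreement, and "Cancelled" is spelled differently from the "Cancel" action's usual US spelling ("Canceled") used elsewhere in this doc set, if that is the convention.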