mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merged PR 3469: fix bugs
fix bugs
commit 98be7b4d56
@ -30,6 +30,7 @@
#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
@ -40,12 +41,12 @@
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
###### [Release machine from the isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
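Review bot: the TOC entry for Restrict app execution points at `#restict-app-execution`, which looks like a misspelled anchor; confirm it matches the heading slug generated in respond-machine-alerts-windows-defender-advanced-threat-protection.md, otherwise the link silently lands at the top of the page. While in this hunk, `###### [Release machine from the isolation]` reads awkwardly and does not match its own anchor `#release-machine-from-isolation`; suggest "Release machine from isolation". Since the hunk keeps the line count at 12, one of the "Undo machine isolation" and "Release machine from isolation" entries is the replacement for the other; make sure only the surviving title is listed so the TOC does not name the same action twice.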
@ -59,6 +59,55 @@ You'll also see details such as logon types for each user account, the user grou
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
Machine related properties are being extended to account for:
- Group affiliation
- Dynamic context capturing
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.

3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.

Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.

## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
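Review bot: in the "Set standard tags on machines" procedure, the sentence "You can also get to the alert page through the file and IP views." sits inside a step about selecting a machine, so it should say machine page, or be dropped, since it is about navigation rather than tagging. The "Group machines" subsection tells the reader that the group comes from `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`, string value `Group`, but not how it is expected to be set; say that the value should be deployed centrally (for example through Group Policy or the management tool you already use), and add the caveat that because it is read from the endpoint's own registry, anyone with local administrator rights on that machine can change which group it reports, so group membership is a labelling aid and not a trust boundary for scoping actions. "Machine related properties are being extended to account for:" reads like roadmap text; state what the two properties are rather than that they are "being extended".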
@ -95,7 +95,7 @@ Filter the list to view specific machines grouped together by the following malw
- **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
## Groups and tags
You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags).
You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags).
## Export machine list to CSV
You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file.
@ -61,7 +61,7 @@ You can lock down a device and prevent subsequent attempts of potentially malici
- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)<br>
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)<br>
- [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)<br>
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
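Review bot: after this change the bullet still presents "Manage machine group and tags" as one of the response actions in response-actions-windows-defender-advanced-threat-protection.md, while its target now lives in the investigate-machines topic and the matching sub-entry was removed from the response-actions branch of the TOC. Either move this bullet out of the response-actions list or reword the lead-in so the overview does not describe tagging as a response action; retargeting only the link leaves the page contradicting the TOC.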
@ -33,52 +33,6 @@ Quickly respond to detected attacks by isolating machines or collecting an inves
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
Machine related properties are being extended to account for:
- Group affiliation
- Dynamic context capturing
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.

3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.

Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.

## Collect investigation package from machines
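Review bot: with this section removed, the anchor `#manage-machine-group-and-tags` no longer exists in respond-machine-alerts-windows-defender-advanced-threat-protection.md; the hunks above retarget the TOC and two inbound links, but grep the repository for any remaining reference to that file and anchor before merging. The three screenshots (images/atp-manage-tags.png, images/atp-save-tag.png, images/atp-tag-management.png) are now referenced only from the investigate-machines topic and must not be cleaned up as orphans. Separately, the retained note "> These response actions are only available for machines on Windows 10, version 1703." conflicts with the isolation section later in this same file, which describes behaviour "On Windows 10, version 1710 and above"; it should read "version 1703 or later".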
@ -159,7 +113,7 @@ As part of the investigation or response process, you can remotely initiate an a

- **Submission time** - Shows when the isolation action was submitted.
- **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
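Review bot: the "isolation action" wording in the antivirus-scan section's Action center bullets was a copy-paste leftover, so this fix is right; the same bullet template is corrected under Restrict app execution in the next hunk, and the Action center is also used by "Collect investigation package from machines" in this file, so check that section's "Submission time" bullet for the same leftover rather than fixing two of three occurrences.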
@ -191,7 +145,7 @@ The action to restrict an application from running applies a code integrity poli

- **Submission time** - Shows when the isolation action was submitted.
- **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
@ -247,7 +201,7 @@ On Windows 10, version 1710 and above, you'll have additional control over the n
The Action center shows the submission information:

- **Submission time** - Shows when the isolation action was submitted.
- **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
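Review bot: this occurrence is in the isolation section itself (the trailing context reads "When the isolation configuration is applied"), so "isolation action" was accurate here and this edit is a consistency change rather than a bug fix; that is fine, but the PR description "fix bugs" should not be read as implying all three "Submission time" bullets were wrong.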