deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-22 18:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

response actions

Browse Source
This commit is contained in:
Beth Levin 2020-09-09 15:31:22 -07:00
parent 28a91343eb
commit 9c2eae9657
2 changed files with 19 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/TOC.md
View File

@ -325,10 +325,10 @@
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)

40
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -129,6 +129,24 @@ You can roll back and remove a file from quarantine if youve determined that
>
> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password.
By default, you will not be able to download files that are in quarantine.
![Image of download file action](images/atp-download-file-action.png)
### Download quarantined files
You can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available.
Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**.
### Collect files
If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Add indicator to block or allow a file
Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
@ -163,28 +181,6 @@ To stop blocking a file, remove the indicator. You can do so via the **Edit Indi
You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
![Image of download file action](images/atp-download-file-action.png)
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you're downloading the file. You can also set a password to open the file.
![Image of download file fly-out](images/atp-download-file-reason400.png)
### Download quarantined files
By default, you will not be able to download files that are in quarantine.
However, you can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available.
Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**.
### Collect files
If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Consult a threat expert
Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard.