From 9c2eae965795aa97d89750164d050187ae30e403 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 9 Sep 2020 15:31:22 -0700 Subject: [PATCH] response actions --- windows/security/threat-protection/TOC.md | 2 +- .../respond-file-alerts.md | 40 +++++++++---------- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0ec64812e8..d589a2de66 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -325,10 +325,10 @@ ###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) ###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) +###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) ###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) ###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) #### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 7d61280521..301fb51363 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -129,6 +129,24 @@ You can roll back and remove a file from quarantine if you’ve determined that > > Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days. +## Download or collect file + +Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password. + +By default, you will not be able to download files that are in quarantine. + +![Image of download file action](images/atp-download-file-action.png) + +### Download quarantined files + +You can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available. + +Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**. + +### Collect files + +If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled. + ## Add indicator to block or allow a file Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. @@ -163,28 +181,6 @@ To stop blocking a file, remove the indicator. You can do so via the **Edit Indi You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash. -## Download or collect file - -Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. - -![Image of download file action](images/atp-download-file-action.png) - -When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you're downloading the file. You can also set a password to open the file. - -![Image of download file fly-out](images/atp-download-file-reason400.png) - -### Download quarantined files - -By default, you will not be able to download files that are in quarantine. - -However, you can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available. - -Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**. - -### Collect files - -If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled. - ## Consult a threat expert Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard.