response actions

This commit is contained in:
Beth Levin 2020-09-09 15:31:22 -07:00
parent 28a91343eb
commit 9c2eae9657
2 changed files with 19 additions and 23 deletions

View File

@ -325,10 +325,10 @@
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) ###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) ###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) ###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) ###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) #### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
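Review bot: the TOC entry for "Download or collect file" is only moved (dropped from after "Check activity details in Action center", re-added after "Restore file from quarantine"), and its link target `microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file` is unchanged; since the second file in this commit relocates the section under the same heading text, the anchor still resolves and the TOC order now matches the order of the H2 headings in that file (Restore from quarantine, Download or collect, Add indicator). Nothing else in the hunk changes, so this looks fine as long as the section move lands in the same commit.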

View File

@ -129,6 +129,24 @@ You can roll back and remove a file from quarantine if youve determined that
> >
> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days. > Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password.
By default, you will not be able to download files that are in quarantine.
![Image of download file action](images/atp-download-file-action.png)
### Download quarantined files
You can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available.
Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**.
### Collect files
If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Add indicator to block or allow a file ## Add indicator to block or allow a file
Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
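Review bot: the relocated section drops the second screenshot that the original section carried (`![Image of download file fly-out](images/atp-download-file-reason400.png)`); the new text still describes the flyout ("A flyout will appear where you can record a reason for downloading the file, and set a password."), so either restore that image after the sentence or delete the now-unreferenced image file from `images/`. Two smaller points: the sentence "By default, you will not be able to download files that are in quarantine." has been pulled out of the "Download quarantined files" subsection, so that subsection now opens with "You can turn on a setting to backup..." without the contrast it used to have (the original read "However, you can turn on..."); and "flyout" vs. the image alt text "fly-out" should be spelled one way. Since the rendered view hides blank lines, also confirm there is a blank line between the last quote line of the restore note and the new `## Download or collect file` heading so the heading is not absorbed into the blockquote.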
@ -163,28 +181,6 @@ To stop blocking a file, remove the indicator. You can do so via the **Edit Indi
You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash. You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
![Image of download file action](images/atp-download-file-action.png)
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you're downloading the file. You can also set a password to open the file.
![Image of download file fly-out](images/atp-download-file-reason400.png)
### Download quarantined files
By default, you will not be able to download files that are in quarantine.
However, you can turn on a setting to backup quarantined files in a secure and compliant location so they can be downloaded directly from quarantine. Once this setting is enabled, the **Download file** button will always be available.
Go to **Settings** > **Advanced features** > **Download quarantined files** and switch the toggle to **On**.
### Collect files
If a file is not already stored by Microsoft Defender ATP, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Consult a threat expert ## Consult a threat expert
Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard. Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard.
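Review bot: this removal is the counterpart of the insertion earlier in the same file, and the heading text is identical in both places, so the `#download-or-collect-file` anchors used by the TOC and any external links keep working. Because the side-by-side rendering collapses blank lines, check that after the deletion a blank line still separates the paragraph ending "Indicators are listed in this area by their file's hash." from `## Consult a threat expert`; otherwise the heading will render as part of the preceding paragraph. Also confirm `images/atp-download-file-reason400.png` is either still referenced somewhere or removed alongside this block.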