security operations dashboard

This commit is contained in:
Joey Caparas 2017-08-24 16:42:52 -07:00
parent f73d3fc085
commit a0b02d8eb1
16 changed files with 30 additions and 30 deletions

View File

@ -36,7 +36,7 @@ If your organization satisfies these conditions, the feature is enabled by defau
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Dashboard
- Security operations dashboard
- Alert queue
- Machine details page

View File

@ -115,7 +115,7 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together
![Alerts queue bulk edit](images/alerts-q-bulk.png)
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)

View File

@ -1,5 +1,5 @@
---
title: View the Windows Defender Advanced Threat Protection Dashboard
title: View the Windows Defender Advanced Threat Protection Security operations dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
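Review bot: the `description:` front-matter line still opens with "Use the Dashboard to identify machines at risk…" while both `title:` lines and the H1 in the next hunk now say "Security operations dashboard"; update it to match (e.g. "Use the Security operations dashboard to identify machines at risk…"), since this description is what search results and link previews display.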
@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 09/01/2017
---
# View the Windows Defender Advanced Threat Protection Dashboard
# View the Windows Defender Advanced Threat Protection Security operations dashboard
**Applies to:**
@ -25,7 +25,7 @@ ms.date: 09/01/2017
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Dashboard** displays a snapshot of:
The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
- Daily machines reporting
@ -37,7 +37,7 @@ The **Dashboard** displays a snapshot of:
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.

View File

@ -85,7 +85,7 @@ The **Alert timeline** feature provides an addition view of the evidence that tr
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)

View File

@ -48,7 +48,7 @@ The **Communication with URL in organization** section provides a chronological
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -56,7 +56,7 @@ The **Most recent observed machines with the file** section allows you to specif
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if youre trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)

View File

@ -56,7 +56,7 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -28,7 +28,7 @@ You can click on affected machines whenever you see them in the portal to open a
- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
@ -171,7 +171,7 @@ Dynamic context capturing is achieved using tags. By tagging machines, you can k
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
@ -196,7 +196,7 @@ You can manage tags from the Actions button or by selecting a machine from the M
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -28,7 +28,7 @@ ms.date: 09/01/2017
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
- Dashboard
- Security operations dashboard
- Alert queue
- Machine details page
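Review bot: the unchanged context line above this hunk still reads "displayed on dashboard as "Users at risk"" while the list item directly below it is renamed to "Security operations dashboard"; change the context sentence to "displayed on the Security operations dashboard as "Users at risk"" so the same topic does not use both names.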
@ -82,7 +82,7 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -104,7 +104,7 @@ You can sort the **Machines list** by the following columns:
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -25,7 +25,7 @@ ms.date: 09/01/2017
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
@ -115,7 +115,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -49,14 +49,14 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. </br> **Feedback** -Access the feedback button to provide comments about the portal. </br> **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information. </br> **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list.
(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:
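Review bot: the new **Dashboards** row refers to a "Security analytics dashboard" that no other file in this commit mentions or links to, and it drops the old **Dashboard** row's description of what the view does; confirm the Security analytics dashboard topic exists (and link it), and keep a sentence such as "Provides clickable tiles that open detailed information on various alerts that have been detected in your organization." so the navigation table still explains the Security operations dashboard.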

View File

@ -42,7 +42,7 @@ On Windows 10, version 1710 and above, you'll have additional control over the n
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
@ -94,7 +94,7 @@ The action to restrict an application from running applies a code integrity poli
1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
@ -152,7 +152,7 @@ The package contains the following folders:
1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the heading of the machine name from the machines list.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
@ -187,7 +187,7 @@ As part of the investigation or response process, you can remotely initiate an a
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.

View File

@ -38,7 +38,7 @@ Topic | Description
[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)

View File

@ -29,7 +29,7 @@ The **Service health** provides information on the current status of the Window
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane.
You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane.
The **Service health** details page has the following tabs:

View File

@ -27,7 +27,7 @@ ms.date: 09/01/2017
A typical security breach investigation requires a member of a security operations team to:
1. View an alert on the **Dashboard** or **Alerts queue**
1. View an alert on the **Security operations dashboard** or **Alerts queue**
2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
3. Review a timeline of alerts, behaviors, and events from the machine
4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
@ -36,13 +36,13 @@ A typical security breach investigation requires a member of a security operatio
Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long theyve been in the network at a glance.
Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long theyve been in the network at a glance.
### In this section
Topic | Description
:---|:---
[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
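Review bot: the replaced line still carries the typo "theyve" (missing apostrophe) from the old line; fix it to "they've" while the line is being touched. Separately, the renamed table row uses the full page title "View the Windows Defender Advanced Threat Protection Security operations dashboard" as link text while the sibling rows use short forms ("View and organize the Alerts queue", "Investigate alerts"); "View the Security operations dashboard" would keep the column consistent.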