deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix warnings

Browse Source
This commit is contained in:
Joey Caparas
2020-01-15 16:33:18 -08:00
parent cb05ca2099
commit a0ccf3a1b8
4 changed files with 25 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
View File

@ -44,7 +44,7 @@ If you turn network protection off, users or apps will not be blocked from conne
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
For more information, see [Enable network protection](enable-network-protection.md).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.

26
windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: artilce
ms.topic: article
---
# Prepare Microsoft Defender ATP deployment
@ -37,8 +37,8 @@ to the table below as appropriate for your organization.
|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the customer<EFBFBD>s organization.* | R |
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the customer<EFBFBD>s organization.* | R |
| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the customer's organization.* | R |
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the customer's organization.* | R |
| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
## Project Management
@ -117,15 +117,15 @@ Microsoft Defender ATP supports two ways to manage permissions:
- **Role-based access control (RBAC)**: Set granular permissions by defining
roles, assigning Azure AD user groups to the roles, and granting the user
groups access to machine groups. For more information on RBAC, see<EFBFBD>[Manage
groups access to machine groups. For more information on RBAC, see [Manage
portal access using role-based access
control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection).
control](rbac.md).
Microsoft recommends leveraging RBAC to ensure that only users that have a
business justification can access Microsoft Defender ATP.
You can find details on permission guidelines
[here](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
The following example table serves to identify the Cyber Defense Operations
Center structure in your environment that will help you determine the RBAC
@ -133,9 +133,9 @@ structure required for your environment.
| Tier | Description | Permission Required |
|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Tier 1 | **Local security operations team / IT team**<EFBFBD> <br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
| Tier 2 | **Regional security operations team**<EFBFBD> <br> This team can see all the machines for their region and perform remediation actions. | View data |
| Tier 3 | **Global security operations team**<EFBFBD><br> This team consists of security experts and are authorized to see and perform all actions from the portal. | View data <br> Alerts investigation Active remediation ctions <br> Alerts investigation Active remediation actions <br> Manage portal system settings <br> Manage security settings |
| Tier 1 | **Local security operations team / IT team**<br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
| Tier 2 | **Regional security operations team**<br> This team can see all the machines for their region and perform remediation actions. | View data |
| Tier 3 | **Global security operations team**<br> This team consists of security experts and are authorized to see and perform all actions from the portal. | View data <br> Alerts investigation Active remediation ctions <br> Alerts investigation Active remediation actions <br> Manage portal system settings <br> Manage security settings |
@ -153,12 +153,12 @@ order on how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don<EFBFBD>t get missed. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
## Related topic
- [Production deployment](production-deployment.md)

23
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -26,17 +26,16 @@ Proper planning is the foundation of a successful deployment. In this deployment
- Tenant configuration
- Network configuration
- Onboarding using System Center Configuration Manager
- Endpoint detection and response
- Next generation protection
- Attack surface reduction
>[!NOTE]
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Tenant Configuration
When accessing<EFBFBD>[Microsoft Defender Security
Center](https://securitycenter.windows.com/)<29>for the first time there will be a
setup wizard that will guide you through some initial steps. At the end of the
setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP
created. The easiest method is to perform these steps from a Windows 10 client
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/)<29>for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client
machine.
1. From a web browser, navigate to <https://securitycenter.windows.com>.
@ -97,7 +96,7 @@ Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defe
- Registry based configuration
- WinHTTP configured using netsh command <EFBFBD> Suitable only for desktops in a
- WinHTTP configured using netsh command - Suitable only for desktops in a
stable topology (for example: a desktop in a corporate network behind the
same proxy)
@ -113,7 +112,7 @@ under:
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- Set it to<EFBFBD>**Enabled**<EFBFBD>and select<63>**Disable Authenticated Proxy usage**
- Set it to **Enabled** and select<63>**Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
@ -175,7 +174,7 @@ is configured on these machines.
### Proxy Service URLs
URLs that include v20 in them are only needed if you have Windows 10, version
1803 or later machines. For example,<EFBFBD>`us-v20.events.data.microsoft.com`<EFBFBD>is only
1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only
needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
@ -243,7 +242,7 @@ below to onboard systems with Configuration Manager.
![Image of System Center Configuration Manager wizard](images/sccm-criteria.png)
7. Keep criterion type as **simple value**, choose where as **Operating System <EFBFBD> build number**, operator as **is equal to** and value **10240** and click on **OK**.
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
![Image of System Center Configuration Manager wizard](images/sccm-simple-value.png)
@ -297,9 +296,7 @@ Manager and deploy that policy to Windows 10 devices.
![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png)
12. Select the appropriate telemetry (**Normal** or **Expedited**).
13. Click **Next**.
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png)

2
windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
View File

@ -135,7 +135,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog.
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.