mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 08:17:23 +00:00
Merge branch 'MDBranchMachineToDeviceParent' of https://github.com/MicrosoftDocs/windows-docs-pr into MDBranchMachineToDeviceParent
This commit is contained in:
commit
a60e9049e6
@ -27,7 +27,7 @@ Exploit protection applies helps protect devices from malware that use exploits
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
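Review bot: the context line quoted in this hunk's header still reads "Exploit protection applies helps protect devices", which has a leftover word; since the file is being touched for the machine-to-device rename, suggest fixing it to "Exploit protection helps protect devices" in the same commit.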
@ -39,7 +39,7 @@ The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sampl
Before you export a configuration file, you need to ensure you have the correct settings.
You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
@ -77,7 +77,7 @@ When you have configured exploit protection to your desired state (including bot
**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
> When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
## Import a configuration file
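Review bot: the IMPORTANT block tells the reader to put the exported XML in a shared location but says nothing about protecting it. Every device that applies the policy takes its mitigation settings from that file, so anyone who can write to the share can weaken or switch off mitigations for the whole fleet. Suggest adding a sentence that the share must be read-only for the computer accounts that consume it and writable only by the administrators who maintain the configuration. The same IMPORTANT text is repeated under "Manage or deploy a configuration" later in this file and should get the same wording.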
@ -136,14 +136,14 @@ You can only do this conversion in PowerShell.
## Manage or deploy a configuration
You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
You can use Group Policy to deploy the configuration you've created to multiple devices in your network.
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
> When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
### Use Group Policy to distribute the configuration
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -24,7 +24,7 @@ ms.topic: article
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information.
## Investigate incidents that involve sensitive data
Learn how to use data sensitivity labels to prioritize incident investigation.
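Review bot: the unchanged first line of this hunk reads "where sensitive files may be jeopardy"; it is missing a word and should be "may be in jeopardy". The changed line's "sensitive information such as confidential information" is circular; since the feature keys on labels, "devices holding files that carry a sensitivity label" says what the column actually reflects.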
@ -34,7 +34,7 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
1. In Microsoft Defender Security Center, select **Incidents**.
2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

@ -46,16 +46,16 @@ Learn how to use data sensitivity labels to prioritize incident investigation.

4. Select the **Machines** tab to identify machines storing files with sensitivity labels.
4. Select the **Devices** tab to identify devices storing files with sensitivity labels.


5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.


>[!TIP]
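Review bot: the two image lines in this hunk (atp-incident-machines-tab.png and atp-incident-machine-timeline.png) are shown as changed but read identically on both sides, so the diff is probably whitespace only. The file names and, presumably, the captured screenshots still show "Machines"; since step 4 now tells the reader to select the **Devices** tab, check that the screenshots show the renamed tab or they will contradict the text.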
@ -1,6 +1,6 @@
---
title: Start Investigation API
description: Use this API to start investigation on a machine.
description: Use this API to start investigation on a device.
keywords: apis, graph api, supported apis, investigation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -24,7 +24,7 @@ ms.topic: article
## API description
Start automated investigation on a machine.
Start automated investigation on a device.
<br>See [Overview of automated investigations](automated-investigations.md) for more information.
@ -43,7 +43,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
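Review bot: the link text is renamed to "Create and manage device groups" while the target stays machine-groups.md. That is fine as long as the file itself is not renamed, but the same pattern recurs in every "Related topics" list in this commit (investigate-machines.md); if the files are renamed in a follow-up, all of these links and their redirects need to move together, so it is worth tracking them as one item.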
@ -1,7 +1,7 @@
---
title: Investigate Microsoft Defender Advanced Threat Protection alerts
description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
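Review bot: the unchanged description line in this hunk reads "get details on alerts are affecting your network"; it is missing "that" ("alerts that are affecting your network") and is the page's search snippet, so worth fixing while the front matter is being edited.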
@ -40,13 +40,13 @@ You'll also see a status of the automated investigation on the upper right corne

The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
@ -78,7 +78,7 @@ The alert details pane helps you take a deeper look at the details about the ale
## Incident graph
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed.
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.

@ -86,10 +86,10 @@ The **Incident Graph** supports expansion by File, Process, command line, or Des
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
## Artifact timeline
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.

@ -99,7 +99,7 @@ Selecting an alert detail brings up the **Details pane** where you'll be able to
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
@ -32,7 +32,7 @@ The proxy acts as if it was the target endpoint. In these cases, simple network
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
## Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode).
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes:
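Review bot: the heading in this hunk says "behind a firewall" while the paragraph under it, and the rest of the page, describe a forward proxy; suggest "Use network protection to monitor network connections behind a forward proxy" so the heading matches the scenario. The "(at the minimum in audit mode)" clause is the right advice for visibility, but it would help to say in the same sentence that audit mode only surfaces the events and does not block, so nobody enables it expecting enforcement.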
@ -47,9 +47,9 @@ If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](enable-network-protection.md).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up.


Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
@ -1,6 +1,6 @@
---
title: Investigate Microsoft Defender Advanced Threat Protection domains
description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
description: Use the investigation options to see if devices and servers have been communicating with malicious domains.
keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -28,16 +28,16 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain.
You can investigate a domain by using the search feature or by clicking on a domain link from the **Machine timeline**.
You can investigate a domain by using the search feature or by clicking on a domain link from the **Device timeline**.
You can see information from the following sections in the URL view:
- URL details, Contacts, Nameservers
- Alerts related to this URL
- URL in organization
- Most recent observed machines with URL
- Most recent observed devices with URL
## URL worldwide
@ -61,7 +61,7 @@ The Alerts tab can be adjusted to show more or less information, by selecting **
## Observed in organization
The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, machine, and a brief description of what happened.
The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, device, and a brief description of what happened.
You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.
@ -69,15 +69,15 @@ You can view events from different periods of time by entering the dates into th
1. Select **URL** from the **Search bar** drop-down menu.
2. Enter the URL in the **Search** field.
3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from devices in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
5. Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
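Review bot: step 5 keeps "where you can continue investigate reported alerts"; it should read "continue investigating" (the IP page in this same commit has the identical wording). Step 3's note that results are only returned for URLs observed from devices in the organization is the caveat an analyst most needs here: an empty result means no onboarded device reported contact, not that the domain was never contacted, and one clause saying so would stop people closing an investigation on an empty search.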
@ -30,7 +30,7 @@ ms.date: 04/24/2018
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Machine timeline**.
There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Device timeline**.
Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
@ -67,7 +67,7 @@ You'll see details such as the file’s MD5, the Virus Total detection ratio, an
## Alerts
The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.

@ -76,9 +76,9 @@ The **Alerts** tab provides a list of alerts that are associated with the file.
The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
>[!NOTE]
>This tab will show a maximum number of 100 machines. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
>This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.


Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
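Review bot: the last context line in this hunk, "This will allow you to see only files that communicated with that IP Address at that time", is copied from the IP address page; on the file page it should describe the devices observed with the file in the chosen window. Also, the 100-device cap in the NOTE means the on-screen list can understate the blast radius of a file; the CSV export is the right answer and reads better as the expected step when the count reaches 100 rather than as an option.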
@ -99,7 +99,7 @@ The **File names** tab lists all names the file has been observed to use, within
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
@ -1,7 +1,7 @@
---
title: Investigate incidents in Microsoft Defender ATP
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -28,13 +28,13 @@ Investigate incidents that affect your network, understand what they mean, and c
When you investigate an incident, you'll see:
- Incident details
- Incident comments and actions
- Tabs (alerts, machines, investigations, evidence, graph)
- Tabs (alerts, devices, investigations, evidence, graph)
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).

@ -44,7 +44,7 @@ Alerts are grouped into incidents based on the following reasons:
- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
- File characteristics - The files associated with the alert have similar characteristics
- Manual association - A user manually linked the alerts
- Proximate time - The alerts were triggered on the same machine within a certain timeframe
- Proximate time - The alerts were triggered on the same device within a certain timeframe
- Same file - The files associated with the alert are exactly the same
- Same URL - The URL that triggered the alert is exactly the same
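Review bot: "within a certain timeframe" in the Proximate time bullet is the one grouping rule on this list a reader cannot act on; if the window is documented elsewhere, link it, and if it is not fixed, say so, otherwise analysts will assume a value. The rest of the list already distinguishes similarity-based grouping (file characteristics) from exact matches (same file, same URL), which is the useful part to keep.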
@ -52,10 +52,10 @@ Alerts are grouped into incidents based on the following reasons:
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
### Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines.md).
### Devices
You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md).


### Investigations
Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
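Review bot: renaming the "### Machines" heading to "### Devices" changes the generated anchor from #machines to #devices, so any inbound link to this page's #machines fragment will silently land at the top of the page; grep the repo for that fragment and update the links (or keep a redirect) in the same change. The "## Most recent observed machines with IP" heading in the IP page hunk of this commit has the same problem.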
@ -72,7 +72,7 @@ Each of the analyzed entities will be marked as infected, remediated, or suspici
Microsoft Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
### Incident graph
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc.

@ -1,6 +1,6 @@
---
title: Investigate an IP address associated with an alert
description: Use the investigation options to examine possible communication between machines and external IP addresses.
description: Use the investigation options to examine possible communication between devices and external IP addresses.
keywords: investigate, investigation, IP address, alert, windows defender atp, external IP
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -26,9 +26,9 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Examine possible communication between your machines and external internet protocol (IP) addresses.
Examine possible communication between your devices and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices.
You can find information from the following sections in the IP address view:
@ -52,11 +52,11 @@ The **IP in organization** section provides details on the prevalence of the IP
## Prevalence
The **Prevalence** section displays how many machines have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
The **Prevalence** section displays how many devices have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
## Most recent observed machines with IP
## Most recent observed devices with IP
The **Most recent observed machines** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
The **Most recent observed devices** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
**Investigate an external IP:**
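Review bot: the Prevalence paragraph states the default period is 30 days; when the page's own use case is scoping contact with a C2 server, that default can hide earlier beaconing, so suggest one sentence telling the reader to widen the period before concluding how many devices talked to the address. Minor: the bold in "The **Most recent observed devices** with IP section" covers only part of the heading name; bold the whole "Most recent observed devices with IP" or none of it.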
@ -64,14 +64,14 @@ The **Most recent observed machines** with IP section provides a chronological v
2. Enter the IP address in the **Search** field.
3. Click the search icon or press **Enter**.
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address.
> [!NOTE]
> Search results will only be returned for IP addresses observed in communication with machines in the organization.
> Search results will only be returned for IP addresses observed in communication with devices in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
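Review bot: "where you can continue investigate reported alerts, behaviors, and events" in the last changed pair of this hunk is ungrammatical in both the removed and the added line; since the line is already being edited for the machine-to-device rename, change it to "continue to investigate" in the same change.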

@ -79,6 +79,6 @@ Clicking any of the machine names will take you to that machine's view, where yo
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
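Review bot: the link text becomes "Investigate devices in the Microsoft Defender ATP Devices list" while the target stays investigate-machines.md, so the label and the file name no longer agree. That is acceptable only if the file is not being renamed anywhere in this change; if it is, this link (and the identical one in the other renamed pages) breaks. Confirm the destination still resolves after the merge.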

@ -1,7 +1,7 @@
---
title: Investigate machines in the Microsoft Defender ATP Machines list
description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
title: Investigate devices in the Microsoft Defender ATP Devices list
description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health.
keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
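Review bot: the keywords line drops "machines" and "machine name" entirely, so readers who still search for the old term will no longer land on this page. Keep both terms during the transition (for example "devices, machines, ..., device name, machine name") rather than replacing them outright; the title and description changes are fine as they are.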
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Investigate machines in the Microsoft Defender ATP Machines list
# Investigate devices in the Microsoft Defender ATP Devices list

**Applies to:**

@ -25,33 +25,33 @@ ms.topic: article

>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)

Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.

You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:

- [Machines list](investigate-machines.md)
- [Devices list](investigate-machines.md)
- [Alerts queue](alerts-queue.md)
- [Security operations dashboard](security-operations-dashboard.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view

When you investigate a specific machine, you'll see:
When you investigate a specific device, you'll see:

- Machine details
- Device details
- Response actions
- Cards (active alerts, logged on users, security assessment)
- Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities)




## Machine details
## Device details

The machine details section provides information such as the domain, OS, and health state of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.
The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package.

## Response actions

Response actions run along the top of a specific machine page and include:
Response actions run along the top of a specific device page and include:

- Manage tags
- Initiate automated investigation
@ -59,13 +59,13 @@ Response actions run along the top of a specific machine page and include:
- Collect investigation package
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Isolate device
- Consult a threat expert
- Action center

You can take response actions in the Action center, in a specific machine page, or in a specific file page.
You can take response actions in the Action center, in a specific device page, or in a specific file page.

For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md).
For more information on how to take action on a device, see [Take response action on a device](respond-machine-alerts.md).

For more information, see [Investigate user entities](investigate-user.md).

@ -73,7 +73,7 @@ For more information, see [Investigate user entities](investigate-user.md).

### Active alerts

The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.



@ -88,29 +88,29 @@ The **Logged on users** card shows how many users have logged on in the past 30

### Security assessments

The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations.
The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations.



## Tabs

The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.
The five tabs under the cards section show relevant security and threat prevention information related to the device. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.

### Alerts

The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
The **Alerts** section provides a list of alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.




When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related machines. Multiple alerts can be selected at a time.
When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time.

To see a full page view of an alert including incident graph and process tree, select the title of the alert.

### Timeline

The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.
The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the device. This can help you correlate any events, files, and IP addresses in relation to the device.

The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.
The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a device over a selected time period. To further control your view, you can filter by event groups or customize the columns.

>[!NOTE]
> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
@ -120,17 +120,17 @@ The timeline also enables you to selectively drill down into events that occurre
>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection




Some of the functionality includes:

- Search for specific events
- Use the search bar to look for specific timeline events.
- Filter events from a specific date
- Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the machine timeline is set to display the events from the past 30 days.
- Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the device timeline is set to display the events from the past 30 days.
- Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations
- Export detailed machine timeline events
- Export the machine timeline for the current date or a specified date range up to seven days.
- Export detailed device timeline events
- Export the device timeline for the current date or a specified date range up to seven days.

More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example:

@ -142,7 +142,7 @@ More details about certain events are provided in the **Additional information**
- Suspicious script detected - a potentially malicious script was found running
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided

You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.

#### Event details
Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
@ -159,7 +159,7 @@ To further inspect the event and related events, you can quickly run an [advance

### Software inventory

The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details




@ -30,7 +30,7 @@ Method|Return Type |Description
:---|:---|:---
[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity.
[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a machine.
[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.


## Properties
@ -42,8 +42,8 @@ endTime | DateTime Nullable | The date and time when the investigation was compl
cancelledBy | String | The ID of the user/application that cancelled that investigation.
investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
statusDetails | String | Additional information about the state of the investigation.
machineId | String | The ID of the machine on which the investigation is executed.
computerDnsName | String | The name of the machine on which the investigation is executed.
machineId | String | The ID of the device on which the investigation is executed.
computerDnsName | String | The name of the device on which the investigation is executed.
triggeringAlertId | String | The ID of the alert that triggered the investigation.
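Review bot: only the description column changes here and the property names machineId and computerDnsName are left untouched, which is correct: they are the JSON field names of the Investigation entity and renaming them would break every API client. Because the property column now reads "machineId" next to a description that says "device", consider a one-line remark above the table (or in the commit message) that property names are part of the API contract, so a later rename pass does not touch them.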


@ -1,7 +1,7 @@
---
title: Isolate machine API
description: Use this API to create calls related isolating a machine.
keywords: apis, graph api, supported apis, isolate machine
description: Use this API to create calls related isolating a device.
keywords: apis, graph api, supported apis, isolate device
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
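Review bot: the description and keywords are updated to "device", but the unchanged title line directly above them still reads "Isolate machine API", so the front matter is now internally inconsistent. If the title is kept on purpose because the permission display name is literally 'Isolate machine', say so in the commit message; otherwise update it to "Isolate device API" in this same change. The description also reads "calls related isolating a device" and is missing "to" ("related to isolating"), which is worth fixing while the line is edited.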
@ -24,14 +24,14 @@ ms.topic: article


## API description
Isolates a machine from accessing external network.
Isolates a device from accessing external network.


## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.


[!include[Machine actions note](../../includes/machineactionsnote.md)]
[!include[Device actions note](../../includes/machineactionsnote.md)]

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
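Review bot: changing the include label to "Device actions note" does not change anything the reader sees; the shared file ../../includes/machineactionsnote.md is still referenced by its old path and its content is not part of this hunk. Check that the include file's own text was updated in the same change, otherwise the note rendered on this page will still say "machine".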
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)


## HTTP request
@ -93,4 +93,4 @@ Content-type: application/json
}


- To unisolate a machine, see [Release machine from isolation](unisolate-machine.md).
- To unisolate a device, see [Release device from isolation](unisolate-machine.md).

@ -41,7 +41,7 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f

Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File extension | All files with the extension, anywhere on the device | `.test`
File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
Folder | All files under the specified folder | `/var/log/`<br/>`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`

@ -236,8 +236,8 @@ In order to preview new features and provide early feedback, it is recommended t

Download the onboarding package from Microsoft Defender Security Center:

1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 machines)** as the deployment method.
1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 devices)** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.


@ -263,9 +263,9 @@ Download the onboarding package from Microsoft Defender Security Center:

## Client configuration

1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target machine.
1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.

Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
Initially the client device is not associated with an organization. Note that the *orgId* attribute is blank:

```bash
mdatp --health orgId
@ -277,7 +277,7 @@ Download the onboarding package from Microsoft Defender Security Center:
python MicrosoftDefenderATPOnboardingLinuxServer.py
```

3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
3. Verify that the device is now associated with your organization and reports a valid organization identifier:

```bash
mdatp --health orgId
@ -293,7 +293,7 @@ Download the onboarding package from Microsoft Defender Security Center:
> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.<br>
> Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).

5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):


@ -60,7 +60,7 @@ Before you get started, please see [the main Microsoft Defender ATP for Linux pa

Download the onboarding package from Microsoft Defender Security Center:

1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.

@ -81,7 +81,7 @@ Download the onboarding package from Microsoft Defender Security Center:

Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:

- Copy the onboarding package to all client machines:
- Copy the onboarding package to all client devices:

```bash
- name: Copy the zip file
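Review bot: the fenced block opened with ```bash in the trailing context of this hunk holds an Ansible task (`- name: Copy the zip file`), which is YAML rather than shell; tag the fence as yaml so it is highlighted correctly. The wording change in the bullet above it is fine as is.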

@ -41,7 +41,7 @@ In addition, for Puppet deployment, you need to be familiar with Puppet administ

Download the onboarding package from Microsoft Defender Security Center:

1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.

@ -171,7 +171,7 @@ Enrolled agent devices periodically poll the Puppet Server, and install new conf

## Monitor Puppet deployment

On the agent machine, you can also check the onboarding status by running:
On the agent device, you can also check the onboarding status by running:

```bash
$ mdatp --health

@ -84,7 +84,7 @@ The following fields are considered common for all events:
| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
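Review bot: only the hostname description changes here and the telemetry field names (machine_guid, hostname) stay as they are, which is right, since these are the identifiers emitted in the diagnostic data. The machine_guid row now carries "machine" in its name next to descriptions that say "device"; that is the correct outcome, but a short note in the table introduction that field names are literal would keep a later rename pass from touching them.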
|
||||
@ -125,7 +125,7 @@ The following fields are collected:
|
||||
| cloud_service.service_uri | URI used to communicate with the cloud. |
|
||||
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
|
||||
| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
|
||||
| edr.early_preview | Whether the machine should run EDR early preview features. |
|
||||
| edr.early_preview | Whether the device should run EDR early preview features. |
|
||||
| edr.group_id | Group identifier used by the detection and response component. |
|
||||
| edr.tags | User-defined tags. |
|
||||
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
|
||||
|
@ -101,11 +101,11 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
|
||||
- Antivirus alerts, including:
|
||||
- Severity
|
||||
- Scan type
|
||||
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
|
||||
- Device information (hostname, device identifier, tenant identifier, app version, and OS type)
|
||||
- File information (name, path, size, and hash)
|
||||
- Threat information (name, type, and state)
|
||||
- Device information, including:
|
||||
- Machine identifier
|
||||
- Device identifier
|
||||
- Tenant identifier
|
||||
- App version
|
||||
- Hostname
|
||||
|
@ -32,7 +32,7 @@ To test if Microsoft Defender ATP for Linux can communicate to the cloud with th
|
||||
$ mdatp --connectivity-test
|
||||
```
|
||||
|
||||
If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
|
||||
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
|
||||
|
||||
## Troubleshooting steps for environments without proxy or with transparent proxy
|
||||
|
||||
|
@ -25,7 +25,7 @@ ms.topic: article
|
||||
|
||||
Learn about common commands used in live response and see examples on how they are typically used.
|
||||
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on devices using live response](live-response.md).
|
||||
|
||||
|
||||
## analyze
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Investigate entities on machines using live response in Microsoft Defender ATP
|
||||
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
|
||||
title: Investigate entities on devices using live response in Microsoft Defender ATP
|
||||
description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time.
|
||||
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -60,8 +60,8 @@ You'll need to enable the live response capability in the [Advanced features set
|
||||
>[!NOTE]
|
||||
>Only users with manage security or global admin roles can edit these settings.
|
||||
|
||||
- **Ensure that the machine has an Automation Remediation level assigned to it**.<br>
|
||||
You'll need to enable, at least, the minimum Remediation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
|
||||
- **Ensure that the device has an Automation Remediation level assigned to it**.<br>
|
||||
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
|
||||
|
||||
- **Enable live response unsigned script execution** (optional). <br>

@ -92,11 +92,11 @@ The dashboard also gives you access to:
- Command log


## Initiate a live response session on a machine
## Initiate a live response session on a device

1. Log in to Microsoft Defender Security Center.

2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
2. Navigate to the devices list page and select a device to investigate. The devices page opens.

3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
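Review bot: in step 2 the new text "The devices page opens" should read "The device page opens": selecting one device opens that device's page, not the devices list the reader just came from. The original "machines page" had the same plural-for-singular slip, so this rewrite is the place to fix it.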

@ -152,7 +152,7 @@ The commands that you can use in the console follow similar principles as [Windo

The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.

### Get a file from the machine
### Get a file from the device

For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
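Review bot: renaming the heading "### Get a file from the machine" to "### Get a file from the device" changes its generated anchor from #get-a-file-from-the-machine to #get-a-file-from-the-device, so any existing link to the old fragment will now land at the top of the page; search the doc set for the old anchor and update it in the same change. The body text below the heading already says "device", so the heading rename itself is consistent. Unrelated but on the same line: "when you'd like get a file" is missing "to".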

@ -41,7 +41,7 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f

Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File extension | All files with the extension, anywhere on the device | `.test`
File | A specific file identified by the full path | `/var/log/test.log`
Folder | All files under the specified folder | `/var/log/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`
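Review bot: the hunk header context "The follow table shows the exclusion types" has a typo ("following"); it sits immediately above the changed row, so fixing it here costs nothing. The machine-to-device change in the "File extension" row is correct and the other rows need no change.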

@ -36,7 +36,7 @@ Before you get started, see [the main Microsoft Defender ATP for macOS page](mic

Download the installation and onboarding packages from Microsoft Defender Security Center:

1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
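Review bot: the menu path in step 1 is written as **Settings > Device Management > Onboarding** here but as **Settings > Device management > Onboarding** in the Intune page edited later in this same commit; pick the capitalization that matches the portal and use it in both places.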

@ -47,7 +47,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi

## Application installation

To complete this process, you must have admin privileges on the machine.
To complete this process, you must have admin privileges on the device.

1. Navigate to the downloaded wdav.pkg in Finder and open it.

@ -72,13 +72,13 @@ The installation proceeds.
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this.

> [!NOTE]
> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted.
> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.

## Client configuration

1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS.
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.

The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
The client device is not associated with orgId. Note that the *orgId* attribute is blank.

```bash
$ mdatp --health orgId
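Review bot: step 1 under "Client configuration" tells the reader to copy MicrosoftDefenderATPOnboardingMacOs.py, while the download steps earlier in this file save the onboarding package as WindowsDefenderATPOnboardingPackage.zip and never say where the .py script comes from; since this line is being rewritten, add a clause stating how the script is obtained from that package. The machine-to-device substitutions in the NOTE and the orgId sentence are fine.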

@ -91,7 +91,7 @@ The installation proceeds.
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```

3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
3. Verify that the device is now associated with your organization and reports a valid *orgId*:

```bash
$ mdatp --health orgId
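Review bot: the context line "(You may be required to enter sudos password)" reads as a typo for "your sudo password"; if it is the script's verbatim output leave it, otherwise correct it while this block is being touched. Step 3's wording change is fine.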

@ -320,7 +320,7 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
> [!CAUTION]
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.



@ -55,7 +55,7 @@ The following table summarizes the steps you would need to take to deploy and ma

Download the installation and onboarding packages from Microsoft Defender Security Center:

1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**.
1. In Microsoft Defender Security Center, go to **Settings > Device management > Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**.
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.

@ -140,7 +140,7 @@ Use the **Logs** tab to monitor deployment status for each enrolled device.

### Notification settings

Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all machines with Defender:
Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all devices with Defender:

```xml
<?xml version="1.0" encoding="UTF-8"?>
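Review bot: "a user must manually allow to display notifications in UI" is ungrammatical and the line is already being rewritten; suggest "a user must manually allow notifications to be displayed in the UI". In the same sentence "Auto Update" names the product that the CAUTION in the Intune page spells "Microsoft AutoUpdate"; use one spelling.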

@ -287,4 +287,4 @@ Your policy should contain a single script:



Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
Configure the appropriate scope in the **Scope** tab to specify the devices that will receive this policy.

@ -36,20 +36,20 @@ If your organization uses a Mobile Device Management (MDM) solution that is not

Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:

- Deploy a macOS .pkg to managed machines.
- Deploy macOS system configuration profiles to managed machines.
- Run an arbitrary admin-configured tool/script on managed machines.
- Deploy a macOS .pkg to managed devices.
- Deploy macOS system configuration profiles to managed devices.
- Run an arbitrary admin-configured tool/script on managed devices.

Most modern MDM solutions include these features, however, they may call them differently.

You can deploy Defender without the last requirement from the preceding list, however:

- You will not be able to collect status in a centralized way
- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator
- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator

## Deployment

Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template.
Most MDM solutions use the same model for managing macOS devices, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template.

### Package
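Review bot: in the uninstall bullet, "logon to the client device" uses the noun form; as a verb it is "log on to". The bullet is being rewritten, so fold the fix in. The three "managed devices" bullets and the Deployment paragraph are fine as changed.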

@ -68,7 +68,7 @@ Your system may support an arbitrary property list in XML format. You can upload
Alternatively, it may require you to convert the property list to a different format first.

Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.

### Kernel extension policy

@ -76,4 +76,4 @@ Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to

## Check installation status

Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status.
Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client device to check the onboarding status.

@ -314,7 +314,7 @@ Manage the preferences of the endpoint detection and response (EDR) component of

Specify a tag name and its value.

- The GROUP tag, tags the machine with the specified value. The tag is reflected in the portal under the machine page and can be used for filtering and grouping machines.
- The GROUP tag, tags the device with the specified value. The tag is reflected in the portal under the device page and can be used for filtering and grouping devices.

|||
|:---|:---|
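Review bot: "The GROUP tag, tags the device" has a stray comma between subject and verb; the bullet is being rewritten, so make it "The GROUP tag tags the device". The table that follows ("|||" / "|:---|:---|") has empty column headings and renders as two unlabeled columns; since this section is already touched, consider naming them.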

@ -80,7 +80,7 @@ The following fields are considered common for all events:
| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
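Review bot: leaving the field name machine_guid untouched while only the hostname description changes to "Local device name" is the right call, because the first column lists the keys actually emitted in the telemetry and renaming them in prose would misdescribe the data. One thing to tidy while here: machine_guid and sense_guid carry word-for-word identical descriptions, which gives a reader no way to tell the two identifiers apart.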

@ -122,7 +122,7 @@ The following fields are collected:
| cloud_service.service_uri | URI used to communicate with the cloud. |
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
| edr.early_preview | Whether the machine should run EDR early preview features. |
| edr.early_preview | Whether the device should run EDR early preview features. |
| edr.group_id | Group identifier used by the detection and response component. |
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |

@ -96,8 +96,8 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 |
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |

## Client Microsoft Defender ATP quarantine directory
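Review bot: keeping the URL slug .../microsoft-defender-atp/machine-groups unchanged in the rewritten "Add group tag" row is correct, since machine-groups.md is edited but not renamed elsewhere in this commit; if that file is renamed later, this absolute link needs a redirect. Style point on the same row: "please visit" can be "see", matching the rest of the table.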

@ -1,7 +1,7 @@
---
title: Create and manage machine groups in Microsoft Defender ATP
description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group
keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank
title: Create and manage device groups in Microsoft Defender ATP
description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group
keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
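Review bot: the rewritten description line carries over the typo "confiring" ("configuring"); since the line is being replaced anyway, fix it here rather than in a follow-up.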

@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Create and manage machine groups
# Create and manage device groups

**Applies to:**

@ -25,64 +25,64 @@ ms.topic: article
- Office 365
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags.

In Microsoft Defender ATP, you can create machine groups and use them to:
In Microsoft Defender ATP, you can create device groups and use them to:
- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md)
- Configure different auto-remediation settings for different sets of machines
- Configure different auto-remediation settings for different sets of devices
- Assign specific remediation levels to apply during automated investigations
- In an investigation, filter the **Machines list** to just specific machine groups by using the **Group** filter.
- In an investigation, filter the **Devices list** to just specific device groups by using the **Group** filter.

You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the machine group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md).
You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md).

>[!TIP]
> For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015).

As part of the process of creating a machine group, you'll:
As part of the process of creating a device group, you'll:
- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations.md).
- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
- Select the Azure AD user group that should have access to the machine group.
- Rank the machine group relative to other groups after it is created.
- Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it is added only to the highest ranked device group.
- Select the Azure AD user group that should have access to the device group.
- Rank the device group relative to other groups after it is created.

>[!NOTE]
>A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
>A device group is accessible to all users if you don’t assign any Azure AD groups to it.

## Create a machine group
## Create a device group

1. In the navigation pane, select **Settings** > **Machine groups**.
1. In the navigation pane, select **Settings** > **Device groups**.

2. Click **Add machine group**.
2. Click **Add device group**.

3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts).
3. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts).

>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags.md).
>If you want to group devices by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage device tags](machine-tags.md).

4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.
4. Preview several devices that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.

5. Assign the user groups that can access the machine group you created.
5. Assign the user groups that can access the device group you created.

>[!NOTE]
>You can only grant access to Azure AD user groups that have been assigned to RBAC roles.

6. Click **Close**. The configuration changes are applied.

## Manage machine groups
## Manage device groups

You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
You can promote or demote the rank of a device group so that it is given higher or lower priority during matching. When a device is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.

>[!WARNING]
>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group.
>Deleting a device group may affect email notification rules. If a device group is configured under an email notification rule, it will be removed from that rule. If the device group is the only group configured for an email notification, that email notification rule will be deleted along with the device group.

By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group.
By default, device groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the device group.

Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
Devices that are not matched to any groups are added to Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.

>[!NOTE]
> Applying changes to machine group configuration may take up to several minutes.
> Applying changes to device group configuration may take up to several minutes.

## Related topics

- [Manage portal access using role-based based access control](rbac.md)
- [Create and manage machine tags](machine-tags.md)
- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md)
- [Create and manage device tags](machine-tags.md)
- [Get list of tenant device groups using Graph API](get-machinegroups-collection.md)
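Review bot: the rewritten bullet "Specify the matching rule that determines which device group belongs to the group" carries over a logic error from the original: the rule determines which devices belong to the group, not which group belongs to it; reword to "determines which devices belong to the group based on the device name, domain, tags, and OS platform". Two smaller points in the same hunk: "Ungrouped devices (default)" is the label of a group users see in the portal, so check it against the actual UI string rather than renaming it by search-and-replace, and the unchanged Related topics entry "role-based based access control" has a duplicated word that could be fixed while the list is being edited.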

@ -1,6 +1,6 @@
---
title: Machine health and compliance report in Microsoft Defender ATP
description: Track machine health state detections, antivirus status, OS platform, and Windows 10 versions using the machine health and compliance report
title: Device health and compliance report in Microsoft Defender ATP
description: Track device health state detections, antivirus status, OS platform, and Windows 10 versions using the device health and compliance report
keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150

@ -17,25 +17,25 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Machine health and compliance report in Microsoft Defender ATP
# Device health and compliance report in Microsoft Defender ATP

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)


The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

The dashboard is structured into two sections:



Section | Description
:---|:---
1 | Machine trends
2 | Machine summary (current day)
1 | Device trends
2 | Device summary (current day)


## Machine trends
By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
## Device trends
By default, the device trends displays device information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:

- 30 days
- 3 months
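Review bot: "By default, the device trends displays device information" has a subject-verb mismatch; since the line is being rewritten, make it "the device trends section displays". Also "The devices status report" reads awkwardly next to the new page title; "The device status report" matches "Device health and compliance report". The image paths images/machine-reports.png are correctly left alone, as the files are not renamed in this commit.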

@ -43,42 +43,42 @@ By default, the machine trends displays machine information from the 30-day peri
- Custom

>[!NOTE]
>These filters are only applied on the machine trends section. It doesn't affect the machine summary section.
>These filters are only applied on the device trends section. It doesn't affect the device summary section.

## Machine summary
While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day.
## Device summary
While the devices trends shows trending device information, the device summary shows device information scoped to the current day.

>[!NOTE]
>The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27, 2019.<br>
> The filter applied on the trends section is not applied on the summary section.

The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive.
The device trends section allows you to drill down to the devices list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the devices list with results showing only devices whose sensor status is inactive.



## Machine attributes
The report is made up of cards that display the following machine attributes:
## Device attributes
The report is made up of cards that display the following device attributes:

- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.

- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus.
- **Antivirus status for active Windows 10 devices**: shows the number of devices and status of Windows Defender Antivirus.

- **OS platforms**: shows the distribution of OS platforms that exists within your organization.

- **Windows 10 versions**: shows the distribution of Windows 10 machines and their versions in your organization.
- **Windows 10 versions**: shows the distribution of Windows 10 devices and their versions in your organization.



## Filter data

Use the provided filters to include or exclude machines with certain attributes.
Use the provided filters to include or exclude devices with certain attributes.

You can select multiple filters to apply from the machine attributes.
You can select multiple filters to apply from the device attributes.

>[!NOTE]
>These filters apply to **all** the cards in the report.

For example, to show data about Windows 10 machines with Active sensor health state:
For example, to show data about Windows 10 devices with Active sensor health state:

1. Under **Filters > Sensor health state > Active**.
2. Then select **OS platforms > Windows 10**.
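Review bot: "While the devices trends shows trending device information" should be "While the device trends section shows", and in the NOTE above it, "These filters are only applied on the device trends section. It doesn't affect" mixes plural and singular ("They don't affect"). Both lines are already being rewritten, so fold the fixes in. The card title "Antivirus status for active Windows 10 devices" is a portal label, so confirm it matches the UI before changing it.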

@ -1,7 +1,7 @@
---
title: Create and manage machine tags
description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident
keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank
title: Create and manage device tags
description: Use device tags to group devices to capture context and enable dynamic list creation as part of an incident
keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10

@ -17,28 +17,28 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Create and manage machine tags
# Create and manage device tags

Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Machines list** view, or to group machines. For more information on machine grouping, see [Create and manage machine groups](machine-groups.md).
Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md).

You can add tags on machines using the following ways:
You can add tags on devices using the following ways:

- Using the portal
- Setting a registry key value

> [!NOTE]
> There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page.
> There may be some latency between the time a tag is added to a device and its availability in the devices list and device page.

To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md).
To add device tags using API, see [Add or remove device tags API](add-or-remove-machine-tags.md).

## Add and manage machine tags using the portal
## Add and manage device tags using the portal

1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
1. Select the device that you want to manage tags on. You can select or search for a device from any of the following views:

- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
- **Security operations dashboard** - Select the device name from the Top devices with active alerts section.
- **Alerts queue** - Select the device name beside the device icon from the alerts queue.
- **Devices list** - Select the device name from the list of devices.
- **Search box** - Select Device from the drop-down menu and enter the device name.

You can also get to the alert page through the file and IP views.
|
||||
|
||||
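Review bot: "**Devices list**" and "Select Device from the drop-down menu" are portal UI labels rather than prose, so the rename is only correct if the Security Center strings have actually changed; confirm them against the current portal before merging, because a reader who cannot find a "Device" entry in the search drop-down will stop here. The link text "Create and manage device groups" still points at machine-groups.md, which is fine as long as no file rename is part of this PR.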
@ -48,21 +48,21 @@ To add machine tags using API, see [Add or remove machine tags API](add-or-remov
|
||||
|
||||
3. Type to find or create tags
|
||||
|
||||

|
||||

|
||||
|
||||
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
|
||||
Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices.
|
||||
|
||||
>[!NOTE]
|
||||
> Filtering might not work on tag names that contain parenthesis.
|
||||
|
||||
You can also delete tags from this view.
|
||||
|
||||

|
||||

|
||||
|
||||
## Add machine tags by setting a registry key value
|
||||
## Add device tags by setting a registry key value
|
||||
|
||||
>[!NOTE]
|
||||
> Applicable only on the following machines:
|
||||
> Applicable only on the following devices:
|
||||
>- Windows 10, version 1709 or later
|
||||
>- Windows Server, version 1803 or later
|
||||
>- Windows Server 2016
|
||||
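Review bot: the "Applicable only on the following devices" note lists Windows 10 1709 or later, Windows Server 1803 or later and Windows Server 2016, but says nothing about Windows Server 2019 or down-level clients; if the registry method is unsupported there, say so explicitly so admins do not push the key via policy and wonder why tags never appear. Also, the note in the same hunk should read "tag names that contain parentheses".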
@ -74,15 +74,15 @@ You can also delete tags from this view.
|
||||
> [!NOTE]
|
||||
> The maximum number of characters that can be set in a tag is 200.
|
||||
|
||||
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
|
||||
Devices with similar tags can be handy when you need to apply contextual action on a specific list of devices.
|
||||
|
||||
Use the following registry key entry to add a tag on a machine:
|
||||
Use the following registry key entry to add a tag on a device:
|
||||
|
||||
- Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
|
||||
- Registry key value (REG_SZ): `Group`
|
||||
- Registry key data: `Name of the tag you want to set`
|
||||
|
||||
>[!NOTE]
|
||||
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
|
||||
>The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report.
|
||||
>
|
||||
> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
|
||||
|
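Review bot: the bulk rename correctly leaves `HKEY_LOCAL_MACHINE` alone (it is the hive name, not prose), but the last context line calls `Group` a "key" while the bullets define it as a registry value (REG_SZ) under the `DeviceTagging` key; use one term, e.g. "clear the data of the `Group` value instead of deleting the value". The same note still says "restart the endpoint" in a paragraph that otherwise uses "device", and since the path sits under `HKLM\SOFTWARE\Policies` it is worth saying that writing it requires administrative rights and is normally deployed through Group Policy or MDM rather than by hand.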
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: View and organize the Microsoft Defender ATP machines list
|
||||
description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations.
|
||||
keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
|
||||
title: View and organize the Microsoft Defender ATP devices list
|
||||
description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations.
|
||||
keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# View and organize the Microsoft Defender ATP Machines list
|
||||
# View and organize the Microsoft Defender ATP Devices list
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -25,35 +25,35 @@ ms.topic: article
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
|
||||
|
||||
The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days.
|
||||
The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days.
|
||||
|
||||
At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of machines most at risk.
|
||||
At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
|
||||
|
||||
There are several options you can choose from to customize the machines list view. On the top navigation you can:
|
||||
There are several options you can choose from to customize the devices list view. On the top navigation you can:
|
||||
|
||||
- Add or remove columns
|
||||
- Export the entire list in CSV format
|
||||
- Select the number of items to show per page
|
||||
- Apply filters
|
||||
|
||||
During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
|
||||
During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
|
||||
|
||||
>[!NOTE]
|
||||
> If you export the machine list, it will contain every machine in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
|
||||
> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.
|
||||
|
||||

|
||||

|
||||
|
||||
## Sort and filter the machine list
|
||||
## Sort and filter the device list
|
||||
|
||||
You can apply the following filters to limit the list of alerts and get a more focused view.
|
||||
|
||||
### Risk level
|
||||
|
||||
The risk level reflects the overall risk assessment of the machine based on a combination of factors, including the types and severity of active alerts on the machine. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
|
||||
The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
|
||||
|
||||
### Exposure level
|
||||
|
||||
The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations.
|
||||
The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations.
|
||||
|
||||
### OS Platform
|
||||
|
||||
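Review bot: the first paragraph says the list shows "devices in your network where alerts were generated", yet the onboarding paragraph in the same hunk says the list is populated "as they begin to report sensor data", i.e. independent of alerts; one of these is wrong and it changes how a reader interprets the 30-day default. "Track your onboarded endpoints" also introduces a third term alongside "devices". The export note is the important caveat here (the CSV ignores the view's filters and contains every device), so consider moving it directly under the "Export the entire list in CSV format" bullet.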
@ -61,19 +61,19 @@ Select only the OS platforms you're interested in investigating.
|
||||
|
||||
### Health state
|
||||
|
||||
Filter by the following machine health states:
|
||||
Filter by the following device health states:
|
||||
|
||||
- **Active** – Machines that are actively reporting sensor data to the service.
|
||||
- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
|
||||
- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
|
||||
- **Active** – Devices that are actively reporting sensor data to the service.
|
||||
- **Inactive** – Devices that have completely stopped sending signals for more than 7 days.
|
||||
- **Misconfigured** – Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to:
|
||||
- No sensor data
|
||||
- Impaired communications
|
||||
|
||||
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
|
||||
For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
|
||||
|
||||
### Antivirus status
|
||||
|
||||
Filter machines by antivirus status. Applies to active Windows 10 machines only.
|
||||
Filter devices by antivirus status. Applies to active Windows 10 devices only.
|
||||
|
||||
- **Disabled** - Virus & threat protection is turned off.
|
||||
- **Not reporting** - Virus & threat protection is not reporting.
|
||||
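Review bot: two grammar slips in the context lines of this hunk: "can further be classified to:" should be "classified as:", and "misconfigured devices see, [Fix unhealthy sensors]" should be "misconfigured devices, see [Fix unhealthy sensors]".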
@ -83,7 +83,7 @@ For more information, see [View the Threat & Vulnerability Management dashboard]
|
||||
|
||||
### Threat mitigation status
|
||||
|
||||
To view machines that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
|
||||
To view devices that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
|
||||
|
||||
To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md).
|
||||
|
||||
@ -93,8 +93,8 @@ Select only the Windows 10 versions you're interested in investigating.
|
||||
|
||||
### Tags & Groups
|
||||
|
||||
Filter the list based on the grouping and tagging that you've added to individual machines. See [Create and manage machine tags](machine-tags.md) and [Create and manage machine groups](machine-groups.md).
|
||||
Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md) and [Create and manage device groups](machine-groups.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
|
||||
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
|
||||
|
@ -26,7 +26,7 @@ ms.topic: article
|
||||
|
||||
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
|
||||
|
||||
You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Machine page for an individual device.
|
||||
You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device.
|
||||
|
||||
Selecting an alert in either of those places brings up the **Alert management pane**.
|
||||
|
||||
@ -48,7 +48,7 @@ When a suppression rule is created, it will take effect from the point when the
|
||||
|
||||
There are two contexts for a suppression rule that you can choose from:
|
||||
|
||||
- **Suppress alert on this machine**
|
||||
- **Suppress alert on this device**
|
||||
- **Suppress alert in my organization**
|
||||
|
||||
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
|
||||
@ -57,8 +57,8 @@ You can use the examples in the following table to help you choose the context f
|
||||
|
||||
| **Context** | **Definition** | **Example scenarios** |
|
||||
|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed. <br /><br />All other alerts on that machine will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other machines in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul> |
|
||||
| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul> |
|
||||
| **Suppress alert on this device** | Alerts with the same alert title and on that specific device only will be suppressed. <br /><br />All other alerts on that device will not be suppressed. | <ul><li>A security researcher is investigating a malicious script that has been used to attack other devices in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul> |
|
||||
| **Suppress alert in my organization** | Alerts with the same alert title on any device will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul> |
|
||||
|
||||
### Suppress an alert and create a new suppression rule:
|
||||
Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
|
||||
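Review bot: the "Suppress alert on this device" row should warn that device-scoped suppression hides every future alert with that title on that device, not just the researcher's current activity; the security-researcher scenario is exactly where a later, real detection with the same title would go unseen, so suggest reviewing or time-bounding such rules. The heading "### Suppress an alert and create a new suppression rule:" also carries a trailing colon that the other headings do not.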
@ -79,7 +79,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
|
||||
3. Select the **Trigerring IOC**.
|
||||
|
||||
4. Specify the action and scope on the alert. <br>
|
||||
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs. <br><br> Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
|
||||
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs. <br><br> Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
|
||||
|
||||
|
||||
5. Enter a rule name and a comment.
|
||||
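Review bot: context line "3. Select the **Trigerring IOC**." has a typo ("Triggering"); if that is the literal portal label, fix it in the portal string too. In step 4 the statement that hidden alerts "will not be streamed across Microsoft Defender ATP APIs" deserves a one-line caveat that hidden alerts therefore never reach SIEM or other API consumers, so "hide" should be reserved for confirmed noise rather than used as a default.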
@ -100,7 +100,7 @@ You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by chan
|
||||
|
||||
For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
|
||||
|
||||
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
|
||||
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
|
||||
|
||||
|
||||
|
||||
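Review bot: the example "coming from a device that is irrelevant (such as one belonging to a security administrator)" reads as advice that alerts on security administrators' devices can be resolved without analysis, which is the opposite of what a SOC should do with a privileged user's device; reword to a neutral example (e.g. a device known to be running an authorized test) or qualify it as "after confirming the activity was the administrator's own".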
@ -120,7 +120,7 @@ Added comments instantly appear on the pane.
|
||||
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
|
||||
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
|
||||
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
|
||||
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
|
||||
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
|
||||
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
|
||||
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
|
||||
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
|
||||
description: Review and approve (or reject) remediation actions following an automated investigation.
|
||||
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
|
||||
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
|
@ -20,13 +20,13 @@ ms.topic: conceptual
|
||||
|
||||
# Manage endpoint detection and response capabilities
|
||||
|
||||
Manage the alerts queue, investigate machines in the machines list, take response actions, and hunt for possible threats in your organization using advanced hunting.
|
||||
Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting.
|
||||
|
||||
|
||||
## In this section
|
||||
Topic | Description
|
||||
:---|:---
|
||||
[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center.
|
||||
[Machines list](machines-view-overview.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts.
|
||||
[Take response actions](response-actions.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats.
|
||||
[Devices list](machines-view-overview.md) | Learn how you can view and manage the devices list, manage device groups, and investigate device related alerts.
|
||||
[Take response actions](response-actions.md)| Take response actions on devices and files to quickly respond to detected attacks and contain threats.
|
||||
[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
|
||||
|
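Review bot: "investigate device related alerts" in the Devices list row should be hyphenated ("device-related alerts"); the bulk replacement did not change the phrase structure, so this was already missing.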
@ -28,7 +28,7 @@ ms.topic: article
|
||||
|
||||
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
|
||||
|
||||
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
|
||||
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to.
|
||||
|
||||
Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
|
||||
|
||||
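Review bot: the changed sentence uses "as well as" twice in a row ("as well as the duration ... as well as the scope of the device group"); restructure it, e.g. "You can define the action to be taken, how long it applies, and the device group it applies to."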
@ -61,7 +61,7 @@ You can create an indicator for:
|
||||
|
||||
|
||||
## Create indicators for files
|
||||
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
|
||||
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
|
||||
|
||||
There are two ways you can create indicators for files:
|
||||
- By creating an indicator through the settings page
|
||||
@ -72,7 +72,7 @@ It's important to understand the following prerequisites prior to creating indic
|
||||
|
||||
- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
|
||||
- The Antimalware client version must be 4.18.1901.x or later.
|
||||
- Supported on machines on Windows 10, version 1703 or later.
|
||||
- Supported on devices on Windows 10, version 1703 or later.
|
||||
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
|
||||
- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
|
||||
|
||||
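Review bot: "Supported on devices on Windows 10, version 1703 or later" is awkward; "Supported on devices running Windows 10, version 1703 or later" reads naturally, and the same construction recurs in the IP/URL and certificate prerequisite lists later in this file. The context line also spells "Cloud–based" with an en dash instead of a hyphen.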
@ -95,14 +95,14 @@ It's important to understand the following prerequisites prior to creating indic
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the machine group.
|
||||
- Scope - Define the scope of the device group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
### Create a contextual indicator from the file details page
|
||||
One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file.
|
||||
|
||||
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
|
||||
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
|
||||
|
||||
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
|
||||
|
||||
@ -111,13 +111,13 @@ Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, thr
|
||||
|
||||
The threat intelligence data set for this has been managed by Microsoft.
|
||||
|
||||
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
|
||||
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by device groups if you deem certain groups to be more or less at risk than others.
|
||||
|
||||
### Before you begin
|
||||
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
|
||||
- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
|
||||
- The Antimalware client version must be 4.18.1906.x or later.
|
||||
- Supported on machines on Windows 10, version 1709 or later.
|
||||
- Supported on devices on Windows 10, version 1709 or later.
|
||||
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
|
||||
|
||||
|
||||
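Review bot: context line "prior to creating indicators for IPS, URLs, or domains" should read "IPs" (the capitalised form reads as an intrusion prevention system, which is a different thing on a page about network indicators); the changed line below it has the same "devices on Windows 10" wording noted earlier.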
@ -144,7 +144,7 @@ It's important to understand the following prerequisites prior to creating indic
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the machine group.
|
||||
- Scope - Define the scope of the device group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
@ -162,7 +162,7 @@ It's important to understand the following requirements prior to creating indica
|
||||
|
||||
- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
|
||||
- The Antimalware client version must be 4.18.1901.x or later.
|
||||
- Supported on machines on Windows 10, version 1703 or later.
|
||||
- Supported on devices on Windows 10, version 1703 or later.
|
||||
- The virus and threat protection definitions must be up-to-date.
|
||||
- This feature currently supports entering .CER or .PEM file extensions.
|
||||
|
||||
@ -185,7 +185,7 @@ It's important to understand the following requirements prior to creating indica
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the machine group.
|
||||
- Scope - Define the scope of the device group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
|
@ -31,7 +31,7 @@ Acknowledging that customer environments and structures can vary, Microsoft Defe
|
||||
|
||||
## Endpoint onboarding and portal access
|
||||
|
||||
Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management.
|
||||
Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management.
|
||||
|
||||
Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
|
||||
- Globally distributed organizations and security teams
|
||||
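Review bot: the mechanical replacement turned "tools used for machines management" into "tools used for devices management"; the noun adjunct should be singular, "device management". "Complete end-to-end experience" in the same sentence also needs an article ("a complete end-to-end experience").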
@ -57,9 +57,9 @@ Microsoft Defender ATP offers a layered API model exposing data and capabilities
Watch this video for a quick overview of Microsoft Defender ATP's APIs.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]

The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).

The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others.
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.

## Raw data streaming API
Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
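Review bot: the Investigation API paragraph now says "device, user, and file" for the profiled entities, but the API surface in this same commit still uses "Machine" (the unchanged `Machine.Offboard | 'Offboard machine'` permission row and the "Machines - Get list of machines" connector action further down). Keep "machine" where the text names the API entity, or add a parenthetical such as "device (the Machine entity in the API)", so readers can map the prose to the real resource names. While the Response API sentence is being rewritten, "manage settings, alert status, as well as take response actions" reads as a fragment; "manage settings and alert status, and take response actions" parses.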
@ -29,7 +29,7 @@ ms.topic: article
To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration.

>[!NOTE]
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.

> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security.

@ -43,7 +43,7 @@ Once activated, Microsoft Defender ATP will immediately start forwarding discove

## View the data collected

To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate machines in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security).
To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security).


For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
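Review bot: the link text becomes "Investigate devices in Cloud App Security" while the URL fragment stays `#investigate-machines-in-cloud-app-security`. Leaving the fragment alone is right only if the target page in the cloud-app-security doc set still carries its old heading anchor; since that page is outside this repo, confirm the anchor resolves before merging, otherwise the link silently lands at the top of the page. "Microsoft Cloud Apps Security" in the same line is also a pre-existing typo for "Microsoft Cloud App Security".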
@ -28,7 +28,7 @@ ms.date: 10/18/2018
Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security).

>[!NOTE]
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.

## Microsoft Defender ATP and Cloud App Security integration

@ -1,7 +1,7 @@
---
title: Microsoft Defender Advanced Threat Protection
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats.
keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, device behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -34,7 +34,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.


- **Cloud security analytics**: Leveraging big-data, machine-learning, and
- **Cloud security analytics**: Leveraging big-data, device-learning, and
unique Microsoft optics across the Windows ecosystem,
enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses
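Review bot: "machine-learning" → "device-learning" in the Cloud security analytics bullet is a search-and-replace error, not a rename: "machine learning" is the name of the technique and has nothing to do with a machine/device in the endpoint sense. Restore the original wording ("Leveraging big-data, machine-learning, and unique Microsoft optics") and grep the rest of the branch for other hits on "machine learning" / "machine-learning" before merging, since a blanket replace will have touched every occurrence.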
@ -34,7 +34,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
> [!TIP]
> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.

To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac machines), configure your macOS machine running Microsoft Defender ATP to be an "Insider" machine. See [Enable Microsoft Defender ATP Insider Machine](endpoint-detection-response-mac-preview.md).
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See [Enable Microsoft Defender ATP Insider Device](endpoint-detection-response-mac-preview.md).

## How to install Microsoft Defender ATP for Mac

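Review bot: the link text changes to "Enable Microsoft Defender ATP Insider Device" but the target file, endpoint-detection-response-mac-preview.md, is not touched in this hunk; confirm that article's title was renamed in the same branch, otherwise the link text and the page heading will disagree. The quoted term "Insider" device is presented as the product's own label, so it should follow what the macOS product and its preview documentation actually call it rather than the global wording change.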
@ -105,7 +105,7 @@ The output from this command should be similar to the following:
`OK https://cdn.x.cp.wd.microsoft.com/ping`

> [!CAUTION]
> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.

Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash

@ -26,12 +26,12 @@ Microsoft Defender Security Center is the portal where you can access Microsoft
Topic | Description
:---|:---
Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
[Onboard machines](onboard-configure.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Onboard devices](onboard-configure.md) | Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.
Reporting | Create and build Power BI reports using Microsoft Defender ATP data.
Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
Check service health and sensor state | Verify that the service is running and check the sensor state on devices.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product.
[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
@ -44,10 +44,10 @@ Microsoft Threat Experts provides proactive hunting for the most important threa
- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.

## Collaborate with experts, on demand
Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:

- Get additional clarification on alerts including root cause or scope of the incident
- Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker
- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker
- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary

@ -56,8 +56,8 @@ The option to **Consult a threat expert** is available in several places in the
- <i>**Help and support menu**</i><BR>


- <i>**Machine page actions menu**</i><BR>

- <i>**Device page actions menu**</i><BR>


- <i>**Alerts page actions menu**</i><BR>

@ -1,6 +1,6 @@
---
title: Minimum requirements for Microsoft Defender ATP
description: Understand the licensing requirements and requirements for onboarding machines to the service
description: Understand the licensing requirements and requirements for onboarding devices to the service
keywords: minimum requirements, licensing, comparison table
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.

> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).

@ -79,12 +79,12 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows Server, version 1803 or later
- Windows Server 2019

Machines on your network must be running one of these editions.
Devices on your network must be running one of these editions.

The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions.
The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions.

> [!NOTE]
> Machines running mobile versions of Windows are not supported.
> Devices running mobile versions of Windows are not supported.


### Other supported operating systems
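Review bot: the rewritten line "The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions." keeps a pre-existing number-agreement error; since the line is being edited anyway, make it "The hardware requirements ... are the same as those for the supported editions."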
@ -110,12 +110,12 @@ When you run the onboarding wizard for the first time, you must choose where you
> [!NOTE]
> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.

You must ensure that the diagnostic data service is enabled on all the machines in your organization.
You must ensure that the diagnostic data service is enabled on all the devices in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.

**Use the command line to check the Windows 10 diagnostic data service startup type**:

1. Open an elevated command-line prompt on the machine:
1. Open an elevated command-line prompt on the device:

a. Go to **Start** and type **cmd**.

@ -156,21 +156,21 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the


#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
Internet connectivity on devices is required either directly or through proxy.

The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.

For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md).
For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).

Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.


## Windows Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.

You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).

When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy.
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, devices that are onboarded to Microsoft Defender ATP must be excluded from this group policy.

If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).

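Review bot: the renamed line "Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10." restates what the previous hunk already says ("You must ensure that the diagnostic data service is enabled on all the devices in your organization. By default, this service is enabled ..."), so the same requirement now appears twice a few sections apart; keep it once, or turn the later sentence into a pointer back to the earlier check. Also, while the passive-mode sentence is being touched, "goes on passive mode" should read "goes into passive mode" (the last paragraph already uses "run on passive mode" in the same sense; pick one form).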
@ -181,11 +181,11 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
If you're running Windows Defender Antivirus as the primary antimalware product on your devices, the Microsoft Defender ATP agent will successfully onboard.

If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).


## Related topics
- [Validate licensing and complete setup](licensing.md)
- [Onboard machines](onboard-configure.md)
- [Onboard devices](onboard-configure.md)
@ -42,7 +42,7 @@ It is the first solution in the industry to bridge the gap between security admi
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.

- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
- Linked device vulnerability and security configuration assessment data in the context of exposure discovery
- Built-in remediation processes through Microsoft Intune and Configuration Manager

### Real-time discovery
@ -60,7 +60,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those

- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed devices with business-critical applications, confidential data, or high-value users.

### Seamless remediation

@ -72,13 +72,13 @@ Microsoft Defender ATP's Threat & Vulnerability Management allows security admin

## Before you begin

Ensure that your machines:
Ensure that your devices:

- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later

>[!NOTE]
>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
>Threat & Vulnerability Management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.

- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:

@ -90,7 +90,7 @@ Ensure that your machines:
> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)

- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Have at least one security recommendation that can be viewed in the device page
- Are tagged or marked as co-managed

## Related topics

@ -1,6 +1,6 @@
---
title: Offboard machine API
description: Use this API to offboard a machine from WDATP.
description: Use this API to offboard a device from WDATP.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
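Review bot: the description is renamed to "offboard a device" while the title two lines above, "Offboard machine API", is left as "machine", so this front matter is now internally inconsistent. Decide deliberately: either rename the title as well, or keep both as "machine" because the underlying permission (`Machine.Offboard`, visible in the later hunk of this file) and the API name still use that term and readers search by it.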
@ -24,7 +24,7 @@ ms.topic: article


## API description
Offboard machine from Microsoft Defender ATP.
Offboard device from Microsoft Defender ATP.


## Limitations
@ -47,7 +47,7 @@ Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to 'Global Admin' AD role
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```

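Review bot: the unchanged bullet directly above the rewritten one, ">- The user needs to 'Global Admin' AD role", is missing its verb; while this note block is being edited, make it "The user needs to have the 'Global Admin' AD role". The permission row in the hunk header (`Machine.Offboard | 'Offboard machine'`) is correctly left untouched because it is the literal permission name; a short remark in the prose that "device" here corresponds to the API's Machine entity would stop the rename from reading as a mismatch between the table and the text.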
@ -1,6 +1,6 @@
---
title: Onboard machines to the Microsoft Defender ATP service
description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
title: Onboard devices to the Microsoft Defender ATP service
description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test.
keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---

# Onboard machines to the Microsoft Defender ATP service
# Onboard devices to the Microsoft Defender ATP service

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -40,11 +40,11 @@ In general, to onboard devices to the service:
## In this section
Topic | Description
:---|:---
[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP.
[Onboard Windows 10 machines](configure-endpoints.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Microsoft Defender ATP.
[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure devices in your enterprise.
[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP
[Onboard non-Windows machines](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding.


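Review bot: two rows rewritten in this table carry pre-existing wording errors that should go with the rename. In the "Onboard Windows 10 devices" row, "onboard devices for it to report" disagrees in number; use "for them to report". In the "Onboard non-Windows devices" row, "This experience leverages on a third-party security products' sensor data" should read "This experience leverages third-party security products' sensor data".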
@ -1,6 +1,6 @@
---
title: Onboard previous versions of Windows on Microsoft Defender ATP
description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor
description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -40,7 +40,7 @@ To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.

> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).

## Configure and update System Center Endpoint Protection clients
> [!IMPORTANT]
@ -77,7 +77,7 @@ Review the following details to verify minimum system requirements:
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).

2. Obtain the workspace ID:
- In the Microsoft Defender ATP navigation pane, select **Settings > Machine management > Onboarding**
- In the Microsoft Defender ATP navigation pane, select **Settings > Device management > Onboarding**
- Select **Windows 7 SP1 and 8.1** as the operating system
- Copy the workspace ID and workspace key


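Review bot: "**Settings > Machine management > Onboarding**" → "**Settings > Device management > Onboarding**" renames a navigation path that admins must find in the portal, not just prose. If the portal menu label has not actually changed, this step no longer matches the UI; confirm the live label before merging, and treat UI paths as fixed strings that follow the product rather than the global wording change.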
@ -1,7 +1,7 @@
---
title: Onboard machines without Internet access to Microsoft Defender ATP
title: Onboard devices without Internet access to Microsoft Defender ATP
ms.reviewer:
description: Onboard machines without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -18,19 +18,19 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Onboard machines without Internet access to Microsoft Defender ATP
|
||||
# Onboard devices without Internet access to Microsoft Defender ATP
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
To onboard machines without Internet access, you'll need to take the following general steps:
|
||||
To onboard devices without Internet access, you'll need to take the following general steps:
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The steps below are applicable only to machines running previous versions of Windows such as:
|
||||
> The steps below are applicable only to devices running previous versions of Windows such as:
|
||||
Windows Server 2016 and earlier or Windows 8.1 and earlier.
|
||||
|
||||
> [!NOTE]
|
||||
> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
|
||||
> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 devices when configured via 'TelemetryProxyServer' registry or GPO.
|
||||
> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
|
||||
> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
|
||||
> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files].
|
||||
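Review bot: the CTL link on the last context line of this hunk has its Markdown inverted, `(Configure a file or web server to download the CTL files)[https://docs.microsoft.com/...]`, so it renders as literal parentheses followed by a bracketed URL; while this callout is being edited, flip it to `[Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files)`. Also, the line `Windows Server 2016 and earlier or Windows 8.1 and earlier.` lacks the `>` prefix, so it falls outside the [!IMPORTANT] callout it continues.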
@ -38,15 +38,15 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier.
|
||||
For more information about onboarding methods, see the following articles:
|
||||
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
|
||||
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
|
||||
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
|
||||
- [Configure device proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
|
||||
|
||||
## On-premise machines
|
||||
## On-premise devices
|
||||
|
||||
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
|
||||
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
|
||||
- [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
|
||||
|
||||
- Offline machines in the same network of Azure Log Analytics
|
||||
- Offline devices in the same network of Azure Log Analytics
|
||||
- Configure MMA to point to:
|
||||
- Azure Log Analytics IP as a proxy
|
||||
- Microsoft Defender ATP workspace key & ID
|
||||
|
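Review bot: `## On-premise devices` should read `## On-premises devices` (the adjective is "on-premises"), and the first bullet's `Setup Azure Log Analytics` uses the noun where the imperative `Set up` is meant. The renamed bullet `Offline devices in the same network of Azure Log Analytics` would read more naturally as `Offline devices on the same network as the Azure Log Analytics gateway`, which also matches the gateway wording the parent bullet uses.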
@ -45,14 +45,14 @@ You'll need to have access to:
|
||||
|
||||

|
||||
|
||||
4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
|
||||
4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
|
||||
|
||||

|
||||
|
||||
|
||||
5. Enter the following HTTP fields:
|
||||
|
||||
- Method: "GET" as a value to get the list of machines.
|
||||
- Method: "GET" as a value to get the list of devices.
|
||||
- URI: Enter `https://api.securitycenter.windows.com/api/machines`.
|
||||
- Authentication: Select "Active Directory OAuth".
|
||||
- Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
|
||||
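Review bot: renaming the prose to `device(s) API` is inconsistent with the identifiers on the same lines: the URI is still `https://api.securitycenter.windows.com/api/machines` and the connector action is still "Machines - Get list of machines". Since the API's own name did not change, consider `machines API (the /api/machines endpoint)` or similar so readers can match the text to what they type. Also `Sign-in to` in the Tenant bullet should be `Sign in to` (verb form).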
@ -159,9 +159,9 @@ You'll need to have access to:
|
||||
|
||||
```
|
||||
|
||||
10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example:
|
||||
10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example:
|
||||
- If yes, no notification will be triggered
|
||||
- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin
|
||||
- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin
|
||||
|
||||

|
||||
|
||||
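Review bot: the step 10 sentence `check if the onboarded device(s) is / are already registered at the SharePoint list as an example` is hard to parse; suggest `check whether the onboarded devices are already registered in the SharePoint list (used here as an example)`. The second sub-bullet `If no, will register the new onboarded device(s) ...` has no subject; `If no, the flow registers the newly onboarded devices in the SharePoint list and sends a notification to the Microsoft Defender ATP admin` keeps it parallel with `If yes, no notification will be triggered`.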
@ -184,16 +184,16 @@ The following image is an example of an email notification.
|
||||
|
||||
- You can filter here using lastSeen only:
|
||||
- Every 60 min:
|
||||
- Take all machines last seen in the past 7 days.
|
||||
- Take all devices last seen in the past 7 days.
|
||||
|
||||
- For each machine:
|
||||
- For each device:
|
||||
- If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
|
||||
- If first seen is on the past hour -> Alert for onboarding.
|
||||
|
||||
In this solution you will not have duplicate alerts:
|
||||
There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging.
|
||||
There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging.
|
||||
|
||||
You can split it to two queries:
|
||||
1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
|
||||
2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
|
||||
2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
|
||||
|
||||
|
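Review bot: `In this solution you will not have duplicate alerts:` ends in a colon, but the next line (`There are tenants that have numerous devices...`) starts a different topic (cost and paging), so the colon should be a period with a blank line separating the two paragraphs. The no-duplicates claim also rests on the window `[-7 days, -7days + 60 minutes ]` lining up exactly with a flow that runs every 60 minutes; if the schedule drifts or a run is skipped, a device can be missed or alerted on twice, which is worth stating next to the claim. Minor: normalize the spacing to `[-7 days, -7 days + 60 minutes]` and change `split it to two queries` to `split it into two queries`.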
@ -38,7 +38,7 @@ Article | Description
|
||||
[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
|
||||
[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
|
||||
[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus)
|
||||
[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content.
|
||||
[Web protection](./web-protection-overview.md) | Secure your devices against web threats and help you regulate unwanted content.
|
||||
[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
|
||||
[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
|
||||
[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
|
||||
|
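Review bot: the renamed Web protection row mixes voice (`Secure your devices ... and help you regulate ...`) while the neighbouring rows consistently open with an imperative (`Help ...`, `Extend ...`, `Prevent ...`); `Help secure your devices against web threats and regulate unwanted content` keeps the table parallel. Also, the Controlled folder access row lacks the period before `(Requires Windows Defender Antivirus)` that the Network protection row has.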
@ -23,13 +23,13 @@ ms.topic: conceptual
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
|
||||
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
|
||||
|
||||
Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
|
||||
|
||||
Custom detections provide:
|
||||
- Alerts for rule-based detections built from advanced hunting queries
|
||||
- Automatic response actions that apply to files and machines
|
||||
- Automatic response actions that apply to files and devices
|
||||
|
||||
>[!NOTE]
|
||||
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
|
||||
|
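Review bot: `>[!NOTE]` has no space after `>`, unlike the `> [!IMPORTANT]` and `> [!NOTE]` callouts in the onboarding article earlier in this patch; use `> [!NOTE]` for consistency across the set.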
@ -37,5 +37,5 @@ The response capabilities give you the power to promptly remediate threats by ac
|
||||
- [Security operations dashboard](security-operations-dashboard.md)
|
||||
- [Incidents queue](view-incidents-queue.md)
|
||||
- [Alerts queue](alerts-queue.md)
|
||||
- [Machines list](machines-view-overview.md)
|
||||
- [Devices list](machines-view-overview.md)
|
||||
|
||||
|
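Review bot: the link text becomes `Devices list` while the target stays `machines-view-overview.md`, consistent with the rest of this patch leaving file names and URLs untouched; that renders fine, but if the article file is later renamed to match the new terminology, a redirect for the old path will be needed so this and the other `machines-*` links do not break.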