deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

update images and toc

Browse Source
This commit is contained in:
jcaparas 2017-08-29 15:37:33 -07:00
parent eba8af7448
commit a817c102d1
5 changed files with 157 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/threat-protection/TOC.md
View File

@ -37,14 +37,16 @@
###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)

BIN
windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 185 KiB

46
windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -147,52 +147,6 @@ Expand an event to view associated processes related to the event. Click on the
The details pane enriches the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
Machine related properties are being extended to account for:
- Group affiliation
- Dynamic context capturing
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Related topics

33
windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
View File

@ -24,37 +24,34 @@ ms.date: 09/01/2017
[!include[Prerelease information](prerelease.md)]
# Investigate a user account in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
- Security operations dashboard
- Dashboard
- Alert queue
- Machine details page
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
- User account details, Azure Advanced Threat Protection alerts, and Logged on machines
- User account details and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
![Image of the user account entity details page](images/atp-user-details-view-tdp.png)
![Image of the user account entity details page](images/atp-user-view-ata.png)
The user account entity details, Azure Advanced Threat Protection alerts, and logged on machines sections display various attributes about the user account.
The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
If you have enabled the Azure Advanced Threat Protection feature and there are alerts related to the user, you can click on the link that will take you to the Azure Advanced Threat Protection page where more information about the alerts are provided. The Azure Advanced Threat Protection tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
>[!NOTE]
>Youll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature.
For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
@ -70,8 +67,6 @@ The machine health state is displayed in the machine icon and color as well as i
2. Enter the user account in the **Search** field.
3. Click the search icon or press **Enter**.
[IS THE BEHAVIOUR BELOW STILL TRUE? I TRIED TO SEARCH FOR USERS AND IT DOESN'T SEEM TO DISPLAY A LIST - PLEASE CHECK FOR TECHNICAL ACCURACY. THANKS!]
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods:

228
windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
View File

@ -30,108 +30,53 @@ Quickly respond to detected attacks by isolating machines or collecting an inves
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
## Isolate machines from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
Machine related properties are being extended to account for:
On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE]
>Youll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Isolate machine**.
![Image of isolate machine](images/atp-actions-isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png)
## Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Restrict app execution
In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
>[!NOTE]
>Youll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Restrict app execution**.
![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png)
3. Type a comment and select **Yes, restict app execution** to take action on the file.
![Image of app restriction notification](images/atp-notification-restrict.png)
The Action center shows the submission information:
![Image of action center with app restriction](images/atp-action-center-app-restriction.png)
- Group affiliation
- Dynamic context capturing
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
**Notification on machine user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
![Image of app restriction](images/atp-app-restriction.png)
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
## Remove app restriction
Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
1. Select the machine where you restricted an application from running from.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Remove app restrictions**.
2. Open the **Actions** menu and select **Manage tags**.
![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png)
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.
## Collect investigation package from machines
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
@ -216,6 +161,111 @@ As part of the investigation or response process, you can remotely initiate an a
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
## Restrict app execution
In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
>[!NOTE]
>Youll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Restrict app execution**.
![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png)
3. Type a comment and select **Yes, restict app execution** to take action on the file.
![Image of app restriction notification](images/atp-notification-restrict.png)
The Action center shows the submission information:
![Image of action center with app restriction](images/atp-action-center-app-restriction.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
![Image of app restriction](images/atp-app-restriction.png)
## Remove app restriction
Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine where you restricted an application from running from.
2. Open the **Actions** menu and select **Remove app restrictions**.
![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png)
3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.
## Isolate machines from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE]
>Youll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Isolate machine**.
![Image of isolate machine](images/atp-actions-isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png)
## Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details: