From 803e73d38c4261e29678bb384d31113ca2c5bb26 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 15:13:21 -0700 Subject: [PATCH 01/19] add new email notifications flow --- ...ows-defender-advanced-threat-protection.md | 45 ++++++++++++------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index a6f16281b6..61e76829f0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -38,29 +38,44 @@ You can also add or remove recipients of the email notification. New recipients The email notification includes basic information about the alert and a link to the portal where you can do further investigation. -## Set up email notifications for alerts -The email notifications feature is turned off by default. Turn it on to start receiving email notifications. +## Create rules for alert notifications +You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. -1. On the navigation pane, select **Settings** > **Alert notifications**. -2. Toggle the setting between **On** and **Off**. -3. Select the alert severity level that you’d like your recipients to receive: - - **High** – Select this level to send notifications for high-severity alerts. - - **Medium** – Select this level to send notifications for medium-severity alerts. - - **Low** - Select this level to send notifications for low-severity alerts. - - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of. -4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. -5. Click **Save preferences** when you’ve completed adding all the recipients. -Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. +1. In the navigation pane, select **Settings** > **General** > **Alert notifications**. + +2. Click **Add notification rule**. + +3. Specify the General information: + - **Rule name** + - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Alert severity** - Choose the alert severity level + +4. Click **Next**. + +5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses. + +6. Check that email recipients are able to receive the email notifications by selecting **Send test email**. + +7. Click **Save notification rule**. Here's an example email notification: ![Image of example email notification](images/atp-example-email-notification.png) -## Remove email recipients +## Edit a notification rule +1. Select the notification rule you'd like to edit. -1. Select the trash bin icon beside the email address you’d like to remove. -2. Click **Save preferences**. +2. Update the General and Recipient tab information. + +3. CLick **Save notification rule**. + + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Click **Delete**. ## Troubleshoot email notifications for alerts From 69a241fb9d4bdf0c828ea91497099ac2e73be8cb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 15:59:26 -0700 Subject: [PATCH 02/19] add warning in machine-groups when group is deleted --- ...windows-defender-advanced-threat-protection.md | 8 +++----- ...windows-defender-advanced-threat-protection.md | 15 +++++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 61e76829f0..e1c50259a0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -30,11 +30,9 @@ ms.date: 05/01/2018 You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] -> Only users with full access can configure email notifications. +> Only users with full access can configure email notifications. If you've chosen to use role-based access control (RBAC), users with Security Administrator or Global Administrator roles can configure email notifications. -You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default. - -You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). The email notification includes basic information about the alert and a link to the portal where you can do further investigation. @@ -68,7 +66,7 @@ Here's an example email notification: 2. Update the General and Recipient tab information. -3. CLick **Save notification rule**. +3. Click **Save notification rule**. ## Delete notification rule diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 221bfd7884..dbb76cc73f 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/04/2018 --- # Create and manage machine groups in Windows Defender ATP @@ -73,19 +73,22 @@ As part of the process of creating a machine group, you'll: >[!NOTE] >You can only grant access to Azure AD user groups that have been assigned to RBAC roles. -6. Click **Close**. +6. Click **Close**. The configuration changes are applied. -7. Apply the configuration settings. ## Understand matching and manage groups -You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. +You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. + +>[!WARNING] +>Deleting a machine group may affect email notification rules. If a machine group that's part of an email notification rule is the only machine group in that rule, that email notification rule will be deleted along with the machine group. By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. -Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. +Machines that are not matched to any groups are added to grouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. >[!NOTE] ->Applying changes to machine group configuration may take up to several minutes. +> - Applying changes to machine group configuration may take up to several minutes. + From 29b7d59a7bb9d2776a4897278d1d8a94cb0bbaf7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 16:13:06 -0700 Subject: [PATCH 03/19] add rbac info in email notifs --- ...otifications-windows-defender-advanced-threat-protection.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index e1c50259a0..c182936b37 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -34,8 +34,11 @@ You can configure Windows Defender ATP to send email notifications to specified You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine group that they are a part of. + The email notification includes basic information about the alert and a link to the portal where you can do further investigation. + ## Create rules for alert notifications You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. From dfd99584092e706962ed82262816ee63b74a90f8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 16:22:00 -0700 Subject: [PATCH 04/19] add link to automated investigations topic --- ...ps-windows-defender-advanced-threat-protection.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index dbb76cc73f..72b5a1ee22 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -33,7 +33,7 @@ In Windows Defender ATP, you can create machine groups and use them to: - Configure different auto-remediation settings for different sets of machines As part of the process of creating a machine group, you'll: -- Set the automated remediation level for that group +- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). - Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group. - Determine access to machine group - Rank the machine group relative to other groups after it is created @@ -51,16 +51,8 @@ As part of the process of creating a machine group, you'll: 3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: - **Name** - - **Remediation level for automated investigations** - - **No remediation** - - **Require approval (all folders)** - - **Require approval (non-temp folders)** - - **Require approval (core folders)** - - **Fully automated** - - - **Description** - + - **Description** - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. >[!TIP] From 7a032cdc356c17810b74e8351397263de6d80b7d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 16:30:13 -0700 Subject: [PATCH 05/19] add remediation level table to explain each level --- ...ations-windows-defender-advanced-threat-protection.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 6b4dfc59d6..2307538282 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -74,6 +74,15 @@ When a pending action is approved, the entity is then remediated and this new st ### How an Automated investigation is completed When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it. +## Understand the remediation levels for automated investigations +You can create machine groups and set remediation levels for automated investigations. The following table explains the various levels of remediations and the conditions associated with them. + +Remediation level | Description +:---|:--- +Full | Remediates threats automatically +Require approval for all folders | An approval is needed when a remediation is required on folders +Require approval for non-temp folders | An approval is required on files or executables that are not in temporary directories. This includes both user and system temporary directories. +Require approval for core folders | An approval is required on files or executables that are in the operating system directories such as Windows directory and Program files directory. ## Manage Automated investigations By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. From 414a24535c238b6328d4e228c551252f5784257d Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:28:10 +0000 Subject: [PATCH 06/19] Updated configure-email-notifications-windows-defender-advanced-threat-protection.md --- ...cations-windows-defender-advanced-threat-protection.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index c182936b37..42cf9bf182 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -30,11 +30,13 @@ ms.date: 05/01/2018 You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] -> Only users with full access can configure email notifications. If you've chosen to use role-based access control (RBAC), users with Security Administrator or Global Administrator roles can configure email notifications. +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). -If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine group that they are a part of. +If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope. +Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups. The email notification includes basic information about the alert and a link to the portal where you can do further investigation. @@ -49,7 +51,7 @@ You can create rules that determine the machines and alert severities to send em 3. Specify the General information: - **Rule name** - - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - **Alert severity** - Choose the alert severity level 4. Click **Next**. From e83b00588cb6a9e30be5bab10bfe44b22fed1b59 Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:34:27 +0000 Subject: [PATCH 07/19] Updated rbac-windows-defender-advanced-threat-protection.md --- .../rbac-windows-defender-advanced-threat-protection.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index fdb452e1ad..7fc722d5a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Add role**. -3. Enter the role name, description, and active permissions you’d like to assign to the role. +3. Enter the role name, description, and permissions you’d like to assign to the role. - **Role name** - **Description** - - **Active permissions** + - **Permissions** - **View data** - Users can view information in the portal. - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. 4. Click **Next** to assign the role to an Azure AD group. @@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Edit**. -3. Modify the details or the groups that the role is a part of. +3. Modify the details or the groups that are assigned to the role. 4. Click **Save and close**. ## Delete roles -1. Select the role row you'd like to delete. +1. Select the role you'd like to delete. 2. Click the drop-down button and select **Delete role**. From feea9ac2224d3371aa1b99de67e57a0889f0212a Mon Sep 17 00:00:00 2001 From: Yoni Heiblum Date: Sun, 6 May 2018 13:38:55 +0000 Subject: [PATCH 08/19] Updated machine-groups-windows-defender-advanced-threat-protection.md --- ...-groups-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 72b5a1ee22..4e2100d5a6 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -39,7 +39,7 @@ As part of the process of creating a machine group, you'll: - Rank the machine group relative to other groups after it is created >[!NOTE] ->All machine groups are accessible to all users if you don’t assign any Azure AD groups to them. +>A machine group is accessible to all users if you don’t assign any Azure AD groups to it. ## Add a machine group @@ -58,7 +58,7 @@ As part of the process of creating a machine group, you'll: >[!TIP] >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). -4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. +4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. 5. Assign the user groups that can access the machine group you created. @@ -72,11 +72,11 @@ As part of the process of creating a machine group, you'll: You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] ->Deleting a machine group may affect email notification rules. If a machine group that's part of an email notification rule is the only machine group in that rule, that email notification rule will be deleted along with the machine group. +>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. -Machines that are not matched to any groups are added to grouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. +Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. >[!NOTE] > - Applying changes to machine group configuration may take up to several minutes. From ab3e31ef106a533d957f4e060a0fd6068d940cbc Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 11:14:49 -0700 Subject: [PATCH 09/19] update to email notifications --- ...ows-defender-advanced-threat-protection.md | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 72b5a1ee22..90720f62a4 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -34,9 +34,9 @@ In Windows Defender ATP, you can create machine groups and use them to: As part of the process of creating a machine group, you'll: - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). -- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group. -- Determine access to machine group -- Rank the machine group relative to other groups after it is created +- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. +- Select the Azure AD user group that should have access to the machine group. +- Rank the machine group relative to other groups after it is created . >[!NOTE] >All machine groups are accessible to all users if you don’t assign any Azure AD groups to them. @@ -48,17 +48,12 @@ As part of the process of creating a machine group, you'll: 2. Click **Add machine group**. -3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: +3. Enter machine group details, specify the matching rule, preview the results, then assign the group to an Azure AD user group. - - **Name** - - **Remediation level for automated investigations** - - **Description** - - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. + >[!TIP] + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). - >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). - -4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. +4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **User access** tab. 5. Assign the user groups that can access the machine group you created. @@ -68,7 +63,7 @@ As part of the process of creating a machine group, you'll: 6. Click **Close**. The configuration changes are applied. -## Understand matching and manage groups +## Manage machine groups You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] From 1742c15bc95be5b7cb73e5027ee007655319f822 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 12:47:33 -0700 Subject: [PATCH 10/19] fix merge conflict --- ...windows-defender-advanced-threat-protection.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 4e2100d5a6..abad7e5b8f 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -34,9 +34,9 @@ In Windows Defender ATP, you can create machine groups and use them to: As part of the process of creating a machine group, you'll: - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). -- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group. -- Determine access to machine group -- Rank the machine group relative to other groups after it is created +- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. +- Select the Azure AD user group that should have access to the machine group. +- Rank the machine group relative to other groups after it is created. >[!NOTE] >A machine group is accessible to all users if you don’t assign any Azure AD groups to it. @@ -48,12 +48,7 @@ As part of the process of creating a machine group, you'll: 2. Click **Add machine group**. -3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: - - - **Name** - - **Remediation level for automated investigations** - - **Description** - - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. +3. Enter machine group details, specify the matching rule, preview the results, then assign the group to an Azure AD user group. >[!TIP] >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). @@ -72,7 +67,7 @@ As part of the process of creating a machine group, you'll: You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] ->Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. +>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. From a96924aabea789efa94798452af3a233ef5910be Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 12:49:53 -0700 Subject: [PATCH 11/19] update date --- .../rbac-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 7fc722d5a1..4599627b02 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/08/2018 --- # Manage portal access using role-based access control From dd1c6ad35a2f9ceae45c8b67aca8eb56a1e468e7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 12:54:54 -0700 Subject: [PATCH 12/19] update changes --- ...groups-windows-defender-advanced-threat-protection.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index abad7e5b8f..05a34c9ebf 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -50,8 +50,8 @@ As part of the process of creating a machine group, you'll: 3. Enter machine group details, specify the matching rule, preview the results, then assign the group to an Azure AD user group. - >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). + >[!TIP] + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). 4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. @@ -63,7 +63,7 @@ As part of the process of creating a machine group, you'll: 6. Click **Close**. The configuration changes are applied. -## Understand matching and manage groups +## Manage machine groups You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] @@ -77,8 +77,5 @@ Machines that are not matched to any groups are added to Ungrouped machines (def > - Applying changes to machine group configuration may take up to several minutes. - - - ## Related topic - [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) \ No newline at end of file From 1cc30e10996b3fcea6b5b36c1bbd2c614dc7c45f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 16:40:35 -0700 Subject: [PATCH 13/19] update settings navigation, add preview features in advanced features topic --- ...ows-defender-advanced-threat-protection.md | 7 +++- ...ows-defender-advanced-threat-protection.md | 36 ++++++++++--------- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 6 ++-- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 19 ++++++++-- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 6 ++-- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 6 ++-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 4 +-- ...ows-defender-advanced-threat-protection.md | 2 +- ...ows-defender-advanced-threat-protection.md | 2 +- 24 files changed, 76 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index d74d21d178..f12f23cc7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/08/2018 --- # Configure advanced features in Windows Defender ATP @@ -87,6 +87,11 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic >You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature. +## Preview features +Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. + +You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. + ## Enable advanced features 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 2307538282..581eb3d49e 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 05/03/2018 +ms.date: 05/08/2018 --- # Use Automated investigations to investigate and remediate threats @@ -65,24 +65,30 @@ While an investigation is running, any other alert generated from the machine wi If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. ### How threats are remediated -Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). + + +You can configure the following levels of automation: + +Automation level | Description +:---|:--- +Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders such as the user's download folder or the user's temp folder we will automatically be remediated if needed. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically remediate if needed. +Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically remediate if needed. +Full - remediate threats automatically | An approval is required on files or executables that are in the operating system directories such as Windows directory and Program files directory. + +For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. -### How an Automated investigation is completed -When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it. ## Understand the remediation levels for automated investigations You can create machine groups and set remediation levels for automated investigations. The following table explains the various levels of remediations and the conditions associated with them. -Remediation level | Description -:---|:--- -Full | Remediates threats automatically -Require approval for all folders | An approval is needed when a remediation is required on folders -Require approval for non-temp folders | An approval is required on files or executables that are not in temporary directories. This includes both user and system temporary directories. -Require approval for core folders | An approval is required on files or executables that are in the operating system directories such as Windows directory and Program files directory. + ## Manage Automated investigations By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. @@ -112,19 +118,15 @@ Status | Description | No threats found | No malicious entities found during the investigation. | Failed | A problem has interrupted the investigation, preventing it from completing. | | Partially remediated | A problem prevented the remediation of some malicious entities. | -| Action required | Remediation actions require review and approval. | +| Pending | Remediation actions require review and approval. | | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | | Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | | Running | Investigation ongoing. Malicious entities found will be remediated. | | Remediated | Malicious entities found were successfully remediated. | | Terminated by system | Investigation was stopped due to . | -| Terminated by user | A user stopped the investigation before it could complete. | -| Not applicable | Automated investigations do not apply to this alert type. | +| Terminated by user | A user stopped the investigation before it could complete. | Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | -| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. | -| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. | -| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. | -| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. | + **Detection source**
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 5c7c425311..10e5212a72 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -102,7 +102,7 @@ Take the following steps to enable conditional access: ### Step 1: Turn on the Microsoft Intune connection -1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Microsoft Intune connection**. +1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. 2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 42cf9bf182..24e934b696 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -45,7 +45,7 @@ The email notification includes basic information about the alert and a link to You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. -1. In the navigation pane, select **Settings** > **General** > **Alert notifications**. +1. In the navigation pane, select **Settings** > **Alert notifications**. 2. Click **Add notification rule**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index e3b7fb8022..a93c05a236 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ ms.date: 04/24/2018 ## Onboard machines using Group Policy 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index c7774a5663..8c10ca727e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -106,7 +106,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -189,7 +189,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 450371174d..edb65b80d5 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -34,7 +34,7 @@ You'll need to take the following steps to onboard non-Windows machines: ### Turn on third-party integration -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed. +1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed. 2. Select Mac and Linux as the operating system. @@ -59,7 +59,7 @@ To effectively offboard the machine from the service, you'll need to disable the 1. Follow the third-party documentation to opt-out on the third-party service side. -2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. +2. In the navigation pane, select **Settings** > **Onboarding**. 3. Turn off the third-party solution integration. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index ab8da7cafa..a65ad2ad0f 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -49,7 +49,7 @@ You can use existing System Center Configuration Manager functionality to create 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -127,7 +127,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 4dbf933ec5..884edde275 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m ## Onboard machines 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -94,7 +94,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index 3053183884..58d6bfd4b4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md @@ -40,7 +40,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index e1c5a11e0c..d9e68b4da3 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -111,7 +111,9 @@ You’ll be able to onboard in the same method available for Windows 10 client m If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). ## Offboard servers -You have two options to offboard servers from the service: +You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. + +For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent - Remove the Windows Defender ATP workspace configuration @@ -139,7 +141,7 @@ To offboard the server, you can use either of the following methods: #### Run a PowerShell command to remove the configuration 1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID: diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 2f1642def7..06921f27cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -28,7 +28,7 @@ ms.date: 04/24/2018 During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings. -1. In the navigation pane, select **Settings** > **General** > **Data rention**. +1. In the navigation pane, select **Settings** > **Data rention**. 2. Select the data retention duration from the drop-down list. diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index babca11760..d9b646f4e0 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -29,7 +29,7 @@ ms.date: 04/24/2018 Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. -1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**. +1. In the navigation pane, select **Settings** > **Threat intel**. ![Image of threat intel API menu](images/atp-threat-intel-api.png) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index 472a8abc15..1feb834265 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -30,7 +30,7 @@ Set the baselines for calculating the score of Windows Defender security control >[!NOTE] >Changes might take up to a few hours to reflect on the dashboard. -1. In the navigation pane, select **Settings** > **General** > **Secure Score**. +1. In the navigation pane, select **Settings** > **Secure Score**. ![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 183ecc286d..bb4aff5ce2 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -29,7 +29,7 @@ ms.date: 04/24/2018 Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. -1. In the navigation pane, select **Settings** > **APIs** > **SIEM**. +1. In the navigation pane, select **Settings** > **SIEM**. ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 05a34c9ebf..83af29fb16 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 05/04/2018 +ms.date: 05/08/2018 --- # Create and manage machine groups in Windows Defender ATP @@ -44,11 +44,24 @@ As part of the process of creating a machine group, you'll: ## Add a machine group -1. In the navigation pane, select **Settings > Permissions > Machine groups**. +1. In the navigation pane, select **Settings** > **Machine groups**. 2. Click **Add machine group**. -3. Enter machine group details, specify the matching rule, preview the results, then assign the group to an Azure AD user group. +3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. + + - **Machine group name** + - **Automation level** + - **Semi - require approval for any remediation** + - **Semi - require approval for non-temp folders remediation** + - **Semi - require approval for core folders remediation** + - **Full - remediate threats automatically** + + >[!NOTE] + > For more information on automation levels, see Use Automated investigation to investigate and remediate threats. + + - **Description** + - **Members** >[!TIP] >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 54bc053ce4..34058bc69a 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -110,7 +110,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can ### View the list of suppression rules -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. +1. In the navigation pane, select **Settings** > **Alert suppression**. 2. The list of suppression rules shows all the rules that users in your organization have created. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index abe6240f77..4b6a427b67 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ Entities added to the blocked list are considered malicious and will be remediat You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates. ## Create an allowed or blocked list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. 2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities: - File hash @@ -52,14 +52,14 @@ You can define the conditions for when entities are identified as malicious or s 5. Click **Update rule**. ## Edit a list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. 2. Select the type of entity you'd like to edit the list from. 3. Update the details of the rule and click **Update rule**. ## Delete a list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. 2. Select the type of entity you'd like to delete the list from. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index a418fca559..0633161ea8 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -35,7 +35,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t ## Add file extension names and attachment extension names. -1. In the navigation pane, select **Settings** > **Rules** > **Automation file uploads**. +1. In the navigation pane, select **Settings** > **Automation file uploads**. 2. Toggle the content analysis setting between **On** and **Off**. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index 0388d3e0dd..d754d2cc87 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ You can specify the file names that you want to be excluded in a specific direct ## Add an automation folder exclusion -1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**. +1. In the navigation pane, select **Settings** > **Automation folder exclusions**. 2. Click **New folder exclusion**. @@ -62,14 +62,14 @@ You can specify the file names that you want to be excluded in a specific direct 4. Click **Save**. ## Edit an automation folder exclusion -1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**. +1. In the navigation pane, select **Settings** > **Automation folder exclusions**. 2. Click **Edit** on the folder exclusion. 3. Update the details of the rule and click **Save**. ## Remove an automation folder exclusion -1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**. +1. In the navigation pane, select **Settings** > **Automation folder exclusions**. 2. Click **Remove exclusion**. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index afd498bd1b..8662980b04 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -32,7 +32,7 @@ There might be scenarios where you need to suppress alerts from appearing in the You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off. ## Turn a suppression rule on or off -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. +1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. 2. Select a rule by clicking on the check-box beside the rule name. @@ -40,7 +40,7 @@ You can view a list of all the suppression rules and manage them in one place. Y ## View details of a suppression rule -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. +1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. 2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions. diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index ecb07ccd1e..136ce2f153 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -40,7 +40,7 @@ You can access these options from the Windows Defender ATP portal. Both the Powe ## Create a Windows Defender ATP dashboard on Power BI service Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. -1. In the navigation pane, select **Settings** > **General** > **Power BI reports**. +1. In the navigation pane, select **Settings** > **Power BI reports**. 2. Click **Create dashboard**. @@ -127,7 +127,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t ### Before you begin 1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). -2. In the navigation pane, select **Settings** > **General** > **Power BI reports**. +2. In the navigation pane, select **Settings** > **Power BI reports**. 3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 61315574f8..1e36317ed3 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -28,7 +28,7 @@ ms.date: 04/24/2018 Turn on the preview experience setting to be among the first to try upcoming features. -1. In the navigation pane, select **Settings** > **Preview experience**. +1. In the navigation pane, select **Settings** > **Advanced features**. ![Image of settings and preview experience](images/atp-preview-features.png) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 63395308fe..4b90b87fb8 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ You'll have access to upcoming features which you can provide feedback on to hel Turn on the preview experience setting to be among the first to try upcoming features. -1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**. +1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**. 2. Toggle the setting between **On** and **Off** and select **Save preferences**. From 2d5edc3e3a3f76a43892738ae80ec2fdefb4741b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 8 May 2018 16:48:27 -0700 Subject: [PATCH 14/19] fix xref --- ...stigations-windows-defender-advanced-threat-protection.md | 5 ----- ...ine-groups-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 581eb3d49e..38abf1c81a 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -85,11 +85,6 @@ The default machine group is configured for semi-automatic remediation. This mea When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. -## Understand the remediation levels for automated investigations -You can create machine groups and set remediation levels for automated investigations. The following table explains the various levels of remediations and the conditions associated with them. - - - ## Manage Automated investigations By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 83af29fb16..88190566eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -58,7 +58,7 @@ As part of the process of creating a machine group, you'll: - **Full - remediate threats automatically** >[!NOTE] - > For more information on automation levels, see Use Automated investigation to investigate and remediate threats. + > For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow). - **Description** - **Members** From ec7a7d729a8dec28907cbf8fe12e494a11702829 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 May 2018 10:24:09 -0700 Subject: [PATCH 15/19] updates from benny --- ...gations-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 38abf1c81a..4fb169c9e0 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -73,10 +73,10 @@ You can configure the following levels of automation: Automation level | Description :---|:--- Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. -Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders such as the user's download folder or the user's temp folder we will automatically be remediated if needed. -Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically remediate if needed. -Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically remediate if needed. -Full - remediate threats automatically | An approval is required on files or executables that are in the operating system directories such as Windows directory and Program files directory. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will get automatically remediated if needed. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will get automatically remediated if needed. +Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will get automatically remediated if needed. +Full - remediate threats automatically | All remediation actions will be performed automatically. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). From c8371fb9841ed62c4605e00a4e9400088ba677fb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 May 2018 11:12:41 -0700 Subject: [PATCH 16/19] update automation level descriptions --- ...gations-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 4fb169c9e0..71189cdf90 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -73,12 +73,12 @@ You can configure the following levels of automation: Automation level | Description :---|:--- Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. -Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will get automatically remediated if needed. -Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will get automatically remediated if needed. -Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will get automatically remediated if needed. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed. +Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed. Full - remediate threats automatically | All remediation actions will be performed automatically. -For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. From 896c536cd9a32975b74d975f6e09d34a99fa8d2a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 May 2018 15:35:27 -0700 Subject: [PATCH 17/19] offboard --- ...r-endpoints-windows-defender-advanced-threat-protection.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 792719609a..c843c3e78e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -115,7 +115,9 @@ You’ll be able to onboard in the same method available for Windows 10 client m If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). ## Offboard servers -You have two options to offboard servers from the service: +You can offboard Windows Server, 1803 in the same method available for Windows 10 client machines. + +For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent - Remove the Windows Defender ATP workspace configuration From bc9914fda103ee15fa51b33385230d10ff3da104 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 10 May 2018 10:47:15 -0700 Subject: [PATCH 18/19] remove email settings --- ...ows-defender-advanced-threat-protection.md | 46 ++++++------------- 1 file changed, 15 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 24e934b696..595710cac3 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -41,45 +41,29 @@ Only users assigned to the Global administrator role can manage notification rul The email notification includes basic information about the alert and a link to the portal where you can do further investigation. -## Create rules for alert notifications -You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. +## Set up email notifications for alerts +The email notifications feature is turned off by default. Turn it on to start receiving email notifications. +1. On the navigation pane, select **Settings** > **Alert notifications**. +2. Toggle the setting between **On** and **Off**. +3. Select the alert severity level that you’d like your recipients to receive: + - **High** – Select this level to send notifications for high-severity alerts. + - **Medium** – Select this level to send notifications for medium-severity alerts. + - **Low** - Select this level to send notifications for low-severity alerts. + - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of. +4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. +5. Click **Save preferences** when you’ve completed adding all the recipients. -1. In the navigation pane, select **Settings** > **Alert notifications**. - -2. Click **Add notification rule**. - -3. Specify the General information: - - **Rule name** - - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - - **Alert severity** - Choose the alert severity level - -4. Click **Next**. - -5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses. - -6. Check that email recipients are able to receive the email notifications by selecting **Send test email**. - -7. Click **Save notification rule**. +Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. Here's an example email notification: ![Image of example email notification](images/atp-example-email-notification.png) -## Edit a notification rule -1. Select the notification rule you'd like to edit. - -2. Update the General and Recipient tab information. - -3. Click **Save notification rule**. - - -## Delete notification rule - -1. Select the notification rule you'd like to delete. - -2. Click **Delete**. +## Remove email recipients +1. Select the trash bin icon beside the email address you’d like to remove. +2. Click **Save preferences**. ## Troubleshoot email notifications for alerts This section lists various issues that you may encounter when using email notifications for alerts. From ff4dc8a1dfef275dac6aa00209af96b2fadb5ade Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 10 May 2018 11:20:26 -0700 Subject: [PATCH 19/19] fix --- ...vestigations-windows-defender-advanced-threat-protection.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 71189cdf90..584da22c52 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -65,8 +65,7 @@ While an investigation is running, any other alert generated from the machine wi If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. ### How threats are remediated -Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). - +Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats. You can configure the following levels of automation: