Merge pull request #4419 from MicrosoftDocs/master

Publish 12/16/2020 10:30 AM PT
Tina Burden 2020-12-16 10:34:11 -08:00 committed by GitHub
commit af75a29d95
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 39 additions and 93 deletions

View File

@ -21,7 +21,10 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631) **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>[!NOTE]
>If you are a US Gov customer, please refer to API endpoints listed in [here](gov.md#api).
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
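Review bot: the new note's `[here](gov.md#api)` link only resolves if the `## API` heading added to gov.md in a later hunk of this same PR publishes together with this file, so both files must ship in one build. "here" is also weak link text for screen readers and for the docs link linter; suggest `>If you are a US Gov customer, please refer to the [API endpoints for US Government customers](gov.md#api).`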

View File

@ -40,7 +40,7 @@ The following OS versions are supported:
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481)) - Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481))
>[!NOTE] >[!NOTE]
A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. >A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment.
The following OS versions are supported via Azure Security Center: The following OS versions are supported via Azure Security Center:
- Windows Server 2008 R2 SP1 - Windows Server 2008 R2 SP1
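Review bot: the `[!NOTE]` callout was previously empty because its body line lacked the `>` prefix, so the patch sentence rendered as an ordinary paragraph; the fix is correct. One follow-up: the note says "A patch must be deployed" without saying which patch, while only the Windows Server 2019 item above links KB4490481; name or link the required patch per OS so the requirement is actionable.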
@ -108,4 +108,8 @@ Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```
Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net``` Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```
## API
Login endpoint: ```https://login.microsoftonline.us```
Microsoft Defender for Endpoint API endpoint: ```https://api-gov.securitycenter.microsoft.us```
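Review bot: the new `## API` section does not say which US Government environment its two endpoints apply to, while the table directly above distinguishes "GCC High specific" URLs; state whether `login.microsoftonline.us` and `api-gov.securitycenter.microsoft.us` cover both GCC and GCC High, or add one line per environment. Keep the heading text exactly `API`, since the first hunk's new note links to the `#api` slug.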

View File

@ -20,7 +20,7 @@ ms.topic: article
ms.date: 04/24/2018 ms.date: 04/24/2018
--- ---
# Investigate Microsoft Defender Advanced Threat Protection alerts # Investigate alerts in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
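Review bot: the H1 is renamed but `ms.date: 04/24/2018` two lines above stays as unchanged context, even though the next hunk rewrites most of the article body; bump `ms.date` to the publish date, and confirm the front-matter `title:` field (outside this hunk) matches the new heading so the browser title and the H1 agree.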
@ -35,70 +35,40 @@ ms.date: 04/24/2018
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert. Select an alert from the alerts queue to go to alert page. This view contains the alert title, the affected assets, the details side pane, and the alert story.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them. From the alert page, begin your investigation by selecting the affected assets or any of the entities under the alert story tree view. The details pane automatically populates with further information about what you selected. To see what kind of information you can view here, read [Review alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).
The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/). ## Investigate using the alert story
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
![Image of the alert page](images/atp-alert-view.png) Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. Expand entities to view details at a glance. Selecting an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Selecting *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
![A detailed view of an alert when clicked](images/atp-actor-alert.png)
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![Image of detailed actor profile](images/atp-detailed-actor.png)
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
## Alert process tree
The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.
![Image of the alert process tree](images/atp-alert-process-tree.png)
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
> [!NOTE] > [!NOTE]
>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity. > The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
Clicking in the circle immediately to the left of the indicator displays its details. ![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
![Image of the alert details pane](images/atp-alert-mgt-pane.png) ## Take action from the details pane
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation. Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information when it's available, and offer controls to **take action** on this entity directly from the alert page.
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
## Incident graph If you classify it as a true alert, you can also select a determination, as shown in the image below.
The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
![Image of the Incident graph](images/atp-incident-graph.png) ![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate. If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page. ![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed. > [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
## Artifact timeline
The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
![Image of artifact timeline](images/atp-alert-timeline.png)
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics ## Related topics
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) - [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
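Review bot: this hunk deletes the `## Alert process tree`, `## Incident graph` and `## Artifact timeline` sections, so inbound `#alert-process-tree`, `#incident-graph` and `#artifact-timeline` anchors break; the PR removes the `#artifact-timeline` reference in a later hunk but should grep the docset for the other two slugs as well. It also drops the cross-links to [Manage alerts](manage-alerts.md) and [Automated investigations](automated-investigations.md) and the actor threat-intelligence profile paragraphs without pointing to where that material now lives; at minimum restore the two links under `## Related topics`. Minor: the new text links review-alerts with an absolute `https://docs.microsoft.com/...` URL while the rest of the file uses relative `.md` links; use `review-alerts.md` so the build validates the link.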

View File

@ -132,8 +132,6 @@ More details about certain events are provided in the **Additional information**
- Suspicious script detected - a potentially malicious script was found running - Suspicious script detected - a potentially malicious script was found running
- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided - The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.
#### Event details #### Event details
Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown. Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.

View File

@ -90,7 +90,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Group |Scenario |Command | |Group |Scenario |Command |
|-------------|-------------------------------------------|----------------------------------------------------------------------------------| |-------------|-------------------------------------------|----------------------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` | |Configuration|Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled/disabled]` |
|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` | |Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` | |Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` | |Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |

View File

@ -33,21 +33,21 @@ The alert page in Microsoft Defender for Endpoint provides full context to the a
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview. Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5] > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4yiO5]
## Getting started with an alert ## Getting started with an alert
Clicking on an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections: Selecting an alert's name in Defender for Endpoint will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page. 1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions. 2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. 3. The **alert story** displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page. Use the alert story to start your investigation. Learn how in [Investigate alerts in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts).
4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object. 4. The **details pane** will show the details of the selected alert at first, with details and actions related to this alert. If you select any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
![An alert page when you first land on it](images/alert-landing-view.png) ![An alert page when you first land on it](images/alert-landing-view.png)
Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint. Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions. Start by reviewing the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png) ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)
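Review bot: item 3 now links to investigate-alerts with an absolute `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts` URL; every other link in this file and PR is relative (`alerts-queue.md`, `manage-alerts.md`), and absolute links skip build-time link validation and locale redirection, so use `investigate-alerts.md`. Dropping `en-us` from the `[!VIDEO]` embed URL is the right direction for locale-neutral links.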
@ -55,42 +55,13 @@ Other information available in the details pane when the alert opens includes MI
## Review affected assets ## Review affected assets
Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane. Selecting a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view. - **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view. - **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
![A snippet of the details pane when a device is selected](images/alert-device-details.png) ![A snippet of the details pane when a device is selected](images/alert-device-details.png)
## Investigate using the alert story
The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
> [!NOTE]
> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
![An example of an alert story with an alert in focus and some expanded cards](images/alert-story-tree.png)
## Take action from the details pane
Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
If you classify it as a true alert, you can also select a determination, as shown in the image below.
![A snippet of the details pane with a resolved alert and the determination drop-down expanded](images/alert-details-resolved-true.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
![actions and classification in the details pane with the suppression rule highlighted](images/alert-false-suppression-rule.png)
> [!TIP]
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
## Related topics ## Related topics
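Review bot: removing `## Take action from the details pane` also removes this page's only `[!TIP]` pointing readers to the 🙂 feedback button, and the `## Related topics` heading is shown only as unchanged context; confirm its list gains [Investigate alerts in Microsoft Defender for Endpoint](investigate-alerts.md) so readers of this overview can still reach the moved alert-story and details-pane guidance, and consider keeping the feedback tip here as well.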