mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 05:43:41 +00:00
Merge branch 'master' into security-acrolinx-updates
This commit is contained in:
Beth Levin
@ -2,7 +2,6 @@
|
||||
title: Plan and deploy advanced security audit policies (Windows 10)
|
||||
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
|
||||
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
|
||||
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.prod: w10
|
||||
|
||||
@ -3,7 +3,6 @@ title: Use the command line to manage Microsoft Defender Antivirus
|
||||
description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
|
||||
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Enable Block at First Sight to detect malware in seconds
|
||||
description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
|
||||
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Set up exclusions for Microsoft Defender AV scans
|
||||
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
|
||||
keywords:
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Configure and validate exclusions based on extension, name, or location
|
||||
description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
|
||||
keywords: exclusions, files, extension, file type, folder name, file name, scans
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu
|
||||
description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
|
||||
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus
|
||||
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
|
||||
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: detect
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Enable cloud-delivered protection in Microsoft Defender Antivirus
|
||||
description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
|
||||
keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Evaluate Microsoft Defender Antivirus
|
||||
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
|
||||
keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
|
||||
description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
|
||||
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Microsoft Defender AV event IDs and error codes
|
||||
description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
|
||||
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with Group Policy
|
||||
description: Configure Microsoft Defender Antivirus settings with Group Policy
|
||||
keywords: group policy, GPO, configuration, settings
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through
|
||||
description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
|
||||
keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: "Why you should use Microsoft Defender Antivirus together with Microsoft
|
||||
description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
|
||||
keywords: windows defender, antivirus, third party av
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -21,16 +21,16 @@ ms.topic: conceptual
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
|
||||
|
||||
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
|
||||
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
|
||||
|
||||
The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
|
||||
Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
|
||||
|
||||
> [!TIP]
|
||||
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
|
||||
|
||||
## How the automated investigation starts
|
||||
|
||||
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
|
||||
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
|
||||
|
||||
>[!NOTE]
|
||||
>Currently, automated investigation only supports the following OS versions:
|
||||
@ -41,7 +41,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
|
||||
|
||||
## Details of an automated investigation
|
||||
|
||||
During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
|
||||
During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
|
||||
|
||||
|Tab |Description |
|
||||
|--|--|
|
||||
@ -50,7 +50,7 @@ During and after an automated investigation, you can view details about the inve
|
||||
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|
||||
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|
||||
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|
||||
|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
|
||||
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
|
||||
@ -59,28 +59,32 @@ During and after an automated investigation, you can view details about the inve
|
||||
|
||||
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
|
||||
|
||||
If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
|
||||
If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
|
||||
|
||||
## How threats are remediated
|
||||
|
||||
Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
|
||||
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
|
||||
|
||||
You can configure the following levels of automation:
|
||||
|
||||
|Automation level | Description|
|
||||
|---|---|
|
||||
|No automated response | Devices do not get any automated investigations run on them. |
|
||||
|Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action. |
|
||||
|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
|
||||
|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.|
|
||||
|Full - remediate threats automatically | All remediation actions will be performed automatically.|
|
||||
|**Full - remediate threats automatically** | All remediation actions are performed automatically.<br/><br/>*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*|
|
||||
|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br/><br/> Files or executables in all other folders are automatically remediated, if needed.|
|
||||
|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders. <br/><br/> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
|
||||
|**Semi - require approval for any remediation** | An approval is needed for any remediation action. <br/><br/>*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*|
|
||||
|**No automated response** | Devices do not get any automated investigations run on them. <br/><br/>*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
|
||||
|
||||
> [!TIP]
|
||||
> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md).
|
||||
### A few points to keep in mind
|
||||
|
||||
The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
|
||||
- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
|
||||
|
||||
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
|
||||
- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
|
||||
|
||||
- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
@ -3,7 +3,6 @@ title: Evaluate attack surface reduction rules
|
||||
description: See how attack surface reduction would block and prevent attacks with the custom demo tool.
|
||||
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: See how controlled folder access can help protect files from being change
|
||||
description: Use a custom tool to see how Controlled folder access works in Windows 10.
|
||||
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Conduct a demo to see how network protection works
|
||||
description: Quickly see how Network protection works by performing common scenarios that it protects against
|
||||
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -4,7 +4,6 @@ title: Import custom views to see attack surface reduction events
|
||||
description: Use Windows Event Viewer to import individual views for each of the features.
|
||||
keywords: event view, exploit guard, audit, review, events
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: Firewall and network protection in the Windows Security app
|
||||
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
|
||||
keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -3,7 +3,6 @@ title: The Windows Security app
|
||||
description: The Windows Security app brings together common Windows security features into one place
|
||||
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
|
||||
@ -35,7 +35,7 @@ The following video provides an overview of Windows Sandbox.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
|
||||
- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
|
||||
- AMD64 architecture
|
||||
- Virtualization capabilities enabled in BIOS
|
||||
- At least 4 GB of RAM (8 GB recommended)
|
||||
|
||||
Reference in New Issue
Block a user