From c5dba8615bbdf2bd794ef48d523d8f7d347b3226 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 23 Aug 2018 09:47:50 -0700 Subject: [PATCH] add edr content from tomer --- windows/security/threat-protection/index.md | 2 +- .../overview-endpoint-detection-response.md | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index c4705b849d..9448ee2de9 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -64,7 +64,6 @@ Endpoint protection and response capabilities are put in place to detect, invest - [Alerts](/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) - [Historical endpoint data](/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) - [Realtime and historical threat hunting](/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) -- [API and SIEM integration](/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) - [Response orchestration](/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) - [Forensic collection](/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) - [Threat intelligence](/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) 
@@ -105,6 +104,7 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo - [Onboarding](/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) - [Configuration](/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) - [Operating system baseline compliance](/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [API and SIEM integration](/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) - [SIEM connectors](/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) - [Exposed APIs](/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) - [RBAC](/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index 8902506c49..a40fccae5f 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md 
@@ -18,14 +18,15 @@ ms.date: 09/03/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The endpoint detection and response capabilities in Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization. It helps detect, investigate, and quickly respond to threats. -The detection capability finds the attacks that made it past all other defenses and surfaces them through alerts. +The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. -The platform provides various ways for you to investigate an incident and allows you to pivot in various views to help you approach an investigation through multiple possible vectors. -The response capabilities gives you the power to promptly remediate threats by taking action on the affected entities. +When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. +Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes and others. This information is stored for six months, enabling an analyst to travel back in time to the starting point of an attack and pivot in various views and approach an investigation through multiple possible vectors. 
+ +The response capabilities give you the power to promptly remediate threats by acting on the affected entities. ## In this section
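Review bot: in the first index.md hunk (@@ -64,7 +64,6 @@), dropping `- [API and SIEM integration](...)` from the "Endpoint protection and response" list is only safe if the item is re-homed elsewhere in the same index; review this hunk together with the addition under the integration section so that the configure-siem page does not silently lose its entry from the index, and update any table-of-contents or landing-page counts that assumed eight items in that list.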
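Review bot: in the second index.md hunk (@@ -105,6 +104,7 @@), the added `- [API and SIEM integration](/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)` item links to exactly the same page as the `- [SIEM connectors]` item directly below it, so the integration list now has two entries for one target. Either drop one of the two, or point "API and SIEM integration" at a page that actually covers both the SIEM connectors and the `Exposed APIs` item that follows.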
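Review bot: the overview-endpoint-detection-response.md hunk (@@ -18,14 +18,15 @@) introduces several typos and grammar errors in the added paragraphs that should be fixed before merge: "Widows Defender ATP" should be "Windows Defender ATP"; "capabilities provides near real-time actionable advance attacks detections" should read "capabilities provide near real-time, actionable detections of advanced attacks"; and "alerts are be created" should be "alerts are created". The statements that telemetry "is stored for six months" and that collection includes "deep optics into the kernel and memory manager" are product-specific facts readers will rely on when scoping investigations, so confirm they match the current data-retention and data-collection documentation before this lands.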