mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
Merge branch 'master' into mdm-security-baseline-update
This commit is contained in:
Heidi Lohr
commit
c669f66c09
@ -17,10 +17,6 @@
|
||||
#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
|
||||
##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
##### [Incidents queue](windows-defender-atp/incidents-queue.md)
|
||||
###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md)
|
||||
###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md)
|
||||
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 10/08/2018
|
||||
---
|
||||
|
||||
# Configure and validate Windows Defender Antivirus network connections
|
||||
@ -60,8 +60,9 @@ The following table lists the services and their associated URLs that your netwo
|
||||
Used by Windows Defender Antivirus to provide cloud-delivered protection
|
||||
</td>
|
||||
<td>
|
||||
*.wdcp.microsoft.com*<br />
|
||||
*.wdcpalt.microsoft.com*
|
||||
*.wdcp.microsoft.com<br />
|
||||
*.wdcpalt.microsoft.com<br />
|
||||
*.wd.microsoft.com
|
||||
</td>
|
||||
</tr>
|
||||
<tr style="vertical-align:top">
|
||||
|
||||
@ -16,10 +16,6 @@
|
||||
#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
#### [Incidents queue](incidents-queue.md)
|
||||
##### [View and organize the Incidents queue](view-incidents-queue.md)
|
||||
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
|
||||
##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
||||
@ -10,14 +10,12 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 10/08/2018
|
||||
---
|
||||
|
||||
# Enable SIEM integration in Windows Defender ATP
|
||||
|
||||
**Applies to:**
|
||||
|
||||
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
|
||||
@ -54,7 +52,8 @@ Enable security information and event management (SIEM) integration so you can p
|
||||
|
||||
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center.
|
||||
|
||||
|
||||
## Integrate Windows Defender ATP with IBM QRadar
|
||||
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
|
||||
|
||||
## Related topics
|
||||
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
---
|
||||
title: Incidents queue in Windows Defender ATP
|
||||
description:
|
||||
keywords: incidents, aggregate, investigations, queue, ttp
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
---
|
||||
|
||||
# Incidents queue in Windows Defender ATP
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations.
|
||||
|
||||
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
|
||||
|
||||
|
||||
## In this section
|
||||
|
||||
Topic | Description
|
||||
:---|:---
|
||||
[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
|
||||
[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
|
||||
[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
|
||||
|
||||
|
||||
@ -1,78 +0,0 @@
|
||||
---
|
||||
title: Investigate incidents in Windows Defender ATP
|
||||
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
|
||||
keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
---
|
||||
|
||||
# Investigate incidents in Windows Defender ATP
|
||||
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
|
||||
|
||||
## Analyze incident details
|
||||
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
|
||||
|
||||
|
||||
|
||||
### Alerts
|
||||
You can investigate the alerts and see how they were linked together in an incident.
|
||||
Alerts are grouped into incidents based on the following reasons:
|
||||
- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
|
||||
- File characteristics - The files associated with the alert have similar characteristics
|
||||
- Manual association - A user manually linked the alerts
|
||||
- Proximate time - The alerts were triggered on the same machine within a certain timeframe
|
||||
- Same file - The files associated with the alert are exactly the same
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
### Machines
|
||||
You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
|
||||
### Investigations
|
||||
Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
|
||||
|
||||
|
||||
|
||||
## Going through the evidence
|
||||
Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
|
||||
Each of the analyzed entities will be marked as infected, remediated, or suspicious.
|
||||
|
||||
|
||||
|
||||
## Visualizing associated cybersecurity threats
|
||||
Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
|
||||
|
||||
### Incident graph
|
||||
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
|
||||
|
||||
|
||||
|
||||
You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Incidents queue](incidents-queue.md)
|
||||
- [View and organize the Incidents queue](view-incidents-queue.md)
|
||||
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
@ -1,61 +0,0 @@
|
||||
---
|
||||
title: Manage Windows Defender ATP incidents
|
||||
description: Manage incidents by assigning it, updating its status, or setting its classification.
|
||||
keywords: incidents, manage, assign, status, classification, true alert, false alert
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 010/08/2018
|
||||
---
|
||||
|
||||
# Manage Windows Defender ATP incidents
|
||||
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
|
||||
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
|
||||
|
||||
|
||||
|
||||
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
|
||||
|
||||
|
||||
|
||||
|
||||
## Assign incidents
|
||||
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
|
||||
|
||||
## Change the incident status
|
||||
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
|
||||
|
||||
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
|
||||
|
||||
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
|
||||
|
||||
## Classify the incident
|
||||
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
|
||||
|
||||
## Rename incident
|
||||
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
|
||||
|
||||
|
||||
|
||||
## Add comments and view the history of an incident
|
||||
You can add comments and view historical events about an incident to see previous changes made to it.
|
||||
|
||||
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
|
||||
|
||||
Added comments instantly appear on the pane.
|
||||
|
||||
## Related topics
|
||||
- [Incidents queue](incidents-queue.md)
|
||||
- [View and organize the Incidents queue](view-incidents-queue.md)
|
||||
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
|
||||
@ -41,9 +41,6 @@ The following features are included in the preview release:
|
||||
- [Threat analytics](threat-analytics.md)<br>
|
||||
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
|
||||
|
||||
- [Incidents](incidents-queue.md)<br>
|
||||
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
|
||||
|
||||
|
||||
- [Custom detection](overview-custom-detections.md)<br>
|
||||
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
|
||||
|
||||
@ -1,74 +0,0 @@
|
||||
---
|
||||
title: View and organize the Incidents queue
|
||||
description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
|
||||
keywords: view, organize, incidents, aggregate, investigations, queue, ttp
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
---
|
||||
|
||||
# View and organize the Windows Defender Advanced Threat Protection Incidents queue
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
|
||||
|
||||
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
|
||||
|
||||
There are several options you can choose from to customize the Incidents queue view.
|
||||
|
||||
On the top navigation you can:
|
||||
- Customize columns to add or remove columns
|
||||
- Modify the number of items to view per page
|
||||
- Select the items to show per page
|
||||
- Batch-select the incidents to assign
|
||||
- Navigate between pages
|
||||
- Apply filters
|
||||
|
||||
|
||||
|
||||
## Sort and filter the incidents queue
|
||||
You can apply the following filters to limit the list of incidents and get a more focused view.
|
||||
|
||||
Incident severity | Description
|
||||
:---|:---
|
||||
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
|
||||
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
|
||||
Informational </br>(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
|
||||
|
||||
### Category
|
||||
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
|
||||
|
||||
### Alerts
|
||||
Indicates the number of alerts associated with or part of the incidents.
|
||||
|
||||
|
||||
### Machines
|
||||
You can limit to show only the machines at risk which are associated with incidents.
|
||||
|
||||
### Users
|
||||
You can limit to show only the users of the machines at risk which are associated with incidents.
|
||||
|
||||
### Assigned to
|
||||
You can choose to show between unassigned incidents or those which are assigned to you.
|
||||
|
||||
### Status
|
||||
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
|
||||
|
||||
### Classification
|
||||
Use this filter to choose between focusing on incidents flagged as true or false incidents.
|
||||
|
||||
## Related topics
|
||||
- [Incidents queue](incidents-queue.md)
|
||||
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
|
||||
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user