This commit is contained in:
Joey Caparas 2017-06-08 13:59:31 -07:00
parent 5681dd221c
commit c8dbb25c70
2 changed files with 25 additions and 26 deletions

View File

@ -29,11 +29,6 @@ This feature is only available if your organization uses Windows Defender Antivi
If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
## Run remote antivirus scan
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
If your organization satisfies this condition, the feature is enabled by default. This feature enables you to run remove antivirus scans on machines.
## Office 365 Security Center integration ## Office 365 Security Center integration
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
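Review bot: the three single-sided lines from "## Run remote antivirus scan" through "run remove antivirus scans on machines" appear to be deletions (the hunk shrinks from 11 to 6 lines), so this section is leaving this file; the second file's hunk at -135,17 carries the same prerequisite ("If your organization uses Windows Defender Antivirus as the active antimalware s…"), so treat this as a move and make sure the relocated text reads "remote" rather than "remove" and drops the stray "that" in "and that the cloud-based protection feature is enabled".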

View File

@ -46,7 +46,9 @@ This machine isolation feature disconnects the compromised machine from the netw
![Image of isolate machine](images/atp-isolate-machine.png) ![Image of isolate machine](images/atp-isolate-machine.png)
3. Type a comment (optional) and select **Yes** to take action on the machine. 3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
4. Type a comment (optional) and select **Yes** to take action on the machine.
>[!NOTE] >[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
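Review bot: the new step 3 ("Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated") introduces a partial-isolation option without saying what it means for containment; add a sentence stating that these applications keep network access while all other traffic is blocked, so an analyst understands the isolation is not complete when the box is ticked. Since the NOTE directly below already lists the one other exception (the machine stays connected to the Windows Defender ATP service), put the Outlook and Skype exception next to it so the allowed-traffic set is in one place, and use "checkbox" to match the other docs in this set.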
@ -55,9 +57,9 @@ This machine isolation feature disconnects the compromised machine from the netw
- **Submission time** - Shows when the isolation action was submitted. - **Submission time** - Shows when the isolation action was submitted.
- **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon. - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
- **Status** - Indicates any pending actions or the results of completed actions. - **Status** - Indicates any pending actions or the results of completed actions. If you enabled Outlook and Skype communication while the machine is in isolation, an indication that it has been applied will be displayed.
When the isolation configuration is applied, there will be a new event in the machine timeline. When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br> **Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
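Review bot: in the **Status** bullet, "an indication that it has been applied will be displayed" is too vague for a reference page; name the label or text the Action center actually shows for the Outlook and Skype exception, or hold the sentence until the UI string is final. The `</br>` in "**Notification on machine user**:</br>" is unchanged context but sits in this hunk and is not a valid tag; use `<br>` or `<br/>`.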
@ -82,20 +84,20 @@ You can download the package (Zip file) and investigate the events that occurred
The package contains the following folders: The package contains the following folders:
Folder | Description | Folder | Description |
:---|:--- |:--------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. | Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetworkConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. 
</br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - Ipconfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. |
Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. | Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. |
Services | Contains the services.txt file which lists services and their states. | Services | Contains the services.txt file which lists services and their states. |
Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). | Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). |
Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system. | Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br> NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didnt log in to the system. |
Users and Groups | Provides a list of files that each represent a group and its members. | Users and Groups | Provides a list of files that each represent a group and its members. |
CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views: 1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
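Review bot: this hunk's only change is widening the table separator row (`:---|:---`) into a very long run of dashes, which does not change the rendered table but will add noise to every future diff of it; keep the separator short. While the rows are in the hunk, fix "attackers persistency" to "attacker persistence" (Autoruns row), "night have been used" to "might have been used" (Network connections row), "didnt" to "didn't" (Temp Directories row), and the `</br>` tags throughout, which should be `<br>`. The Network connections row also appears split across two source lines after "for all interfaces."; confirm the row is a single line in the file, because a literal line break inside a markdown table row breaks rendering.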
@ -135,17 +137,19 @@ If your organization uses Windows Defender Antivirus as the active antimalware s
[INSERT SCREEN CAPTURE OF ACTION BUTTON HERE!!!] [INSERT SCREEN CAPTURE OF ACTION BUTTON HERE!!!]
3. Type a comment (optional) and select **Yes** to take action on the machine. 3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment (optional) and select **Yes** to start the scan.
The Action center shows the scan information: The Action center shows the scan information:
[INSERT SCREEN CAPTURE OF POP UP HERE] [INSERT SCREEN CAPTURE OF POP UP HERE]
- **Pending** - Indicates that the scan is yet to be done on the machine. - **Pending** - Indicates that the scan is yet to be done on the machine.
- **Submitted** - Indicates that the scan action has been submitted. - **Completed** - Indicates that the scan action has completed.
- **Failed** - Indicates that the scan failed. - **Failed** - Indicates that the scan failed.
[ABOVE DESCRIPTIONS MIGHT NEED TO BE UPDATED BASED ON LOUIE'S UX REVIEWS] - **In progress** - Indicates that the scan is still ongoing.
When a scan is successfully done on the machine, a response event is added on the machine timeline. You'll also be able to view malware alerts based on the scan results. When a scan successfully completes on the machine, a response event is added on the machine timeline. You'll also be able to view malware alerts based on the scan results.
## Check activity details in Action center ## Check activity details in Action center
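Review bot: the placeholders "[INSERT SCREEN CAPTURE OF ACTION BUTTON HERE!!!]" and "[INSERT SCREEN CAPTURE OF POP UP HERE]" survive on the new side of this hunk; the editorial note "[ABOVE DESCRIPTIONS MIGHT NEED TO BE UPDATED BASED ON LOUIE'S UX REVIEWS]" is removed, but the screenshots still need to be added (or the placeholders dropped) before this publishes. The status list now reads Pending, Completed, Failed, In progress; order it by lifecycle (Pending, In progress, Completed, Failed) so the progression is clear to the reader.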