mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-25 07:13:37 +00:00
fixed merge conflicts from private repo
@ -394,7 +394,7 @@
####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md)

###### [File]()
####### [File methods and properties](microsoft-defender-atp/files.md)
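Review bot: the "Is domain seen in organization (Deprecated)" entry links to the same is-domain-seen-in-org.md as the non-deprecated entry, so the title suffix is the only deprecation signal readers get; add a pointer to the replacement API (in the entry text or on the linked page) so the deprecation is actionable for integrators.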
@ -405,9 +405,9 @@

###### [IP]()
####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md)

###### [User]()
####### [User methods](microsoft-defender-atp/user.md)
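Review bot: "Get IP related machines (Deprecated)" and "Is IP seen in organization (Deprecated)" both keep their old link targets, so nothing in the TOC tells the reader which endpoint supersedes them; name the replacement in the entry or on the page. Also note the file-name asymmetry between is-ip-seen-org.md and is-domain-seen-in-org.md; harmless, but worth aligning while these pages are being touched.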
@ -59,6 +59,13 @@ For information on other tables in the Advanced hunting schema, see [the Advanc
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
| ShareName | string | Name of shared folder containing the file |
| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
| RequestSourcePort | string | Source port on the remote device that initiated the activity |
| RequestAccountName | string | User name of account used to remotely initiate the activity |
| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |

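Review bot: the RequestAccountSid description in the last added row is ungrammatical ("of the account to remotely initiate the activity"); make it read like its neighbours: "Security Identifier (SID) of the account used to remotely initiate the activity". Two schema questions in the same rows: RequestSourcePort is declared string while InitiatingProcessParentId is int, so confirm the port really is stored as text (it matters for hunting queries that compare or range over ports), and the RequestProtocol values (Unknown, Local, SMB, or NFS) should be presented as the exact strings to filter on rather than buried in a sentence, since these columns are what an analyst uses to spot remote file writes over a share.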
@ -1,7 +1,7 @@
---
title: Configure and manage Microsoft Threat Experts capabilities
ms.reviewer:
description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work.
description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work.
keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
search.product: Windows 10
search.appverid: met150
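Review bot: the reworded description still says "Microsoft Threats Experts" (plural "Threats") while the title and keywords use "Microsoft Threat Experts"; fix the product name here, because the description is the string that surfaces in search results.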
@ -9,8 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
author: mjcaparas
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -23,12 +23,12 @@ ms.topic: article

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

[!include[Prerelease information](prerelease.md)]
[!Include[Prerelease information](prerelease.md)]

## Before you begin
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges.
To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges are not incurred during for the capability in preview, but for the generally available capability, there will be charges.

You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.

## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
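Review bot: the rewrite changes "will not be incurred" to "are not incurred" but keeps the broken phrase "during for the capability in preview"; drop "for" ("are not incurred during the preview of this capability, but ..."). The `[!include` to `[!Include` change in the same hunk should be verified against the rest of the repo so one casing is used everywhere.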
@ -47,11 +47,11 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.

## Receive targeted attack notification from Microsoft Threat Experts
You can receive targeted attack notification from Microsoft Threat Experts through the following:
You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
- The Microsoft Defender ATP portal's **Alerts** dashboard
- Your email, if you choose to configure it

To receive targeted attack notifications through email, you need to create an email notification rule.
To receive targeted attack notifications through email, create an email notification rule.

### Create an email notification rule
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
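Review bot: "through the following medium:" introduces a two-item list (the Alerts dashboard and email), so the singular "medium" reads wrong; use "channels" or keep the original "through the following:".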
@ -68,11 +68,14 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
>[!NOTE]
>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.

You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.

1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry.
2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**.
3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket.
>[!NOTE]
>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.

1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an inquiry.
2. From the upper right-hand menu, click **?**. Then, select **Ask a threat expert**.
3. Asking a threat expert is a two-step process: provide the necessary information and open a support ticket.

**Step 1: Provide information**
a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu. <br>
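Review bot: the new note about customized threat intelligence data ends with "Consult your security operations or incident response team for details", but the reader of this page usually is that team; say where the limitation is documented or what they can do instead (for example, raise the inquiry against the underlying alert rather than the custom indicator). The limitation itself is worth stating up front, since analysts will otherwise open tickets that cannot be worked.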
@ -83,7 +86,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w

**Step 2: Open a support ticket**
>[!NOTE]
>To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
>To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.

a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**: <br>

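Review bot: the reworded note capitalises "Experts-on-demand" while the "Before you begin" section in this same file writes "experts-on-demand"; pick one form. The note also repeats the Premier-account requirement already given in "Before you begin"; a short cross-reference would avoid the two statements drifting apart.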
@ -100,7 +103,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w

e. Verify your contact details and add another if necessary. Then, click **Next**. <br>

f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. <br>
f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. A confirmation page indicating the response time and your support request number shows. <br>

## Sample questions to ask Microsoft Threat Experts

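Review bot: "A confirmation page indicating the response time and your support request number shows." strands the verb at the end; "A confirmation page appears, showing the response time and your support request number." reads naturally. The trailing `<br>` on each step is a style point: a blank line between steps gives the same break without raw HTML.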
@ -111,12 +114,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.

**Possible machine compromise**
- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?

**Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?

**Microsoft Threat Experts’ alert communications**
- Can your incident response team help us address the targeted attack notification that we got?
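Review bot: in the rewritten "Unknown process observed?" question the question mark sits inside the closing quote, which makes it look like part of the alert title; move it outside the quotes so the sample alert name is quoted exactly as it appears in the portal.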
@ -129,7 +132,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
## Scenario

### Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
- More information is needed to continue with the investigation
- A file or several file samples are needed to determine the technical context
- Investigation requires more time

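Review bot: "They will email a progress report to you about the Ask a threat expert inquiry that you've submitted, within two days, ..." leaves "within two days" floating between clauses; attach it to the verb ("Within two days, they will email you a progress report about the inquiry ...") so the response time is unambiguous. Also bold or quote "Ask a threat expert", since it is the UI label used earlier in the article.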
@ -140,7 +140,7 @@ Agent Resource | Ports
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.

>[!NOTE]
>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.comsccm/apps/deploy-use/packages-and-programs).
>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).

Supported tools include:
- Local script

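Review bot: the link fix (docs.microsoft.com/sccm in place of docs.microsoft.comsccm) is correct. While here, "currently ships a script" is the kind of statement that goes stale silently; either name the Configuration Manager version the note applies to or drop "currently".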
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Get IP related machines API
# Get IP related machines API (Deprecated)

**Applies to:**


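Review bot: appending "(Deprecated)" to the H1 is the only signal on this page that the API should not be used; add a short deprecation note under "Applies to:" naming the replacement endpoint and, if known, the retirement date, otherwise integrators have nothing to migrate to.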
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Was domain seen in org
# Was domain seen in org (Deprecated)

**Applies to:**


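Review bot: the page heading reads "Was domain seen in org (Deprecated)" while the TOC entries in this same commit call the page "Is domain seen in organization (Deprecated)"; align the two so the page is findable under the name the navigation uses, and add the replacement API below "Applies to:" as for the other deprecated pages.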
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Was IP seen in org
# Was IP seen in org (Deprecated)

**Applies to:**


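Review bot: the heading "Was IP seen in org (Deprecated)" does not match the TOC title "Is IP seen in organization (Deprecated)" used elsewhere in this commit; use one wording for heading and TOC.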
@ -392,7 +392,7 @@
####### [Get domain related alerts](get-domain-related-alerts.md)
####### [Get domain related machines](get-domain-related-machines.md)
####### [Get domain statistics](get-domain-statistics.md)
####### [Is domain seen in organization](is-domain-seen-in-org.md)
####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md)

###### [File]()
####### [Methods and properties](files.md)
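Review bot: this TOC labels the File entry "Methods and properties" while the other TOC in this commit uses "File methods and properties" for the same files.md; the parent node supplies the context here, but readers arriving from search see only the leaf label, so prefer the longer form in both files.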
@ -403,9 +403,9 @@

###### [IP]()
####### [Get IP related alerts](get-ip-related-alerts.md)
####### [Get IP related machines](get-ip-related-machines.md)
####### [Get IP related machines (Deprecated)](get-ip-related-machines.md)
####### [Get IP statistics](get-ip-statistics.md)
####### [Is IP seen in organization](is-ip-seen-org.md)
####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md)

###### [User]()
####### [Methods](user.md)

@ -40,17 +40,17 @@ The **Secure score dashboard** displays a snapshot of:


## Microsoft secure score
The Microsoft secure score tile is reflective of the sum of all the Microsoft Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.



Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).

The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).

In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.
In the example image, the total points for the security controls and Office 365 add up to 602 points.

You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).
You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).

## Secure score over time
You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.

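Review bot: the rewording swaps "Windows Defender security controls" for "Microsoft security controls", but the scoring paragraph still only describes the pillar formula (number of controls multiplied by 100 points), while the example total of 602 points includes Office 365; say how the Office 365 Secure Score portion is added so a reader can reconcile 602 with the 100-per-pillar rule. Also, "reflective of the sum" twice in one section is padding; "is the sum of" is enough.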
@ -27,7 +27,7 @@ ms.topic: conceptual
Each security control lists recommendations that you can take to increase the security posture of your organization.

### Endpoint detection and response (EDR) optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.

>[!IMPORTANT]
>This feature is available for machines on Windows 10, version 1607 or later.
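Review bot: "complies to the minimum baseline configuration setting" keeps the wrong preposition; the idiom is "complies with". The change from "a" to "the" is fine, but the same sentence is repeated in every control section of this file, so fix the preposition in all of them in one pass.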
@ -45,17 +45,17 @@ You can take the following actions to increase the overall security score of you

For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).

### Microsoft Defender Antivirus (Microsoft Defender AV) optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AV.
### Windows Defender Antivirus (Windows Defender AV) optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV.

>[!IMPORTANT]
>This feature is available for machines on Windows 10, version 1607 or later.

#### Minimum baseline configuration setting for Microsoft Defender AV:
Machines are considered "well configured" for Microsoft Defender AV if the following requirements are met:
#### Minimum baseline configuration setting for Windows Defender AV:
A well-configured machine for Windows Defender AV meets the following requirements:

- Microsoft Defender AV is reporting correctly
- Microsoft Defender AV is turned on
- Windows Defender AV is reporting correctly
- Windows Defender AV is turned on
- Security intelligence is up-to-date
- Real-time protection is on
- Potentially Unwanted Application (PUA) protection is enabled
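Review bot: this hunk renames "Microsoft Defender Antivirus" back to "Windows Defender Antivirus" in the heading, the baseline heading and the bullets, while the same file keeps "Microsoft Defender ATP"; given the commit message says this resolves merge conflicts, confirm the older branding is the intended side of the merge rather than the base text winning by accident. The intro sentence also keeps "complies to"; "complies with" is the correct idiom.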
@ -64,16 +64,16 @@ Machines are considered "well configured" for Microsoft Defender AV if the follo
You can take the following actions to increase the overall security score of your organization:

>[!NOTE]
> For the Microsoft Defender Antivirus properties to show, you'll need to ensure that the Microsoft Defender Antivirus Cloud-based protection is properly configured on the machine.
> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.

- Fix antivirus reporting
- This recommendation is displayed when the Microsoft Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
- Turn on antivirus
- Update antivirus Security intelligence
- Turn on real-time protection
- Turn on PUA protection

For more information, see [Configure Microsoft Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).


### OS security updates optimization
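Review bot: "when the Windows Defender Antivirus is not properly configured" keeps a stray article in front of the product name; drop "the". The note about cloud-based protection needing to be configured before the properties show is the operationally important line in this section, so consider moving it above the bullet list heading rather than leaving it between the intro sentence and the first action.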
@ -90,15 +90,15 @@ You can take the following actions to increase the overall security score of you
For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter).


### Microsoft Defender Exploit Guard (Microsoft Defender EG) optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline.
### Windows Defender Exploit Guard (Windows Defender EG) optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline.


>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.

#### Minimum baseline configuration setting for Microsoft Defender EG:
Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:
#### Minimum baseline configuration setting for Windows Defender EG:
A well-configured machine for Windows Defender EG meets the following requirements:

- System level protection settings are configured correctly
- Attack Surface Reduction rules are configured correctly
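Review bot: "the Windows Defender EG events shows" has a number mismatch that survives the rewrite; "Windows Defender EG events show on the Microsoft Defender ATP Machine timeline" (no article, plural verb). The added comma after "according to the baseline" is a good fix.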
@ -148,48 +148,48 @@ You can take the following actions to increase the overall security score of you
- Turn on all system-level Exploit Protection settings
- Set all ASR rules to enabled or audit mode
- Turn on Controlled Folder Access
- Turn on Microsoft Defender Antivirus on compatible machines
- Turn on Windows Defender Antivirus on compatible machines

For more information, see [Microsoft Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).

### Microsoft Defender Application Guard (Microsoft Defender AG) optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline.
### Windows Defender Application Guard (Windows Defender AG) optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.

>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.

#### Minimum baseline configuration setting for Microsoft Defender AG:
Machines are considered "well configured" for Microsoft Defender AG if the following requirements are met:
#### Minimum baseline configuration setting for Windows Defender AG:
A well-configured machine for Windows Defender AG meets the following requirements:

- Hardware and software prerequisites are met
- Microsoft Defender AG is turned on compatible machines
- Windows Defender AG is turned on compatible machines
- Managed mode is turned on

##### Recommended actions:
You can take the following actions to increase the overall security score of your organization:
- Ensure hardware and software prerequisites are met
- Ensure that you meet the hardware and software prerequisites

>[!NOTE]
>This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.
>This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.

- Turn on Microsoft Defender AG on compatible machines
- Turn on Windows Defender AG on compatible machines
- Turn on managed mode


For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).


### Microsoft Defender SmartScreen optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
### Windows Defender SmartScreen optimization
A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen.

>[!WARNING]
> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.
> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.


>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.

#### Minimum baseline configuration setting for Microsoft Defender SmartScreen:
#### Minimum baseline configuration setting for Windows Defender SmartScreen:
The following settings must be configured with the following settings:
- Check apps and files: **Warn** or **Block**
- SmartScreen for Microsoft Edge: **Warn** or **Block**
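Review bot: "Windows Defender AG is turned on compatible machines" (baseline bullet and matching recommended action) is missing a word; "enabled on compatible machines" reads cleanly and avoids "turned on on". Under SmartScreen, "The following settings must be configured with the following settings:" doubles the phrase; "Configure the following settings as shown:" says the same. The AG note explaining that the prerequisites item does not itself add to the score is useful and should stay next to the bullet it qualifies, which the current placement does.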
@ -201,27 +201,27 @@ You can take the following actions to increase the overall security score of you
|
||||
- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
|
||||
- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
|
||||
|
||||
For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
|
||||
For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
|
||||
|
||||
|
||||
|
||||
### Microsoft Defender Firewall optimization
|
||||
A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall.
|
||||
### Windows Defender Firewall optimization
|
||||
A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall.
>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Microsoft Defender Firewall
#### Minimum baseline configuration setting for Windows Defender Firewall
- Microsoft Defender Firewall is turned on for all network connections
- Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
- Windows Defender Firewall is turned on for all network connections
- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked
- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked
For more information on Microsoft Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
>[!NOTE]
> If Microsoft Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
##### Recommended actions:
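Review bot: the rewritten NOTE line "> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely." carries the grammar error "configured in a securely" over from the old line; since the line is being changed anyway, make it "is configured securely". In the same hunk the fourth baseline bullet, "Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked", does not parallel the domain and private bullets; "Secure public profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked" keeps the three bullets consistent. The rename to Windows Defender Firewall matches the linked planning-settings page, which is the product's actual name.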
@ -234,7 +234,7 @@ You can take the following actions to increase the overall security score of you
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
For more information, see [Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
### BitLocker optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker.
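Review bot: the link text now matches the title of the target page (windows-firewall-with-advanced-security), which is correct; while here, the context line "A well-configured machine complies to the minimum baseline configuration setting" should read "complies with", and the same phrase recurs in the Credential Guard section below.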
@ -258,17 +258,17 @@ You can take the following actions to increase the overall security score of you
For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).
### Microsoft Defender Credential Guard optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Credential Guard.
### Windows Defender Credential Guard optimization
A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard.
>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Microsoft Defender Credential Guard:
Well-configured machines for Microsoft Defender Credential Guard meets the following requirements:
#### Minimum baseline configuration setting for Windows Defender Credential Guard:
Well-configured machines for Windows Defender Credential Guard meets the following requirements:
- Hardware and software prerequisites are met
- Microsoft Defender Credential Guard is turned on compatible machines
- Windows Defender Credential Guard is turned on compatible machines
##### Recommended actions:
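Review bot: two of the rewritten lines keep grammar errors that should be fixed while the lines are being touched: "Well-configured machines for Windows Defender Credential Guard meets the following requirements:" needs "meet" (plural subject), and "Windows Defender Credential Guard is turned on compatible machines" is missing a preposition and would read "is turned on for compatible machines" or "is enabled on compatible machines". The rename itself is right; Windows Defender Credential Guard kept its name when the ATP service was rebranded.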
@ -279,7 +279,7 @@ You can take the following actions to increase the overall security score of you
- Fix sensor data collection
- The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
For more information, see [Manage Microsoft Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
@ -51,6 +51,9 @@ Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals t
## Office 365 Advanced Threat Protection (Office 365 ATP)
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
>[!NOTE]
> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP.
## Skype for Business
The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
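Review bot: in the added NOTE, "After that, the data is no longer available in Office 365 ATP." is ambiguous: "after that" could mean after the 30-day window or after the alert's first activity time. State the retention explicitly, for example "After 30 days from the first activity time, the data is no longer available in Office 365 ATP", if that is what is meant. The hunk's unchanged context line also carries two typos worth a drive-by fix: "provides s a way" and "through ao simple button".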