@@ -83,6 +84,16 @@ In conjunction with being able to quickly respond to advanced attacks, Windows D - [Manage automated investigations](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) - [Analyze automated investigation](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md#analyze-automated-investigations) + + +**[Microsoft Threat Experts](windows-defender-atp/microsoft-threat-experts.md)**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +- [Targeted attack notification](windows-defender-atp/microsoft-threat-experts.md) +- [Experts-on-demand](windows-defender-atp/microsoft-threat-experts.md) +- [Configure your Microsoft Threat Protection managed hunting service](windows-defender-atp/configure-microsoft-threat-experts.md) + + **[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md index 9aad83e9c5..7bf12c4b20 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md @@ -2,7 +2,6 @@ # [AppLocker](applocker-overview.md) ## [Administer AppLocker](administer-applocker.md) -### [Administer AppLocker using MDM](administer-applocker-using-mdm.md) ### [Maintain AppLocker policies](maintain-applocker-policies.md) ### [Edit an AppLocker policy](edit-an-applocker-policy.md) ### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md deleted file mode 100644 index af56b3544c..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Administering AppLocker by using Mobile Device Management (MDM) (Windows 10) -description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. -ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: justinha -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/01/2018 ---- - -# Administering AppLocker by using Mobile Device Management (MDM) - -**Applies to** - - Windows 10 - - Windows Server - - diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index f89dbc8e24..a9404e4e52 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -94,6 +94,10 @@ #### [Information protection in Windows overview](information-protection-in-windows-overview.md) + +### [Microsoft Threat Experts](microsoft-threat-experts.md) + + ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) @@ -331,6 +335,11 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md) + + + +### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) + ### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 850fea7739..d0a2edbc27 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts. -keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period +keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -77,7 +77,7 @@ Corresponds to the automated investigation state. You can choose between showing alerts that are assigned to you or automation. ### Detection source -Select the source that triggered the alert detection. +Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service. >[!NOTE] >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md new file mode 100644 index 0000000000..dca722db26 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md @@ -0,0 +1,116 @@ +--- +title: Configure and manage Microsoft Threat Experts capabilities +description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work. +keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMV +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 02/28/2019 +--- + +# Configure and manage Microsoft Threat Experts capabilities +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease�information](prerelease.md)] + +## Before you begin +To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. + +You also need to ensure that you have Windows Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. + + +## Register to Microsoft Threat Experts preview +If you're already a Windows Defender ATP customer, you can apply for preview through the Windows Defender ATP portal. + +1. From the navigation pane, go to **Settings > General > Advanced features > Threat Experts**. + +2. Click **Apply for preview**. + +3. In the **Apply for preview** dialog box, read and make sure you understand the preview's terms of agreement. + +4. Enter your name and email address so that Microsoft can get back to you on your application. + +5. Read the privacy statement, then click **Submit** when you're done. + + >[!NOTE] + >You will receive a welcome email once your application is approved. Then, from the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. + + +## Receive targeted attack notification from Microsoft Threat Experts +You can receive targeted attack notification from Microsoft Threat Experts through the following: +- The Windows Defender ATP portal's **Alerts** dashboard +- Your email, if you choose to configure it + +To receive targeted attack notifications through email, you need to create an email notification rule. + +### Create an email notification rule +You can create rules to send email notifications for notification recipients. See Configure alert notifications to create, edit, delete, or troubleshoot email notification, for details. + + +## View the targeted attack notification +You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification. + +1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**. + +2. From the dashboard, select the same alert topic that you got from the email, to view the details. + + +## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization +You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. + +1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. +2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. +3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket. + + **Step 1: Provide information** + a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu.
+ + b. Enter the additional details to give the threat experts more context of what you’d like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab.
+ + c. Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages.
+ + **Step 2: Open a support ticket** + + >[!NOTE] + >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. + + a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
+ + - **Select the product family**: **Security** + - **Select a product**: **Microsoft Threat Experts** + - **Select a category that best describes the issue**: **Windows Defender ATP** + - **Select a problem that best describes the issue**: Choose according to your inquiry category + + b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**. + + c. In the **Select a support plan** page, select **Professional No Charge**. + + d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**. + + e. Verify your contact details and add another if necessary. Then, click **Next**. + + f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number. + +## Scenario + +### Receive a progress report about your managed hunting inquiry +Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories: +- More information is needed to continue with the investigation +- A file or several file samples are needed to determine the technical context +- Investigation requires more time +- Initial information was enough to conclude the investigation + +It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details. + diff --git a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png index ff9c97c86e..3fae6eba9a 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png index 887498f7bc..fa8836ea1f 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png index 28b5b3156f..dd521d492a 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg new file mode 100644 index 0000000000..ed71564e87 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png index 7e6df62bdf..f2622cbc2b 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg new file mode 100644 index 0000000000..020b1d4132 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png new file mode 100644 index 0000000000..d5b9b48086 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg new file mode 100644 index 0000000000..d089da2493 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png index df1b70e041..6066f305a2 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png index 95908405ce..e69ea2a796 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png and b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png new file mode 100644 index 0000000000..41faa16718 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md new file mode 100644 index 0000000000..3e66a55ad7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md @@ -0,0 +1,47 @@ +--- +title: Microsoft Threat Experts +description: Microsoft Threat Experts is the new managed threat hunting service in Windows Defender Advanced Threat Protection (Windows Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +keywords: managed threat hunting service, managed threat hunting, MTE, Microsoft Threat Experts +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMV +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +--- + +# Microsoft Threat Experts +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease�information](prerelease.md)] + +Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. + +This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +## Targeted attack notification +Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes: +- Threat monitoring and analysis, reducing dwell time and risk to the business +- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks +- Identifying the most important risks, helping SOCs maximize time and energy +- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. + +## Collaborate with experts, on demand +Customers can engage our security experts directly from within Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: +- Get additional clarification on alerts including root cause or scope of the incident +- Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker +- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques +- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary + + +## Related topic +- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index 2c428b9ff1..9a6873627f 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -34,6 +34,7 @@ The following capability are included in the February 2019 preview release. - [Reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization. +- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. ## October 2018 diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index f47bbf1c7e..7f9c549ba1 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, secure score, advanced hunting, microsoft threat protection +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -54,15 +53,16 @@ Windows Defender ATP uses the following combination of technology built into Win
Next generation protection
Endpoint detection and response
Automated investigation and remediation
Microsoft Threat Experts
Secure score
Advanced hunting