mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
fix broken links
@ -2,7 +2,7 @@
title: View and organize the Windows Defender ATP Alerts queue
description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
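Review bot: `search.product: eADQiWindows 10XVcnh` appears as both the removed and the added line with no visible difference, so the change here is presumably whitespace or encoding only; a commit titled "fix broken links" should either say so in its message or leave such lines untouched so the link changes stay reviewable on their own. While in this front matter, the description has a number-agreement slip: "how the Windows Defender ATP alerts queue work" should read "works".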
@ -37,7 +37,7 @@ There are three mechanisms to pivot the queue against:

1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing:

- **Newest** - Sorts alerts based on when the alert was last seen on an endpoint.
- **Newest** - Sorts alerts based on when the alert was last seen on an endpoint.
- **Time in queue** - Sorts alerts by the length of time an alert has been in the queue.
- **Severity** - Sorts alerts by their level of severity.

@ -56,10 +56,9 @@ There are three mechanisms to pivot the queue against:
- **6 months**

> **Note** You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon 


### Related topics

- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)

- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

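Review bot: the rewritten Related topics list silently drops the `[Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)` entry instead of renaming it like the other three. If the deep-analysis topic no longer exists as its own file, point the entry at the section that replaced it (the investigate-files topic touched later in this commit carries a Deep analysis section); if the removal is intentional, it is a content change that the "fix broken links" commit message should mention.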
@ -2,7 +2,7 @@
title: Configure Windows Defender ATP endpoints
description: Use Group Policy to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -22,7 +22,7 @@ You can use a Group Policy (GP) configuration package or an automated script to
1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://seville.windows.com): <span style="background-color: yellow;">Naama: Confirm package name</span>

a. Click **Client onboarding** on the **Navigation pane**.


b. Select **SCCM**, click **Download package**, and save the .zip file. <span style="background-color: yellow;">Iaan: Need to confirm the UI for this</span>

2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package.
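Review bot: the two highlighted author notes in this hunk, `<span style="background-color: yellow;">Naama: Confirm package name</span>` on step 1 and `<span style="background-color: yellow;">Iaan: Need to confirm the UI for this</span>` on step b, are unresolved drafting comments and will render in the published topic; resolve them (confirm the package name and the download UI) and delete the spans before merge. The portal URL `https://seville.windows.com` in the same step should be confirmed at the same time, since this commit is the one fixing links.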
@ -46,9 +46,9 @@ Using the GP configuration package ensures your endpoints will be correctly conf
1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://seville.windows.com):

a. Click **Client onboarding** on the **Navigation pane**.


b. Select **GP**, click **Download package** and save the .zip file.


2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called _*OptionalParamsPolicy*_ and the file _*WindowsATPOnboardingPackage.cmd*_.

3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -65,9 +65,9 @@ Using the GP configuration package ensures your endpoints will be correctly conf

9. Click **OK** and close any open GPMC windows.

For additional settings, see the [Additional configuration settings section](additional-configuration-windows-advanced-threat-protection.md).
For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).

## Configure endpoints manually with registry changes
## Configure endpoints manually with registry changes
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.

1. Extract the contents of the configuration package to a location on
@ -77,9 +77,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
script:

a. Click **Start** and type **cmd**.


b. Right-click **Command prompt** and select **Run as administrator**.




3. Type the location of the script file. If you copied the file the
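Review bot: the section these steps belong to is headed "Configure endpoints manually with registry changes", yet the steps here extract the configuration package and run the onboarding script from an elevated command prompt; no registry value is named anywhere in the hunk. Either document the registry values the script writes (so the heading is accurate and an administrator can verify the result) or rename the heading to match the script-based procedure.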
@ -87,10 +87,10 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You

4. Press the **Enter** key or click **OK**.

See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.

## Related topics
- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

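Review bot: this file uses `## Related topics` (H2) while the other topics in the same commit use `### Related topics` (H3); pick one level across the set so the generated table of contents is consistent. The four link renames themselves are consistent with the `-windows-defender-advanced-threat-protection.md` pattern used elsewhere in the commit.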
@ -1,14 +1,14 @@
---
title: View the Windows Defender Advanced Threat Protection Dashboard
title: View the Windows Defender Advanced Threat Protection Dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
---

# View the Windows Defender Advanced Threat Protection Dashboard
# View the Windows Defender Advanced Threat Protection Dashboard

- Windows 10 Insider Preview

@ -17,7 +17,7 @@ ms.sitesec: library
The **Dashboard** displays a snapshot of:

- The latest active alerts on your network
- Machines reporting
- Machines reporting
- Top machines with active alerts
- The overall status of Windows Defender ATP for the past 30 days
- Machines with active malware detections
@ -29,24 +29,24 @@ From the **Dashboard** you will see aggregated events to facilitate the identifi
It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.

## ATP alerts
You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.



Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).

See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) topic for more information.
See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.

The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md) topics for more information.
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.

## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).



Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-advanced-threat-protection.md#investigate-a-machine) topic for more information.
Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.

You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](machines-view-windows-advanced-threat-protection.md) topic for more information.
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](machines-view-windows-defender-advanced-threat-protection.md) topic for more information.

## Status
The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
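Review bot: renaming the file in `[Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine)` does not validate the `#investigate-a-machine` fragment; confirm a heading that produces that anchor exists in the renamed target, because the very next paragraph sends readers to the Machines view topic for machine investigation, which suggests the fragment may belong on `machines-view-windows-defender-advanced-threat-protection.md` instead. In the Machines at risk paragraph, "(hover over each severity bar to its label)" is missing a verb; "to see its label" reads correctly.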
@ -54,11 +54,11 @@ The **Status** tile informs you if the service is active and running and the spe


## Machines reporting
The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.



## Machines with active malware detections
## Machines with active malware detections
The **Active malware** tile will only appear if your endpoints are using Windows Defender.

Active malware is defined as threats that are actively executing at the time of detection.
@ -77,12 +77,11 @@ The chart is sorted into five categories:

Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk.

Clicking on any of these categories will navigate to the [Machines view](machines-view-windows-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
Clicking on any of these categories will navigate to the [Machines view](machines-view-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.

> **Note** The **Active malware** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.

### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

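Review bot: the dashboard's Related topics list loses the deep-analysis entry (`deep-analysis-windows-advanced-threat-protection.md`) rather than getting a renamed link like its three neighbours; if that topic has moved into the investigate-files topic, link to it there instead of dropping the cross-reference. Separately, the `> **Note**` at the end of this hunk restates the sentence that opens the section ("The **Active malware** tile will only appear if your endpoints are using Windows Defender."); keep the note, which carries the link and the "default real-time protection antimalware product" qualifier, and drop the bare sentence at the top.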
@ -1,15 +1,15 @@
---
title: Windows Defender ATP data storage and privacy
title: Windows Defender ATP data storage and privacy
description: Learn about how Windows Defender ATP handles privacy and data that it collects.
keywords: Windows Defender ATP data storage and privacy, storage, privacy
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DulceMV
author: DulceMV
---

# Windows Defender ATP data storage and privacy
# Windows Defender ATP data storage and privacy

- Windows 10 Insider Preview

@ -23,18 +23,18 @@ Microsoft will collect and store information from your configured endpoints in a

Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).

Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).

Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.

We do not mine your data for advertising or for any other purpose other than providing you the service.

## Do I have the flexibility to select where to store my data?

Yes. Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties you specify when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the TAP stage (see the question [Is there a difference between how you handle data for the TAP program and for General Availability?](#Is-there-a-difference-between-how-Microsoft-handles-data-for-the-TAP-program-and-foR-General-Availability?). If you have concerns about storage of data in a particular country, please contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
Yes. Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties you specify when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the TAP stage (see the question [Is there a difference between how you handle data for the TAP program and for General Availability?](#Is-there-a-difference-between-how-Microsoft-handles-data-for-the-TAP-program-and-for-General-Availability?). If you have concerns about storage of data in a particular country, please contact [winatp@microsoft.com](mailto:winatp@microsoft.com).

## Is my data isolated from other customer data?
Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
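Review bot: the in-page link fix only changes `foR-General` to `for-General`, but the fragment `#Is-there-a-difference-between-how-Microsoft-handles-data-for-the-TAP-program-and-for-General-Availability?` still carries capitals and a trailing `?`, which generated heading ids do not keep (they are lower-cased with punctuation removed), so the link is likely to stay broken; `#is-there-a-difference-between-how-microsoft-handles-data-for-the-tap-program-and-for-general-availability` is the form that matches the heading later in this file. In the same sentence the parenthesis opened at "(see the question" is never closed, and the link text says "how you handle data" while the target heading reads "how Microsoft handles data".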
@ -43,28 +43,28 @@ Yes. The new cloud service provides appropriate segregation at a number of level

Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:

- Tight access control to sensitive data
- Combinations of controls that greatly enhance independent detection of malicious activity
- Multiple levels of monitoring, logging, and reporting
- Tight access control to sensitive data
- Combinations of controls that greatly enhance independent detection of malicious activity
- Multiple levels of monitoring, logging, and reporting

Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties.
Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties.

## Is data shared with other customers?
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing (for example, deep file analysis processing), and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

## How long will Microsoft store my data? What is Microsoft’s data retention policy?
Your data privacy is one of our key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days from contract termination or expiration.
Your data privacy is one of our key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days from contract termination or expiration.

## Can you help us maintain regulatory compliance?
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
Microsoft provides customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.

## Is there a difference between how Microsoft handles data for the TAP program and for General Availability?
When you onboard your service during TAP, you will be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:

1. You choose Europe as your datacenter, and
2. You [submit a file for deep analysis](deep-analysis-windows-advanced-threat-protection.md).
2. You [submit a file for deep analysis](submit-files-for-analysis#investigate-files-windows-defender-advanced-threat-protection.md).

In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.


This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).

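Review bot: the replacement link in step 2, `[submit a file for deep analysis](submit-files-for-analysis#investigate-files-windows-defender-advanced-threat-protection.md)`, has the file name and the fragment swapped: the part before `#` is the path and the part after it is the anchor, so as written it resolves to a non-existent file named `submit-files-for-analysis`. It should read `investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis`, and the anchor must correspond to a real heading in that file (the hunk for that file later in this commit shows only a `##Deep analysis` heading, written without the space after `##`, so check which heading actually exists and what id it generates).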
@ -2,7 +2,7 @@
title: Investigate Windows Defender Advanced Threat Protection alerts
description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -14,7 +14,7 @@ ms.sitesec: library

<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.

There are three alert severity levels, described in the following table.

@ -26,13 +26,13 @@ Low (Yellow) | Threats associated with prevalent malware and hack-tools that pos

Reviewing the various alerts and their severity can help you take the appropriate action to protect your organization's endpoints.

Alerts are organized in three queues, by their workflow status:
Alerts are organized in three queues, by their workflow status:

- **New**
- **In progress**
- **Resolved**

You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-advanced-threat-protection.md).
You can investigate alerts by clicking an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).

Details about the alert is displayed such as:
- Alert information such as when it was last observed
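Review bot: the context line "Details about the alert is displayed such as:" that introduces the list has a subject-verb mismatch and a missing comma; "Details about the alert are displayed, such as:" is the intended sentence, and since this hunk already touches the paragraph above it the fix fits here.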
@ -46,7 +46,6 @@ Details about the alert is displayed such as:
Depending on the type of alert, you click on the name to see a detailed report about the threat. You'll see information such as a brief introduction of the threat, its interests, tools, tactics, and processes, and the areas it affects worldwide.

### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

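Review bot: this is the third Related topics list in the commit where the `deep-analysis-windows-advanced-threat-protection.md` entry is removed instead of renamed; whatever replaced that topic (the investigate-files topic's Deep analysis section is the obvious candidate) should be linked from here, and the removal across all three files belongs in the commit message.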
@ -2,14 +2,14 @@
title: Investigate Windows Defender Advanced Threat Protection files
description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
keywords: investigate, investigation, files, malicious activity, attack motivation
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: mjcaparas
---
# Investigate a file
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.

You can get information from the following sections in the file view:

@ -22,9 +22,9 @@ The file details section shows attributes of the file such as its MD5 hash or nu

The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.

The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.
The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.

The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.
The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.

You'll see a list of machines associated with the file and a description of the action taken by the file.

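Review bot: "see the **Deep analysis** topic" at the end of the first paragraph is bold text rather than a link, and the deep-analysis content is a section further down this same file, so in a link-fixing commit this should become an in-page link (for example `[Deep analysis](#deep-analysis)`, which only works once that section's heading is written as `## Deep analysis` with a space so that an id is generated for it).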
@ -32,30 +32,30 @@ You'll see a list of machines associated with the file and a description of the

1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
- Search box - select **File** from the drop-down menu and enter the file name
- Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
- Search box - select **File** from the drop-down menu and enter the file name
2. View the file details.
3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.

##Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.

The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files).
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files).

Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.

Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.

## Submit files for analysis

Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.

In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.

> **Note** Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.

> **Note** Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.

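Review bot: `##Deep analysis` has no space after the hashes, so CommonMark renders it as literal text rather than a heading and no `#deep-analysis` anchor is generated; since this hunk already rewrites the surrounding lines for whitespace, change it to `## Deep analysis`. The same block also states "Deep analysis currently supports extensive analysis of PE (portable executable) files" twice in the new text and the PE-only note further down restates it; one statement would do.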
@ -63,30 +63,30 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure

**Submit files for deep analysis:**

1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop-down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop-down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.

![Image of deep analysis section](images/submit-file.png)

>**Note** Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files

A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.

> **Note** Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
> **Note** Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.

## View deep analysis report

View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.

You can view the comprehensive report that provides details on:
You can view the comprehensive report that provides details on:

- Observed behaviors
- Associated artifacts

The details provided can help you investigate if there are indications of a potential attack.
The details provided can help you investigate if there are indications of a potential attack.

**View deep analysis reports:**

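Review bot: the navigation list under "Submit files for deep analysis" says the Machines view file links live in the **Machine in organization** section, while the identical list earlier on the page ("Select the file you want to investigate") calls it the **Observed on machine** section; one of the two section names is wrong and both lists are being rewritten here, so make them agree. Also `>**Note**` on the PE-only note lacks the space after `>` that every other note on the page uses.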
@ -97,7 +97,7 @@ The details provided can help you investigate if there are indications of a pote

## Troubleshooting deep analysis

If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.

**Troubleshoot deep analysis:**

@ -112,13 +112,13 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the GPO. See [Configure with Group Policy](additional-configuration-windows-advanced-threat-protection.md#configure-with-group-policy).
5. Change the organizational unit through the GPO. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).

> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.

### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

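Review bot: the note "If the value *AllowSampleCollection* is not available, the client will allow sample collection by default" states the security-relevant default for this registry value, yet it sits after step 6 (contact support) instead of next to the `HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection` block it explains; move it directly after the closing fence so a reader setting the value sees that absence means allow. The `additional-configuration-windows-defender-advanced-threat-protection.md` target follows the same `*-windows-defender-*` naming as the other links fixed in this commit, so the rename itself looks consistent.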
@ -2,7 +2,7 @@
title: Investigate machines in the Windows Defender ATP Machines view
description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -14,45 +14,45 @@ ms.sitesec: library

<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.

Use the Machines view in these two main scenarios:
Use the Machines view in these two main scenarios:

- **During onboarding**
- During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis.
- During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
- The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
- The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.

The Machines view contains the following columns:
The Machines view contains the following columns:

- **Machine name** - the name or GUID of the machine
- **Machine name** - the name or GUID of the machine
- **Domain** - the domain the machine belongs to
- **Last seen** - when the machine last reported telemetry
- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
- **Last seen** - when the machine last reported telemetry
- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
- **Active Alerts** - the number of alerts reported by the machine by severity
- **Active malware detections** - the number of active malware detections reported by the machine

> **Note** The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> **Note** The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.

Click any column header to sort the view in ascending or descending order.
Click any column header to sort the view in ascending or descending order.

![Image of the Machines view with Active alerts and Active malware detections](images/machines-view.png)

You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines.
You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines.

The view contains two filters: time and threat category.

You can filter the view by the following time periods:
You can filter the view by the following time periods:

- 1 day
- 3 days
- 7 days
- 30 days
- 6 months
- 1 day
- 3 days
- 7 days
- 30 days
- 6 months

> **Note** When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
> **Note** When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.

The threat category filter lets you filter the view by the following categories:
The threat category filter lets you filter the view by the following categories:

- Password stealer
- Ransomware
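Review bot: these lines are rewritten for trailing whitespace only and carry two typos that should go in the same pass: "sort and filer" should be "sort and filter", and "identify machines that are most at risk in a glance" should be "at a glance". Also "By sorting the machines by risk" names a risk sort, while the sortable columns listed below are Machine name, Last seen, IP, Active Alerts and Active malware detections; say which column (Active Alerts, presumably) the reader should sort on.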
@ -60,21 +60,21 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity

See the [Investigate machines with active alerts](dashboard-windows-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.

You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.

**Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
**Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.

## Investigate a machine
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.

You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:

- The [Machines view](machines-view-windows-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-advanced-threat-protection.md)
- The [Machines view](machines-view-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
- Any individual file details view
- Any IP address or domain details view

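Review bot: the fixed link "Investigate machines with active alerts" still points at the anchor `#investigate-machines-with-active-malware-detections`; the link text and the anchor name different sections, so check which heading actually exists on the dashboard page and make the text match it, otherwise the corrected filename still lands on a missing anchor. The CSV export sentence also tells the reader to click the **Manage Alert** menu icon while on the Machines view; confirm that is the icon's name outside the alert context, since the same icon is described on the alerts page.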
@ -87,7 +87,7 @@ When you investigate a specific machine, you'll see:

The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.

The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.

The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.

@ -104,10 +104,10 @@ You can also filter by:
- Signed or unsigned files
- Detections mode: displays Windows ATP Alerts and detections
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
- Logged on users, System, Network, or Local service

Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.

Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.

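Review bot: "Detections mode: displays Windows ATP Alerts and detections" uses "Windows ATP" where the rest of the page says "Windows Defender ATP"; fix the product name while the neighbouring lines are being rewritten for whitespace. A one-line lead-in saying that each mode is a superset of the one above it would also help, since "detections" and "behaviors" are currently defined only by the order of the bullets.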
@ -117,29 +117,28 @@ From the **Machine view**, you can also navigate to the file, IP, or URL view an

From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.

Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.

![Image of machine timeline with events](images/machine-timeline.png)


**Investigate a machine:**

1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
- **Dashboard** - click the machine name from the **Top machines with active alerts** section
- **Alerts queue** - click the machine name beside the machine icon
- **Machines view** - click the heading of the machine name
- **Search box** - select **Machine** from the drop-down menu and enter the machine name
2. Information about the specific machine is displayed.
- **Machines view** - click the heading of the machine name
- **Search box** - select **Machine** from the drop-down menu and enter the machine name
2. Information about the specific machine is displayed.


**Use the machine timeline**

1. Use the sort and filter feature to narrow down the search results.
1. Use the sort and filter feature to narrow down the search results.
2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
3. Click the expand icon ![The expand icon looks like a slanted arrow](images/expand-icon.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
3. Click the expand icon ![The expand icon looks like a slanted arrow](images/expand-icon.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.


### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)

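Review bot: the related-topics list shrinks from four entries to three (hunk header `-117,29 +117,28`): the "Submit files to the Windows Defender ATP Deep analysis feature" link is deleted rather than repointed. If that topic was folded into the Investigate a file page (which, in this same commit, carries the "Submit files for analysis" and deep analysis sections), link to that topic instead so readers of the Machines view can still reach the submission procedure; if the topic is gone for good, say so in the commit message rather than silently dropping the cross-reference under "fix broken links".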
@ -2,7 +2,7 @@
title: Manage Windows Defender Advanced Threat Protection alerts
description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -14,15 +14,15 @@ ms.sitesec: library

<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.

See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.

Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.

![Image of the manage alert menu](images/manage-alert-menu.png)

The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts.
The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts.

You can use the **Manage Alert** menu to:

@ -57,18 +57,18 @@ The comments and change of status are recorded in the [Comments and history wind

## Suppress alerts

Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**.
Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**.

Suppression rules can be created from an existing alert.
Suppression rules can be created from an existing alert.

When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.

There are two contexts for a suppression rule that you can choose from:
There are two contexts for a suppression rule that you can choose from:

- **Suppress alert on this machine**
- **Suppress alert in my organization**

The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:

**Context** | **Definition** |**Example scenarios**
---|---|---
@ -90,14 +90,14 @@ The context of the rule lets you tailor the queue to ensure that only alerts you

![Image of suppression rules](images/suppression-rules.png)

> **Note** You can also click **See rules** in the confirmation window that appears when you suppress an alert.
> **Note** You can also click **See rules** in the confirmation window that appears when you suppress an alert.

The list of suppression rules shows all the rules that users in your organization have created.
Each rule shows:
Each rule shows:

- (1) The title of the alert that is suppressed
- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
- (3) The date when the alert was suppressed
- (3) The date when the alert was suppressed
- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.

![Image of suppression rule list](images/suppression-rule-list.png)
@ -112,7 +112,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
2. Click **Comments and history** to view related comments and history on the alert.

Comments are indicated by a message box icon (![Image of message box icon](images/comments-icon.png)) and include the username of the commenter and the time the comment was made.
Comments are indicated by a message box icon (![Image of message box icon](images/comments-icon.png)) and include the username of the commenter and the time the comment was made.

**Add a new comment:**

@ -123,13 +123,12 @@ The comment will appear instantly.
|
||||
|
||||
You will also be prompted to enter a comment if you change the status of an alert to **Resolved**.
|
||||
|
||||
Changes are indicated by a clock icon (), and are automatically recorded when:
|
||||
Changes are indicated by a clock icon (), and are automatically recorded when:
|
||||
|
||||
- The alert is created
|
||||
- The status of the alert is changed
|
||||
- The status of the alert is changed
|
||||
|
||||
### Related topics
|
||||
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-advanced-threat-protection.md)
|
||||
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-advanced-threat-protection.md)
|
||||
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-advanced-threat-protection.md)
|
||||
- [Submit files to the Windows Defender ATP Deep analysis feature](deep-analysis-windows-advanced-threat-protection.md)
|
||||
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
|
||||
- [Investigate machines in the Windows Defender ATP Machines view](machines-view-windows-defender-advanced-threat-protection.md)
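Review bot: the Related topics list drops the `Submit files to the Windows Defender ATP Deep analysis feature` entry (`deep-analysis-windows-advanced-threat-protection.md`) instead of renaming it to the `-windows-defender-` form applied to the other three links, and nothing in this hunk shows the deep-analysis topic itself being removed. If that topic still exists under the new naming, keep the entry as `deep-analysis-windows-defender-advanced-threat-protection.md`; if the cross-reference is being deleted on purpose, say so in the commit message, since "fix broken links" does not cover removing a link.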
@ -1,8 +1,8 @@
---
title: Monitor the Windows Defender ATP onboarding
title: Monitor the Windows Defender ATP onboarding
description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -32,9 +32,9 @@ Monitoring can be done directly on the portal, or by using System Center Configu

> **Note** It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.

## Monitor with System Center Configuration Manager
## Monitor with System Center Configuration Manager

Monitoring with SCCM consists of two parts:
Monitoring with SCCM consists of two parts:

1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.

@ -50,7 +50,7 @@ Monitoring with SCCM consists of two parts:

4. Review the status indicators under **Completion Statistics** and **Content Status**.

If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for more information.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.

<span style="background-color: yellow;">Naama: Is this a correct process for idendtifying/resolving issues? YES!</span>
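Review bot: the link target is corrected, but the hunk's trailing context line still carries an internal review comment, `<span style="background-color: yellow;">Naama: Is this a correct process for idendtifying/resolving issues? YES!</span>`, which renders in the published topic. The question has been answered, and the line is already inside this hunk, so strip the span in the same commit. Minor, on the line being rewritten: the bold should close after `**Failed**`, not wrap `**Failed statuses**`, since "statuses" is not part of the status name.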

@ -66,30 +66,30 @@ If there are failed deployments (endpoints with **Error**, **Requirements Not Me

2. In the SCCM console, click **Assets and Compliance** at the bottom of the navigation pane.

3. Click **Overview** and then **Compliance Settings**.
3. Click **Overview** and then **Compliance Settings**.

4. In the main area of the SCCM console, click **Configuration Baselines** and import the provided cab. <span style="background-color: yellow;">Iaan: Need to confirm that 'import' is available/ UI is correct</span>

5. Right-click the imported baseline and deploy to a predefined device collection. <span style="background-color: yellow;">Naama: Is this 'export' as in the screenshot, or is that showing something else?</span>

4. In the main area of the SCCM console, click **Configuration Baselines** and import the provided cab. <span style="background-color: yellow;">Iaan: Need to confirm that 'import' is available/ UI is correct</span>

5. Right-click the imported baseline and deploy to a predefined device collection. <span style="background-color: yellow;">Naama: Is this 'export' as in the screenshot, or is that showing something else?</span>



<span style="background-color: yellow;">Iaan: Need to confirm this is what it looks like</span>

6. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
6. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.

7. Click **Overview** and then **Deployments**.
7. Click **Overview** and then **Deployments**.

8. Click the deployment with the package name <span style="background-color: yellow;">Naama: What is the name of the deployment, will it always be the same for every user/installation?</span>

<span style="background-color: yellow;">Naama: How does one know if there is an issue?</span>

If there are non-compliant endpoints (endpoints with ?????), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender ATP onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) topic for more information.
If there are non-compliant endpoints (endpoints with ?????), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender ATP onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.

<span style="background-color: yellow;">Naama: Is this a correct process for resolving issues?</span>]]]

## Related topics
- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
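Review bot: the rewritten line `If there are non-compliant endpoints (endpoints with ?????), ...` keeps the `?????` placeholder, so the sentence is still unfinished after the link fix, and the hunk also ships six highlighted `<span style="background-color: yellow;">` author queries (the Iaan and Naama comments on steps 4, 5 and 8, the two stand-alone ones, and the one after the non-compliant line) plus a stray `]]]` after the last of them; all of this renders in the published page. Either resolve the placeholder and remove the review spans while this hunk is open, or leave the file to a separate content commit rather than changing only the link. Steps 3, 4, 5, 6 and 7 also appear twice with no visible difference, which suggests whitespace-only changes are mixed into the link fix.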
@ -2,7 +2,7 @@
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -16,33 +16,33 @@ author: DulceMV
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

Enterprise security teams can use the portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
Enterprise security teams can use the portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.

You can use the [Windows Defender ATP portal](https://seville.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
- Change Windows Defender ATP settings, including time zone and alert suppression rules

## Windows Defender ATP portal
## Windows Defender ATP portal
When you open the portal, you’ll see the main areas of the application:
- (1) Settings
- (2) Navigation pane
- (3) Main portal
- (4) Search bar




You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.

Area | Description
Area | Description
:---|:---
(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Preferences setup**| Shows the settings you selected during [service onboarding](service-onboarding-windows-advanced-threat-protection.md), and lets you update your industry preferences and retention policy period.
**Preferences setup**| Shows the settings you selected during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md), and lets you update your industry preferences and retention policy period.
**Client onboarding**| Allows you to download the onboarding configuration package.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
@ -50,14 +50,14 @@ Area | Description
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:

Icon | Description
Icon | Description
:---|:---
| Alert – Indication of an activity correlated with advanced attacks.
| Detection – Indication of a malware threat detection.
| Active threat – Threats actively executing at the time of detection.
| Detection – Indication of a malware threat detection.
| Active threat – Threats actively executing at the time of detection.
| Remediated – Threat removed from the machine
| Not remediated – Threat not removed from the machine.
| Not remediated – Threat not removed from the machine.


### Related topic
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
@ -2,14 +2,14 @@
title: Windows Defender ATP service onboarding
description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: mjcaparas
---

# Windows Defender ATP service onboarding
# Windows Defender ATP service onboarding

- Windows 10 Insider Preview
- Azure Active Directory
@ -22,10 +22,10 @@ You have to assign users to the Windows ATP Service application in Azure Active

1. When you first go to the [Windows Defender ATP portal](https://seville.windows.com/) and your directory does not
have users assigned to the Windows ATP Service application, you will
be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.

> **Note** In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.

2. Ensure you have logged in to Microsoft Azure with an account that
has permissions to assign users to an application in AAD. You might
need to sign out of Microsoft Azure and then sign back in again if
@ -33,34 +33,34 @@ You have to assign users to the Windows ATP Service application in Azure Active
portal:

a. On the top menu, click the signed-in user’s name.

b. Click **Sign out**.

b. Click **Sign out**.



c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.

d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD.

3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).



4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:

a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.



b. Scroll down in the navigation pane and click **Active Directory**.



5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
called **Contoso**.



> **Note** You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.

6. Click **Applications** from the top menu bar.
@ -76,10 +76,10 @@ You have to assign users to the Windows ATP Service application in Azure Active
8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.




> **Note** If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md) section for instructions on adding users to a directory.

> **Note** If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.

9. Select the user you want manage.
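Review bot: the Note whose link is being renamed still reads "or we might have created a test tenant specifically for a single user's account", which is a message from the product team to a preview evaluator rather than product documentation; since the line is being edited anyway, reword it to describe the customer's situation (for example, that the tenant may have been created for a single account) or drop the clause. The same line calls the link target a "section", but the link points at the whole troubleshooting topic; if a specific section on adding users is meant, link to it with an anchor. Separately, step 9 in the trailing context is missing "to": `Select the user you want to manage.`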

@ -95,9 +95,9 @@ You have to assign users to the Windows ATP Service application in Azure Active



14. To remove the access for all users, click **Manage access**. If you click **Complete** , you will not see the Windows ATP Service in the list of applications in your directory.
14. To remove the access for all users, click **Manage access**. If you click **Complete** , you will not see the Windows ATP Service in the list of applications in your directory.

> **Note** If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md).
> **Note** If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).

15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
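Review bot: the renamed Note refers to "the Manage access for all users in Azure Active Directory topic in [Troubleshoot ...]", but that is a section inside the troubleshooting topic, not a topic of its own; link straight to the section with a heading anchor on the renamed file, the same style as the `#suppress-alerts` anchor used elsewhere in this commit, rather than asking the reader to find it. Also, step 14 (shown twice with no visible difference, so a whitespace-only change) has a stray space before the comma in `**Complete** ,`.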

@ -111,9 +111,7 @@ Follow the steps in the onboarding wizard to complete the onboarding process.
At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.

## Related topics
- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)


- [Configure Windows Defender ATP endpoints (client onboarding)](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
@ -48,7 +48,7 @@ To set the time zone:
3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.

## Suppression rules
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-advanced-threat-protection.md#suppress-alerts).
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).

## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
@ -2,14 +2,14 @@
title: Troubleshoot Windows Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
keywords: troubleshoot onboarding, onboarding issues, event viewer, azure management portal, data collection and preview builds
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: mjcaparas
---

# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues

- Windows 10 Insider Preview

@ -23,7 +23,7 @@ If you don’t see any users in the [Azure Management Portal](https://manage.win
1. Go to the Azure Management Portal and select the directory you want to manage.

2. Click **Users** from the top menu bar.



3. Click **Add user** from the menu bar at the bottom.
@ -52,7 +52,7 @@ If the endpoints aren’t reporting correctly, you might need to check that the
1. Follow the instructions at
[https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx\#BKMK\_UTC] (https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx#BKMK_UTC)

2. Attempt to [onboard the endpoint](onboard-configure-windows-advanced-threat-protection.md#onboard-endpoints-and-set-up-the-windows-defender-atp-user-access).
2. Attempt to [onboard the endpoint](onboard-configure-windows-defender-advanced-threat-protection.md#onboard-endpoints-and-set-up-the-windows-defender-atp-user-access).

## Configure proxy and Internet connectivity
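Review bot: the link in step 2 is fixed, but step 1 in the same hunk is still a broken link: `[https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx\#BKMK\_UTC] (https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx#BKMK_UTC)` has a space between `]` and `(`, so Markdown renders the bracketed text literally, backslash escapes and all, instead of as a link. Drop the space and give the link descriptive text instead of repeating the URL, e.g. `[the time synchronization instructions](https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx#BKMK_UTC)`; the step also ends with "at" followed by a bare line break, which reads as an unfinished sentence once the link renders correctly.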

@ -89,13 +89,13 @@ For example, if endpoints are not appearing in the **Machines view** list, you m

Message | Action
:---|:---
Windows Advanced Threat Protection Service failed to connect to server at ```<variable>``` | Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
Windows Advanced Threat Protection Service failed to read onboarding parameters. Failure code: ```<variable>``` | Check that GP settings are correct and there are not settings impacting permissions in the policy.
Windows Advanced Threat Protection Service failed to connect to server at ```<variable>``` | Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
Windows Advanced Threat Protection Service failed to read onboarding parameters. Failure code: ```<variable>``` | Check that GP settings are correct and there are not settings impacting permissions in the policy.
Windows Advanced Threat Protection Service failed to persist onboarding information. Failure code: ```<variable>``` | Check that GP settings are correct and there are not settings impacting permissions in the policy.


## Related topics
- [Windows Defender ATP service onboarding](service-onboarding-windows-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-advanced-threat-protection.md)
- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
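Review bot: both versions of the `failed to connect to server` row link to `#configure-proxy-and-Internet-connectivity` with a capital I, while the heading it targets is `## Configure proxy and Internet connectivity`; generated heading ids are lowercased, so this in-page link is unlikely to resolve and should be `#configure-proxy-and-internet-connectivity`. The row is being rewritten in a commit that exists to fix links, so correct the anchor here. The two `Failure code` rows are also identical apart from whitespace, and both say "GP settings" without ever expanding the abbreviation; "Group Policy settings" on first use would help the reader who lands on this table from a search.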
@ -2,7 +2,7 @@
title: Troubleshoot Windows Defender Advanced Threat Protection
description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials
search.product: eADQiWindows 10XVcnh
search.product: eADQiWindows 10XVcnh
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -16,9 +16,9 @@ author: mjcaparas

This section addresses issues that might arise as you use the service.

###Server error - Access is denied due to invalid credentials
###Server error - Access is denied due to invalid credentials
If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
Configure your browser to allow cookies.
Configure your browser to allow cookies.

### Related topic
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
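Review bot: `###Server error - Access is denied due to invalid credentials` has no space after the `###`, so CommonMark renders it as a paragraph rather than a heading, while the other heading in this hunk (`### Related topic`) uses `### `; the line is already part of the hunk (it appears twice, old and new, with no visible change), so add the space here. The guidance under it, "Configure your browser to allow cookies.", also does not say which site needs the cookie exception; naming the portal hostname the reader should allow would make the fix actionable.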