mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
Merge branch 'tvm-publicpreview' into tvm-publicpreviewaddendum
This commit is contained in:
Dolcita Montemayor
commit
d577c91d2a
@ -4,6 +4,10 @@
|
||||
### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
|
||||
#### [Configuration score](configuration-score.md)
|
||||
#### [Security recommendation](tvm-security-recommendation.md)
|
||||
#### [Remediation](tvm-remediation.md)
|
||||
#### [Software inventory](tvm-software-inventory.md)
|
||||
#### [Weaknesses](tvm-weaknesses.md)
|
||||
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
|
||||
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
---
|
||||
title: Overview of Configuration score in Microsoft Defender Security Center
|
||||
ms.reviewer:
|
||||
description: Expand your visibility into the overall security configuration posture of your organization
|
||||
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -9,8 +8,8 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: mjcaparas
|
||||
author: mjcaparas
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
@ -22,10 +21,8 @@ ms.date: 04/11/2019
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
>[!NOTE]
|
||||
> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
|
||||
> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
|
||||
|
||||
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
|
||||
|
||||
@ -55,3 +52,7 @@ The goal is to improve your configuration score by remediating the issues in the
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendations](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 12 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 137 KiB After Width: | Height: | Size: 167 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 69 KiB After Width: | Height: | Size: 134 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 72 KiB |
@ -1,6 +1,5 @@
|
||||
---
|
||||
title: Next-generation Threat & Vulnerability Management
|
||||
ms.reviewer:
|
||||
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
|
||||
keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -9,8 +8,8 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: mjcaparas
|
||||
author: mjcaparas
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
@ -22,18 +21,14 @@ ms.topic: conceptual
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
|
||||
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
|
||||
|
||||
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
|
||||
|
||||
## Next-generation capabilities
|
||||
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
|
||||
|
||||
It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
|
||||
>[!Note]
|
||||
> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
|
||||
It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
|
||||
|
||||
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
|
||||
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
|
||||
@ -44,21 +39,21 @@ It provides the following solutions to frequently-cited gaps across security ope
|
||||
|
||||
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
|
||||
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
|
||||
- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
|
||||
- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
|
||||
- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
|
||||
- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
|
||||
- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
|
||||
- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
|
||||
|
||||
### Intelligence-driven prioritization
|
||||
|
||||
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
|
||||
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
|
||||
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
|
||||
- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
|
||||
- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
|
||||
|
||||
### Seamless remediation
|
||||
|
||||
Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
|
||||
- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
|
||||
- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
|
||||
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
|
||||
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
|
||||
|
||||
@ -66,3 +61,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Configuration score](configuration-score.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendations](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
---
|
||||
title: Threat & Vulnerability Management scenarios
|
||||
ms.reviewer:
|
||||
description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
|
||||
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -9,8 +8,8 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: mjcaparas
|
||||
author: mjcaparas
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
@ -22,15 +21,18 @@ ms.topic: article
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
## Before you begin
|
||||
Ensure that your machines:
|
||||
- Are onboarded to Microsoft Defender Advanced Threat Protection
|
||||
- Running with Windows 10 1709 (Fall Creators Update) or later
|
||||
|
||||
>[!NOTE]
|
||||
>Threat & Vulnerability Management can also scan machines running on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities coming from patch Tuesday.
|
||||
|
||||
- Have the following mandatory updates installed:
|
||||
- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
|
||||
- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
|
||||
- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are using SCCM, update your console to the latest May version 1905
|
||||
- Have at least one security recommendation that can be viewed in the machine page
|
||||
- Are tagged or marked as co-managed
|
||||
|
||||
@ -39,7 +41,7 @@ Ensure that your machines:
|
||||
Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
|
||||
|
||||
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
|
||||
- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
|
||||
- Weaknesses, such as vulnerabilities discovered on the device
|
||||
- External and internal threats such as public exploit code and security alerts
|
||||
- Likelihood of the device getting breached given its current security posture
|
||||
- Value of the device to the organization given its role and content
|
||||
@ -61,11 +63,11 @@ To lower down your threat and vulnerability exposure:
|
||||
> There are two types of recommendations:
|
||||
> - <i>Security update</i> which refers to recommendations that require a package installation
|
||||
> - <i>Configuration</i> change which refers to recommendations that require a registry or GPO modification
|
||||
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon or the possible alert activity [possible alert activity](images/tvm_alert_icon.png) icon.
|
||||
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
|
||||
|
||||
2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. 
|
||||
|
||||
3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
|
||||
3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
|
||||
|
||||
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. 
|
||||
|
||||
@ -88,21 +90,67 @@ Remediating issues in the security recommendations list will improve your config
|
||||
|
||||
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
|
||||
|
||||
> >.
|
||||
>
|
||||
> You will see a confirmation message that the remediation task has been created.
|
||||
> 
|
||||
>>.
|
||||
|
||||
>You will see a confirmation message that the remediation task has been created.
|
||||
>
|
||||
|
||||
4. Save your CSV file.
|
||||
|
||||
|
||||
5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
|
||||
|
||||
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
|
||||
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase.
|
||||
|
||||
## Request a remediation
|
||||
>[!NOTE]
|
||||
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
|
||||
|
||||
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
|
||||
Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
|
||||
|
||||
1. Click on a security recommendation you would like to request remediation for, and then click **Remediation options**.
|
||||
|
||||
2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
|
||||
|
||||
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
|
||||
|
||||
4. Go to the **Remediation** page to view the status of your remediation request.
|
||||
|
||||
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
|
||||
|
||||
>[!NOTE]
|
||||
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
|
||||
|
||||
## File for exception
|
||||
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to requesting for remediation.
|
||||
|
||||
There are many reasons why organizations might want to create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides the same level of protection that the recommendation would, a false positive, among other reasons.
|
||||
|
||||
Exceptions can be created for both *Security update* and *Configuration change* recommendations.
|
||||
|
||||
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
|
||||
|
||||
|
||||
1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
|
||||
|
||||
2. Click the top-most recommendation. A fly-in panel will open with the recommendation details.
|
||||
|
||||
3. Click **Exception options**.
|
||||
|
||||
4. Select your justification for filing an exception instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
|
||||
|
||||
5. Click Submit. A confirmation message at the top of the page will indicate that the exception has been created
|
||||
|
||||
6. View all your exceptions (current + past) by navigating to the **Remediation** page under the **Threat & Vulnerability Management** menu and clicking on the **Exceptions** tab.
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Configuration score](configuration-score.md)
|
||||
- [Security recommendations](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
---
|
||||
title: What's in the dashboard and what it means for my organization's security posture
|
||||
ms.reviewer:
|
||||
description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
|
||||
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -9,8 +8,8 @@ ms.prod: eADQiWindows 10XVcnh
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: ellevin
|
||||
author: levinec
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
@ -22,8 +21,6 @@ ms.topic: conceptual
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
|
||||
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
|
||||
@ -31,9 +28,6 @@ Threat & Vulnerability Management is a component of Microsoft Defender ATP, and
|
||||
- Invaluable machine vulnerability context during incident investigations
|
||||
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
|
||||
|
||||
>[!NOTE]
|
||||
> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
|
||||
|
||||
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
|
||||
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
|
||||
- Correlate EDR insights with endpoint vulnerabilities and process them
|
||||
@ -44,7 +38,7 @@ When you open the portal, you’ll see the main areas of the capability:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- (1) Menu in the navigation pane
|
||||
- (2) Threat & Vulnerability Management icon
|
||||
@ -55,23 +49,29 @@ You can navigate through the portal using the menu options available in all sect
|
||||
Area | Description
|
||||
:---|:---
|
||||
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
|
||||
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
|
||||
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
|
||||
**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
|
||||
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
|
||||
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
|
||||
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
|
||||
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
|
||||
**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, open the software page, see the remediation options, and create exceptions. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
|
||||
**Remediation** | See the remediation activity, related component, remediation type, status, due date, exceptions, and option to export the remediation and process data to CSV. See [Remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
|
||||
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
|
||||
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a fly-in page with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
|
||||
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
|
||||
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups.
|
||||
**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
|
||||
**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
|
||||
**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
|
||||
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
|
||||
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
|
||||
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
|
||||
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
|
||||
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities and exceptions.
|
||||
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
|
||||
|
||||
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
|
||||
See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Configuration score](configuration-score.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendations](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
|
||||
@ -0,0 +1,62 @@
|
||||
---
|
||||
title: Remediation
|
||||
description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
|
||||
keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/11/2019
|
||||
---
|
||||
# Remediation
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>[!NOTE]
|
||||
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
|
||||
|
||||
After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
|
||||
|
||||
You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
|
||||
|
||||
## Navigate through your remediation options
|
||||
You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
|
||||
1. From the fly-in page, you'll see the security recommendation details including your next steps. Click **Remediation options**.
|
||||
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
|
||||
|
||||
>[!NOTE]
|
||||
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
|
||||
|
||||
3. Select a remediation due date.
|
||||
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
|
||||
|
||||
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
|
||||
|
||||
## How it works
|
||||
|
||||
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
|
||||
|
||||
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation page**, and it also creates a remediation ticket in Microsoft Intune.
|
||||
|
||||
You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
|
||||
|
||||
The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendation](tvm-security-recommendation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
|
||||
|
||||
@ -0,0 +1,66 @@
|
||||
---
|
||||
title: Security recommendation
|
||||
description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
|
||||
keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/11/2019
|
||||
---
|
||||
# Security recommendation
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
|
||||
|
||||
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
|
||||
|
||||
## The basis of the security recommendation
|
||||
Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
|
||||
|
||||
Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
|
||||
|
||||
Breach likelihood - Your organization's security posture and resilience against threats
|
||||
|
||||
Business value - Your organization's assets, critical processes, and intellectual properties
|
||||
|
||||
|
||||
## Navigate through your security recommendations
|
||||
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it.
|
||||
|
||||
There are security recommendations for application, operating system, network, accounts, and security controls.
|
||||
|
||||
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
|
||||
|
||||
The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
|
||||
|
||||
You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
|
||||
|
||||
From that page, you can do any of the following depending on what you need to do:
|
||||
|
||||
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
|
||||
|
||||
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
|
||||
|
||||
- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Configuration score](configuration-score.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
|
||||
@ -0,0 +1,42 @@
|
||||
---
|
||||
title: Software inventory
|
||||
description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
|
||||
keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/11/2019
|
||||
---
|
||||
# Software inventory
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
|
||||
|
||||
## Navigate through your software inventory
|
||||
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
|
||||
2. In the **Software inventory** page, select the application that you want to investigate and a fly-in screen opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
|
||||
3. In the fly-in screen, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
|
||||
|
||||
## How it works
|
||||
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
|
||||
|
||||
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendation](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
@ -0,0 +1,58 @@
|
||||
---
|
||||
title: Weaknesses
|
||||
description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
|
||||
keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/11/2019
|
||||
---
|
||||
# Weaknesses
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
|
||||
|
||||
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
|
||||
|
||||
## Navigate through your organization's weaknesses page
|
||||
You can see the list of vulnerabilities in two ways:
|
||||
|
||||
*Global search*
|
||||
1. Click the global search drop-down menu.
|
||||
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for. The **Weaknesses** page opens with the list of the vulnerabilities and details.
|
||||
|
||||
*Weaknesses page in the menu*
|
||||
1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
|
||||
2. Select the vulnerability that you want to investigate to open up a fly-in page with the vulnerability details, such as: CVE description, CVE ID, exploits available, severity, publish, and update dates.
|
||||
|
||||
## How it works
|
||||
When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
|
||||
|
||||
If the **Exposed Machines** column shows 0, that means you are not infected.
|
||||
|
||||
If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
|
||||
|
||||
You can also see the related alert and threat insights in the **Threat** column.
|
||||
|
||||
>[!NOTE]
|
||||
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
|
||||
- [Security recommendation](tvm-security-recommendation.md)
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
Loading…
x
Reference in New Issue
Block a user