diff --git a/.vscode/extensions.json b/.vscode/extensions.json deleted file mode 100644 index af02986a5a..0000000000 --- a/.vscode/extensions.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "recommendations": [ - "docsmsft.docs-authoring-pack" - ] -} \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 9c0086e560..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "cSpell.words": [ - "intune", - "kovter", - "kovter's", - "poshspy" - ] -} \ No newline at end of file diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index eecc7c7075..c0e32c95b7 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -1,25 +1,23 @@ --- title: ProfileXML XSD -description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. +description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 02/05/2018 +ms.date: 07/14/2020 --- # ProfileXML XSD - -Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. +Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::AddProfileFromXmlAsync for Windows 10 and some profile examples. ## XSD for the VPN profile - ```xml @@ -27,6 +25,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + @@ -36,6 +35,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + @@ -51,15 +51,15 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro - + - - - - + + + + @@ -89,7 +89,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro - + @@ -109,13 +109,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + - + + + + + + + @@ -123,6 +130,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + @@ -134,6 +142,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro + @@ -148,34 +157,37 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + - + + @@ -187,16 +199,79 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro ## Native profile example +```xml + + corp.contoso.com + true + false + corp.contoso.com + contoso.com -``` - - - testServer.VPN.com - IKEv2 - - Eap - - + + Helloworld.Com + + HelloServer + + + + + true + + true + This is my Eku + This is my issuer hash + + + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + + + C:\windows\system32\ping.exe + + + + + hrsite.corporate.contoso.com + 1.2.3.4,5.6.7.8 + 5.5.5.5 + true + + + .corp.contoso.com + 10.10.10.10,20.20.20.20 + 100.100.100.100 + + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + 6 + 10,20-50,100-200 + 20-50,100-200,300 + 30.30.0.0/16,10.10.10.10-20.20.20.20 + ForceTunnel + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + + + testServer.VPN.com + SplitTunnel + IKEv2 + true + + Eap + + 25 @@ -261,178 +336,110 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro - - - SplitTunnel - true - - - -
192.168.0.0
- 24 - - -
10.10.0.0
- 16 - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - C:\windows\system32\ping.exe - - - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - ForceTunnel - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - - hrsite.corporate.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - true - - - .corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - corp.contoso.com - true - false - corp.contoso.com - contoso.com - - - HelloServer - - Helloworld.Com - - - - true - - true - This is my Eku - This is my issuer hash - - - + + + + + +
192.168.0.0
+ 24 + + +
10.10.0.0
+ 16 + + ``` ## Plug-in profile example - ```xml - - testserver1.contoso.com;testserver2.contoso..com - JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy - true - - -
192.168.0.0
- 24 - - -
10.10.0.0
- 16 - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - O:SYG:SYD:(A;;CC;;;AU) - - - - corp.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - false - - - corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - - true - false - false - false - corp.contoso.com - contoso.com,test.corp.contoso.com - - - HelloServer - - Helloworld.Com - - - - - - - - - - -``` + + true + false + corp.contoso.com + contoso.com,test.corp.contoso.com + false + false -  + + Helloworld.Com + + HelloServer + -  + + + + + + + true + + + + testserver1.contoso.com;testserver2.contoso..com + true + JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + + + corp.contoso.com + 1.2.3.4,5.6.7.8 + 5.5.5.5 + false + + + corp.contoso.com + 10.10.10.10,20.20.20.20 + 100.100.100.100 + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + 6 + 10,20-50,100-200 + 20-50,100-200,300 + 30.30.0.0/16,10.10.10.10-20.20.20.20 + + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + O:SYG:SYD:(A;;CC;;;AU) + + + +
192.168.0.0
+ 24 + + +
10.10.0.0
+ 16 + + +``` \ No newline at end of file diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 73e8c9e0fd..14db2c3cc4 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -85,6 +85,7 @@ The following methodology was used to derive these network endpoints: |||HTTPS|*ow1.res.office365.com| |||HTTPS|office.com| |||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|self.events.data.microsoft.com| |OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| |||TLSv1.2|*g.live.com| |||TLSv1.2|oneclient.sfx.ms| diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 7e98cba59b..b4bbe78a9d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -8,11 +8,14 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: dulcemontemayor -ms.author: dansimp +ms.author: v-tea manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.reviewer: +ms.custom: +- CI 120967 +- CSSTroubleshooting --- # Manage Windows Defender Credential Guard @@ -154,14 +157,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run. - - The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** + - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. + - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command: + + ```powershell + (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning + ``` + + This command generates the following output: + - **0**: Windows Defender Credential Guard is disabled (not running) + - **1**: Windows Defender Credential Guard is enabled (running) + > [!NOTE] + > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. ## Disable Windows Defender Credential Guard @@ -221,7 +235,7 @@ You can also disable Windows Defender Credential Guard by using the [HVCI and Wi ``` DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` -> [!IMPORTANT] +> [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index 8bf5c9b5f3..e3d47a044c 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -35,16 +35,16 @@ We encourage all software vendors and developers to read about [how Microsoft id ## Why is Microsoft asking for a copy of my program? -This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. +This can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. ## Why does Microsoft classify my installer as a software bundler? -It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted. +It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted. -## Why is the Windows Firewall blocking my program? +## Why is the Windows Defender Firewall blocking my program? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network. +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). -## Why does the Windows Defender SmartScreen say my program is not commonly downloaded? +## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. You can find out more from the [SmartScreen website.](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) +This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 1c06747e7f..cdb56d3bf7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -27,7 +27,7 @@ manager: dansimp Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. ## Antivirus and Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 182bb5e356..4c9046ca63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -29,8 +29,8 @@ Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and -Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). +For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Configure custom indicators diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a6be5fa509..9ee5965970 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -31,7 +31,7 @@ Attack surface reduction rules target software behaviors that are often abused b - Running obfuscated or otherwise suspicious scripts - Performing behaviors that apps don't usually initiate during normal day-to-day work -These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. +Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. @@ -96,7 +96,7 @@ The following sections describe each of the 15 attack surface reduction rules. T |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | @@ -191,9 +191,6 @@ This rule prevents scripts from launching potentially malicious downloaded conte Although not common, line-of-business applications sometimes use scripts to download and launch installers. -> [!IMPORTANT] -> File and folder exclusions don't apply to this attack surface reduction rule. - This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) @@ -385,6 +382,9 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` This rule prevents malware from abusing WMI to attain persistence on a device. +> [!IMPORTANT] +> File and folder exclusions don't apply to this attack surface reduction rule. + Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. This rule was introduced in: diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 65f8212bc5..8740ad82d5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -29,7 +29,7 @@ ms.collection: When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. > [!NOTE] -> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in private preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 1fe945f148..4fa6b49fc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -60,19 +60,21 @@ For more information about disabling local list merging, see [Prevent or allow u ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. -1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. - ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png) +2. Click **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+ +4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. + +5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
> [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Click **OK** to save each open blade and click **Create**. + +7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM @@ -81,12 +83,17 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. + 2. Click **Home** > **Create Exploit Guard Policy**. + 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. + 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + 5. Review the settings and click **Next** to create the policy. + 6. After the policy is created, click **Close**. ## Group Policy diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index b0cad379e8..2251cef5dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -108,13 +108,18 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. + 2. Click **Device configuration** > **Profiles** > **Create profile**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+ ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+ 4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - ![Enable network protection in Intune](../images/enable-ep-intune.png) + +5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
+ 6. Click **OK** to save each open blade and click **Create**. + 7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM @@ -124,19 +129,26 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Exploit protection**, and click **Next**. -1. Browse to the location of the exploit protection XML file and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. + +2. Click **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, click **Exploit protection**, and click **Next**. + +4. Browse to the location of the exploit protection XML file and click **Next**. + +5. Review the settings and click **Next** to create the policy. + +6. After the policy is created, click **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. + +4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png new file mode 100644 index 0000000000..0e2d2fd929 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-updated.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png new file mode 100644 index 0000000000..88d8fb23d2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane-updated.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 249d6de806..8ee9cd8e12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -29,12 +29,20 @@ Managing incidents is an important part of every cybersecurity operation. You ca Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. -![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) +![Image of the incidents management pane](images/atp-incidents-mgt-pane-updated.png) -You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress. +You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress. -![Image of incident detail page](images/atp-incident-details-page.png) +> [!TIP] +> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. +> +> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* +> +> Incidents that existed prior the rollout of automatic incident naming will not have their name changed. +> +> Learn more about [turning on preview features](preview.md#turn-on-preview-features). +![Image of incident detail page](images/atp-incident-details-updated.png) ## Assign incidents If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 81a12f3806..05fb5adc3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,5 +1,5 @@ --- -title: Threat & Vulnerability Management +title: Threat and vulnerability management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Threat & Vulnerability Management +# Threat and vulnerability management **Applies to:** @@ -25,17 +25,17 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. -Watch this video for a quick overview of Threat & Vulnerability Management. +Watch this video for a quick overview of threat and vulnerability management. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn] ## Next-generation capabilities -Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. +Threat and vulnerability management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager. @@ -47,7 +47,7 @@ It provides the following solutions to frequently-cited gaps across security ope ### Real-time discovery -To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: +To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: - Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. - Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. @@ -56,20 +56,26 @@ To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerabilit ### Intelligence-driven prioritization -Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: -- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. -- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed devices with business-critical applications, confidential data, or high-value users. +- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. +- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. +- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users. ### Seamless remediation -Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +Microsoft Defender ATP's threat and vulnerability management capability allows security administrators and IT administrators to collaborate seamlessly to remediate issues. - Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. -- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- Alternate mitigations. Threat and vulnerability management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. +## Reduce organizational risk with threat and vulnerability management + +Watch this video for a comprehensive walk-through of threat and vulnerability management. + +>[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide] + ## Before you begin Ensure that your devices: @@ -78,7 +84,7 @@ Ensure that your devices: - Run with Windows 10 1709 (Fall Creators Update) or later >[!NOTE] ->Threat & Vulnerability Management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. +>Threat and vulnerability management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. - Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: @@ -91,11 +97,11 @@ Ensure that your devices: - Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. - Have at least one security recommendation that can be viewed in the device page -- Are tagged or marked as co-managed +- Are tagged or marked as co-managed ## APIs -Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +Run threat and vulnerability management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). See the following topics for related APIs: - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) @@ -108,7 +114,7 @@ See the following topics for related APIs: ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -118,5 +124,5 @@ See the following topics for related APIs: - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 3c49e66665..e2d4158d0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -1,5 +1,5 @@ --- -title: Event timeline +title: Event timeline in threat and vulnerability management description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it. keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Event timeline +# Event timeline - threat and vulnerability management **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -33,23 +33,23 @@ Event timeline also tells the story of your [exposure score](tvm-exposure-score. You can access Event timeline mainly through three ways: -- In the Threat & Vulnerability Management navigation menu in the Microsoft Defender Security Center -- Top events card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities) -- Hovering over the Exposure Score graph in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center +- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities) +- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) ### Navigation menu -Go to the Threat & Vulnerability Management navigation menu and select **Event timeline** to view impactful events. +Go to the threat and vulnerability management navigation menu and select **Event timeline** to view impactful events. ### Top events card -In the Threat & Vulnerability Management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page. +In the Tthreat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page. ![Event timeline page](images/tvm-top-events-card.png) ### Exposure score graph -In the Threat & Vulnerability Management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown. +In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown. ![Event timeline page](images/tvm-event-timeline-exposure-score400.png) @@ -118,9 +118,9 @@ A full page will appear with all the details of a specific software, including a ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -130,6 +130,6 @@ A full page will appear with all the details of a specific software, including a - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 0f5af6bdf7..7ab41a7658 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -1,6 +1,6 @@ --- -title: Threat & Vulnerability Management scenarios -description: Learn how Threat & Vulnerability Management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats. +title: Scenarios - threat and vulnerability management +description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats. keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Threat & Vulnerability Management scenarios +# Scenarios - threat and vulnerability management **Applies to:** @@ -81,9 +81,9 @@ Examples of devices that should be marked as high value: ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -92,6 +92,6 @@ Examples of devices that should be marked as high value: - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index eaa32244f3..02edd24998 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,7 +1,7 @@ --- -title: Threat & Vulnerability Management dashboard insights -description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +title: Threat and vulnerability management dashboard insights +description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Threat & Vulnerability Management dashboard insights +# Threat and vulnerability management dashboard insights **Applies to:** @@ -24,13 +24,13 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +Threat and vulnerability management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager -You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: +You can use the threat and vulnerability management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: - View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices - Correlate EDR insights with endpoint vulnerabilities and process them @@ -38,19 +38,19 @@ You can use the Threat & Vulnerability Management capability in [Microsoft Defen - Select exception options and track active exceptions > [!NOTE] -> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and Microsoft Secure Score for Devices. +> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices. -Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard. +Watch this video for a quick overview of what is in the threat and vulnerability management dashboard. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv] -## Threat & Vulnerability Management in Microsoft Defender Security Center +## Threat and vulnerability management in Microsoft Defender Security Center ![Microsoft Defender Advanced Threat Protection portal](images/tvm-dashboard-devices.png) You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. -## Threat & Vulnerability Management navigation pane +## Threat and vulnerability management navigation pane Area | Description :---|:--- @@ -60,11 +60,11 @@ Area | Description [**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates. [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. -## Threat & Vulnerability Management dashboard +## Threat and vulnerability management dashboard Area | Description :---|:--- -**Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. +**Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages. [**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. [**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page. **Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. @@ -77,7 +77,7 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) @@ -88,4 +88,4 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 5391b7ca6b..19805c1e0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -1,6 +1,6 @@ --- -title: Exposure score -description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats. +title: Exposure score in threat and vulnerability management +description: The threat and vulnerability management exposure score reflects how vulnerable your organization is to cybersecurity threats. keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Exposure score +# Exposure score - threat and vulnerability management **Applies to:** @@ -24,7 +24,7 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation. +Your exposure score is visible in the [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation. - Quickly understand and identify high-level takeaways about the state of security in your organization. - Detect and respond to areas that require investigation or action to improve the current state. @@ -36,7 +36,7 @@ The card gives you a high-level view of your exposure score trend over time. Any ## How it works -Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats. +Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats. The exposure score is continuously calculated on each device in the organization and influenced by the following factors: @@ -55,13 +55,13 @@ You can remediate the issues based on prioritized [security recommendations](tvm ## Reduce your threat and vulnerability exposure -Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). +Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) @@ -70,4 +70,4 @@ Lower your threat and vulnerability exposure by remediating [security recommenda - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 5cdd484045..83e5537bff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -1,7 +1,7 @@ --- title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls -keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -23,9 +23,9 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] -> Configuration score is now part of Threat & Vulnerability Management as Microsoft Secure Score for Devices. +> Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices. -Your score for devices is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories: +Your score for devices is visible in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories: - Application - Operating system @@ -51,7 +51,7 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. -1. From the Microsoft Secure Score for Devices card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. +1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**. @@ -82,9 +82,9 @@ You can improve your security configuration when you remediate issues from the s ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) - [Remediation and exception](tvm-remediation.md) @@ -92,4 +92,4 @@ You can improve your security configuration when you remediate issues from the s - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 2c3f7a6ef5..a94e2b07c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,7 +1,7 @@ --- -title: Remediation and exception -description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft Endpoint Configuration Manager. -keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm +title: Remediation activities and exceptions - threat and vulnerability management +description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. +keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Remediation activities and exceptions +# Remediation activities and exceptions - threat and vulnerability management **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,22 +34,22 @@ Lower your organization's exposure from vulnerabilities and increase your securi You can access the Remediation page a few different ways: -- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) -- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top remediation activities card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) ### Navigation menu -Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. +Go to the threat and vulnerability management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. ### Top remediation activities in the dashboard -View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. +View **Top remediation activities** in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. ![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png) ## Remediation activities -When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) @@ -95,9 +95,9 @@ Select **Show exceptions** at the bottom of the **Top security recommendations** ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -106,4 +106,4 @@ Select **Show exceptions** at the bottom of the **Top security recommendations** - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index ad8c99b503..3555d2490e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -1,6 +1,6 @@ --- -title: Security recommendations -description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value. +title: Security recommendations by threat and vulnerability management +description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value, in threat and vulnerability management. keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Security recommendations +# Security recommendations - threat and vulnerability management **Applies to:** @@ -44,8 +44,8 @@ Each device in the organization is scored based on three important factors to he Access the Security recommendations page a few different ways: -- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) -- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Top security recommendations in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) View related security recommendations in the following places: @@ -54,11 +54,11 @@ View related security recommendations in the following places: ### Navigation menu -Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. +Go to the threat and vulnerability management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. -### Top security recommendations in the Threat & Vulnerability Management dashboard +### Top security recommendations in the threat and vulnerability management dashboard -In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. ![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) @@ -94,7 +94,7 @@ From the flyout, you can do any of the following: - [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. >[!NOTE] ->When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. +>When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. ### Investigate changes in machine exposure or impact @@ -106,7 +106,7 @@ If there is a large jump in the number of exposed machines, or a sharp increase ## Request remediation -The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. +The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. ### Enable Microsoft Intune connection @@ -118,7 +118,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT 1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. -2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. +2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. 3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. @@ -144,15 +144,16 @@ When an exception is created for a recommendation, the recommendation is no long The following list details the justifications behind the exception options: - - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a device, third party antivirus - - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow - - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive + - **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization - - **Other** - False positive 3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. -4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past). +4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat and vulnerability management** menu and select the **Exceptions** tab to view all your exceptions (current and past). ## Report inaccuracy @@ -166,7 +167,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. +4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Find and remediate software or software versions which have reached end-of-support (EOS) @@ -176,7 +177,7 @@ It is crucial for Security and IT Administrators to work together and ensure tha To find software or software versions which have reached end-of-support: -1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. +1. From the threat and vulnerability management menu, navigate to **Security recommendations**. 2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) @@ -203,12 +204,11 @@ To view a list of version that have reached end of support, or end or support so After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. - ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Remediation and exception](tvm-remediation.md) @@ -217,4 +217,4 @@ After you have identified which software and software versions are vulnerable du - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 9e6591f91c..d0e00649f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -1,7 +1,7 @@ --- -title: Software inventory -description: Microsoft Defender ATP Threat & Vulnerability Management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software. -keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory +title: Software inventory in threat and vulnerability management +description: Microsoft Defender ATP threat and vulnerability management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software. +keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,14 +16,14 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Software inventory +# Software inventory - threat and vulnerability management **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. +The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works @@ -33,7 +33,7 @@ Since it is real-time, in a matter of minutes, you will see vulnerability inform ## Navigate to the Software inventory page -You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). +You can access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). @@ -78,13 +78,13 @@ You can report a false positive when you see any vague, inaccurate version, inco 1. Open the software flyout on the Software inventory page. 2. Select **Report inaccuracy**. 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. +4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -93,4 +93,4 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 68cb359a5a..3b048f904c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -1,7 +1,7 @@ --- -title: Threat & Vulnerability Management supported operating systems and platforms -description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. -keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +title: Supported operating systems and platforms for threat and vulnerability management +description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for. +keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- -# Threat & Vulnerability Management supported operating systems and platforms +# Supported operating systems and platforms - threat and vulnerability management **Applies to:** @@ -24,7 +24,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Before you begin, ensure that you meet the following operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. +Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for. Operating system | Security assessment support :---|:--- @@ -43,8 +43,8 @@ Some of the above prerequisites might be different from the [Minimum requirement ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -54,4 +54,4 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 32379a298f..aa166b9796 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,7 +1,7 @@ --- -title: Weaknesses -description: Microsoft Defender Security Center offers a Weaknesses page, which lists vulnerabilities found in the infected software running in your organization. -keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm +title: Weaknesses found by threat and vulnerability management +description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. +keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Weaknesses +# Weaknesses found by threat and vulnerability management **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -25,7 +25,7 @@ ms.topic: conceptual [!include[Prerelease information](../../includes/prerelease.md)] -Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. +Threat and vulnerability management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights. @@ -40,12 +40,12 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof Access the Weaknesses page a few different ways: -- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) +- Selecting **Weaknesses** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) - Global search ### Navigation menu -Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs. +Go to the threat and vulnerability management navigation menu and select **Weaknesses** to open the list of CVEs. ### Vulnerabilities in global search @@ -80,7 +80,7 @@ The threat insights icon is highlighted if there are associated exploits in the ### Top vulnerable software in the dashboard -1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. +1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) @@ -119,13 +119,13 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 1. Open the CVE on the Weaknesses page. 2. Select **Report inaccuracy**. 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. +4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics -- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) @@ -134,4 +134,4 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 18a1a896b3..d58c080f49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -1,6 +1,6 @@ --- title: Create and manage roles for role-based access control -description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation +description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender Security Center keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,6 +18,7 @@ ms.topic: article --- # Create and manage roles for role-based access control + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -26,63 +27,58 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] ## Create roles and assign the role to an Azure Active Directory group + The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. 1. In the navigation pane, select **Settings > Roles**. -2. Click **Add role**. +2. Select **Add item**. 3. Enter the role name, description, and permissions you'd like to assign to the role. - - **Role name** - - **Description** - - **Permissions** - - **View data** - Users can view information in the portal. - >[!NOTE] - >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**. - - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage device tags, and export device timeline. - - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - - Security operations - Take response actions - - Approve or dismiss pending remediation actions - - Manage allowed/blocked lists for automation - - Manage allowed/blocked create Indicators +4. Select **Next** to assign the role to an Azure AD Security group. - >[!NOTE] - >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**. - - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups. +5. Use the filter to select the Azure AD group that you'd like to add to this role to. - > [!NOTE] - > This setting is only available in the Microsoft Defender ATP administrator (default) role. - - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications. - - - **Live response capabilities** - Users can take basic or advanced live response commands. - - Basic commands allow users to: - - Start a live response session - - Run read only live response commands on a remote device - - Advanced commands allow users to: - - Run basic actions - - Download a file from the remote device - - View a script from the files library - - Run a script on the remote device from the files library take read and write commands. - - For more information on the available commands, see [Investigate devices using Live response](live-response.md). - -4. Click **Next** to assign the role to an Azure AD Security group. - -5. Use the filter to select the Azure AD group that you'd like to add to this role. - -6. Click **Save and close**. +6. **Save and close**. 7. Apply the configuration settings. - > [!IMPORTANT] -> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created. +> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created. +### Permission options +- **View data** + - **Security operations** - View all security operations data in the portal + - **Threat and vulnerability management** - View threat and vulnerability management data in the portal + +- **Active remediation actions** + - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators + - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions + - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities + +- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags. + +- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups. + + > [!NOTE] + > This setting is only available in the Microsoft Defender ATP administrator (default) role. + +- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab. + +- **Live response capabilities** + - **Basic** commands: + - Start a live response session + - Perform read only live response commands on remote device (excluding file copy and execution + - **Advanced** commands: + - Download a file from the remote device + - Upload a file to the remote device + - View a script from the files library + - Execute a script on the remote device from the files library + +For more information on the available commands, see [Investigate devices using Live response](live-response.md). + ## Edit roles 1. Select the role you'd like to edit. @@ -99,7 +95,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur 2. Click the drop-down button and select **Delete role**. - ## Related topic + - [User basic permissions to access the portal](basic-permissions.md) - [Create and manage device groups](machine-groups.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index f215fda3db..0a72f9fa7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -63,6 +63,17 @@ You can choose to limit the list of incidents shown based on their status to see ### Data sensitivity Use this filter to show incidents that contain sensitivity labels. +## Incident naming + +To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. + +For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* + +> [!NOTE] +> Incidents that existed prior the rollout of automatic incident naming will not have their name changed. + +Learn more about [turning on preview features](preview.md#turn-on-preview-features). + ## Related topics - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) - [Manage incidents](manage-incidents.md)