diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png new file mode 100644 index 0000000000..7fe365f9a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-insights-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md new file mode 100644 index 0000000000..099973b45e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-insights.md @@ -0,0 +1,105 @@ +--- +title: Exposure score +description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats. +keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Event Insights + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Event insights is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. + +The goal of event insights is to tell the story of the exposure score. + +- Quickly understand and identify high-level takeaways about the state of security in your organization. +- Detect and respond to areas that require investigation or action to improve the current state. +- Communicate with peers and management about the impact of security efforts. + +Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. + +![Exposure score card](images/event-insights-page.png) + +## Event types + +The following event types reflect time-stamped events that impact the score: + +- Exploit added to an exploit kit +- Exploit was verified +- New public exploit +- New vulnerability + +## Icons + +- A vulnerability was published +- A vulnerability became exploitable +- Verified exploit +- Exploit added to an exploit kit + +## From figma + +- Weaknesses (weakness discovered, weakness updated, weakness resolved) +- New recommendation created +- New threat +- Exploitation attempt + +### Weakness discovered + +New weakness was discovered (score reduced) on a software. This event is triggered if one of the following occur: + +- In the last 24 hours "X vulnerabilities" affected "Y machines" +- New vulnerabilities were discovered (CVE) on a specific product +- A (dynamic) configuration has been broken (e.g. AV stopped updating) +- A (static) configuration has changed from configured to misconfigured state +- New vulnerable software was installed +- New vulnerable software was discovered +- New machines were onboarded to ATP and introduced new vulnerabilities + +### Weakness updated + +Existing weakness was updated with new information (score reduced). This event is triggered if one of the following occur: + +- In the last 24 hours "X vulnerabilities" became exploitable +- A vulnerability was updated with an exploit +- An exploit is now part of an exploit kit +- A vulnerability has become a threat + +### Weakness resolved + +Existing weakness was remediated or mitigated (score increase). This event is triggered if one of the following occur: + +- A remediation task was completed (or was marked as completed) +- A remediation task was marked as dismissed (business justification) +- A remediation or mitigation took place +- A vulnerable application was removed/uninstalled (as part of a remediation request or manually by the user) + +## Related topics + +- [Supported operating systems and platforms](tvm-supported-os.md) +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation and exception](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 96a9c48326..6785da1317 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Exposure score and Event Insights +# Exposure score **Applies to:** @@ -39,53 +39,6 @@ Several factors affect your organization exposure score: Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. -## Event insights - -The goal of event insights is to tell the story of the Exposure score. - -- Quickly understand and identify high-level takeaways about the state of security in your organization. -- Detect and respond to areas that require investigation or action to improve the current state. -- Communicate with peers and management about the impact of security efforts. - -### Event types - -The following event types reflect time-stamped events that impact the score: - -- Weaknesses (weakness discovered, weakness updated, weakness resolved) -- New recommendation created -- New threat -- Exploitation attempt - -#### Weakness discovered - -New weakness was discovered (score reduced) on a software. This event is triggered if one of the following occur: - -- In the last 24 hours "X vulnerabilities" affected "Y machines" -- New vulnerabilities were discovered (CVE) on a specific product -- A (dynamic) configuration has been broken (e.g. AV stopped updating) -- A (static) configuration has changed from configured to misconfigured state -- New vulnerable software was installed -- New vulnerable software was discovered -- New machines were onboarded to ATP and introduced new vulnerabilities - -#### Weakness updated - -Existing weakness was updated with new information (score reduced). This event is triggered if one of the following occur: - -- In the last 24 hours "X vulnerabilities" became exploitable -- A vulnerability was updated with an exploit -- An exploit is now part of an exploit kit -- A vulnerability has become a threat - -#### Weakness resolved - -Existing weakness was remediated or mitigated (score increase). This event is triggered if one of the following occur: - -- A remediation task was completed (or was marked as completed) -- A remediation task was marked as dismissed (business justification) -- A remediation or mitigation took place -- A vulnerable application was removed/uninstalled (as part of a remedi ation request or manually by the user) - ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md)