diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 6785da1317..96a9c48326 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Exposure score +# Exposure score and Event Insights **Applies to:** 
@@ -39,6 +39,53 @@ Several factors affect your organization exposure score: Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. +## Event insights + +The goal of event insights is to tell the story of the Exposure score. + +- Quickly understand and identify high-level takeaways about the state of security in your organization. +- Detect and respond to areas that require investigation or action to improve the current state. +- Communicate with peers and management about the impact of security efforts. + +### Event types + +The following event types reflect time-stamped events that impact the score: + +- Weaknesses (weakness discovered, weakness updated, weakness resolved) +- New recommendation created +- New threat +- Exploitation attempt + +#### Weakness discovered + +New weakness was discovered (score reduced) on a software. This event is triggered if one of the following occur: + +- In the last 24 hours "X vulnerabilities" affected "Y machines" +- New vulnerabilities were discovered (CVE) on a specific product +- A (dynamic) configuration has been broken (e.g. AV stopped updating) +- A (static) configuration has changed from configured to misconfigured state +- New vulnerable software was installed +- New vulnerable software was discovered +- New machines were onboarded to ATP and introduced new vulnerabilities + +#### Weakness updated + +Existing weakness was updated with new information (score reduced). This event is triggered if one of the following occur: + +- In the last 24 hours "X vulnerabilities" became exploitable +- A vulnerability was updated with an exploit +- An exploit is now part of an exploit kit +- A vulnerability has become a threat + +#### Weakness resolved + +Existing weakness was remediated or mitigated (score increase). 
This event is triggered if one of the following occur: + +- A remediation task was completed (or was marked as completed) +- A remediation task was marked as dismissed (business justification) +- A remediation or mitigation took place +- A vulnerable application was removed/uninstalled (as part of a remedi ation request or manually by the user) + ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md)
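Review bot: The new H1 in the first hunk, "# Exposure score and Event Insights", capitalizes "Event Insights", while the section heading added in the second hunk is "## Event insights" and the other headings in this patch use sentence case ("### Event types", "#### Weakness discovered"). Suggest "# Exposure score and event insights" so the title matches the section it introduces.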
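Review bot: The score direction in the three "Weakness" subsections of the second hunk contradicts the unchanged context line at the top of the same hunk, "Reduce the exposure score by addressing what needs to be remediated". "Weakness discovered" and "Weakness updated" are annotated "(score reduced)" and "Weakness resolved" is annotated "(score increase)". If these events refer to the exposure score, a discovered or newly exploitable weakness should raise it and a remediation should lower it, so the annotations look swapped. If they refer to a different score, name that score explicitly in each parenthetical. Smaller points in the same hunk: the last bullet under "Weakness resolved" has a stray space in "remedi ation request"; "if one of the following occur" should be "occurs" in all three places; "on a software" reads better as "in software"; and "ATP" in "New machines were onboarded to ATP" is not expanded anywhere in the added text.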