mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
Merge branch 'master' into MDBranchPhase2bPoliciesSet1
This commit is contained in:
ManikaDhiman
commit
f78e121642
Binary file not shown.
|
Before Width: | Height: | Size: 296 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 5.4 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 78 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 5.5 KiB |
@ -29,7 +29,6 @@ ms.date: 04/24/2018
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
|
||||
|
||||
|
||||
@ -29,9 +29,11 @@ ms.date: 5/1/2020
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
|
||||
|
||||
The new alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
|
||||
The alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
|
||||
|
||||
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location.
|
||||
Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview.
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
|
||||
|
||||
## Getting started with an alert
|
||||
|
||||
@ -90,14 +92,6 @@ If you are experiencing a false alert with a line-of-business application, creat
|
||||
> [!TIP]
|
||||
> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
|
||||
|
||||
## Transitioning to the new alert page
|
||||
|
||||
When making the move to the new alert page you will notice that we have centralized information from the alert process tree, the incident graph, and the artifact timeline into the [alert story](#investigate-using-the-alert-story), with some information available through the [affected assets](#review-affected-assets) section. Any additional information has been consolidated into the details pane for the relevant entities.
|
||||
|
||||
## Video overview of the new alert page
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
|
||||
|
||||
## Related topics
|
||||
|
||||
- [View and organize the incidents queue](view-incidents-queue.md)
|
||||
|
||||
@ -41,15 +41,6 @@ The card gives you a high-level view of your exposure score trend over time. Any
|
||||
|
||||
## How it works
|
||||
|
||||
Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
|
||||
|
||||
The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors:
|
||||
|
||||
- Weaknesses, such as vulnerabilities discovered on the device
|
||||
- External and internal threats such as public exploit code and security alerts
|
||||
- Likelihood of the device to get breached given its current security posture
|
||||
- Value of the device to the organization given its role and content
|
||||
|
||||
The exposure score is broken down into the following levels:
|
||||
|
||||
- 0–29: low exposure score
|
||||
@ -58,6 +49,46 @@ The exposure score is broken down into the following levels:
|
||||
|
||||
You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
|
||||
|
||||
## How the score is calculated
|
||||
|
||||
The exposure score is continuously calculated on each device in the organization. It is scored & evaluated based on the following categories:
|
||||
|
||||
- **Threats** - external and internal threats such as public exploit code and security alerts
|
||||
- **Likelihood** - likelihood of the device to get breached given its current security posture
|
||||
- **Value** - value of the device to the organization given its role and content
|
||||
|
||||
**Device exposure score** = (Threats + Likelihood) x Value
|
||||
|
||||
**Organization exposure score** = Avg (All device exposure scores) taking into account organization value multipliers
|
||||
|
||||
### Threats
|
||||
|
||||
Points are added based on whether the device has any vulnerabilities or misconfigurations, determined by the Common Vulnerability Scoring System (CVSS) base score.
|
||||
|
||||
Further points are added based on:
|
||||
|
||||
- Exploits availability and whether the exploit is verified or ranked
|
||||
- A threat campaign is linked to the vulnerability or misconfiguration
|
||||
|
||||
### Likelihood
|
||||
|
||||
Points are added based on whether any of the following factors are true:
|
||||
|
||||
- The device is internet facing
|
||||
- Specific compensating controls are misconfigured
|
||||
- An exploit attempt is linked directly to a threat spotted in the organization
|
||||
|
||||
### Value
|
||||
|
||||
Points are added based on whether any of the following factors are true for a device:
|
||||
|
||||
- Contains high business impact (HBI) data
|
||||
- Marked as a High Value Asset (HVA) or serves as an important server role (e.g. AD, DNS)
|
||||
- Runs a business critical app (BCA)
|
||||
- Used by a marked high value user (HVU) (e.g. domain admin, CEO)
|
||||
|
||||
If a device is valuable to your organization, it should increase the total organization exposure score.
|
||||
|
||||
## Reduce your threat and vulnerability exposure
|
||||
|
||||
Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md).
|
||||
|
||||
@ -28,7 +28,7 @@ ms.topic: conceptual
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
|
||||
The software inventory in threat and vulnerability management is a list of all the software in your organization with known vulnerabilities. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
|
||||
The software inventory in threat and vulnerability management is a list of known software in your organization with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). Software products without an official CPE don’t have vulnerabilities published. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
|
||||
|
||||
## How it works
|
||||
|
||||
@ -47,12 +47,43 @@ View software on specific devices in the individual devices pages from the [devi
|
||||
|
||||
## Software inventory overview
|
||||
|
||||
The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
|
||||
|
||||
The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags.
|
||||
|
||||
You can filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.
|
||||
|
||||
|
||||
|
||||
Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
|
||||
|
||||
|
||||
### Software that isn't supported
|
||||
|
||||
Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section.
|
||||
|
||||
|
||||
|
||||
The following indicates that a software is not supported:
|
||||
|
||||
- Weaknesses field shows "Not available"
|
||||
- Exposed devices field shows a dash
|
||||
- Informational text added in side panel and in software page
|
||||
|
||||
Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory.
|
||||
|
||||
## Software inventory on devices
|
||||
|
||||
From the Microsoft Defender Security Center navigation panel, go to the **[Devices list](machines-view-overview.md)**. Select the name of a device to open the device page (like Computer1), then select the **Software inventory** tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information.
|
||||
|
||||
Software may be visible at the device level even if it is currently not supported by threat and vulnerability management. However, only limited data will be available. You'll know if software is unsupported because it will say "Not available" in the "Weakness" column.
|
||||
|
||||
Software with no CPE can also show up under this device specific software inventory.
|
||||
|
||||
### Software evidence
|
||||
|
||||
See evidence of where we detected a specific software on a device from the registry, disk, or both.You can find it on any device in the device software inventory.
|
||||
|
||||
Select a software name to open the flyout, and look for the section called "Software Evidence."
|
||||
|
||||
|
||||
|
||||
## Software pages
|
||||
|
||||
@ -70,15 +101,6 @@ You can view software pages a few different ways:
|
||||
|
||||
|
||||
|
||||
## Software evidence
|
||||
|
||||
We now show evidence of where we detected a specific software on a device from the registry, disk or both.
|
||||
You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence."
|
||||
|
||||
From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
|
||||
|
||||
|
||||
|
||||
## Report inaccuracy
|
||||
|
||||
Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
|
||||
|
||||
@ -91,6 +91,14 @@ If you select a CVE, a flyout panel will open with more information such as the
|
||||
|
||||
|
||||
|
||||
### Software that isn't supported
|
||||
|
||||
CVEs for software that isn't currently supported by threat & vulnerability management is still present in the Weaknesses page. Because the software is not supported, only limited data will be available.
|
||||
|
||||
Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
|
||||
|
||||
|
||||
|
||||
## View Common Vulnerabilities and Exposures (CVE) entries in other places
|
||||
|
||||
### Top vulnerable software in the dashboard
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user