From f7fab3268724b1cc4f278148c8fb95a44bd7ae8b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 27 Sep 2017 12:43:08 -0700 Subject: [PATCH] move machine group and tags --- ...ows-defender-advanced-threat-protection.md | 49 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 48 +----------------- 2 files changed, 50 insertions(+), 47 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 4581751734..fbaacc28de 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -57,6 +57,55 @@ You'll also see details such as logon types for each user account, the user grou For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). +## Manage machine group and tags +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. + +Machine related properties are being extended to account for: + +- Group affiliation +- Dynamic context capturing + + + +### Group machines +Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. + +Machine group is defined in the following registry key entry of the machine: + +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group + + +### Set standard tags on machines +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. + +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + + You can also get to the alert page through the file and IP views. + +2. Open the **Actions** menu and select **Manage tags**. + + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) + +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. + + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) + + + ## Alerts related to this machine The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts). diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 0879c73c17..24b0943f65 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -30,52 +30,6 @@ Quickly respond to detected attacks by isolating machines or collecting an inves >[!NOTE] > These response actions are only available for machines on Windows 10, version 1703. -## Manage machine group and tags -Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. - -Machine related properties are being extended to account for: - -- Group affiliation -- Dynamic context capturing - - - -### Group machines -Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. - -Machine group is defined in the following registry key entry of the machine: - -- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` -- Registry key value (string): Group - - -### Set standard tags on machines -Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. - -1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - - You can also get to the alert page through the file and IP views. - -2. Open the **Actions** menu and select **Manage tags**. - - ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) - -3. Enter tags on the machine. To add more tags, click the + icon. -4. Click **Save and close**. - - ![Image of adding tags on a machine](images/atp-save-tag.png) - - Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. - -### Manage machine tags -You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. - -![Image of adding tags on a machine](images/atp-tag-management.png) ## Collect investigation package from machines @@ -156,7 +110,7 @@ As part of the investigation or response process, you can remotely initiate an a ![Image of action center with antivirus scan](images/atp-av-scan-action-center.png) - - **Submission time** - Shows when the isolation action was submitted. + - **Submission time** - Shows when the action was submitted. - **Status** - Indicates any pending actions or the results of completed actions. The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.