deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
denisebmsft ce07f1157c fixed links 
removed "en-us/"
2019-10-08 11:57:31 -07:00

2.6 KiB
Raw Blame History

title, ms.reviewer, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
title ms.reviewer description keywords search.product search.appverid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.author author ms.localizationpriority manager audience ms.collection ms.topic
Overview of endpoint detection and response capabilities Learn about the endpoint detection and response capabilities in Microsoft Defender ATP eADQiWindows 10XVcnh met150 w10 deploy library security macapara mjcaparas medium dansimp ITPro M365-security-compliance conceptual

Overview of endpoint detection and response

Applies to:

Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.

The response capabilities give you the power to promptly remediate threats by acting on the affected entities.

In this section

Topic Description
Security operations dashboard Explore a high level overview of detections, highlighting where response actions are needed.
Incidents queue View and organize the incidents queue, and manage and investigate alerts.
Alerts queue View and organize the machine alerts queue, and manage and investigate alerts.
Machines list Investigate machines with generated alerts and search for specific events over time.
Take response actions Learn about the available response actions and apply them to machines and files.