Microsoft

In the past few months, we worked to optimize telemetry reporting and considerably reduce latency for Windows 10 versions 1709, 1803, and the upcoming Windows 10 version.
As a result, we’ve adjusted the default reporting latency for Windows Defender ATP to achieve a better balance between speed and CPU performance. This leaves the expedite mode as a configuration option for reporting frequency redundant. This option no longer affects the Windows Defender ATP sensor, so you can leave it as-is. In the future, we might retire this setting altogether or we might define it differently in the backend. In any case, we will definitely notify you of subsequent changes.
Thank you,

Windows Defender ATP team

Occasional Visitor
Great news, thanks Tomer!
Frequent Visitor

I would like to know more about ATP file search using a hash. When I search for a particular file hash, the output would be a list of machines containing the specific file.

I am using this feature in order to confirm that a vulnerable driver (namely MicTrayDebugger) is really being updated after the latest driver is pushed via SCCM.

Something we noticed was that even though the updated driver is reported to be successfully deployed from SCCM, the workstation would still feature in the list from the ATP 'old driver' search. I assume this is due to a latency which exists in updating the ATP file database from telemetry. How much is the latency in this case? And is there a workaround for this?

Microsoft

ATP searches for the footprint of files; this also covers what was on the endpoint in the past.

  • Mostly designed for security investigations where the SOC analyst would like to apply time travel to the attack start time and track it from there

If you are interested in tracking vulnerabilities, have you tried https://securitycenter.microsoft.com/tvm_dashboard ?
Thanks,

Tomer
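Because the ATP file search also returns historical footprints, a workstation can keep appearing in an "old driver" search after the new driver has landed. An added example (not from this thread or from Microsoft) of checking the driver on the endpoint itself: hash the file on disk and compare it with the SHA-256 of the vulnerable build. The driver path, the old hash and the computer names are placeholders.

```powershell
# Added example: confirm locally whether a driver binary still matches a
# known-old hash, independent of telemetry latency in the ATP file search.
function Test-DriverReplaced {
    param(
        [Parameter(Mandatory)] [string] $Path,       # driver binary on disk (placeholder below)
        [Parameter(Mandatory)] [string] $OldSha256   # SHA-256 of the vulnerable build (placeholder below)
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # File absent: neither old nor new build is present at that path.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $Path; State = 'Missing'; Sha256 = $null }
    }
    # Get-FileHash defaults to SHA256; stated explicitly for clarity.
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $state = if ($hash -ieq $OldSha256) { 'StillOld' } else { 'Replaced' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $Path; State = $state; Sha256 = $hash }
}

# Placeholder inputs; substitute the real driver path and the old build's SHA-256.
$driverPath = 'C:\Windows\System32\drivers\PLACEHOLDER_DRIVER.sys'
$oldHash    = 'PLACEHOLDER_OLD_SHA256'

# Local check on this machine.
Test-DriverReplaced -Path $driverPath -OldSha256 $oldHash

# Optional: run the same check on the machines SCCM reports as updated
# (assumes PowerShell remoting is enabled and the names below are replaced).
$targets = @('PLACEHOLDER-WS01', 'PLACEHOLDER-WS02')
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-DriverReplaced} `
    -ArgumentList $driverPath, $oldHash |
    Where-Object State -ne 'Replaced' |
    Select-Object Computer, State, Sha256
```

Any machine listed as StillOld or Missing is the one to follow up on in SCCM; a machine that shows Replaced here but still appears in the ATP search is simply reflecting the historical footprint described above.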

Occasional Visitor

This option no longer affects the Windows Defender ATP sensor,

"This option" meaning the "latency" registry key?

If so, why is the local onboarding script still explicitly creating that key?

WindowsDefenderATPLocalOnboardingScript.cmd:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v latency /t REG_SZ /f /d "Demo" >NUL 2>&1