WDATP September 2018 preview features are out!

Raviv Tamir
Microsoft

Listening to customer feedback and improving the day-to-day life of security operations teams are core pillars of how we build the Windows Defender ATP service and how we operate across our engineering and research teams. With that in mind, we are excited to roll out today a new set of Windows Defender ATP features that enhance key aspects of the service, based heavily on what we heard from you.

The new features below are part of the Windows Defender ATP September 2018 preview program and are available for you to try today. Here's how to check and enable preview features on your Windows Defender ATP tenant. Not yet a Windows Defender ATP customer, but interested in trying the new features? Sign up for a trial tenant here.

So, what's new?


Threat Analytics

Threat Analytics is a set of interactive reports on significant and emerging attack campaigns that fuses organizational risk analytics with threat intelligence. This powerful tool equips security operations teams with real-time information that helps them understand the nature of the threat, assess its impact on their environment, and act on recommended actions to increase security resilience, such as guidance on prevention or containment of the threat.

See the new Threat Analytics dashboard in the portal or check out the documentation.

Custom detection (a.k.a. scheduled queries for advanced hunting)

We heard your feedback. You liked our advanced hunting feature, but asked for the ability to generate custom alerts based on your own queries. You got it!


You can now schedule the execution of advanced hunting queries and generate custom alerts.


Try it out using our new ‘Advanced Hunting’ tutorial scenario, or see the instructions for creating custom detections here.

MCAS integration

Microsoft Cloud App Security (MCAS) can now use Windows Defender ATP endpoint signals to give direct visibility into cloud application usage, including the use of unsupported cloud services (shadow IT), from all WDATP-monitored machines.

WDATP and MCAS signals are shared over the Microsoft Intelligent Security Graph.


Already an MCAS user? To try it out, go to your MCAS portal and click Discover > Cloud Discovery dashboard. Then, in the top right corner under Continuous Report, choose “Win 10 endpoint users”.

Not using MCAS yet? Learn more and register for a free trial.

WDATP for Windows Server 2019

We're upgrading our server protection stack by adding support for Windows Server 2019. The Windows Defender ATP sensor will be built into the server OS, complete with kernel and memory sensors previously available only to Windows 10 clients.


No agent and no installation required.


Read more about Windows Server 2019 onboarding here, and here's how to run a detection test on a server once it's onboarded.

Auto-resolve remediated alerts

Alerts can now be automatically resolved when the automated investigation fully remediates the root cause for the alert.


This is especially useful for reducing the number of active alerts in an environment where automated investigation is turned on.

It also enhances our Conditional Access scenario: once automation remediates a machine and automatically resolves the related alerts, the machine's risk level goes down, re-allowing the user to access corporate resources safeguarded by Conditional Access policies.

Follow the steps here to turn on automatic alert resolution.

Read more about Conditional Access and WDATP here.

We look forward to your feedback! Just click on the ‘send a smile/frown’ feature on the top right corner of the portal and tell us what you think.


The Windows Defender ATP team


21 Replies

Re: WDATP September 2018 preview features are out!

Hey Raviv, loving the new Threat Analytics page. Great details and prevention steps there - exactly what I was hoping for.

MCAS integration sounds great! I don't see it yet

Never mind, had to enable it in Windows Defender Security Center -> Settings -> Advanced Features. Going to check it out now.

Re: WDATP September 2018 preview features are out!

Like!

Re: WDATP September 2018 preview features are out!

We don't have Cloud App Security, but do have Office 365 Cloud App Security.
Will WDATP integrate with Office 365 Cloud App Security? Because I have enabled the integration, but don't see the “Win 10 endpoint users” option.
Thanks
Peter

Re: WDATP September 2018 preview features are out!

Hi Peter,


Office 365 Cloud App Security currently does not support Windows based discovery, due to the lack of support for automatic log upload. To benefit from Windows based discovery you will need to use Microsoft Cloud App Discovery.

Automatic log upload in Office 365 Cloud App Discovery, which will enable Windows based discovery, is being considered for future releases.

Re: WDATP September 2018 preview features are out!

DATP Team,


I have a question regarding the MCAS integration. Is this feature only supplementing the data that CAS is receiving from an on-premises log collector receiving traffic logs from a security appliance, or is this data going to act as a data feed on its own? I ask because I enabled the feature in DATP approx. 24 hours ago, and still do not see the options laid out in:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-c...


We aren't using the on-prem log collector functionality of MCAS, but the link below indicates that this integration with WDATP solves this issue:


https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-c...


Any thoughts on why our MCAS portal doesn't seem to match up with the new advertised capabilities?


Thanks,

Ricky 


Re: WDATP September 2018 preview features are out!

@Omri Amdursky thank you for the fast response!

Re: WDATP September 2018 preview features are out!

I am not getting the WDATP and MCAS integration to work either; the Continuous Report for Windows 10 doesn't appear. It's a great feature so I would love to try it out ASAP.

RE: WDATP September 2018 preview features are out!

Hi, I can't seem to find a way to start a new topic in this forum, so here goes. My question is this: is WDATP an extra that can work alongside my regular AV (Trend Micro) as an EDR solution, i.e. without any other Windows Defender components installed? I can only find allusions to this in the documentation, where you write that if Windows Defender is not the AV, malware alerts will not be in the dashboard. Plus, you say it works with Bitdefender. What cost is there on the data I send to Azure? Is transfer of data and storage of ATP-related data included in the E5 license?

Re: RE: WDATP September 2018 preview features are out!

Hi


You can read on compatibility with other AV Vendors here, it works fine as an EDR, but you get more integration if you run Defender AV. 

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...


It works fine to integrate with SentinelOne, Ziften and Bitdefender so you can surface all the alerts in one place. The data is stored for up to 180 days in WDATP. There are no additional storage or transfer costs outside the Windows 10 E5 license.

Re: WDATP September 2018 preview features are out!

Same issue here. Does it take a few days to hydrate the tenant after enabling integration?

Re: WDATP September 2018 preview features are out!

Sorry to hear it doesn’t work for you. At this stage of the preview we have seen a gap of up to 4 hours for the report to surface in the MCAS portal. If the problem persists please send us a ‘frown face’ from the top right navigation bar in the portal and we’ll follow up and debug.

Re: WDATP September 2018 preview features are out!

It started showing up only after I updated my test VM running Windows 10 EDU Insider on Skip Ahead and that is the only machine in the report. Is there a minimum required build for this feature to work?

Re: WDATP September 2018 preview features are out!


I sent a feature request during the summer and it's already in the product, well done!

Re: WDATP September 2018 preview features are out!

Beautiful updates! Thank you.

Re: WDATP September 2018 preview features are out!

Hi Stefan, 


The feature only works on machines running 1809 builds of Windows (Insider Preview) and during the preview might take up to a couple of hours to show up in the MCAS portal. If this still doesn't work, please send us a 'frown face' from the WDATP portal top right corner and we'll debug.

Raviv

Re: WDATP September 2018 preview features are out!

Yes. Please use the latest 1809 preview build 17760

Re: WDATP September 2018 preview features are out!

Hi,


To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.


Thanks,

Dan

Re: WDATP September 2018 preview features are out!

Hi,


To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.


Please verify that all the above is set and give it a couple of hours to show up.

Make sure you are creating some moderate cloud apps traffic there, just to see it showing up.

Thanks,

Dan

Re: WDATP September 2018 preview features are out!

Same answer :)


To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.


It should take up to two hours to see the new report created.

Please try using cloud apps to see them showing up in the report.


Thanks,

Dan

Re: WDATP September 2018 preview features are out!

In addition, following the above question -
Yes, a new continuous report should be created, which appears separately from the data that is coming in using the on-prem log collector. The name of the continuous report is 'Win10 Endpoint Users'.
