WDATP preview features are now ON!
Published Mar 12 2018 08:39 AM
Microsoft

We are excited to announce that today we have opened a set of new preview features to Windows Defender ATP community members.

We invite you to try these new features in the Windows Defender ATP portal today. Make sure "Preview features" is enabled in Settings.

 

New features include:

  • Automated Investigation and Response (AIRS): The new Automated Investigation and Response (AIRS) capability dramatically reduces the volume of alerts that security teams need to investigate individually. Built on the Hexadite technology integrated into the product, AIRS uses artificial intelligence, forensic algorithms, and automated learning from analysts' actions to investigate alerts and tend to them automatically. AIRS can take remediation actions on its own or recommend them to analysts. To learn how to use the new AIRS capability, try our "Automated incident response" simulation, available here. (AIRS requires PCs running Windows Insider build 17110 or above.)

Automated investigation in WDATP

  • Advanced Hunting: A new, powerful query-based search designed to unleash the hunter in you. With advanced hunting you can proactively hunt and investigate across all of your organization's data; for example, you can query process creation, network communication, and many other event types. Items in your query results, such as machine and file names, include direct links into the relevant sections of the portal, consolidating advanced hunting with your existing investigation experience. To help you get started, we added a set of query examples; you can check them out here. Here's a query to start with:

print a = ':robot_face::jack_o_lantern::grinning_face:🦓:folded_hands::paw_prints::fog::koala:;p:sun_behind_small_cloud::microscope:'
| extend a=extractall('(.)', a)
| mvexpand a
| extend a=substring(base64_encodestring(strcat('abracadabra', a)), 19)
| summarize Message=replace(@'[+]', ' ', replace(@'[[",\]]', "", tostring(makelist(a))))

 

  • Improving security posture (Secure Score): We've added insight into more security controls for the machines and devices in your business, including Windows Firewall, BitLocker, and Credential Guard. Each control includes a set of recommended actions to help you improve your overall secure score. We've also added Power BI integration to help you better understand threat exposure and target remediation more granularly per machine.

 

  • Meltdown and Spectre insights: If you're worried about Meltdown and Spectre, we've got you covered. A new dashboard shows your exposure level to the Meltdown and Spectre vulnerabilities, including information about your network, operating system updates, and microcode levels relative to these threats.

 

  • Block at First Sight (BAFS): We've enhanced our protection capabilities with a new feature that detects and blocks new, never-before-seen malware within seconds. When a suspicious file is encountered, the cloud backend samples it and applies heuristics, machine learning, and other automated techniques to determine whether the file is malicious or clean. Malicious files are blocked immediately.

 

 

  • Role-Based Access Control (RBAC): This feature lets companies segment their tenant into logical groups and apply granular control over who gets to see and take action on each group. Companies can create roles and groups and have fine-grained control over what users can see and do.

 

  • Broader endpoint support: We're excited to share that we're supporting more platforms beyond Windows 10:
    • Built into Windows Server 2019: Our sensor is now built into Windows Server 2019. This allows deeper insight into system activities, coverage for kernel and memory attacks, and response actions similar to those we offer on Windows 10.
    • Mac and Linux: We are expanding our coverage to other platforms through our partners. macOS and Linux are now supported with Ziften. For more information on how to onboard these endpoints, see Configure non-Windows endpoints.
    • Windows 7 support: Coming soon. Stay tuned.

 

  • Microsoft ATP: We're expanding our integration across the Windows, Office, and Azure Advanced Threat Protection (ATP) services and are happy to announce Azure ATP integration. With this integration, companies get wider Advanced Threat Protection coverage across user identity (Azure ATP), apps and mailboxes (Office ATP), and endpoints (Windows Defender ATP).
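As an added example that is not part of the original post, here is the kind of hunt the advanced hunting item above describes: a query over process-creation and network events that flags Office applications spawning PowerShell with an encoded or download-cradle command line, then attaches any outbound connections that PowerShell process made in the following five minutes. It is written against the current Microsoft Defender for Endpoint schema (DeviceProcessEvents, DeviceNetworkEvents); the 2018 preview exposed the same data as ProcessCreationEvents and NetworkCommunicationEvents with somewhat different column names, so adjust the names if your tenant differs. The parent-process list, the command-line markers, the seven-day look-back and the five-minute window are assumptions chosen for illustration, not values from the post.

```kql
// Added example, not code from the original post.
// Schema assumption: current DeviceProcessEvents / DeviceNetworkEvents tables.
let lookback = 7d;
let shells = dynamic(["powershell.exe", "pwsh.exe"]);
// Assumed list of parent applications worth flagging when they spawn a shell.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (shells)
| where InitiatingProcessFileName in~ (officeApps)
// Command-line markers typical of encoded payloads and download cradles.
// 'contains' is case-insensitive; "-enc" also matches "-EncodedCommand"
// (and, as a known false positive, "-Encoding").
| where ProcessCommandLine contains "-enc"
    or ProcessCommandLine contains "downloadstring"
    or ProcessCommandLine contains "frombase64string"
    or ProcessCommandLine contains "invoke-expression"
    or ProcessCommandLine contains " iex "
| project StartTime = Timestamp, DeviceId, DeviceName, ProcessId, ProcessCreationTime,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
// Attach outbound connections made by that exact PowerShell process.
// ProcessId values are recycled, so the join also matches on creation time.
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (shells)
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              ConnTime = Timestamp, RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId,
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
// Keep processes with no connection at all (ConnTime is null after the
// outer join) and connections within five minutes of process start.
| where isnull(ConnTime) or ConnTime between (StartTime .. (StartTime + 5m))
| summarize Connections = countif(isnotnull(ConnTime)),
            Remotes = make_set_if(strcat(RemoteIP, ":", tostring(RemotePort)),
                                  isnotnull(ConnTime), 10)
          by StartTime, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine
| order by Connections desc, StartTime desc
```

Each result row keeps the machine name, the suspicious command line and up to ten remote endpoints, so it can be pivoted straight into the machine or process view the item above mentions. The leftouter join is deliberate: a shell that was spawned with an encoded command but never reached the network is still worth a look, so it is kept with Connections = 0 rather than dropped.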

 

The new features released today continue our investment in making Windows Defender ATP a unified platform for endpoint security, making it the most advanced and complete endpoint protection service.

 

For a more up-to-date version of the documentation, see the Windows Defender ATP docs library.

 

Windows Defender ATP Team

32 Comments
Copper Contributor

Great news.
Under Security Analytics I don't see any sensor/graph for Credential Guard.
Will this important feature come in the near future?

Thanks
Jesper Ravn

Copper Contributor

Great news,

 

When do you expect to move from insider builds to 1709?

Microsoft
Yes. Will be released soon...

Great new features to WDATP!
What I miss is the option to browse from for example the Security Operations dashboard to the list of machines involved. I see Suspicious activities, a number of activities which I can hover over, but when I click on that number I want to see some sort of history of those activities. Now nothing happens.

Thanks!

Peter

Brass Contributor

When I try to enable the Automated Investigation, I get the following error:

Failed to save settings

 
I'm currently in a trial of ATP so I don't know if that is related or not.

Aaron, can you please check if it is enabled now?

Brass Contributor
Nope, still same error.

We are currently working to solve this issue
I will get back to you once it is fixed

Copper Contributor

The role-based administration doesn't appear to be working. We assigned a group to the Global Administrator role but the members can't log on to the tool anymore.

 

Before, they could log on with the Azure AD Security Reader role.

 

Any help is welcome.

Microsoft

Hi David,

Once RBAC is applied, users with the AAD Security Reader role lose their access to the portal by design.

In order to grant them access, your AAD admin shall log into the WDATP portal, create a custom role using the RBAC UX and apply this role to the desired AAD user group.

 

 

It should be fixed now, let me know how it goes

Brass Contributor
Just tried it from a normal window and from private browsing and still have the same 500 error.
Copper Contributor

I get the same "Failed to POST" error when trying to enable Automated Investigation.

Microsoft

Hi Jesper,

Security Analytics Credential Guard support is released to preview.

Your feedback is welcome.

Aaron, can you try now?

Brass Contributor

Yep, works now! Thanks.

Copper Contributor

I like the Tags feature but filtering on them doesn't work

Microsoft

Could you please elaborate on what you tried and what didn't work?

If possible, it will help to report this using the feedback option within the WDATP portal (click on the smiley face in the upper ribbon).

 

Thanks,

Tomer

Brass Contributor

How soon is soon for supporting 1709? I have found WD-ATP crashes the Microsoft Management Agent, which breaks the reporting into OMS for stats, best practice and, more importantly, our logs. I love WD-ATP and am really looking forward to using it in our 1709-based environment :)

 

Thanks

Microsoft
Mark, can you please use the portal feedback feature (top right looks like a chat icon) to submit a bug to us so we can see details of your tenant and investigate why this happens?
Copper Contributor
Is there a way to access WD ATP in another tenant than your own, when you have been given permission through the roles? I added a guest in my AAD, provided access through a group --> role in WD ATP, but when the guest user authenticates on "Securitycenter.windows.com", he is redirected to his own tenant and I don't see an option to switch tenants .... Am I missing something? This is a crucial feature for a partner who wants to support WD ATP across multiple customers .... (having an account at each customer is not feasible) Thanks! Raf

A bit off topic, but we have been using a few test devices to test WD ATP and the new features. We have now offboarded those test devices, but they still show up in the dashboard. Does anybody know how to delete those devices from the dashboard?

Microsoft

Deletion is not available, mainly because attacks can be identified weeks after the initial breach, and in order to be able to travel back in time and investigate effectively, historical data should persist, even for machines which were offboarded.

  • Please note that this is part of the 6-month historical data promise and in any case does not incur any cost on the customer.

If you really want to hide such a machine, you can apply a tag (e.g. "decommissioned" / "offboarded") and filter the machines list based on this value.

Thanks,

Tomer

Copper Contributor

Love the BitLocker status, but is there a way to only include the C: drive in our Secure Score?

Brass Contributor

I created a machine group based on tags that I push to each machine upon enrollment. I tied that to a role and gave only the view data permission. I added my colleague to the role/group and asked him to go to the WDATP portal, the view data permission is working, but he can see all of the machines instead of only the machines with the tag I specified. 

 

I confirmed before adding him to any groups that he didn't have any access to the portal. I wanted to rule out that he was getting the privilege from somewhere else.

 

Just curious if there is any point I may have missed regarding restricting which machines are visible?

Microsoft

@Todd Harrison can you please share the tenant details so we can further inspect this?

Brass Contributor

@Amit Sharan what details related to the tenant do you require?

Microsoft

@Todd Harrison the easiest way would be to log in to the WDATP portal and submit a frown.

Brass Contributor

@Amit Sharan Sorry, I missed this comment, I apologize it has taken me so long to get back to you. After reading about the machine groups I actually figured out what I was doing wrong.

 

I had a number of machines that were still in the "Ungrouped" machine group. I wasn't aware that I could actually modify this default group in any way. Once I realized I could modify it, I created a group in AD for it so I could assign a role. Once I associated it with a role, all the extra machines stopped showing up.

 

Thank you for your help!

Copper Contributor

Do we have any single Graph API which can fetch all the details from the portal?

Microsoft
Copper Contributor

Thanks for your reply Raviv, I have explored that already and have seen multiple APIs for fetching the details. But I am currently looking for single API call which will give all the details for one specific tenant.

Version history
Last update:
‎May 08 2018 01:27 AM