
WDATP preview features are now ON!

Raviv Tamir
Microsoft


We are excited to announce that today we’ve opened a set of new preview features for Windows Defender ATP community members.

We invite you to try these new features in the Windows Defender ATP portal today -- make sure “Preview features” are enabled in settings.


New features include:

  • New Automated Investigation and Response (AIRS): The new Automated Investigation and Response (AIRS) capability dramatically reduces the volume of alerts that security teams need to investigate individually. Built using the integrated technology of Hexadite, AIRS leverages artificial intelligence, forensic algorithms, and automated learning from analysts' actions to investigate and automatically tend to alerts. AIRS can take automatic remediation actions or recommend remediation actions to analysts. To learn how to use this new AIRS capability, try our “Automated incident response” simulation available here (AIRS requires PCs with Windows Insider build 17110 or above).

 [Image: Automated investigation in WDATP]

  • Advanced Hunting: A new, powerful query-based search designed to unleash the hunter in you. With advanced hunting, you can proactively hunt and investigate across all your organization’s data. For example, you can query process creation, network communication, and many other event types. Items in your query result, such as machine and file names, include direct links into the relevant sections of our portal, consolidating advanced hunting with your existing investigation experience. To help you get started, we added a set of query examples; you can check them out here. Here’s a query to start with:

    print a = '🤖🎃😀🦓🙏🐾🌫🐨😜🌤🔬'
    | extend a=extractall('(.)', a)
    | mvexpand a
    | extend a=substring(base64_encodestring(strcat('abracadabra', a)), 19)
    | summarize Message=replace(@'[+]', ' ', replace(@'[[",\]]', "", tostring(makelist(a))))

 

  • Improving Security Posture: Secure score: We’ve added insight into more security controls for the machines and devices in your business, including Windows Firewall, BitLocker and Credential Guard. Each control includes a set of recommended actions to help you improve your overall security score. We’ve also added Power BI integration to help you better understand threat exposure and provide more granular targeting per machine.

 

  • Meltdown and Spectre insights: If you’re worried about Meltdown and Spectre, we’ve got you covered. A new dashboard provides insights and the exposure level for the Meltdown and Spectre vulnerabilities. This includes information about your network, operating system updates and microcode-level information relevant to these threats.

 

  • Block at First Sight (BAFS): We’ve enhanced our protection capabilities to include a new feature that detects and blocks new, never-before-seen malware within seconds. When a suspicious file is encountered, the cloud backend samples the file and applies heuristics, machine learning, and other automated techniques to determine whether the file is malicious or clean. Malicious files are instantaneously blocked.

  • Role Based Access Control (RBAC): This feature helps companies segment their tenant into logical groups and apply granular control over who gets to see and take action on each group. Companies can create roles and groups and have fine-grained control over what users can see and do.

 

  • Broader endpoint support: We’re excited to share that we’re supporting more platforms beyond Windows 10:
    • Built into Windows Server 2019: Our sensor is now built into Windows Server 2019. This allows deeper insight into system activities, coverage for kernel and memory attacks, and enables response actions similar to what we offer on Windows 10.
    • Mac & Linux: We are expanding our coverage to other platforms through our partners. macOS and Linux are now supported with Ziften. For more information on how to onboard these endpoints, see Configure non-Windows endpoints.
    • Windows 7 support: Support is coming soon. Stay tuned.

 

  • Microsoft ATP: We’re expanding our integration across the Windows, Office and Azure Advanced Threat Protection (ATP) services and are happy to announce Azure ATP integration. With this integration, companies get wider Advanced Threat Protection coverage across user identity (Azure ATP), apps and mailbox (Office ATP) and endpoint (Windows Defender ATP).
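A hunting query in the style of the Advanced Hunting item above, added here as an example; it is not part of the original announcement or the WDATP query samples. It assumes the preview-era table name ProcessCreationEvents and the column names used below, and surfaces Office applications spawning a shell or script host, a common sign of a malicious document that an analyst would want to review (each machine and file name in the result links into the portal):

```kusto
// Added example, not from the announcement. Table and column names
// (ProcessCreationEvents, EventTime, ComputerName, AccountName,
// InitiatingProcessFileName, FileName, ProcessCommandLine) are assumed.
ProcessCreationEvents
| where EventTime > ago(7d)
// Parent process is an Office application
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
// Child process is a shell or script host
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project EventTime, ComputerName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| sort by EventTime desc
| take 100
```

Swap the final two lines for `| summarize Hits=count(), LastSeen=max(EventTime) by ComputerName, FileName` to see which machines are affected most often before drilling into individual events.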

 

The new features released today continue our investments in making Windows Defender ATP a unified platform for endpoint security, making it the most advanced and complete endpoint protection service.

 

For a more up-to-date version of the documentation, see the Windows Defender ATP docs library.

 

Windows Defender ATP Team

29 Replies

Re: WDATP preview features are now ON!

Great news.
Under Security Analytics I don't see any sensor/graph for Credential Guard.
Will this important feature come in the near future?

Thanks
Jesper Ravn

Re: WDATP preview features are now ON!

Great news,

 

When do you expect to move from insider builds to 1709?

Re: WDATP preview features are now ON!

Yes. Will be released soon...

Re: WDATP preview features are now ON!

Great new features to WDATP!
What I miss is the option to browse from, for example, the Security Operations dashboard to the list of machines involved. I see Suspicious activities, a number of activities which I can hover over, but when I click on that number I want to see some sort of history of those activities. Now nothing happens.

Thanks!

Peter

Re: WDATP preview features are now ON!

When I try to enable the Automated Investigation, I get the following error:

Failed to save settings

 
I'm currently in a trial of ATP so I don't know if that is related or not.

Re: WDATP preview features are now ON!

Aaron, can you please check if it is enabled now?

Re: WDATP preview features are now ON!

Nope, still same error.

Re: WDATP preview features are now ON!

We are currently working to solve this issue
I will get back to you once it is fixed

Re: WDATP preview features are now ON!

The Role-based administration doesn't appear to be working. We assigned a group to the Global Administrator role but the members can't log on to the tool anymore.

 

Before they could log on with the Azure AD Security Reader role.

 

Any help is welcome.

Re: WDATP preview features are now ON!

Hi David,

Once RBAC is applied, users with the AAD Security Reader role lose their access to the portal by design.

In order to grant them access, your AAD admin must log into the WDATP portal, create a custom role using the RBAC UX and apply this role to the desired AAD user group.

Re: WDATP preview features are now ON!

It should be fixed now, let me know how it goes

Re: WDATP preview features are now ON!

Just tried it from normal window and private browsing and still have the same 500 error.

Re: WDATP preview features are now ON!

I get the same "Failed to POST" error when trying to enable Automated Investigation.

Re: WDATP preview features are now ON!

Hi Jesper,

Security Analytics Credential Guard support is released to preview.

Your feedback is welcome.

Re: WDATP preview features are now ON!

Aaron, can you try now?

Re: WDATP preview features are now ON!

Yep, works now! Thanks.

Re: WDATP preview features are now ON!

I like the Tags feature but filtering on them doesn't work

Re: WDATP preview features are now ON!

Could you please elaborate on what you tried and what didn't work?

If possible it will help to report this using the feedback option within the WDATP portal (click on the smiley face in the upper ribbon).

 

Thanks,

Tomer


Re: WDATP preview features are now ON!

How soon is soon for supporting 1709? I have found WD-ATP crashes the Microsoft Management Agent which breaks the reporting into OMS for stats, best practice and more importantly our logs. I love WD-ATP and am really looking forward to using it in our 1709 based environment :)

 

Thanks

Re: WDATP preview features are now ON!

Mark, can you please use the portal feedback feature (top right looks like a chat icon) to submit a bug to us so we can see details of your tenant and investigate why this happens?

Re: WDATP preview features are now ON!

Is there a way to access WD ATP in another tenant than your own, when you have been given permission through the roles? I added a guest in my AAD, provided access through a group --> role in WD ATP, but when the guest user authenticates on "Securitycenter.windows.com", he is redirected to his own tenant and I don't see an option to switch tenants .... Am I missing something? This is a crucial feature for a partner who wants to support WD ATP across multiple customers .... (having an account at each customer is not feasible) Thanks! Raf

Re: WDATP preview features are now ON!

A bit off topic, but we have been using a few test devices to test WD ATP and the new features. We have now offboarded those test devices, but they still show up in the dashboard. Does anybody know how to delete those devices from the dashboard?

Re: WDATP preview features are now ON!

Deletion is not available, mainly because attacks could be identified weeks after the initial breach, and to be able to travel back in time and investigate effectively, historical data should persist, even for machines which were offboarded.

  • Please note that this is part of the 6 months historical data promise and in any case does not incur any cost on the customer.

If you really want to hide this machine you can apply a tag (e.g. “decommissioned” / “offboarded”) and filter the machines list based on this value.

Thanks,

Tomer

Re: WDATP preview features are now ON!

Love the BitLocker status but is there a way to only include the C: drive in our Secure Score?

Re: WDATP preview features are now ON!

I created a machine group based on tags that I push to each machine upon enrollment. I tied that to a role and gave only the view data permission. I added my colleague to the role/group and asked him to go to the WDATP portal, the view data permission is working, but he can see all of the machines instead of only the machines with the tag I specified. 

 

I confirmed before adding him to any groups that he didn't have any access to the portal. I wanted to rule out that he was getting the privilege from somewhere else.

 

Just curious if there is any point I may have missed regarding restricting which machines are visible?

Re: WDATP preview features are now ON!

@Todd Harrison can you please share the tenant details so we can further inspect this?

Re: WDATP preview features are now ON!

@Amit Sharan what details related to the tenant do you require?

Re: WDATP preview features are now ON!

@Todd Harrison the easiest way would be to login to the WDATP portal and submit a frown.

Re: WDATP preview features are now ON!

@Amit Sharan Sorry, I missed this comment, I apologize it has taken me so long to get back to you. After reading about the machine groups I actually figured out what I was doing wrong.

 

I had a number of machines that were still in the "Ungrouped" machine group. I wasn't aware that I could actually modify this default group in any way. Once I realized I could modify it, I created a group in AD for it so I could assign a role. Once I associated it with a role, all the extra machines stopped showing up.

 

Thank you for your help!