03-12-2018 08:39 AM - last edited on 05-08-2018 01:27 AM by Yarden Albeck
We are excited to announce that today we’ve opened a set of new preview features for Windows Defender ATP community members.
We invite you to try these new features in the Windows Defender ATP portal today -- make sure “Preview features” are enabled in settings.
New features include:
Advanced Hunting: A new, powerful query-based search designed to unleash the hunter in you. With advanced hunting, you can proactively hunt and investigate across all your organization’s data. For example, you can query process creation, network communication, and many other event types. Items in your query result, such as machine and file names, include direct links into the relevant sections of our portal, consolidating advanced hunting with your existing investigation experience. To help you get started, we added a set of query examples; you can check them out here. Here’s a query to start with:
print a = '🤖🎃😀🦓🙏🐾🌫🐨😜🌤🔬'
| extend a=extractall('(.)', a)
| mvexpand a
| extend a=substring(base64_encodestring(strcat('abracadabra', a)), 19)
| summarize Message=replace(@'[+]', ' ', replace(@'[[",\]]', "", tostring(makelist(a))))
The new features released today continue our investment in making Windows Defender ATP a unified platform for endpoint security, and the most advanced and complete endpoint protection service.
For a more up-to-date version of the documentation, see the Windows Defender ATP docs library.
Windows Defender ATP Team
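The starter query above is an Easter egg, and it is not obvious from reading it what it prints. The following Python is an added re-implementation of its pipeline (not code from the post or from the Windows Defender ATP team); it assumes the string in the query is exactly the eleven emoji code points shown, each a 4-byte UTF-8 sequence with no variation selectors, and it shows why each emoji contributes exactly one character to the message.

```python
import base64
import json
import re

ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Input copied from the query in the post above (assumed to be exactly these
# eleven code points, each a 4-byte UTF-8 sequence, with no variation selectors).
EMOJI = '🤖🎃😀🦓🙏🐾🌫🐨😜🌤🔬'
PREFIX = 'abracadabra'


def encode_char(ch, prefix=PREFIX):
    """extend a=substring(base64_encodestring(strcat('abracadabra', a)), 19)

    base64_encodestring works on the UTF-8 bytes; substring(..., 19) keeps
    everything from zero-based offset 19, i.e. the 20th character onward."""
    encoded = base64.b64encode((prefix + ch).encode('utf-8')).decode('ascii')
    return encoded[19:]


def decode_message(text=EMOJI):
    """Run the whole pipeline in order:
    extractall('(.)') / mvexpand -> one row per code point,
    the extend above             -> one base64 tail per row,
    tostring(makelist(a))        -> JSON array such as ["W","D",...],
    replace(@'[[",\\]]', "")      -> strip the [ ] " , characters,
    replace(@'[+]', ' ')         -> turn the base64 '+' into a space."""
    rows = [encode_char(ch) for ch in text]            # one row per code point
    as_json = json.dumps(rows, separators=(',', ':'))  # KQL prints no spaces
    stripped = re.sub(r'[\[",\]]', '', as_json)
    return re.sub(r'[+]', ' ', stripped)


def last_base64_char(ch):
    """Why one character per emoji: 11 prefix bytes + 4 emoji bytes = 15 bytes,
    which base64 encodes to exactly 20 characters with no padding.  The 20th
    character holds the low 6 bits of the 15th byte, and the trailing byte of a
    4-byte UTF-8 sequence is 10xxxxxx with xxxxxx = code point & 0x3F.  So the
    message is just each code point's low 6 bits looked up in the base64 alphabet."""
    if len(ch.encode('utf-8')) != 4:
        raise ValueError('trick only holds for code points >= U+10000')
    return ALPHABET[ord(ch) & 0x3F]
```

If any emoji were stored with a variation selector, the 15-byte arithmetic would break and that row would contribute more than one character.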
03-12-2018 09:18 AM
Under Security Analytics I don't see any sensor/graph for Credential Guard.
Will this important feature come in the near future?
03-14-2018 01:57 AM
Great new features to WDATP!
What I miss is the option to browse from for example the Security Operations dashboard to the list of machines involved. I see Suspicious activities, a number of activities which I can hover over, but when I click on that number I want to see some sort of history of those activities. Now nothing happens.
03-16-2018 01:52 PM
When I try to enable the Automated Investigation, I get the following error:
03-20-2018 07:50 AM
The role-based administration doesn't appear to be working. We assigned a group to the Global Administrator role, but the members can't log on to the tool anymore.
Before, they could log on with the Azure AD Security Reader role.
Any help is welcome.
03-20-2018 07:56 AM
Once RBAC is applied, users with the AAD Security Reader role lose their access to the portal by design.
In order to grant them access, your AAD admin should log into the WDATP portal, create a custom role using the RBAC UX, and apply this role to the desired AAD user group.
03-21-2018 12:04 AM
Security Analytics Credential Guard support is released to preview.
Your feedback is welcome.
03-28-2018 12:57 PM
Could you please elaborate on what you tried and what didn't work?
If possible, it will help to report this using the feedback option within the WDATP portal (click on the smiley face in the upper ribbon).
03-29-2018 05:26 AM - Solution
How soon is soon for supporting 1709? I have found WD-ATP crashes the Microsoft Management Agent, which breaks the reporting into OMS for stats, best practices and, more importantly, our logs. I love WD-ATP and am really looking forward to using it in our 1709-based environment :)
03-29-2018 05:47 AM
04-17-2018 09:35 AM
04-19-2018 06:37 AM
A bit off topic, but we have been using a few test devices to test WD ATP and the new features. We have now offboarded those test devices, but they still show up in the dashboard. Does anybody know how to delete those devices from the dashboard?
04-22-2018 12:00 PM
Deletion is not available, mainly because attacks can be identified weeks after the initial breach; to be able to travel back in time and investigate effectively, historical data should persist, even for machines that were offboarded.
If you really want to hide this machine, you can apply a tag (e.g. “decommissioned” / “offboarded”) and filter the machines list based on this value.
07-06-2018 01:22 PM
I created a machine group based on tags that I push to each machine upon enrollment. I tied that to a role and gave it only the view data permission. I added my colleague to the role/group and asked him to go to the WDATP portal. The view data permission is working, but he can see all of the machines instead of only the machines with the tag I specified.
I confirmed before adding him to any groups that he didn't have any access to the portal. I wanted to rule out that he was getting the privilege from somewhere else.
Just curious if there is any point I may have missed regarding restricting which machines are visible?
@Amit Sharan Sorry, I missed this comment; I apologize that it has taken me so long to get back to you. After reading about the machine groups, I actually figured out what I was doing wrong.
I had a number of machines that were still in the "Ungrouped" machine group. I wasn't aware that I could actually modify this default group in any way. Once I realized I could modify it, I created a group in AD for it so I could assign a role. Once I associated it with a role, all the extra machines stopped showing up.
Thank you for your help!