Announcing new exciting capabilities of Windows Defender ATP (April 2018)
Published Apr 23 2018 03:45 AM
Microsoft

Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach. When we introduced Windows Defender Advanced Threat Protection (ATP) more than two years ago, our goal was to leverage the power of the cloud, built-in Windows security capabilities and artificial intelligence (AI) to enable our customers to stay one step ahead of cyber-challenges.

With the next update to Windows 10, we are further expanding Windows Defender ATP to provide richer capabilities for businesses to improve their security posture and solve security incidents more quickly and efficiently.

Let’s dive into these new capabilities in more detail.

Automatic investigation and remediation of threats

Now you can go from alert to remediation in minutes, at scale! Automated investigation and response dramatically reduces the volume of alerts that security analysts need to handle. It uses artificial intelligence to investigate alerts, running in minutes sophisticated playbooks that mimic the decisions and forensic processes of the best human analysts, determining whether a threat is active and where it originated, and then deciding the appropriate steps to remediate it automatically. When Windows Defender ATP identifies that an incident involves multiple machines, it automatically expands the investigation across the entire scope of the breach and performs the required actions on those machines in parallel. Threat investigation and remediation decisions can be taken automatically by Windows Defender ATP based on extensive historical data collected, stored and analyzed in our cloud (“time travel”).

With the new security automation capabilities, Windows Defender ATP can now do more than prevent and find breaches; it can also fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, SecOps saves time and effort, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on its critical mission.

Microsoft 365 conditional access based on device-risk

If a threat is detected, the next logical step is to block access to your sensitive business data from the device while the threat is still active. This is now possible! We worked with our colleagues from the Microsoft Intune and Azure Active Directory (AAD) teams to enrich one of our most popular security scenarios, Microsoft 365 conditional access.

Available in the next update, the dynamic machine risk level can be used to define corporate access policies and prevent risk to corporate data.

As an example, if a threat lands on your endpoints, even one using the most advanced fileless attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access. In parallel, Windows Defender ATP starts an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” and access is granted again.

With Windows Defender ATP, you can now control access based on the risk level of the device itself, helping to ensure devices are always trusted.

Advanced hunting

When it comes to more complex issues, security analysts need rich optics and the right tools to hunt and investigate quickly. We developed a new, powerful query-based search that we call Advanced Hunting, designed to unleash the hunter in you.

With Advanced Hunting, you can proactively hunt and investigate across your organization’s data. New process creation, file modification, machine logon, network communication, registry update, remediation actions and many other event types are entities you can now easily query, correlate and intersect. Advanced Hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center (correlate with worldwide information and VT data, trigger block or containment actions, etc.).

To help you get started, we added a set of sample queries within the tool, and we also have a project on GitHub which contains additional sample queries.

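Correlating process creation with network communication, as the section above describes, might look like the following query. It is an added example, not from the post or from Microsoft's sample-query project, and it assumes the ProcessCreationEvents and NetworkCommunicationEvents tables with the column names used below; check them against the schema reference in your portal.

```kql
// Added example: hunt for Office applications that spawn a scripting host
// which then talks to a public IP address shortly afterwards.
// Table and column names are assumed from the Advanced Hunting schema and
// must be checked against the schema reference in the portal.
let lookback = 7d;      // how far back to search
let window = 10m;       // how soon after the spawn a connection must occur
ProcessCreationEvents
| where EventTime > ago(lookback)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project MachineName, SpawnTime = EventTime, ProcessId, FileName,
          ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | where RemoteIPType == "Public"
    | project MachineName, NetTime = EventTime, InitiatingProcessId,
              RemoteIP, RemotePort, RemoteUrl
) on MachineName, $left.ProcessId == $right.InitiatingProcessId
// Keep only connections made within the window after the process started.
| where NetTime between (SpawnTime .. (SpawnTime + window))
| summarize Connections = count(),
            Destinations = make_set(RemoteIP),
            Ports = make_set(RemotePort)
    by MachineName, SpawnTime, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by SpawnTime desc
```
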
Signal sharing across the Intelligent Security Graph

Our services also learn from each other. Through the Microsoft Intelligent Security Graph (ISG) we share detections to automatically update our protection and detection mechanisms across Microsoft 365 and orchestrate remediation. For example, if a threat is detected by any of the Windows Defender ATP components, that threat will instantly be blocked if it is encountered in an email protected by Office 365 ATP, and vice versa.

When it comes to investigating threats, other Microsoft ATP services might have information important to understanding the full picture. We are excited to share that we are expanding how Windows, Office, and now Azure Advanced Threat Protection (ATP) work together. We are providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP) and devices (Windows Defender ATP). This means relevant information is displayed right at your fingertips, with seamless navigation between the consoles without losing context.

We added improved prevention for ransomware, exploits and advanced attacks

Attackers are using new techniques like “fileless” attacks to compromise devices and deliver ransomware and other types of malware. To address these threats we significantly improved our existing exploit protection and behavior monitoring techniques, which already consistently earn top scores on independent tests for these scenarios. Cloud protection has also been updated to inspect and block a broader range of content types (e.g. JavaScript, macros and documents) regardless of whether the content was downloaded from the web, a USB stick, etc.

We’ve added new capabilities to prevent unauthorized lateral movement and new techniques to address aggressive ransomware attacks that attempt to render devices unbootable through boot sector tampering (e.g.: NotPetya).

Faster performance and reaction times to fast-moving outbreaks have also been added. The Intelligent Security Graph can now be used to instantly update devices with the latest dynamic intelligence as soon as a new outbreak is detected. We’ve also added a new accelerated memory scanning capability that takes advantage of Intel’s Threat Detection Technology (TDT). This capability uses Intel’s integrated graphics processor to live-scan memory for advanced threats, offering improved performance, user experience and battery life.

Microsoft Secure Score

We all know that fixing a problem before it happens is the best way to stay safe. Windows Secure Score does this by helping you run reports on your devices’ security posture and providing actionable recommendations, ensuring your entire organization is fortified against the next attack. But we know that the security state of devices is not everything; that’s why we display your Secure Score across Windows and Office in a single view with the Microsoft Secure Score.

If you’re worried about the latest threat, we’ve got you covered with a new dashboard that provides insight into the exposure level of your organization, currently for the Meltdown and Spectre vulnerabilities, so you can easily understand which machines are still exposed. This includes information about your network, operating system updates and microcode level against these threats.

Windows Defender ATP today

These new Windows Defender ATP innovations place an emphasis on leveraging intelligence, cloud, and analytics to build deeper levels of advanced threat protection for our customers. We are expanding the platform coverage beyond Windows 10: Windows Defender ATP is now built into Windows Server 2019, is currently in private preview for Windows 7 and 8.1 with general availability coming soon, and extends across macOS, Linux, iOS, and Android devices through our Microsoft Intelligent Security Association.

All these new capabilities are already available in Public Preview today. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.

19 Comments
Iron Contributor

The buttons to approve a remediation seem to have vanished...

Hi Dustin,
Thanks for your feedback!

To troubleshoot the issue, I would need a bit more information about the problem you are experiencing.

I have sent you a private message with a few follow-up questions.

Best,
Barak

This is such a fantastic way to perform an update on the new features. Please keep it up. 

Copper Contributor

"Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach"

If this was truly the case, I would not have been rejected from a free trial of this toolset

Microsoft

Hi Azim,

I will contact you in private to solve this issue.

Best,

Yarden

Deleted
Not applicable
When running a quick scan through ATP on 2 machines, the action center shows that the scan is successfully triggered, but the machines never report back to ATP as scan completed. The machines are communicating with ATP.
Microsoft

Hi Jeffrey, 

Thanks for your feedback.

The action center displays the initialization of the scan. As the scan may run for a long time, its actual outcome and detection results (if there are any) are available in the machine timeline.

Best,
Oren

Deleted
Not applicable

Thank you for responding.  The screenshots I just provided is the expected behavior?

Copper Contributor
How do we reset and start a new enrollment process?
Copper Contributor

Did something happen with the Secure Score? It went from 800 possible to 100 possible in the Security and Compliance Center and 300 possible in the ATP dashboard. I didn't see a notification of this change. Why is it all screwy?

Microsoft

Hi Chet,

I sent you an answer in a private message.

Best,

Yarden

Microsoft

Hi,

Please submit a frown in WDATP portal when you're logged on to the tenant with the 300 points. This way we'll get all the necessary details to investigate.

Did you see this drop for a given tenant that previously had 800 potential and now has 300 potential? Or, alternatively, do you see the 300 for a *new* tenant?

Generally, the potential score is subject to the Win10 client versions that are onboarded (RS1/2 vs RS3+ vs RS4+), as it infers the supported security controls (for instance BitLocker is only available in RS4) and the secure score exclusion settings.

Copper Contributor

Good afternoon,

I'm asking here because I can find no documentation on this subject anywhere else, but does Defender ATP record UDP events into the event tables? Every time we have attempted to investigate a UDP based NIDS alert, Defender ATP has nothing to report.

If this is a supported feature, any ideas on what could be wrong with a deployment that picks up no UDP activity?

If this isn't a supported feature, is there a reason why? UDP comms are a standard technique for exfiltrating data from a network and this would be a pretty large coverage gap for a tool such as this.

Thanks,

Ricky

Microsoft

Thanks for your feedback,

Nothing wrong with your deployment. ATP does not present every piece of information that is collected. We try to keep the investigation experience useful.

ATP does monitor the volumes of inbound and outbound traffic in an aggregated way, including UDP traffic. It means that we can tell the volume of the traffic in a time window for a specific process/destination address, but we cannot really tell if it was a two-file upload case or one single upload. As UDP is a connectionless protocol, it feels like it is too noisy to present every single packet in the timeline. There will be some more work to do in order to present it in a way that will make sense.

We'd love to hear your feedback regarding the investigation use cases you had and regarding the way you would suggest to see this information.

For example:

1) What was the trigger for typical investigation cases?

2) Was it HTTP over UDP traffic or something else?

3) Inbound or outbound traffic?

4) What data in the machine timeline or in the investigation experience of ATP could help you?

5) Anything else you might think will be useful.

Thanks,

Dan

Copper Contributor

Dan,

Thanks for the response, very helpful information to know. I'll share my ideas and answers to your questions below:

I certainly agree that presenting every UDP transaction would be overly noisy for most deployment situations. Perhaps a toggle feature, similar to the ability to filter on Event Type within the timeline view? I'm imagining selecting only network communications, with further options for selecting TCP and/or UDP communications. Even when selecting UDP from the dropdown menu, I think it would be beneficial to provide 5-tuple summaries similar to how the timeline currently summarizes encrypted network communications with the source process tree and destination IPs (ex: chrome.exe communicated over the network using an encrypted channel); adding in the destination port would help with lead information.

1) What was the trigger for typical investigation cases?

Various NIDS alerts for newly seen outbound UDP traffic (VOIP Traffic to a cloud service as an example)

2) Was it HTTP over UDP traffic or something else?

VOIP and its supporting protocols (sip, stun/turn), NTP, DNS

3) Inbound or outbound traffic?

Outbound

4) What data in the machine time line or in the investigation experience of ATP could help you?

A summary of source process, destination IPs and ports would help (ntpd.exe communicated over UDP 123 with 6 IPs).

5) Anything else you might think will be useful.

Even if the information doesn't make sense to view in the timeline feature, perhaps adding a table within the Advanced Hunting feature dedicated to UDP communications would help during an investigation?

Thanks again,

Ricky

Microsoft

Ricky,

That was very helpful.

For a short-term solution I suggest the following:

A stream in Advanced Hunting for the aggregated data (1h interval).

  1. Not sure if UDP/TCP info will be there, as well as the specific process info. I believe solving the process identity here is important. Not sure if protocol (TCP/UDP) is so important here.

For the longer term we'll consider adding it to the UX and even building a full AutoIR flow.

I would appreciate your feedback about both.

Also, please share the name of the NIDS solution you use.

Thanks,

Dan

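The aggregated per-process stream Dan proposes, and the one-line summary Ricky asks for, could be approximated with a query like the following. It is an added example, not from the thread or from Microsoft; it assumes the NetworkCommunicationEvents table with the column names used below, and it keys on the destination port because the schema is not guaranteed to expose the transport protocol.

```kql
// Added example: hourly roll-up of outbound traffic to a given destination
// port per machine and process, reporting only destinations not seen in the
// preceding baseline period (the "newly seen outbound UDP traffic" case).
// Table and column names are assumed from the Advanced Hunting schema and
// must be checked against the schema reference in the portal.
let port_of_interest = 123;     // NTP, the example raised in the thread
let baseline = 30d;             // how far back "known" destinations are learned
let recent = 24h;               // the window to report on
// Destinations each process on each machine reached during the baseline period.
let known = NetworkCommunicationEvents
| where EventTime between (ago(baseline) .. ago(recent))
| where RemotePort == port_of_interest
| distinct MachineName, InitiatingProcessFileName, RemoteIP;
NetworkCommunicationEvents
| where EventTime > ago(recent)
| where RemotePort == port_of_interest
// Keep only rows whose (machine, process, destination) did not appear in the baseline.
| join kind=leftanti known on MachineName, InitiatingProcessFileName, RemoteIP
| summarize Events = count(),
            NewDestinations = dcount(RemoteIP),
            Sample = make_set(RemoteIP, 10)
    by Hour = bin(EventTime, 1h), MachineName,
       InitiatingProcessFileName, InitiatingProcessCommandLine, RemotePort
// Render the one-line summary the thread asks for.
| extend Summary = strcat(InitiatingProcessFileName, " communicated over port ",
                          RemotePort, " with ", NewDestinations, " new IPs")
| order by Hour desc, NewDestinations desc
```
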
Copper Contributor

Hi

Is Windows Defender ATP supported in Windows Server 2008 and R2?

If we have to replace the current antivirus with Windows Defender ATP in servers, then what are the options we have?

Thanks

Hi,

We are not supporting Windows Server 2008 R2.

To use Windows Defender ATP for servers you should use one of our supported server versions, Windows Server 2012 R2 and above.

Thanks,

Michal

Version history
Last update:
‎Apr 23 2018 04:20 AM