SOLVED

Questions Based on Webinar


Hello,

First of all, thank you for a very helpful overview. It was a great session.

I have some specific questions:

1. There seems to be no way to auto-submit a false positive from MDATP to the Defender website?

2. Is Cyren still the only web filter provider? During testing we found it missed "proxy" websites and people could still easily visit banned sites.

3. Is there an additional charge for Threat Experts over and above the license?

4. Can we get ongoing lab machines, a limited number each month, so we can test detonation in a richer environment?

5. When testing Windows 7 we never got the rich view shown in the blog; is this now in a reduced form? We installed AV from SCCM and joined, but the view is extremely limited for Win 7 and no remediation seemed to take place?

Thank you in advance! :)

3 Replies

@mbhmirc Hi there!

I am glad to read you found the webcast helpful and you liked it :)

I am trying to answer as many questions as possible:

1. You can mark alerts as FP within the console, and we can use this data to measure SNR and tune our detectors where needed.

2. Yes, it's currently in preview and we are collecting feedback (I'll pass your proxy feedback on).

3. Threat Experts comes with two components, "Targeted attack notification" and "Experts on demand". The first one is included; the second is a separate subscription, but after you have applied and been accepted to the program, you can test Experts on demand first free of charge.

4. We get this request frequently and the team is looking into options, as those are very high costs in the backend. Currently the answer is no.

5. You should see everything we are capable of picking up from the endpoint, besides logged-on users. And yes, not all response actions are available because they would require changes in Windows 7.

Greetings from Seattle and stay safe!

Heike


@Heike Ritter Perfect, thank you. Just one more item...

Regarding the false positives, that's great for ATP. However, for a Defender detection that ATP also reports, we sometimes need to clean it up quickly as it can stop production. Currently we download the file with the rather cool download file tool and then submit it to the Defender team, who double-check the file and then update the intelligence files. It would be great if we could automate this submission, or is it the case that this is automatic when we mark a false positive at all levels?

Best Response confirmed by mbhmirc (Occasional Contributor)
Solution

@mbhmirc No, it does not. If I am not mistaken, the team is looking into such options though. I'll pass your feedback on :)