WD ATP Processing / Flow


Hi All,

Assuming that I have enabled all the features/capabilities of WD ATP and received an infected file, in which order do we examine the file? i.e. do we detect first with antivirus, then check attack surface reduction, if we have both enabled? Just trying to understand the flow through the different features when all are enabled: which one do we start with, and why?


Thanks! 

1 Reply

@abeerq Enable automatic investigation and it should take care of most of the steps


https://techcommunity.microsoft.com/t5/microsoft-defender-atp/automate-the-boring-for-your-soc-with-...
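As an added example (not part of the original thread, and not Microsoft's own code): the question assumes that antivirus, attack surface reduction and the other Defender components are all switched on, and the reply points at automatic investigation. Before reasoning about which feature sees a file first, it is worth confirming on the endpoint what is actually enabled. The snippet below does that with the documented `Get-MpComputerStatus` and `Get-MpPreference` cmdlets from the built-in Defender PowerShell module. The helper function names (`Get-DefenderFeatureState`, `Get-AsrRuleState`) are this example's own; the numeric-to-name mapping for ASR actions follows Microsoft's ASR documentation (0 Disabled, 1 Block, 2 Audit, 6 Warn). It does not, and cannot, tell you the internal processing order; it only shows which protections are in play.

```powershell
# Added example: inventory which Defender features are enabled on this endpoint.
# Requires the built-in 'Defender' module (Windows 10/11, Windows Server 2016+)
# and an elevated session. Helper names below are this example's own, not Microsoft's.

Import-Module Defender -ErrorAction Stop

function Get-DefenderFeatureState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [PSCustomObject]@{
        # Engine-level protections, reported by Get-MpComputerStatus
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        IoavProtectionEnabled     = $status.IoavProtectionEnabled    # scanning of downloads/attachments
        OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
        # Preference-level features, reported by Get-MpPreference
        CloudProtection           = $pref.MAPSReporting              # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission          = $pref.SubmitSamplesConsent       # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
        NetworkProtection         = $pref.EnableNetworkProtection    # 0 = off, 1 = block, 2 = audit
        ControlledFolderAccess    = $pref.EnableControlledFolderAccess
        AsrRulesConfigured        = @($pref.AttackSurfaceReductionRules_Ids).Count
    }
}

function Get-AsrRuleState {
    # Pair each configured ASR rule GUID with the action set for it.
    # Action codes per Microsoft's ASR documentation: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $name = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        [PSCustomObject]@{
            RuleId = $ids[$i]
            Action = $name
        }
    }
}

# Print the inventory. A rule in Audit mode only logs; it does not block the file.
Get-DefenderFeatureState | Format-List
Get-AsrRuleState | Format-Table -AutoSize
```

Run this in an elevated PowerShell session on the endpoint in question. If `AsrRulesConfigured` is 0, or a rule shows `Audit`, then ASR is not actually blocking anything on that machine regardless of what the portal policy says, which is the first thing to rule out before asking which component inspected the file first.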