WDATP September 2018 preview features are out!
Published Sep 05 2018 08:49 AM

Listening to customer feedback and improving the day-to-day life of security operations teams are two of the core pillars of how we build the Windows Defender ATP service and how we operate across our engineering and research teams. With that in mind, we are excited to roll out today a new set of Windows Defender ATP features that enhance key aspects of the service, based heavily on what we heard from you.

The new features below are part of the Windows Defender ATP September 2018 preview program and are available for you to try today. Here's how to check and enable preview features on your Windows Defender ATP tenant. Not yet a Windows Defender ATP customer, but interested in trying the new features? Sign up for a trial tenant here.

So, what's new?

Threat Analytics

Threat Analytics is a set of interactive reports on significant and emerging attack campaigns that fuses organizational risk analytics with threat intelligence. It equips security operations teams with real-time information that helps them understand the nature of a threat, assess its impact on their environment, and act on recommended actions that increase security resilience, such as guidance on preventing or containing the threat.

See the new Threat Analytics dashboard in the portal or check out the documentation.

Custom detection (a.k.a. scheduled queries for advanced hunting)

We heard your feedback. You liked our advanced hunting feature, but asked for the ability to generate custom alerts based on your own queries. You got it!


You can now schedule the execution of advanced hunting queries and generate custom alerts.

Try it out using our new 'Advanced Hunting' tutorial scenario or see instructions for creating custom detections here.
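As an added illustration, not taken from the original post or from Microsoft's documentation, here is the general shape of an advanced hunting query that could be scheduled as a custom detection. The table and column names (ProcessCreationEvents; EventTime, MachineId, ReportId, ComputerName, FileName, ProcessCommandLine, InitiatingProcessFileName) follow the 2018 advanced hunting schema as recalled here and should be checked against the schema reference in the portal; the choice of Office parents and script hosts is an assumption made for the example.

```kql
// Added example: a query of the shape that can be scheduled as a custom detection.
// Table and column names are assumed from the 2018 advanced hunting schema;
// verify them against the portal's schema reference before use.
ProcessCreationEvents
| where EventTime > ago(1d)
// Script or shell hosts spawned directly by an Office application: a pattern worth
// alerting on because normal document workflows rarely produce it.
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// A custom detection query must return EventTime, MachineId and ReportId so that
// each result row can be turned into an alert tied to the right machine and event.
| project EventTime, MachineId, ReportId, ComputerName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
```

The projected columns are what makes the result usable as an alert source: without EventTime, MachineId and ReportId the scheduled query cannot be attached to a machine in the portal, so keep them even when you trim the rest of the output.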

 

MCAS integration

Microsoft Cloud App Security (MCAS) can now leverage Windows Defender ATP endpoint signals to give direct visibility into cloud application usage, including the use of unsupported cloud services (shadow IT), from all WDATP-monitored machines.

WDATP and MCAS signals are shared over the Microsoft Intelligent Security Graph.

Already an MCAS user? To try it out, go to your MCAS portal and click Discover > Cloud Discovery dashboard. Then, in the top right corner under Continuous Report, choose "Win 10 endpoint users".

Not using MCAS yet? Learn more and register for a free trial.

WDATP for Windows Server 2019

We're upgrading our server protection stack by adding support for Windows Server 2019. The Windows Defender ATP sensor will be built into the server OS, complete with kernel and memory sensors previously available only to Windows 10 clients.

No agent and no installation required.

Read more here about Windows Server 2019 onboarding, and here's how to run a detection test on a server once it's onboarded.

Auto-resolve remediated alerts

Alerts can now be automatically resolved when the automated investigation fully remediates the root cause of the alert.

This is especially useful to reduce active alert numbers in an environment where automated investigation is turned on.

It also enhances our Conditional Access scenario: once automation remediates a machine and automatically resolves the related alerts, the machine's risk level goes down, re-allowing the user to access corporate resources safeguarded by Conditional Access policies.

Follow up here to turn on automatic alert resolution.

Read more about Conditional Access and WDATP here.

We look forward to your feedback! Just click on the 'send a smile/frown' feature in the top right corner of the portal and tell us what you think.

The Windows Defender ATP team

27 Comments
Deleted
Not applicable

Hey Raviv, loving the new Threat Analytics page. Great details and prevention steps there - exactly what I was hoping for.

MCAS integration sounds great! I don't see it yet

Nevermind, had to enable it in Windows Defender Security Center -> Settings -> Advanced Features. Going to check it out now.

Microsoft

Like!

We don't have Cloud App Security, but do have Office 365 Cloud App Security.
Will WDATP integrate with Office 365 Cloud App Security? Because I have enabled the integration, but don't see the "Win 10 endpoint users" option.
Thnx
Peter

Microsoft

Hi Peter,

Office 365 Cloud App Security currently does not support Windows based discovery, due to the lack of support for automatic log upload. To benefit from Windows based discovery you will need to use Microsoft Cloud App Discovery.

Automatic log upload in Office 365 Cloud App Discovery, which will enable Windows based discovery, is being considered for future releases.

Copper Contributor

DATP Team,

I have a question regarding the MCAS integration. Is this feature only supplementing the data that CAS is receiving from an on-premises log collector receiving traffic logs from a security appliance, or is this data going to act as a data feed on its own? I ask because I enabled the feature in DATP approx. 24 hours ago, and still do not see the options laid out in:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-c...

We aren't using the on-prem log collector functionality of MCAS, but the link below indicates that this integration with WDATP solves this issue:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-c...

Any thoughts on why our MCAS portal doesn't seem to match up with the new advertised capabilities?

Thanks,

Ricky

@Omri Amdursky thank you for the fast response!

I am not getting the WDATP and MCAS integration to work either; the Continuous Report for Windows 10 doesn't appear. It's a great feature, so I would love to try it out ASAP.

Copper Contributor
Hi, I can't seem to find a way to start a new topic in this forum, so here goes. My question is this: is WDATP an extra that can work alongside my regular AV (Trend Micro) as an EDR solution? This means without any other Windows Defender components installed. I can only find allusions to this in the documentation, as you write that if Windows Defender is not the AV, malware alerts will not be in the dashboard. Plus you say it works with Bitdefender. What cost is on the data I send to Azure? Is the transfer and storage of ATP-related data included in the E5 license?

Hi,

You can read on compatibility with other AV vendors here; it works fine as an EDR, but you get more integration if you run Defender AV.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...

It works fine to integrate with SentinelOne, Ziften and Bitdefender so you can surface all the alerts in one place. The data is stored up to 180 days in WDATP. There are no additional storage or transfer costs outside the Windows 10 E5 license.

Iron Contributor

Same issue here. Does it take a few days to hydrate the tenant after enabling integration?

Microsoft
Sorry to hear it doesn’t work for you. At this stage of the preview we have seen a gap of up to 4 hours for the report to surface in the MCAS portal. If the problem persists please send us a ‘frown face’ from the top right navigation bar in the portal and we’ll follow up and debug.
Iron Contributor
It started showing up only after I updated my test VM running Windows 10 EDU Insider on Skip Ahead and that is the only machine in the report. Is there a minimum required build for this feature to work?
Brass Contributor

I sent a feature request during the summer and it's already in the product, well done!

Microsoft

Beautiful updates! Thank you.

Microsoft

Hi Stefan,

The feature only works on machines running 1809 builds of Windows (Insider Preview), and during preview it might take up to a couple of hours to pop up in the MCAS portal. If this still doesn't work, please send us a 'frown face' from the WDATP portal top right corner and we'll debug.

Raviv

Microsoft

Yes. Please use the latest 1809 preview build 17760

Microsoft

Hi,

To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.

Thanks,

Dan

Microsoft

Hi,

To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.

Please verify that all the above is set and give it a couple of hours to show up.

Make sure you are creating some moderate cloud app traffic there, just to see it showing up.

Thanks,

Dan

Microsoft

Same answer :)

To enable the MCAS integration you need the following:

1) EMS E5

2) RS5 endpoint (The integration is enabled for RS5 and above)

3) Turn on the integration switch in the WDATP settings.

It should take up to two hours to see the new report created.

Please try using cloud apps to see them showing up in the report.

Thanks,

Dan

In addition, following the above question -
Yes, there should be created a new continuous report which appears separately from the data that is coming in using the on-prem log collector. The name of the continuous report is 'Win10 Endpoint Users'.
Copper Contributor

Hi,

Small question on this: how much time does it take to propagate data from the client up to Cloud App Security through WD ATP? We upgraded a couple of machines to 1809 and the "Windows 10 Endpoint Users" report appeared fine a few hours later, but it seems to take quite some time to have data synchronized to CAS...

thanks!

Raf

Hi Raf,

It takes up to 2 hours for the data to come into MCAS.
Overall data aggregations (the stats you are seeing in the Cloud Discovery dashboard) are performed 2 to 4 times a day, so these can take a little longer to be updated.

Other Discovery tables (i.e. discovered apps, users, machines, IP addresses) are updated every 2 hours.

Thanks,
Danny.
Copper Contributor

Thanks Danny!

Is it possible that the upload/download numbers are not quite correct yet? With 2 computers that are actively used and where I e.g. synced > 2GB data over onedrive, the total after 2 days is 35MB for all traffic ... 

tx

Raf

I would have to agree, data volumes are not reflecting in a good way here either. I have, for example, downloaded quite a lot of GBs from YouTube and Azure for Ignite sessions and they are not reflected either.

@Stefan Schörling @Raf Cox - thank you for bringing this up, we will investigate this case.

In order to do that, could you please PM me with your tenant details?

Thanks,

Danny.

Copper Contributor

Hi Danny,

do you have an update on this issue?

The volume of data reported to CAS through WDATP still seems quite low in our tenant...

thanks!

Raf

Version history: last update Sep 05 2018 09:11 AM