Windows Defender ATP & O365 integration – it’s here! We’ve all being waiting for this for a long time, and we can finally announce: it’s here!!
Machine timeline full verbose mode & advanced search We're turning on "Full Verbose mode" - which means the Machine Timeline now displays ALL raw events - without aggregations or any other filtering. To allow you to harness this huge amount of information, we're enabling Typed Search over the Machine Timeline combined with Filtering by Event Type. So you can enter any filename, hash, command line, etc., then filter the results to only view Process events matching the search criteria, or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
Domain-joined, AAD-joined, and unjoined machines We now display the association of machines more consistently: • Domain-joined machines will have their domain displayed • AAD-joined machines will display "AAD joined" in the machine domain field • Workgroup-joined machines ("unjoined") will display "Workgroup" in the machine domain field
Process field reparenting support When a process is elevated, its reported parent (e.g. the initiating process) svchost will be displayed in the process tree, while its logical parent will be reported in the reparented process fields. The process tree will display the logical parent with a description explaining that it's elevated. Beta feature (flighting on MSFT only).
Response Actions - Improved Usability We added the option of canceling a pending response action - simply open the Action Center from the Actions menu and click on "X Cancel action"
SIEM Onboarding Automation We created a new SIEM onboarding automation wizard in the portal. Customers can now login to the portal and create an AAD application for SIEM in a single click. Once the Application is created, they can download a details files specifically for their SIEM solution and generate tokens to be used in configuring the SIEM connector. What used to be a long and complicated process is now short and simple, and adoption is already showing its first fruits: Since releasing the new onboarding wizard, two customers have already used it to create an application; one downloaded a Splunk properties file and queried our Alerts RESTful service - 14 minutes to complete the E2E flow!
SIEM Documentation We updated SIEM TechNet documentation to align with the new SIEM onboarding automation process. In addition, we published the list of available fields in the alerts API and documented the process of pulling alerts directly from the alerts REST API, including: authorization flow to obtain access tokens, alerts API request syntax and parameters, response, and code example. Customers can now programmatically access the alerts API and pull alerts directly to their existing systems - One customer is already using this option, other customers are on the way. Thank you, Windows Defender ATP team