WDATP preview features are now ON!
Published Mar 12 2018 08:39 AM 17.6K Views

We are excited to announce that today we’ve opened a set of new preview features for Windows Defender ATP community members.

We invite you to try these new features in the Windows Defender ATP portal today -- make sure “Preview features” are enabled in settings.


New features include:

  • New Automatic Investigation and Response (AIRS): The new Automated Investigation and Response (AIRS) capability dramatically reduces the volume of alerts that security team need to individually investigate. Built using the integrated technology of Hexadite, AIRS leverages artificial intelligence, forensic algorithms, and automated learning from analysts actions to investigate and automatically tend to alerts. AIRS can take automatic remediation actions or recommend remediation actions to analysts. To learn how to use this new AIRS capability, try our “Automated incident response” simulation available here (AIRS require PCs with Windows Insider build 17110 or above.)

 Automated investigation in WDATPAutomated investigation in WDATP




  • Advanced Hunting: New, powerful query-based search is designed to unleash the hunter in you. With advanced hunting, you can proactively hunt and investigate across all your organization’s data. For example, you can query process creation, network communication, and many other event types.  Items in your query result, such as machine and file names include direct links into relevant sections in our portal, consolidating advanced hunting with your existing investigation experience.  To help you get started, we added set of query examples you can check it out here. Here’s a query to start with:

print a = ':robot_face::jack_o_lantern::grinning_face:🦓:folded_hands::paw_prints::fog::koala:;p:sun_behind_small_cloud::microscope:'

| extend a=extractall('(.)', a)

| mvexpand a

| extend a=substring(base64_encodestring(strcat('abracadabra', a)), 19)

| summarize Message=replace(@'[+]', ' ', replace(@'[[",\]]', "", tostring(makelist(a))))


  • Improving Security Posture: Secure score: We’ve added insight into more security controls, for the machines and devices in your business including: Windows Firewall, BitLocker and Credential Guard. Each control includes set of recommended actions to help you improve your overall security score. We’ve also added PowerBI integration to help you better understand threat exposure and provide more granular targeting per machine.


  • Meltdown and Spectre insights: If you’re worried about Meltdown and Spectre, we’ve got you covered. A new dashboard provides insights and exposure level for Meltdown and Spectre vulnerability. This includes information about your network, operating system updates and microcode level information against these threats.


  • Block and first Sight (BAFS): We’ve enhanced our protection capabilities to include a new feature that detects and blocks new, never-before-seen malware within seconds. When encountering a suspicious file, cloud backend sample the suspicious file and apply heuristics, machine learning, and other automated techniques to determine if the file is malicious or clean. Malicious files are instantaneously blocked.



  • Role Based Access Control (RBAC): This feature helps companies to segment their tenant to logical groups and apply granular control for who gets to see and take action on each group. Companies can create roles and groups and have fine-grained control over what users can see and do.


  • Broader endpoints support – We’re excited to share that we’re supporting more platforms beyond Windows 10:
    • Built-in Windows Server 2019: Our sensor is now built into Windows Server 2019. This allows deeper insight into system activities, coverage for kernel and memory attacks, and enables response actions similar to what we offer on Windows 10.
    • Mac & Linux: We are expanding our coverage for other platforms through our partners. MacOS X and Linux are now supported with Ziften. For more information on how to onboard these endpoints, see Configure non-Windows endpoints.
    • Windows 7 support: Support is coming soon. Stay tuned.


  • Microsoft ATP: We‘re expanding our integration across Windows, Office and Azure Advanced Threat Protection (ATP) services and are happy to announce Azure ATP integration. With this integration, companies can get wider Advanced Threat Protection coverage across User identity (Azure ATP), apps and mailbox (Office ATP) and endpoint (Windows Defender ATP)


The new features released today continue our investments in making Windows Defender ATP a unified platform for endpoint security.  Making it the most advanced & complete endpoint protection service.


For a more up-to-date version of the documentation, see the Windows Defender ATP docs library.


Windows Defender ATP Team

Version history
Last update:
‎May 08 2018 01:27 AM
Updated by: