Today, we are excited to share how we’ve expanded the Windows Defender ATP service to cover prevention, detection, investigation, response and management – providing end-to-end protection for your Windows endpoints. All of these new features are available in the Windows Defender ATP (WDATP) Windows 10 Fall Creators Update, now open for public preview.

This focused security investment combines the best of Windows Defender ATP and the Windows security stack. We integrated Windows 10’s new prevention technologies, enhanced our built-in sensors to better detect script-based attacks, added new response capabilities and opened up powerful analytics.

So now, let’s see what we are lighting up in more detail:

  • Windows security features working in unison – Get visibility into security alerts coming from the combined stack of Endpoint Detection and Response (EDR), Windows Defender Antivirus (AV), Windows Defender Firewall, Windows Defender SmartScreen, Windows Defender Device Guard and Windows Defender Exploit Guard. See events reported across the stack in each machine’s timeline. Here are some of the new things Security Operations (SecOps) would be able to achieve:
    • See alerts and events from Windows Defender SmartScreen that show if an employee within the company clicked on a specific URL despite receiving warning message
    • See Windows Defender Device Guard events surfacing attempts to run unauthorized applications that have been restricted from running in the organization
    • See applications blocked or audited by the Windows Defender Exploit Guardprotection rules
    • See Windows Defender Antivirus detections and Windows Defender Firewall blocks
    • View security events and alerts information for sessions taking place within the Windows Defender Application Guard isolated containers (Figure 1)

In addition, we are providing a centralized and simplified management experience in System Center Configuration Manager (SCCM) starting with version 1710 and Microsoft Intune to manage the various Windows Security stack products.



Application Guard detection event

  • Better detections, enhanced alerts and more power to the SoC – we continue to evolve our detection capabilities to gain more visibility into dynamic script-based attacks, network explorations, and keylogging alerts. We enhanced our alert capabilities, showing more data to help security teams better understand the story behind the alert (Figure 2), introducing automatic detection correlation and grouping of related alerts. In addition, we added the ability to manage high value assets by using tags and grouping capabilities. Based on customer feedback, we are also enhancing our response capabilities, adding more granular machine isolation, ability to restrict the machine to run only trusted binaries and initiating Windows Defender AV update and scan.



Enhanced Alert view

  • Security Analytics – a new dashboard view (Figure 3) designed to assess the organization’s security posture compared to the Windows recommended baseline and shows breakdown of possible issues and actionable recommendations for improvement. This dashboard sheds light on configuration issues and provide view to machines where security features are misconfigured or out of date. Security managers can now see their org’s security posture across a wide set of Windows security stack products, as applied in reality and reported by the endpoints. The dashboard also provides view into top non-compliant machines sorted by number of issues and provide recommendation on actions to take.



Security Analytics dashboard

  • Customized reporting – organizations can now quickly create a Power BI report(Figure 4) that allows them to interactively analyze machines, alerts and investigation status. This report provides view on alerts, for example: severity and time to resolve, and machines, for example: sensor health state and OS platform, domain.



PowerBI report

  • Access your data via APIs - Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
  • More Windows sockets – we are expanding our endpoint coverage and adding support for Windows Server 2012R2 and 2016 endpoints (Figure 5). In addition, we are adding enhanced VDI support for organizations wanting to secure their desktop virtualization environment.



Windows Server Machine view

We encourage you to experience all this new goodness first hand, by joining our 90-day free trial today.

Raviv Tamir, Principal Group Program Manager, Windows Defender ATP


Source: Windows Defender ATP Windows 10 Fall Creators Update now open for public preview - Windows Experience Blog