├── .acrolinx-config.edn ├── .gitattributes ├── .gitignore ├── .openpublishing.publish.config.json ├── .openpublishing.redirection.json ├── .vscode ├── settings.json └── spell.json ├── ATADocs ├── ATA-versions.md ├── DeployUse │ └── docfx.json ├── PlanDesign │ └── docfx.json ├── TOC.yml ├── Troubleshoot │ └── docfx.json ├── Understand │ └── docfx.json ├── ata-architecture.md ├── ata-capacity-planning.md ├── ata-configuration-file.md ├── ata-database-management.md ├── ata-health-center.md ├── ata-prerequisites.md ├── ata-privacy-compliance.md ├── ata-resources.md ├── ata-role-groups.md ├── ata-silent-installation.md ├── ata-technical-faq.yml ├── ata-threats.md ├── ata-update-1.5-migration-guide.md ├── ata-update-1.6-migration-guide.md ├── ata-update-1.7-migration-guide.md ├── ata-update-1.8-migration-guide.md ├── ata-update-1.9-migration-guide.md ├── ata-update-1.9.1-migration-guide.md ├── ata-update-1.9.2-migration-guide.md ├── ata-update-1.9.3-migration-guide.md ├── bread │ └── toc.yml ├── cef-format-sa.md ├── configure-event-collection.md ├── configure-port-mirroring.md ├── disaster-recovery.md ├── docfx.json ├── entity-profiles.md ├── event-id-reference.md ├── excluding-entities-from-detections.md ├── includes │ ├── banner.md │ └── rebranding.md ├── index.yml ├── install-ata-step1.md ├── install-ata-step2.md ├── install-ata-step3.md ├── install-ata-step4.md ├── install-ata-step5.md ├── install-ata-step6.md ├── install-ata-step7.md ├── install-ata-step9-samr.md ├── manage-telemetry-settings.md ├── media │ ├── 150x150.png │ ├── 17update_gatewaybug.png │ ├── 18-install-welcome.png │ ├── 18-license.png │ ├── ATA-Alerts-laguage.png │ ├── ATA-Alerts-syslog-settings.png │ ├── ATA-Center-Configuration.jpg │ ├── ATA-Center-Configuration.png │ ├── ATA-Config-GW-Settings.jpg │ ├── ATA-DNS-Suffix.png │ ├── ATA-Domain-Connectivity-User.JPG │ ├── ATA-GW-change-DC-password.png │ ├── ATA-GW-error.png │ ├── ATA-GW-uninstall-bug.jpg │ ├── ATA-Gateway-Configuration.JPG │ ├── 
ATA-Gateway-perf-counters.png │ ├── ATA-Gateways-config-0.png │ ├── ATA-Gateways-config-1.png │ ├── ATA-Gateways-config-2.png │ ├── ATA-Health-Center-Alert-red-dot.png │ ├── ATA-Health-Issue.jpg │ ├── ATA-Input.jpg │ ├── ATA-Kerberos-background.jpg │ ├── ATA-NET-install-error.png │ ├── ATA-Notification-icon.JPG │ ├── ATA-Port-Mirroring-Capture-traffic.jpg │ ├── ATA-Port-Mirroring-Capture.jpg │ ├── ATA-Port-Mirroring-filter-settings.jpg │ ├── ATA-Sample-Deployment.JPG │ ├── ATA-Suspicious-Activity-Status-Change.JPG │ ├── ATA-Suspicious-Activity-Timeline.jpg │ ├── ATA-Unblock.jpg │ ├── ATA-Unresolved-Profile.jpg │ ├── ATA-VPN-Subnets.JPG │ ├── ATA-alerts-verbosity-language.png │ ├── ATA-alerts.png │ ├── ATA-architecture-topology.jpg │ ├── ATA-center-fullpartial.png │ ├── ATA-center-outdated.png │ ├── ATA-change-console-IP.jpg │ ├── ATA-chge-IP-after-clicking-save.png │ ├── ATA-console-change-IP-bindings.jpg │ ├── ATA-console-search.png │ ├── ATA-edit-site-binding.jpg │ ├── ATA-email-server.png │ ├── ATA-enable-WEF-gw-forwarded-event-log-location.png │ ├── ATA-enable-siem-forward-events.png │ ├── ATA-full-gateway-install-selected.PNG │ ├── ATA-gw-updated.png │ ├── ATA-honeytoken.PNG │ ├── ATA-lightweight-gateway-install-selected.png │ ├── ATA-log-in-screen.jpg │ ├── ATA-log-in-screen.png │ ├── ATA-mini-profile.jpg │ ├── ATA-mongoDB-moveDB.png │ ├── ATA-notification-settings.png │ ├── ATA-performance-counters.png │ ├── ATA-performance-monitoring-add-counters.png │ ├── ATA-red-dot.png │ ├── ATA-server-icon.png │ ├── ATA-settings-icon.jpg │ ├── ATA-syslog-notification-settings-1.7.png │ ├── ATA-syslog-server-settings.png │ ├── ATA-traffic-estimation-1.png │ ├── ATA-traffic-estimation-12.png │ ├── ATA-traffic-estimation-14.png │ ├── ATA-traffic-estimation-2.png │ ├── ATA-traffic-estimation-3.png │ ├── ATA-traffic-estimation-5.png │ ├── ATA-traffic-estimation-7.png │ ├── ATA-traffic-flow.jpg │ ├── ATA-uninstall-center-bug.jpg │ ├── ATACenterSettings.png │ ├── 
ATAGWDomainController.png │ ├── ATA_1.7-welcome-download-gateway.png │ ├── ATA_1.7-welcome-provide-username-finished.png │ ├── ATA_1.7-welcome-provide-username.png │ ├── ATA_center_fullpartial.png │ ├── ATA_center_outdated.png │ ├── ATAupdateWorkaround.png │ ├── AzureWebsiteIcons-install.png │ ├── AzureWebsiteIcons-manage.png │ ├── AzureWebsiteIcons-what-is-ata.png │ ├── abnormal-behavior-sa.png │ ├── access-computer-from-network.png │ ├── add-service-account.png │ ├── asc-icon.png │ ├── ata-center-cert.png │ ├── ata-config-icon.png │ ├── ata-detection-settings-exclusions.png │ ├── ata-detection-settings-honeytoken-1.7.png │ ├── ata-detection-settings-honeytoken.png │ ├── ata-email-server-1.7.png │ ├── ata-gw-config-1.png │ ├── ata-gw-configure.png │ ├── ata-gw-install.png │ ├── ata-install-credentials.png │ ├── ata-install-error.png │ ├── ata-mail-notification-settings.png │ ├── ata-net-framework-restart.png │ ├── ata-netframework-restart.png │ ├── ata-report-icon.png │ ├── ata-sched-reports.png │ ├── ata-syslog-server-settings-1.7.png │ ├── ata-update-error.png │ ├── ataGW-not-synced.png │ ├── ata_failed_readinesschecks.png │ ├── ata_install_readinesschecks.png │ ├── ata_installupdatesautomatically.png │ ├── ata_ms_update.png │ ├── attack-kill-chain-small.jpg │ ├── attack-timeline-1.7.png │ ├── attack-timeline.png │ ├── broken-trust-sa.png │ ├── capacity-tool.png │ ├── center-activation.png │ ├── change-center-config.png │ ├── computer-profile.png │ ├── config-menu.png │ ├── disaster-recovery-deploymentss.png │ ├── dns-recon-diagram.png │ ├── dns-recon.png │ ├── download-gateway-setup.png │ ├── entity-computer.png │ ├── entity-menu.png │ ├── entity-tags.png │ ├── event-id-location.png │ ├── exclude-in-sa.png │ ├── exclusions-config-page.png │ ├── exclusions.png │ ├── forged-pac-diagram.png │ ├── forged-pac-sa.png │ ├── forged-pac.png │ ├── gateway-core-error.png │ ├── health-center.png │ ├── honeytoken.png │ ├── lateral-movement-icon.png │ ├── 
migration-18-start.png │ ├── migration-center-success.png │ ├── migration-center-success17.png │ ├── migration-data-migration.png │ ├── migration-data-migration17.png │ ├── migration-update-gw-17.png │ ├── migration-update-gw.png │ ├── migrationerror.png │ ├── netinstallerror.png │ ├── notification-bar-1.7.png │ ├── notification-bar.png │ ├── partial-migration.png │ ├── pass_the_ticket_sa.png │ ├── paths-icon.png │ ├── radius-setup.png │ ├── reports.png │ ├── sa-actions.png │ ├── sample screen abnormal behavior.png │ ├── sample screen broken trust.png │ ├── sample-screen-malicious-replication.png │ ├── samr-add-service.png │ ├── samr-policy-location.png │ ├── sched-report1.png │ ├── sensitive-account-sample.png │ ├── uninstall-ata15.png │ ├── upgrade-path-ata.png │ ├── user-profile-activities.png │ ├── user-profile-dir-data.png │ ├── user-profile-lateral-movement-paths.png │ ├── user-profile.png │ ├── versions.png │ ├── vpn-set-accounting.png │ ├── vpn-user.png │ ├── vpn.png │ ├── wef-1-local-group-policy-editor.png │ ├── wef-2-config-target-sub-manager.png │ ├── wef-3-event-viewer.png │ ├── wef-4-query-filter.png │ ├── wef-5-sub-properties-computers.png │ ├── wef_4776.png │ ├── wef_ad-event-log-reader-popup.png │ ├── wef_http.png │ └── wef_subscription-prop.png ├── modifying-ata-center-configuration.md ├── modifying-ata-config-dcpassword.md ├── monitoring-alerts.md ├── reports.md ├── setting-ata-alerts.md ├── setting-syslog-email-server-settings.md ├── suspicious-activity-guide.md ├── tag-sensitive-accounts.md ├── troubleshoot-audit.md ├── troubleshooting-ata-known-errors.md ├── troubleshooting-ata-using-ata-database.md ├── troubleshooting-ata-using-logs.md ├── troubleshooting-ata-using-perf-counters.md ├── troubleshooting-service-startup.md ├── upgrade-path.md ├── use-case-lateral-movement-path.md ├── validate-port-mirroring.md ├── vpn-integration-install-step.md ├── what-is-ata.md ├── whats-new-version-1.4.md ├── whats-new-version-1.5.md ├── 
whats-new-version-1.6.md ├── whats-new-version-1.7.md ├── whats-new-version-1.8.md ├── whats-new-version-1.9.md ├── working-with-ata-console.md └── working-with-suspicious-activities.md ├── ATPDocs ├── accounts-with-non-default-pgid.md ├── advanced-settings.md ├── alerts-overview.md ├── architecture.md ├── automated-response-exclusions.md ├── bread │ └── toc.yml ├── built-in-active-directory-guest-account-is-enabled.md ├── cef-format-sa.md ├── change-password-domain-administrator-account.md ├── change-password-krbtgt-account.md ├── change-password-microsoft-entra-seamless-single-sign-on.md ├── credential-access-alerts.md ├── dashboard.md ├── deploy │ ├── activate-capabilities.md │ ├── active-directory-federation-services.md │ ├── capacity-planning.md │ ├── configure-event-collection.md │ ├── configure-event-forwarding.md │ ├── configure-port-mirroring.md │ ├── configure-proxy.md │ ├── configure-sensor-settings.md │ ├── configure-windows-event-collection.md │ ├── create-directory-service-account-gmsa.md │ ├── deploy-defender-identity.md │ ├── directory-service-accounts.md │ ├── download-sensor.md │ ├── event-collection-overview.md │ ├── install-sensor.md │ ├── manage-action-accounts.md │ ├── media │ │ └── configure-windows-event-collection │ │ │ └── image.png │ ├── multi-forest.md │ ├── prerequisites-standalone.md │ ├── prerequisites.md │ ├── quick-installation-guide.md │ ├── remote-calls-sam.md │ └── test-connectivity.md ├── docfx.json ├── domain-controller-account-password-change.md ├── ensure-privileged-accounts-with-sensitive-flag.md ├── entity-tags.md ├── exclusions.md ├── gpo-assigns-unprivileged-identities.md ├── health-alerts.md ├── includes │ ├── dsa-permissions.md │ ├── licenses.md │ └── server-requirements.md ├── index.yml ├── investigate-assets.md ├── lateral-movement-alerts.md ├── manage-security-alerts.md ├── media │ ├── about-settings.png │ ├── access-computer-from-network.png │ ├── account-settings.png │ ├── accounts-with-non-default-pgid │ │ └── 
screenshot-of-pgid.png │ ├── add-excluded-domain.png │ ├── add-excluded-entity.png │ ├── add-exclusion.png │ ├── adfs-container.png │ ├── adfs-logon-advanced-hunting.png │ ├── advanced-audit-policy-check-step-1.png │ ├── advanced-audit-policy-check-step-2.png │ ├── advanced-audit-policy-check-step-3.png │ ├── advanced-audit-policy-check-step-4.png │ ├── advanced-hunting-lateral-movement-paths.png │ ├── advanced-security.png │ ├── alert-details.png │ ├── alert-state.png │ ├── architecture │ │ └── architecture.png │ ├── audit-adfs.png │ ├── audit-configuration.png │ ├── auditing-tab.png │ ├── automated-response-exclusions.png │ ├── built-in-active-directory-guest-account-is-enabled │ │ ├── guest-account.png │ │ └── security-report.png │ ├── capacity-tool-maybe.png │ ├── capacity-tool.png │ ├── cas-isp-clear-text-1.png │ ├── cas-isp-clear-text-2.png │ ├── cas-isp-dormant-entities-sensitive-groups-1.png │ ├── cas-isp-kerberos-delegation-2.png │ ├── cas-isp-laps-1.png │ ├── cas-isp-laps-2.png │ ├── cas-isp-print-spooler-1.png │ ├── cas-isp-print-spooler-2.png │ ├── cas-isp-riskiest-lmp-1.png │ ├── cas-isp-unconstrained-kerberos-1.png │ ├── cas-isp-unconstrained-kerberos-2.png │ ├── cas-isp-unmonitored-domain-controller-1.png │ ├── cas-isp-unsecure-account-attributes-1.png │ ├── cas-isp-unsecure-sid-history-attribute-1.png │ ├── cas-isp-weak-cipher-2.png │ ├── change-password-domain-administrator-account │ │ └── screenshot-of-report.png │ ├── choose-permissions.png │ ├── classify-alert.png │ ├── clear-all.png │ ├── comments-history.png │ ├── configuration-properties.png │ ├── configure-proxy │ │ ├── certificate.png │ │ └── test-proxy.png │ ├── configure-sensor-details.png │ ├── configure-windows-event-collection │ │ ├── auditing.png │ │ ├── certification-authority.png │ │ └── group-policy-management-editor.png │ ├── contactsupport.png │ ├── contactsupport1.png │ ├── contactsupport2.png │ ├── container-properties.png │ ├── dashboard │ │ └── dashboard.gif │ ├── 
delete-exclusion.png │ ├── delete-orphaned-sensor.png │ ├── desktop.ini │ ├── detection-rule-details.png │ ├── directory-service-accounts.png │ ├── disable-lso-vmware.png │ ├── domain-properties.png │ ├── enable-delayed-update.png │ ├── ensure-privileged-accounts-with-sensitive-flag │ │ ├── administrator-properties.png │ │ ├── device-profile.png │ │ ├── posture-report.png │ │ └── user-profile.png │ ├── entity-tags │ │ └── tag-entities.png │ ├── exclude-devices-or-ip-addresses.png │ ├── exclude-domains.png │ ├── exclude-ip-addresses.png │ ├── exclude-specific-users.png │ ├── exclude-users.png │ ├── excluded-entities.png │ ├── exclusions-by-detection-rule.png │ ├── export-sensors.png │ ├── filter-defender-for-identity.png │ ├── filtered-alerts.png │ ├── filtered-sensor.png │ ├── global-excluded-entities.png │ ├── global-excluded-entries-list.png │ ├── health-issues │ │ ├── close-suppress.png │ │ └── global-health-issues.png │ ├── incidents-alerts.png │ ├── investigate-assets │ │ ├── device-details.png │ │ ├── group-timeline.png │ │ └── identity-details.png │ ├── involved-entities.png │ ├── issue-details.png │ ├── laps-unprotected-devices.png │ ├── lmp-new.png │ ├── log-on-as-a-service-gpmc.png │ ├── log-on-as-a-service.png │ ├── manage-action-accounts.png │ ├── manage-alert.png │ ├── manage-sensor.png │ ├── management-accounts.png │ ├── missing-network-traffic-health-alert.png │ ├── need-help-option.png │ ├── network-activities.png │ ├── new-directory-service-account.png │ ├── nnr-high-certainty.png │ ├── object-types.png │ ├── permission-entry.png │ ├── radius-setup.png │ ├── recommended-actions.png │ ├── related-entities.png │ ├── remove-excluded-users.png │ ├── remove-rbcd-microsoft-entra-seamless-single-sign-on-account │ │ └── permissions.png │ ├── remove-replication-permissions-microsoft-entra-connect │ │ └── permissions.png │ ├── return-to-exclude-devices.png │ ├── reversible-passwords-group-policy │ │ └── screenshot-of-gpo.png │ ├── samr-policy-location.png │ 
├── secure-score │ │ ├── adcs-new-reports.png │ │ ├── dcsync-permissions.png │ │ ├── do-not-expire-passwords.png │ │ ├── enforce-encryption-rpc-certificate.png │ │ ├── local-admins.png │ │ ├── misconfigured-certificate-acl.png │ │ ├── misconfigured-certificate-authority.png │ │ ├── misconfigured-enrollment-agent.png │ │ ├── misconfigured-owner.png │ │ ├── old-passwords.png │ │ ├── permissive-certificate-template.png │ │ ├── prevent-certificate-arbitrary-users.png │ │ ├── remove-suspicious-access-rights.png │ │ └── vulnerable-certificate-authority-settings.png │ ├── security-advanced.png │ ├── security-alert-structure.png │ ├── select-a-principal.png │ ├── select-assessment.png │ ├── select-everyone.png │ ├── select-exclude-domains.png │ ├── select-permissions.png │ ├── select-principal.png │ ├── sensor-config-adfs-resolver.png │ ├── sensor-details.png │ ├── sensor-filters.png │ ├── sensor-install-config.png │ ├── sensor-install-deployment-type.png │ ├── sensor-install-language.png │ ├── sensor-outdated.png │ ├── sensor-page.png │ ├── settings-about-page.png │ ├── settings-identities.png │ ├── troubleshooting-known-issues │ │ └── gmsa-retrieve-password-results.png │ ├── unsafe-permissions-dns-admins-group │ │ └── image.png │ ├── unsecure-domain-configurations.png │ ├── view-different-date-new.png │ ├── vm-sensor-issue.png │ ├── vpn-integration.png │ ├── vpn-set-accounting.png │ ├── wef-1-local-group-policy-editor.png │ ├── wef-2-config-target-sub-manager.png │ ├── wef-3-event-viewer.png │ ├── wef-4-query-filter.png │ ├── what-happened.png │ └── whats-new │ │ ├── adjust-alert-thresholds.png │ │ ├── custom-time-frame.png │ │ ├── device-description.png │ │ ├── go-hunt-groups.png │ │ ├── group-search.png │ │ ├── group-timeline.png │ │ ├── report-management.png │ │ ├── reports-main-area.png │ │ └── uac-flags.png ├── migrate-from-ata-overview.md ├── modified-unprivileged-accounts-gpo.md ├── monitored-activities.md ├── nnr-policy.md ├── notifications.md ├── ops-guide │ ├── 
ops-guide-daily.md │ ├── ops-guide-monthly.md │ ├── ops-guide-quarterly.md │ ├── ops-guide-weekly.md │ └── ops-guide.md ├── other-alerts.md ├── persistence-privilege-escalation-alerts.md ├── privacy-compliance.md ├── reconnaissance-discovery-alerts.md ├── remediation-actions.md ├── remove-rbcd-microsoft-entra-seamless-single-sign-on-account.md ├── remove-replication-permissions-microsoft-entra-connect.md ├── reports.md ├── reversible-passwords-group-policy.md ├── role-groups.md ├── rotate-password-microsoft-entra-connect.md ├── security-assessment-clear-text.md ├── security-assessment-deploy-defender-for-identity.md ├── security-assessment-dormant-entities.md ├── security-assessment-edit-misconfigured-acl.md ├── security-assessment-edit-misconfigured-ca-acl.md ├── security-assessment-edit-misconfigured-enrollment-agent.md ├── security-assessment-edit-misconfigured-owner.md ├── security-assessment-edit-overly-permissive-template.md ├── security-assessment-edit-vulnerable-ca-setting.md ├── security-assessment-enforce-encryption-rpc.md ├── security-assessment-insecure-adcs-certificate-enrollment.md ├── security-assessment-laps.md ├── security-assessment-non-admin-accounts-dcsync.md ├── security-assessment-prevent-users-request-certificate.md ├── security-assessment-print-spooler.md ├── security-assessment-remove-local-admins.md ├── security-assessment-remove-suspicious-access-rights.md ├── security-assessment-riskiest-lmp.md ├── security-assessment-unconstrained-kerberos.md ├── security-assessment-unmonitored-domain-controller.md ├── security-assessment-unsecure-account-attributes.md ├── security-assessment-unsecure-domain-configurations.md ├── security-assessment-unsecure-sid-history-attribute.md ├── security-assessment-weak-cipher.md ├── security-assessment.md ├── sensor-settings.md ├── settings-about.md ├── support.md ├── technical-faq.yml ├── toc.yml ├── troubleshooting-known-issues.md ├── troubleshooting-using-logs.md ├── understand-lateral-movement-paths.md ├── 
understanding-security-alerts.md ├── uninstall-sensor.md ├── unsafe-permissions-dns-admins-group.md ├── us-govt-gcc-high.md ├── vpn-integration.md ├── what-is.md ├── whats-new-archive.md ├── whats-new.md └── zero-trust.md ├── LICENSE ├── LICENSE-CODE ├── README.md ├── SECURITY.md ├── ThirdPartyNotices └── includes ├── automatic-redirect.md ├── gdpr-dsr-and-stp-note.md ├── gdpr-hybrid-note.md ├── gdpr-intro-sentence.md ├── gdpr-stponly.md └── secure-score-note.md /.acrolinx-config.edn: -------------------------------------------------------------------------------- 1 | {:allowed-branchname-matches ["main" "master" "release-.*" "sandbox-.*"] 2 | :allowed-filename-matches ["ATADocs" "ATPDocs"]} 3 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Set the default behavior, in case people don't have core.autocrlf set. 2 | * text=auto 3 | 4 | # Explicitly declare text files you want to always be normalized and converted 5 | # to native line endings on checkout. 6 | *.c text 7 | *.h text 8 | 9 | # Declare files that will always have CRLF line endings on checkout. 10 | *.sln text eol=crlf 11 | 12 | # Denote all files that are truly binary and should not be modified. 
13 | *.png binary 14 | *.jpg binary -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | log/ 2 | xhtml/ 3 | packages/ 4 | obj/ 5 | _site/ 6 | Tools/NuGet/ 7 | .optemp/ 8 | .vscode/ 9 | 10 | .openpublishing.build.mdproj 11 | .openpublishing.buildcore.ps1 12 | packages.config 13 | _themes 14 | 15 | -------------------------------------------------------------------------------- /.openpublishing.publish.config.json: -------------------------------------------------------------------------------- 1 | { 2 | "build_entry_point": "docs.ps1", 3 | "docsets_to_publish": [], 4 | "notification_subscribers": [ 5 | "" 6 | ], 7 | "sync_notification_subscribers": [ 8 | "v-jiahu@microsoft.com", 9 | "v-jutao@microsoft.com" 10 | ], 11 | "branches_to_filter": [], 12 | "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/ATADocs", 13 | "git_repository_branch_open_to_public_contributors": "main", 14 | "need_preview_pull_request": true, 15 | "dependent_repositories": [ 16 | { 17 | "path_to_root": "_themes", 18 | "url": "https://github.com/Microsoft/templates.docs.msft", 19 | "branch": "main", 20 | "branch_mapping": {} 21 | }, 22 | { 23 | "path_to_root": "_themes.pdf", 24 | "url": "https://github.com/Microsoft/templates.docs.msft.pdf", 25 | "branch": "main", 26 | "branch_mapping": {} 27 | } 28 | ], 29 | "branch_target_mapping": { 30 | "live": [ 31 | "Publish", 32 | "Pdf" 33 | ] 34 | }, 35 | "targets": { 36 | "Pdf": { 37 | "template_folder": "_themes.pdf" 38 | } 39 | }, 40 | "docs_build_engine": {}, 41 | "skip_source_output_uploading": false, 42 | "contribution_branch_mappings": {}, 43 | "need_generate_pdf_url_template": true, 44 | "need_generate_pdf": false, 45 | "need_generate_intellisense": false, 46 | "enable_branch_build_custom_validation": true, 47 | "enable_pull_request_custom_validation": true 48 | } 
-------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "cSpell.words": [ 3 | "exfiltration", 4 | "infographic", 5 | "kerberos", 6 | "remediate", 7 | "unmonitored" 8 | ], 9 | "markdownlint.config": { 10 | "MD028": false, 11 | "MD025": { 12 | "front_matter_title": "" 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /.vscode/spell.json: -------------------------------------------------------------------------------- 1 | { 2 | "language": "en", 3 | "ignoreWordsList": [ 4 | "SIEM", 5 | "FQDN" 6 | ], 7 | "mistakeTypeToStatus": { 8 | "Passive voice": "Hint", 9 | "Spelling": "Error", 10 | "Complex Expression": "Disable", 11 | "Hidden Verbs": "Information", 12 | "Hyphen Required": "Disable", 13 | "Redundant Expression": "Disable", 14 | "Did you mean...": "Disable", 15 | "Repeated Word": "Warning", 16 | "Missing apostrophe": "Warning", 17 | "Cliches": "Disable", 18 | "Missing Word": "Disable", 19 | "Make I uppercase": "Warning" 20 | }, 21 | "languageIDs": [ 22 | "markdown", 23 | "plaintext" 24 | ], 25 | "ignoreRegExp": [ 26 | "/\\(.*\\.(jpg|jpeg|png|md|gif|JPG|JPEG|PNG|MD|GIF)\\)/g", 27 | "/((http|https|ftp|git)\\S*)/g" 28 | ] 29 | } -------------------------------------------------------------------------------- /ATADocs/ATA-versions.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Advanced Threat Analytics versions 5 | description: Explains the different support options for Microsoft Advanced Threat Analytics (ATA) versions. 
6 | author: batamig 7 | ms.author: bagol 8 | manager: raynew 9 | ms.date: 01/10/2023 10 | ms.topic: conceptual 11 | ms.service: advanced-threat-analytics 12 | 13 | # optional metadata 14 | 15 | #ROBOTS: 16 | #audience: 17 | #ms.devlang: 18 | ms.reviewer: bennyl 19 | ms.suite: ems 20 | #ms.tgt_pltfrm: 21 | #ms.custom: 22 | 23 | --- 24 | # Support for Microsoft Advanced Threat Analytics (ATA) versions 25 | 26 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 27 | 28 | Microsoft ATA support is defined by the Microsoft Lifecycle Policy for [ATA 1.x](/lifecycle/products/?alpha=Advanced%20Threat%20Analytics%201.X), with mainstream support ending on January 12, 2021. 29 | 30 | ATA updates are supported for 12 months from their general availability (GA) release date, or 6 months after a newer update is available. 31 | 32 | > [!NOTE] 33 | > **Support lifecycle** 34 | > 35 | > The final release of ATA is [generally available](https://support.microsoft.com/help/4568997/update-3-for-microsoft-advanced-threat-analytics-1-9). ATA Mainstream Support ended on January 12, 2021. Extended Support will continue until January 2026. For more information, read [our blog](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/end-of-mainstream-support-for-advanced-threat-analytics-january/ba-p/1539181). 
36 | 37 | ## Version History 38 | 39 | |VERSION|BUILD NUMBER|AVAILABILITY DATE|SUPPORT END DATE| 40 | |----|----|----|----| 41 | |1.4|1.4.2457|31-AUG-2015|30-AUG-2016| 42 | |1.5|1.5.2946|17-DEC-2015|16-DEC-2016| 43 | |1.6|1.6.4103|05-MAY-2016|04-MAY-2017| 44 | |1.6.1|1.6.4317|15-JUN-2016|14-JUN-2017| 45 | |1.7|1.7.5402|31-AUG-2016|30-AUG-2017| 46 | |1.7.1|1.7.5647|06-OCT-2016|05-OCT-2017| 47 | |1.7.2|1.7.5757|15-NOV-2016|14-NOV-2017| 48 | |1.8|1.8.6645|30-JUN-2017|30-JUN-2018| 49 | |1.8.1|1.8.6765|02-AUG-2017|02-AUG-2018| 50 | |1.9|1.9.7312|21-MAR-2018|21-MAR-2019| 51 | |1.9.1|1.9.7412|01-JUL-2018|01-JUL-2019| 52 | |1.9.2|1.9.7478|28-MAR-2019|14-MAR-2021| 53 | |1.9.3|1.9.7576|14-SEP-2020|13-JAN-2026*| 54 | 55 | \* This date refers to the end of Extended Support. 56 | 57 | ## See Also 58 | 59 | [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 60 | -------------------------------------------------------------------------------- /ATADocs/DeployUse/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md" 7 | ], 8 | "exclude": [ 9 | "**/obj/**", 10 | "**/Token/**" 11 | ] 12 | } 13 | ], 14 | "resource": [ 15 | { 16 | "files": [ 17 | "**/images/**", 18 | "**/*.png", 19 | "**/*.jpg", 20 | "**/*.gif", 21 | "**/*.bmp", 22 | "**/*.html", 23 | "**/*.css" 24 | ], 25 | "exclude": [ 26 | "**/obj/**", 27 | "_themes/**" 28 | ] 29 | } 30 | ], 31 | "dest": "ATADocs/DeployUse", 32 | "template": "docs.html", 33 | "globalMetadata": { 34 | "layout": "Conceptual", 35 | "breadcrumb_path": "/enterprise-mobility-security/toc.json" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ATADocs/PlanDesign/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md" 7 | ], 8 | 
"exclude": [ 9 | "**/obj/**", 10 | "**/Token/**" 11 | ] 12 | } 13 | ], 14 | "resource": [ 15 | { 16 | "files": [ 17 | "**/images/**", 18 | "**/*.png", 19 | "**/*.jpg", 20 | "**/*.gif", 21 | "**/*.bmp", 22 | "**/*.html", 23 | "**/*.css" 24 | ], 25 | "exclude": [ 26 | "**/obj/**", 27 | "_themes/**" 28 | ] 29 | } 30 | ], 31 | "dest": "ATADocs/PlanDesign", 32 | "template": "docs.html", 33 | "globalMetadata": { 34 | "layout": "Conceptual", 35 | "breadcrumb_path": "/enterprise-mobility-security/toc.json" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ATADocs/Troubleshoot/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md" 7 | ], 8 | "exclude": [ 9 | "**/obj/**", 10 | "**/Token/**" 11 | ] 12 | } 13 | ], 14 | "resource": [ 15 | { 16 | "files": [ 17 | "**/images/**", 18 | "**/*.png", 19 | "**/*.jpg", 20 | "**/*.gif", 21 | "**/*.bmp", 22 | "**/*.html", 23 | "**/*.css" 24 | ], 25 | "exclude": [ 26 | "**/obj/**", 27 | "_themes/**" 28 | ] 29 | } 30 | ], 31 | "dest": "ATADocs/Troubleshoot", 32 | "template": "docs.html", 33 | "globalMetadata": { 34 | "layout": "Conceptual", 35 | "breadcrumb_path": "/enterprise-mobility-security/toc.json" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ATADocs/Understand/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md" 7 | ], 8 | "exclude": [ 9 | "**/obj/**", 10 | "**/Token/**" 11 | ] 12 | } 13 | ], 14 | "resource": [ 15 | { 16 | "files": [ 17 | "**/images/**", 18 | "**/*.png", 19 | "**/*.jpg", 20 | "**/*.gif", 21 | "**/*.bmp", 22 | "**/*.html", 23 | "**/*.css" 24 | ], 25 | "exclude": [ 26 | "**/obj/**", 27 | "_themes/**" 28 | ] 29 | } 30 | ], 31 | "dest": "ATADocs/Understand", 32 | "template": 
"docs.html", 33 | "globalMetadata": { 34 | "layout": "Conceptual", 35 | "breadcrumb_path": "/enterprise-mobility-security/toc.json" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ATADocs/ata-configuration-file.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Export and Import Advanced Threat Analytics Configuration 5 | description: How to export and import the ATA configuration. 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 1d27dba8-fb30-4cce-a68a-f0b1df02b977 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # Export and Import the ATA Configuration 28 | 29 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 30 | 31 | The configuration of ATA is stored in the "SystemProfile" collection in the database. 32 | This collection is backed up every 4 hours by the ATA Center service to files called: **SystemProfile_*timestamp*.json**. The 300 most recent versions are stored. 33 | These files are located in a subfolder called **Backup**. In the default ATA installation location, they can be found here: C:\Program Files\Microsoft Advanced Threat Analytics\Center\Backup\SystemProfile_timestamp.json. 34 | 35 | **Note**: It is recommended that you back up this file to a separate location before making major changes to ATA. 
36 | 37 | You can restore all the settings by running the following command, supplying the path of the backup file to restore: 38 | 39 | `mongoimport.exe --db ATA --collection SystemProfile --file "PATH_TO_SystemProfile_timestamp.json" --upsert` 40 | 41 | ## See Also 42 | - [ATA architecture](ata-architecture.md) 43 | - [ATA prerequisites](ata-prerequisites.md) 44 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 45 | 46 | -------------------------------------------------------------------------------- /ATADocs/ata-database-management.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Advanced Threat Analytics Database Management 5 | description: Procedures to help you move, back up, or restore the ATA database. 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 05e49e23-6e0a-4ec0-9a63-a2093173c8a1 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # ATA Database Management 28 | 29 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 30 | 31 | If you need to move, back up, or restore the ATA database, use these procedures for working with MongoDB. 32 | 33 | ## Backing up the ATA database 34 | 35 | Refer to the [relevant MongoDB documentation](https://www.mongodb.com/docs/manual/core/backups/). 36 | 37 | ## Restoring the ATA database 38 | 39 | Refer to the [relevant MongoDB documentation](https://www.mongodb.com/docs/manual/core/backups/). 40 | 41 | ## Moving the ATA database to another drive 42 | 43 | 1. Stop the **Microsoft Advanced Threat Analytics Center** service. 44 | > [!Important] 45 | > Make sure the ATA Center service has stopped before moving on to the next step. 46 | 47 | 1. Stop the **MongoDB** service. 48 | 49 | 1. 
Open the Mongo configuration file located by default at: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\mongod.cfg. 50 | 51 | Find the parameter `storage: dbPath` 52 | 53 | 1. Move the folder listed in the `dbPath` parameter to the new location. 54 | 55 | 1. Change the `dbPath` parameter inside the mongo configuration file to the new folder path and save and close the file. 56 | 57 | ![Modify MongoDB configuration image.](media/ATA-mongoDB-moveDB.png) 58 | 59 | 1. Start the **MongoDB** service. 60 | 61 | 1. Start the **Microsoft Advanced Threat Analytics Center** service. 62 | 63 | ## See Also 64 | 65 | - [ATA architecture](ata-architecture.md) 66 | - [ATA prerequisites](ata-prerequisites.md) 67 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 68 | -------------------------------------------------------------------------------- /ATADocs/ata-health-center.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Monitor Advanced Threat Analytics System Health and Events 5 | description: Use the ATA Health Center to check how the ATA service is working and be alerted to potential problems and view system events in the Event viewer. 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: d6c783b2-46c5-4211-b21a-d6b17f08d03d 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | #ms.tgt_pltfrm: 21 | #ms.custom: 22 | 23 | --- 24 | 25 | # Working with ATA system health and events 26 | 27 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 28 | 29 | ## ATA Health Center 30 | 31 | The ATA Health Center lets you know how your ATA service is performing and alerts you to problems. 
32 | 33 | ## Working with the ATA Health Center 34 | 35 | The ATA Health Center lets you know that there's a problem by raising an alert (a red dot) above the Health Center icon in the menu bar. 36 | 37 | ![ATA Health Center red dot toolbar.](media/ATA-Health-Center-Alert-red-dot.png) 38 | 39 | ### Managing ATA health 40 | 41 | To check up on your system's overall health, select the Health Center icon in the menu bar ![ATA Health Center icon.](media/ATA-red-dot.png) 42 | 43 | - All open alerts can be managed by setting them to **Close**, **Suppress**, or **Delete** by selecting the three dots in the corner of the alert and making your selection. 44 | 45 | - **Open**: All new suspicious activities appear in this list. 46 | 47 | - **Close**: Is used to track suspicious activities that you identified, researched, and fixed or mitigated. 48 | 49 | > [!NOTE] 50 | > ATA may reopen a closed activity if the same activity is detected again within a short period of time. 51 | 52 | - **Suppress**: Suppressing an activity means you want to ignore it for now, and only be alerted again if there's a new instance. If a similar alert occurs, ATA doesn't reopen it. But if the alert stops for seven days, and is then seen again, you are alerted again. 53 | 54 | - **Delete**: Deleting an alert is permanent: it is removed from the system and from the database, and you will NOT be able to restore it. Export or otherwise record anything you may need for a later investigation before you delete. After you select delete, you'll also be offered the option to delete all suspicious activities of the same type. 
55 | 56 | ![ATA Health Center issues image.](media/ATA-Health-Issue.JPG) 57 | 58 | ## See Also 59 | 60 | - [Working with suspicious activities](working-with-suspicious-activities.md) 61 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 62 | -------------------------------------------------------------------------------- /ATADocs/ata-role-groups.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Advanced Threat Analytics role groups for access management 5 | description: Walks you through working with ATA role groups. 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 3715b69e-e631-449b-9aed-144d0f9bcee7 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # ATA Role Groups 28 | 29 | 30 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 31 | 32 | Role groups enable access management for ATA. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to perform their jobs. This article explains access management and ATA role authorization, and helps you get up and running with role groups in ATA. 33 | 34 | > [!NOTE] 35 | > Any local administrator on the ATA Center is automatically a Microsoft Advanced Threat Analytics Administrator. Membership in the local Administrators group on the ATA Center therefore grants full ATA administration regardless of ATA role group membership, so keep that group to the minimum set of accounts and review it together with the ATA role groups. 36 | 37 | ## Types of ATA Role Groups 38 | 39 | ATA introduces three types of Role group: ATA Administrators, ATA Users, and ATA Viewers. The following table describes the type of access in ATA available per role. 
Depending on which role you assign, various screens and menu options in ATA are not available, as follows: 40 | 41 | |Activity |Microsoft Advanced Threat Analytics Administrators|Microsoft Advanced Threat Analytics Users|Microsoft Advanced Threat Analytics Viewers| 42 | |----|----|----|----| 43 | |Login|Available|Available|Available| 44 | |Provide Input for Suspicious Activities|Available|Available|Not available| 45 | |Change status of Suspicious Activities|Available|Available|Not available| 46 | |Share/Export suspicious activity via email/get link|Available|Available|Not available| 47 | |Change status of Health Alerts|Available|Available|Not available| 48 | |Update ATA Configuration|Available|Not available|Not available| 49 | |Gateway – Add|Available|Not available|Not available| 50 | |Gateway – Delete |Available|Not available|Not available| 51 | |Monitored DC – Add |Available|Not available|Not available| 52 | |Monitored DC – Delete|Available|Not available|Not available| 53 | |View alerts and suspicious activities|Available|Available|Available| 54 | 55 | 56 | When users try to access a page that is not available for their role group, they are redirected to the ATA unauthorized page. 57 | 58 | ## Add / Remove users - ATA Role Groups 59 | 60 | ATA uses local Windows groups as the basis for role groups. The role groups must be managed on the ATA Center server. 61 | To add or remove users, use the **Local Users and Groups** MMC (Lusrmgr.msc). On a domain-joined machine, you can add domain accounts as well as local accounts. Because these are ordinary local groups, anyone who can administer local groups on the ATA Center can change who has access to ATA; treat membership changes as changes to who can view and act on your security monitoring data, and review them accordingly. 62 | 63 | -------------------------------------------------------------------------------- /ATADocs/ata-threats.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: What threats does Advanced Threat Analytics detect? 
5 | description: Lists the threats that Advanced Threat Analytics detects 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 283e7b4e-996a-4491-b7f6-ff06e73790d2 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # What threats does ATA look for? 28 | 29 | 30 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 31 | 32 | ATA provides detection for the following various phases of an advanced attack: reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, and others. These detections are aimed at detecting advanced attacks and insider threats before they cause damage to your organization. 33 | The detection of each phase results in several suspicious activities relevant for the phase in question, where each suspicious activity correlates to different flavors of possible attacks. 34 | These phases in the kill-chain where ATA currently provides detections are highlighted in the following image: 35 | 36 | ![ATA focus on lateral activity in attack kill chain.](media/attack-kill-chain-small.jpg) 37 | 38 | 39 | For more information, see [Working with suspicious activities](working-with-suspicious-activities.md) and the [ATA suspicious activity guide](suspicious-activity-guide.md). 40 | 41 | 42 | ## What's next? 
43 | 44 | - For more information about how ATA fits into your network: [ATA architecture](ata-architecture.md) 45 | 46 | - To get started deploying ATA: [Install ATA](install-ata-step1.md) 47 | 48 | 49 | ## See Also 50 | [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 51 | -------------------------------------------------------------------------------- /ATADocs/ata-update-1.9.1-migration-guide.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Advanced Threat Analytics update to 1.9.1 migration guide 5 | description: Procedure to update ATA to version 1.9.1 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 2946310a-8e4e-48fc-9450-fc9647efeb22 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: ort 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # ATA version 1.9.1 28 | 29 | This article describes issues fixed in Update 1 for Microsoft Advanced Threat Analytics (ATA) version 1.9. The build number of this update is 1.9.7412. 30 | 31 | ## Fixed issues included in this update 32 | 33 | - Possibility of migration failures between ATA version 1.8 to version 1.9 for large databases. 34 | - When using the latest version of the Microsoft Edge browser, and switching users, the browser may hang. 35 | - In some scenarios, the user profile page is missing Directory Data Information. 36 | - When adding a user to the exclusion list for abnormal behavior detection, the exclusion isn't always applied. 37 | - Updated MongoDB database version. 38 | - Inconsistent resync after an upgrade to version 1.9 of all Active Directory entities to ATA. 39 | - Inconsistent exports of suspicious activities to Microsoft Excel. 
Occasional failure with error generation. 40 | 41 | 42 | ## Improvements included in this update 43 | - Changes required for Microsoft Accessibility Standards (MAS) certification. 44 | - Includes additional performance and security fixes. 45 | 46 | ## Get this update 47 | 48 | Updates for Microsoft Advanced Threat Analytics version 1.9 are available from Microsoft Update or by manual download. 49 | 50 | ### Microsoft Update 51 | This update is available on Microsoft Update. For more information about how to use Microsoft Update, see [How to get an update through Windows Update](https://support.microsoft.com/help/3067639). 52 | 53 | ### Manual download 54 | To get the stand-alone package for this update, go to the Microsoft Download Center website: 55 | [Download the ATA 1.9 package now](https://www.microsoft.com/en-us/download/details.aspx?id=56725). Download the package only from the Microsoft Download Center link above, and before installing it confirm that its digital signature is valid and was issued to Microsoft. 56 | 57 | ### Prerequisites 58 | To install this update, you must have ATA version 1.9 (1.9.7312), Update 1 for ATA version 1.8 (1.8.6765), or ATA version 1.8 (1.8.6645) installed. 59 | 60 | ### Restart requirement 61 | Your computer may require a restart after you apply this update. 62 | 63 | ### Update replacement information 64 | This update replaces ATA version 1.9 (1.9.7312). 
65 | 66 | 67 | ## See also 68 | 69 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 70 | - [ATA versions](ata-versions.md) 71 | -------------------------------------------------------------------------------- /ATADocs/bread/toc.yml: -------------------------------------------------------------------------------- 1 | - name: Docs 2 | tocHref: / 3 | topicHref: / 4 | items: 5 | - name: Enterprise Mobility + Security 6 | tocHref: /enterprise-mobility-security/ 7 | topicHref: /enterprise-mobility-security 8 | items: 9 | - name: Advanced Threat Analytics 10 | tocHref: /advanced-threat-analytics/ 11 | topicHref: /advanced-threat-analytics 12 | -------------------------------------------------------------------------------- /ATADocs/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md", 7 | "**/*.yml" 8 | ], 9 | "exclude": [ 10 | "**/obj/**", 11 | "Understand/**", 12 | "DeployUse/**", 13 | "PlanDesign/**", 14 | "Troubleshoot/**", 15 | "**/Token/**", 16 | "**/includes/**" 17 | ] 18 | } 19 | ], 20 | "resource": [ 21 | { 22 | "files": [ 23 | "**/images/**", 24 | "**/*.png", 25 | "**/*.jpg", 26 | "**/*.gif", 27 | "**/*.bmp", 28 | "**/*.html" 29 | ], 30 | "exclude": [ 31 | "**/obj/**", 32 | "_themes/**", 33 | "Understand/**", 34 | "DeployUse/**", 35 | "PlanDesign/**", 36 | "Troubleshoot/**" 37 | ] 38 | } 39 | ], 40 | "dest": "ATADocs", 41 | "template": "docs.html", 42 | "globalMetadata": { 43 | "feedback_system": "Standard", 44 | "feedback_github_repo": "MicrosoftDocs/atadocs", 45 | "feedback_product_url": "https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection", 46 | "layout": "Conceptual", 47 | "breadcrumb_path": "/advanced-threat-analytics/bread/toc.json", 48 | "uhfHeaderId": "MSDocsHeader-M365-IT", 49 | "searchScope": ["ATA"] 50 | }, 51 | "markdownEngineName": 
"markdig" 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /ATADocs/includes/banner.md: -------------------------------------------------------------------------------- 1 | *Applies to: Advanced Threat Analytics version 1.9* 2 | -------------------------------------------------------------------------------- /ATADocs/includes/rebranding.md: -------------------------------------------------------------------------------- 1 | > [!IMPORTANT] 2 | > Threat protection product names from Microsoft are changing. Read more about this and other updates [here](https://www.microsoft.com/security/blog/?p=91813). We'll be updating names in products and in the docs in the near future. 3 | -------------------------------------------------------------------------------- /ATADocs/index.yml: -------------------------------------------------------------------------------- 1 | ### YamlMime:Landing 2 | 3 | title: Advanced Threat Analytics documentation 4 | summary: Protect your enterprise using information from multiple network data-sources to learn the behavior of users and entities in your organization. 5 | 6 | metadata: 7 | title: Advanced Threat Analytics documentation 8 | description: Protect your enterprise using information from multiple network data-sources to learn the behavior of users and entities in your organization. 
9 | services: service 10 | ms.service: advanced-threat-analytics 11 | ms.subservice: ms.subservice 12 | ms.topic: landing-page 13 | ms.collection: M365-security-compliance 14 | author: batamig 15 | ms.author: bagol 16 | ms.date: 10/01/2019 17 | ms.custom: intro-landing-hub 18 | 19 | # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new 20 | 21 | landingContent: 22 | 23 | - title: About Advanced Threat Analytics 24 | linkLists: 25 | - linkListType: overview 26 | links: 27 | - text: What is Advanced Threat Analytics (ATA)? 28 | url: what-is-ata.md 29 | - linkListType: architecture 30 | links: 31 | - text: Advanced Threat Analytics architecture 32 | url: ata-architecture.md 33 | - text: Plan your solution capacity 34 | url: ata-capacity-planning.md 35 | - title: Check out ATA alerts 36 | linkLists: 37 | - linkListType: how-to-guide 38 | links: 39 | - text: Security alerts 40 | url: working-with-suspicious-activities.md 41 | - text: Health alerts 42 | url: ata-health-center.md 43 | - text: Monitor your alerts 44 | url: monitoring-alerts.md 45 | - title: Manage and customize ATA 46 | linkLists: 47 | - linkListType: how-to-guide 48 | links: 49 | - text: Set ATA alerts 50 | url: setting-ata-alerts.md 51 | - text: Tag sensitive accounts 52 | url: tag-sensitive-accounts.md 53 | - text: Lateral Movement Paths (LMPs) 54 | url: use-case-lateral-movement-path.md 55 | - text: Manage telemetry settings 56 | url: manage-telemetry-settings.md 57 | - title: Investigate threats 58 | linkLists: 59 | - linkListType: how-to-guide 60 | links: 61 | - text: Suspicious activity guide 62 | url: suspicious-activity-guide.md 63 | - title: Learn more about ATA 64 | linkLists: 65 | - linkListType: reference 66 | links: 67 | - text: What's new in ATA? 
68 | url: whats-new-version-1.9.md 69 | - text: Frequently asked questions 70 | url: ata-technical-faq.yml 71 | -------------------------------------------------------------------------------- /ATADocs/install-ata-step2.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Install Advanced Threat Analytics - Step 2 5 | description: Step two of installing ATA helps you configure the domain connectivity settings on your ATA Center server 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: e1c5ff41-d989-46cb-aa38-5a3938f03c0f 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # Install ATA - Step 2 28 | 29 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 30 | 31 | > [!div class="step-by-step"] 32 | > [« Step 1](install-ata-step1.md) 33 | > [Step 3 »](install-ata-step3.md) 34 | 35 | ## Step 2: Provide a Username and Password to connect to your Active Directory Forest 36 | 37 | The first time you open the ATA Console, the following screen appears: 38 | 39 | ![ATA welcome stage 1.](media/ATA_1.7-welcome-provide-username.png) 40 | 41 | 1. Enter the following information and click **Save**: 42 | 43 | |Field|Comments| 44 | |---------|------------| 45 | |**Username** (required)|Enter the name of the read-only user, for example: **ATAuser**. Use a dedicated account that has only the read access ATA needs, not a privileged or shared administrative account, because ATA saves these credentials. **Note:** Do **not** use the UPN format for your username.| 46 | |**Password** (required)|Enter the password for the read-only user. The value **Pencil1** is shown here only as an example; use a strong, unique password that is not reused for any other account.| 47 | |**Domain** (required)|Enter the domain for the read-only user, for example, **contoso.com**. **Note:** It is important that you enter the complete FQDN of the domain where the user is located. 
For example, if the user's account is in domain corp.contoso.com, you need to enter `corp.contoso.com` not contoso.com| 48 | 49 | 1. You can click **Test connection** to test connectivity to the domain and check that the credentials supplied provide access. This works if the ATA Center has connectivity to the domain. 50 | 51 | After it is saved, the welcome message in the Console will change to the following message: 52 | ![ATA welcome stage 1 finished.](media/ATA_1.7-welcome-provide-username-finished.png) 53 | 54 | 1. In the Console, click **Download Gateway setup and install the first Gateway** to continue. 55 | 56 | > [!div class="step-by-step"] 57 | > [« Step 1](install-ata-step1.md) 58 | > [Step 3 »](install-ata-step3.md) 59 | 60 | ## See Also 61 | 62 | - [ATA POC deployment guide](/samples/browse/?redirectedfrom=TechNet-Gallery) 63 | - [ATA sizing tool](https://aka.ms/atasizingtool) 64 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 65 | - [Configure event collection](configure-event-collection.md) 66 | - [ATA prerequisites](ata-prerequisites.md) 67 | -------------------------------------------------------------------------------- /ATADocs/install-ata-step3.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Install Advanced Threat Analytics - Step 3 5 | description: Step three of installing ATA helps you download the ATA Gateway setup package. 
6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 7fb024e6-297a-4ad9-b962-481bb75a0ba3 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | #ms.tgt_pltfrm: 21 | #ms.custom: 22 | 23 | --- 24 | 25 | # Install ATA - Step 3 26 | 27 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 28 | 29 | > [!div class="step-by-step"] 30 | > [« Step 2](install-ata-step2.md) 31 | > [Step 4 »](install-ata-step4.md) 32 | 33 | ## Step 3: Download the ATA Gateway setup package 34 | 35 | After configuring the domain connectivity settings, you can download the ATA Gateway setup package. The ATA Gateway can be installed on a dedicated server or on a domain controller. If you install it on a domain controller, it is installed as an ATA Lightweight Gateway. For more information on the ATA Lightweight Gateway, see [ATA Architecture](ata-architecture.md). 36 | 37 | Select **Download Gateway Setup** in the list of steps at the top of the page to go to the **Gateways** page. 38 | 39 | ![ATA gateway configuration settings.](media/ATA_1.7-welcome-download-gateway.PNG) 40 | 41 | > [!NOTE] 42 | > To reach the Gateway configuration screen later, select the **settings icon** (upper right corner) and select **Configuration**, then, under **System**, select **Gateways**. 43 | 44 | 1. Select **Gateway Setup**. 45 | ![Download ATA Gateway Setup.](media/download-gateway-setup.png) 46 | 1. Save the package locally. 47 | 1. Copy the package to the dedicated server or domain controller onto which you are installing the ATA Gateway. Alternatively, you can open the ATA Console from the dedicated server or domain controller and skip this step. 
48 | 49 | The zip file includes the following files: 50 | 51 | - ATA Gateway installer 52 | 53 | - Configuration setting file with the required information to connect to the ATA Center 54 | 55 | > [!div class="step-by-step"] 56 | > [« Step 2](install-ata-step2.md) 57 | > [Step 4 »](install-ata-step4.md) 58 | 59 | ## See also 60 | 61 | - [ATA POC deployment guide](/samples/browse/?redirectedfrom=TechNet-Gallery) 62 | - [ATA sizing tool](https://aka.ms/atasizingtool) 63 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 64 | - [Configure event collection](configure-event-collection.md) 65 | - [ATA prerequisites](ata-prerequisites.md) 66 | -------------------------------------------------------------------------------- /ATADocs/media/150x150.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/150x150.png -------------------------------------------------------------------------------- /ATADocs/media/17update_gatewaybug.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/17update_gatewaybug.png -------------------------------------------------------------------------------- /ATADocs/media/18-install-welcome.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/18-install-welcome.png -------------------------------------------------------------------------------- /ATADocs/media/18-license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/18-license.png 
-------------------------------------------------------------------------------- /ATADocs/media/ATA-Alerts-laguage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Alerts-laguage.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Alerts-syslog-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Alerts-syslog-settings.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Center-Configuration.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Center-Configuration.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Center-Configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Center-Configuration.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Config-GW-Settings.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Config-GW-Settings.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-DNS-Suffix.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-DNS-Suffix.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Domain-Connectivity-User.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Domain-Connectivity-User.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-GW-change-DC-password.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-GW-change-DC-password.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-GW-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-GW-error.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-GW-uninstall-bug.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-GW-uninstall-bug.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Gateway-Configuration.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Gateway-Configuration.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-Gateway-perf-counters.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Gateway-perf-counters.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Gateways-config-0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Gateways-config-0.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Gateways-config-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Gateways-config-1.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Gateways-config-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Gateways-config-2.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Health-Center-Alert-red-dot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Health-Center-Alert-red-dot.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Health-Issue.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Health-Issue.jpg 
-------------------------------------------------------------------------------- /ATADocs/media/ATA-Input.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Input.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Kerberos-background.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Kerberos-background.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-NET-install-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-NET-install-error.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-Notification-icon.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Notification-icon.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-Port-Mirroring-Capture-traffic.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Port-Mirroring-Capture-traffic.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Port-Mirroring-Capture.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Port-Mirroring-Capture.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Port-Mirroring-filter-settings.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Port-Mirroring-filter-settings.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Sample-Deployment.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Sample-Deployment.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-Suspicious-Activity-Status-Change.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Suspicious-Activity-Status-Change.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-Suspicious-Activity-Timeline.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Suspicious-Activity-Timeline.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-Unblock.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Unblock.jpg -------------------------------------------------------------------------------- 
/ATADocs/media/ATA-Unresolved-Profile.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-Unresolved-Profile.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-VPN-Subnets.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-VPN-Subnets.JPG -------------------------------------------------------------------------------- /ATADocs/media/ATA-alerts-verbosity-language.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-alerts-verbosity-language.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-alerts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-alerts.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-architecture-topology.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-architecture-topology.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-center-fullpartial.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-center-fullpartial.png 
-------------------------------------------------------------------------------- /ATADocs/media/ATA-center-outdated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-center-outdated.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-change-console-IP.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-change-console-IP.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-chge-IP-after-clicking-save.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-chge-IP-after-clicking-save.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-console-change-IP-bindings.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-console-change-IP-bindings.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-console-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-console-search.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-edit-site-binding.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-edit-site-binding.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-email-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-email-server.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-enable-WEF-gw-forwarded-event-log-location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-enable-WEF-gw-forwarded-event-log-location.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-enable-siem-forward-events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-enable-siem-forward-events.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-full-gateway-install-selected.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-full-gateway-install-selected.PNG -------------------------------------------------------------------------------- /ATADocs/media/ATA-gw-updated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-gw-updated.png -------------------------------------------------------------------------------- 
/ATADocs/media/ATA-honeytoken.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-honeytoken.PNG -------------------------------------------------------------------------------- /ATADocs/media/ATA-lightweight-gateway-install-selected.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-lightweight-gateway-install-selected.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-log-in-screen.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-log-in-screen.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-log-in-screen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-log-in-screen.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-mini-profile.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-mini-profile.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-mongoDB-moveDB.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-mongoDB-moveDB.png 
-------------------------------------------------------------------------------- /ATADocs/media/ATA-notification-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-notification-settings.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-performance-counters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-performance-counters.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-performance-monitoring-add-counters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-performance-monitoring-add-counters.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-red-dot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-red-dot.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-server-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-server-icon.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-settings-icon.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-settings-icon.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-syslog-notification-settings-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-syslog-notification-settings-1.7.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-syslog-server-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-syslog-server-settings.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-1.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-12.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-14.png -------------------------------------------------------------------------------- 
/ATADocs/media/ATA-traffic-estimation-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-2.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-3.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-5.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-estimation-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-estimation-7.png -------------------------------------------------------------------------------- /ATADocs/media/ATA-traffic-flow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-traffic-flow.jpg -------------------------------------------------------------------------------- /ATADocs/media/ATA-uninstall-center-bug.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA-uninstall-center-bug.jpg 
-------------------------------------------------------------------------------- /ATADocs/media/ATACenterSettings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATACenterSettings.png -------------------------------------------------------------------------------- /ATADocs/media/ATAGWDomainController.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATAGWDomainController.png -------------------------------------------------------------------------------- /ATADocs/media/ATA_1.7-welcome-download-gateway.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA_1.7-welcome-download-gateway.png -------------------------------------------------------------------------------- /ATADocs/media/ATA_1.7-welcome-provide-username-finished.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA_1.7-welcome-provide-username-finished.png -------------------------------------------------------------------------------- /ATADocs/media/ATA_1.7-welcome-provide-username.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA_1.7-welcome-provide-username.png -------------------------------------------------------------------------------- /ATADocs/media/ATA_center_fullpartial.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA_center_fullpartial.png -------------------------------------------------------------------------------- /ATADocs/media/ATA_center_outdated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATA_center_outdated.png -------------------------------------------------------------------------------- /ATADocs/media/ATAupdateWorkaround.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ATAupdateWorkaround.png -------------------------------------------------------------------------------- /ATADocs/media/AzureWebsiteIcons-install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/AzureWebsiteIcons-install.png -------------------------------------------------------------------------------- /ATADocs/media/AzureWebsiteIcons-manage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/AzureWebsiteIcons-manage.png -------------------------------------------------------------------------------- /ATADocs/media/AzureWebsiteIcons-what-is-ata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/AzureWebsiteIcons-what-is-ata.png -------------------------------------------------------------------------------- /ATADocs/media/abnormal-behavior-sa.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/abnormal-behavior-sa.png -------------------------------------------------------------------------------- /ATADocs/media/access-computer-from-network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/access-computer-from-network.png -------------------------------------------------------------------------------- /ATADocs/media/add-service-account.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/add-service-account.png -------------------------------------------------------------------------------- /ATADocs/media/asc-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/asc-icon.png -------------------------------------------------------------------------------- /ATADocs/media/ata-center-cert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-center-cert.png -------------------------------------------------------------------------------- /ATADocs/media/ata-config-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-config-icon.png -------------------------------------------------------------------------------- 
/ATADocs/media/ata-detection-settings-exclusions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-detection-settings-exclusions.png -------------------------------------------------------------------------------- /ATADocs/media/ata-detection-settings-honeytoken-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-detection-settings-honeytoken-1.7.png -------------------------------------------------------------------------------- /ATADocs/media/ata-detection-settings-honeytoken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-detection-settings-honeytoken.png -------------------------------------------------------------------------------- /ATADocs/media/ata-email-server-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-email-server-1.7.png -------------------------------------------------------------------------------- /ATADocs/media/ata-gw-config-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-gw-config-1.png -------------------------------------------------------------------------------- /ATADocs/media/ata-gw-configure.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-gw-configure.png -------------------------------------------------------------------------------- /ATADocs/media/ata-gw-install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-gw-install.png -------------------------------------------------------------------------------- /ATADocs/media/ata-install-credentials.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-install-credentials.png -------------------------------------------------------------------------------- /ATADocs/media/ata-install-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-install-error.png -------------------------------------------------------------------------------- /ATADocs/media/ata-mail-notification-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-mail-notification-settings.png -------------------------------------------------------------------------------- /ATADocs/media/ata-net-framework-restart.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-net-framework-restart.png -------------------------------------------------------------------------------- /ATADocs/media/ata-netframework-restart.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-netframework-restart.png -------------------------------------------------------------------------------- /ATADocs/media/ata-report-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-report-icon.png -------------------------------------------------------------------------------- /ATADocs/media/ata-sched-reports.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-sched-reports.png -------------------------------------------------------------------------------- /ATADocs/media/ata-syslog-server-settings-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-syslog-server-settings-1.7.png -------------------------------------------------------------------------------- /ATADocs/media/ata-update-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata-update-error.png -------------------------------------------------------------------------------- /ATADocs/media/ataGW-not-synced.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ataGW-not-synced.png -------------------------------------------------------------------------------- 
/ATADocs/media/ata_failed_readinesschecks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata_failed_readinesschecks.png -------------------------------------------------------------------------------- /ATADocs/media/ata_install_readinesschecks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata_install_readinesschecks.png -------------------------------------------------------------------------------- /ATADocs/media/ata_installupdatesautomatically.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata_installupdatesautomatically.png -------------------------------------------------------------------------------- /ATADocs/media/ata_ms_update.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/ata_ms_update.png -------------------------------------------------------------------------------- /ATADocs/media/attack-kill-chain-small.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/attack-kill-chain-small.jpg -------------------------------------------------------------------------------- /ATADocs/media/attack-timeline-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/attack-timeline-1.7.png 
-------------------------------------------------------------------------------- /ATADocs/media/attack-timeline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/attack-timeline.png -------------------------------------------------------------------------------- /ATADocs/media/broken-trust-sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/broken-trust-sa.png -------------------------------------------------------------------------------- /ATADocs/media/capacity-tool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/capacity-tool.png -------------------------------------------------------------------------------- /ATADocs/media/center-activation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/center-activation.png -------------------------------------------------------------------------------- /ATADocs/media/change-center-config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/change-center-config.png -------------------------------------------------------------------------------- /ATADocs/media/computer-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/computer-profile.png 
-------------------------------------------------------------------------------- /ATADocs/media/config-menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/config-menu.png -------------------------------------------------------------------------------- /ATADocs/media/disaster-recovery-deploymentss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/disaster-recovery-deploymentss.png -------------------------------------------------------------------------------- /ATADocs/media/dns-recon-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/dns-recon-diagram.png -------------------------------------------------------------------------------- /ATADocs/media/dns-recon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/dns-recon.png -------------------------------------------------------------------------------- /ATADocs/media/download-gateway-setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/download-gateway-setup.png -------------------------------------------------------------------------------- /ATADocs/media/entity-computer.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/entity-computer.png -------------------------------------------------------------------------------- /ATADocs/media/entity-menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/entity-menu.png -------------------------------------------------------------------------------- /ATADocs/media/entity-tags.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/entity-tags.png -------------------------------------------------------------------------------- /ATADocs/media/event-id-location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/event-id-location.png -------------------------------------------------------------------------------- /ATADocs/media/exclude-in-sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/exclude-in-sa.png -------------------------------------------------------------------------------- /ATADocs/media/exclusions-config-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/exclusions-config-page.png -------------------------------------------------------------------------------- /ATADocs/media/exclusions.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/exclusions.png -------------------------------------------------------------------------------- /ATADocs/media/forged-pac-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/forged-pac-diagram.png -------------------------------------------------------------------------------- /ATADocs/media/forged-pac-sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/forged-pac-sa.png -------------------------------------------------------------------------------- /ATADocs/media/forged-pac.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/forged-pac.png -------------------------------------------------------------------------------- /ATADocs/media/gateway-core-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/gateway-core-error.png -------------------------------------------------------------------------------- /ATADocs/media/health-center.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/health-center.png -------------------------------------------------------------------------------- /ATADocs/media/honeytoken.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/honeytoken.png -------------------------------------------------------------------------------- /ATADocs/media/lateral-movement-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/lateral-movement-icon.png -------------------------------------------------------------------------------- /ATADocs/media/migration-18-start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-18-start.png -------------------------------------------------------------------------------- /ATADocs/media/migration-center-success.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-center-success.png -------------------------------------------------------------------------------- /ATADocs/media/migration-center-success17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-center-success17.png -------------------------------------------------------------------------------- /ATADocs/media/migration-data-migration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-data-migration.png -------------------------------------------------------------------------------- /ATADocs/media/migration-data-migration17.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-data-migration17.png -------------------------------------------------------------------------------- /ATADocs/media/migration-update-gw-17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-update-gw-17.png -------------------------------------------------------------------------------- /ATADocs/media/migration-update-gw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migration-update-gw.png -------------------------------------------------------------------------------- /ATADocs/media/migrationerror.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/migrationerror.png -------------------------------------------------------------------------------- /ATADocs/media/netinstallerror.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/netinstallerror.png -------------------------------------------------------------------------------- /ATADocs/media/notification-bar-1.7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/notification-bar-1.7.png -------------------------------------------------------------------------------- 
/ATADocs/media/notification-bar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/notification-bar.png -------------------------------------------------------------------------------- /ATADocs/media/partial-migration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/partial-migration.png -------------------------------------------------------------------------------- /ATADocs/media/pass_the_ticket_sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/pass_the_ticket_sa.png -------------------------------------------------------------------------------- /ATADocs/media/paths-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/paths-icon.png -------------------------------------------------------------------------------- /ATADocs/media/radius-setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/radius-setup.png -------------------------------------------------------------------------------- /ATADocs/media/reports.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/reports.png -------------------------------------------------------------------------------- /ATADocs/media/sa-actions.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sa-actions.png -------------------------------------------------------------------------------- /ATADocs/media/sample screen abnormal behavior.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sample screen abnormal behavior.png -------------------------------------------------------------------------------- /ATADocs/media/sample screen broken trust.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sample screen broken trust.png -------------------------------------------------------------------------------- /ATADocs/media/sample-screen-malicious-replication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sample-screen-malicious-replication.png -------------------------------------------------------------------------------- /ATADocs/media/samr-add-service.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/samr-add-service.png -------------------------------------------------------------------------------- /ATADocs/media/samr-policy-location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/samr-policy-location.png 
-------------------------------------------------------------------------------- /ATADocs/media/sched-report1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sched-report1.png -------------------------------------------------------------------------------- /ATADocs/media/sensitive-account-sample.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/sensitive-account-sample.png -------------------------------------------------------------------------------- /ATADocs/media/uninstall-ata15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/uninstall-ata15.png -------------------------------------------------------------------------------- /ATADocs/media/upgrade-path-ata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/upgrade-path-ata.png -------------------------------------------------------------------------------- /ATADocs/media/user-profile-activities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/user-profile-activities.png -------------------------------------------------------------------------------- /ATADocs/media/user-profile-dir-data.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/user-profile-dir-data.png -------------------------------------------------------------------------------- /ATADocs/media/user-profile-lateral-movement-paths.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/user-profile-lateral-movement-paths.png -------------------------------------------------------------------------------- /ATADocs/media/user-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/user-profile.png -------------------------------------------------------------------------------- /ATADocs/media/versions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/versions.png -------------------------------------------------------------------------------- /ATADocs/media/vpn-set-accounting.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/vpn-set-accounting.png -------------------------------------------------------------------------------- /ATADocs/media/vpn-user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/vpn-user.png -------------------------------------------------------------------------------- /ATADocs/media/vpn.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/vpn.png -------------------------------------------------------------------------------- /ATADocs/media/wef-1-local-group-policy-editor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef-1-local-group-policy-editor.png -------------------------------------------------------------------------------- /ATADocs/media/wef-2-config-target-sub-manager.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef-2-config-target-sub-manager.png -------------------------------------------------------------------------------- /ATADocs/media/wef-3-event-viewer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef-3-event-viewer.png -------------------------------------------------------------------------------- /ATADocs/media/wef-4-query-filter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef-4-query-filter.png -------------------------------------------------------------------------------- /ATADocs/media/wef-5-sub-properties-computers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef-5-sub-properties-computers.png -------------------------------------------------------------------------------- /ATADocs/media/wef_4776.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef_4776.png -------------------------------------------------------------------------------- /ATADocs/media/wef_ad-event-log-reader-popup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef_ad-event-log-reader-popup.png -------------------------------------------------------------------------------- /ATADocs/media/wef_http.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef_http.png -------------------------------------------------------------------------------- /ATADocs/media/wef_subscription-prop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATADocs/media/wef_subscription-prop.png -------------------------------------------------------------------------------- /ATADocs/modifying-ata-config-dcpassword.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Change Advanced Threat Analytics config - domain connectivity password 5 | description: Describes how to change the Domain Connectivity Password on the ATA Gateway. 
6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 4a25561b-a5ed-44aa-9b72-366976b3c72a 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # Change ATA configuration - domain connectivity password 28 | 29 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 30 | 31 | ## Change the domain connectivity password 32 | 33 | If you modify the Domain Connectivity Password, make sure that the password you enter is correct. If it is not, the ATA Gateway service stops running on the ATA Gateways. 34 | 35 | If you suspect that this happened, on the ATA Gateway, look at the Microsoft.Tri.Gateway-Errors.log file for the following errors: 36 | `The supplied credential is invalid.` 37 | 38 | To correct this, follow this procedure to update the Domain Connectivity password on the ATA Center: 39 | 40 | 1. Open the ATA Console on the ATA Center. 41 | 42 | 1. Select the settings option on the toolbar and select **Configuration**. 43 | 44 | ![ATA configuration settings icon.](media/ATA-config-icon.png) 45 | 46 | 1. Select **Directory Services**. 47 | 48 | ![ATA Gateway change password image.](media/ATA-GW-change-DC-password.png) 49 | 50 | 1. Under **Password**, change the password. 51 | 52 | If the ATA Center has connectivity to the domain, use the **Test Connection** button to validate the credentials 53 | 54 | 1. Click **Save**. 55 | 56 | 1. After changing the password, manually check that the ATA Gateway service is running on the ATA Gateway servers. 
57 | 58 | 59 | 60 | ## See Also 61 | - [Working with the ATA Console](working-with-ata-console.md) 62 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 63 | -------------------------------------------------------------------------------- /ATADocs/tag-sensitive-accounts.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Tag sensitive accounts with ATA 5 | description: Describes how to tag sensitive accounts using Advanced Threat Analytics (ATA) 6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 40a1c5c4-b8d6-477c-8ae5-562b37661624 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # Tag sensitive accounts 28 | 29 | 30 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 31 | 32 | You can manually tag groups or accounts as sensitive to enhance detections. It is important to make sure this is updated because some ATA detections, such as sensitive group modification detection and lateral movement path, rely on which groups and accounts are considered sensitive. Previously, ATA automatically considered an entity *sensitive* if it was a member of a specific list of groups. You can now manually tag other users or groups as sensitive, such as board members, company executives, director of sales, etc., and ATA will consider them sensitive. 33 | 34 | 1. In the ATA console, click the **Configuration** cog in the menu bar. 35 | 36 | 1. Under **Detection,** click **Entity tags**. 37 | 38 | ![ATA entity tags.](media/entity-tags.png) 39 | 40 | 1. 
In the **Sensitive** section, type the names of the **Sensitive accounts** and **Sensitive groups**, and then click the **+** sign to add them.
6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 1d186a96-ef70-4787-aa64-c03d1db94ce0 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | 27 | # Working with ATA audit logs 28 | 29 | 30 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 31 | 32 | The ATA audit logs are kept in the Windows Event Logs under **Applications and Services** and then **Microsoft ATA** both on the ATA Center and ATA Gateway machines. 33 | 34 | The ATA Center audit log contains: 35 | - Suspicious activity information 36 | - Health alerts (health page) 37 | - ATA Console logins 38 | - All configuration changes* 39 | 40 | The ATA Gateway audit log contains: 41 | - Gateway configuration changes* 42 | 43 | (All ATA Gateway configuration changes are configured on the ATA Center but are still audited on the Gateway machine itself.) 44 | 45 | *The configuration change audit log contains both the previous configuration and the new configuration. 46 | 47 | 48 | ## See Also 49 | - [Working with suspicious activities](working-with-suspicious-activities.md) 50 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 51 | -------------------------------------------------------------------------------- /ATADocs/upgrade-path.md: -------------------------------------------------------------------------------- 1 | --- 2 | # required metadata 3 | 4 | title: Advanced Threat Analytics recommended upgrade path 5 | description: Provides instructions for upgrading your Advanced Threat Analytics (ATA) version. 
6 | keywords: 7 | author: batamig 8 | ms.author: bagol 9 | manager: raynew 10 | ms.date: 01/10/2023 11 | ms.topic: conceptual 12 | ms.service: advanced-threat-analytics 13 | ms.assetid: 88720401-1fb2-4353-ad39-32bc0088f0de 14 | 15 | # optional metadata 16 | 17 | #ROBOTS: 18 | #audience: 19 | #ms.devlang: 20 | ms.reviewer: bennyl 21 | ms.suite: ems 22 | #ms.tgt_pltfrm: 23 | #ms.custom: 24 | 25 | --- 26 | # Recommended upgrade path for ATA 27 | 28 | [!INCLUDE [Banner for top of topics](includes/banner.md)] 29 | 30 | This article provides information about available Advanced Threat Analytics versions and how to upgrade ATA depending on which version you have running. 31 | 32 | ## ATA versions 33 | 34 | |Version|Build #| 35 | |----|----| 36 | |1.6|1.6.4103| 37 | |1.6 Update 1|1.6.4317| 38 | |1.7|1.7.5402| 39 | |1.7 Update 1|1.7.5647| 40 | |1.7 Update 2|1.7.5757| 41 | |1.8|1.8.6645| 42 | |1.8 Update 1|1.8.6765| 43 | |1.9|1.9.7312| 44 | |1.9 Update 1|1.9.7412| 45 | |1.9 Update 2|1.9.7478| 46 | |1.9 Update 3|1.9.7576| 47 | 48 | ## Upgrade paths 49 | 50 | Refer to the upgrade path diagram to determine the correct upgrade path for your current installation. 
51 | 52 | ![ATA version upgrade path.](media/upgrade-path-ata.png) 53 | 54 | ## See Also 55 | 56 | - [ATA prerequisites](ata-prerequisites.md) 57 | - [ATA capacity planning](ata-capacity-planning.md) 58 | - [Configure event collection](configure-event-collection.md) 59 | - [Configuring Windows event forwarding](configure-event-collection.md) 60 | - [Check out the ATA forum!](https://social.technet.microsoft.com/Forums/security/home?forum=mata) 61 | -------------------------------------------------------------------------------- /ATPDocs/accounts-with-non-default-pgid.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Accounts with non-default Primary Group ID' 7 | description: This recommendation lists all computers and users accounts whose primaryGroupId (PGID) attribute is not the default for domain users and computers in Active Directory.  8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security Assessment: Accounts with non-default Primary Group ID 16 | 17 | 18 | This recommendation lists all computers and users accounts whose primaryGroupId (PGID) attribute is not the default for domain users and computers in Active Directory.  19 | 20 | ## Organization risk 21 | 22 | The primaryGroupId attribute of a user or computer account grants implicit membership to a group. Membership through this attribute does not appear in the list of group members in some interfaces. This attribute may be used as an attempt to hide group membership. 
It might be a stealthy way for an attacker to escalate privileges without triggering normal auditing for group membership changes.  23 | 24 | ## Remediation steps 25 | 26 | 1. Review the list of exposed entities to discover which of your accounts have a suspicious primaryGroupId.   27 | 28 | 1. Take appropriate action on those accounts by resetting their attribute to their default values or adding the member to the relevant group:   29 | 30 | - User accounts: 513 (Domain Users) or 514 (Domain Guests);   31 | 32 | - Computer accounts: 515 (Domain Computers);   33 | 34 | - Domain controller accounts: 516 (Domain Controllers);   35 | 36 | - Read-only domain controller (RODC) accounts: 521 (Read-only Domain Controllers). 37 | 38 | 39 | ## Next steps 40 | 41 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 42 | 43 | -------------------------------------------------------------------------------- /ATPDocs/automated-response-exclusions.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Automated response exclusions 3 | description: Learn how to configure Microsoft Defender for Identity automated response exclusions in Microsoft Defender XDR. 4 | ms.date: 02/16/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Configure Defender for Identity automated response exclusions 9 | 10 | > [!NOTE] 11 | > The experience described in this page can be accessed at as part of Microsoft Defender XDR. 12 | 13 | This article explains how to configure [Microsoft Defender for Identity](/defender-for-identity) automated response exclusions in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). 
14 | 15 | Microsoft Defender for Identity enables the exclusion of Active Directory accounts from automated response actions, used in [Automatic Attack Disruption](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/what-s-new-in-xdr-at-microsoft-ignite/ba-p/3648872). Automated response exclusions do not apply to responses triggered by Custom Detections. 16 | 17 | For example, an incident involving Attack Disruption, where response actions are taken automatically, wouldn't disable a specified excluded account. This could be used, for example, to exclude sensitive accounts from automated actions. 18 | 19 | ## How to add automated response exclusions 20 | 21 | 1. In [Microsoft Defender XDR](https://security.microsoft.com/), go to **Settings** and then **Identities**. 22 | 23 | ![Go to Settings, then Identities.](media/settings-identities.png) 24 | 25 | 1. You'll then see **Automated response exclusions** in the left-hand menu. 26 | 27 | ![Automated response exclusions.](media/automated-response-exclusions.png) 28 | 29 | 1. To exclude specific users, select **Exclude Users**. 30 | 31 | :::image type="content" source="media/exclude-users.png" alt-text="Exclude specific users."::: 32 | 33 | 1. Search for the users to exclude and select the **Exclude Users** button. 34 | 35 | :::image type="content" source="media/exclude-specific-users.png" alt-text="Choose which users to exclude."::: 36 | 37 | 1. To remove excluded users, select the relevant users from the list and select the **Remove** button. 
38 | 39 | :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users."::: 40 | 41 | ## See also 42 | 43 | - [Configure event collection](deploy/configure-event-collection.md) 44 | - [Check out the Defender for Identity forum!]() 45 | -------------------------------------------------------------------------------- /ATPDocs/bread/toc.yml: -------------------------------------------------------------------------------- 1 | - name: Microsoft Defender for Identity 2 | tocHref: /defender-for-identity/ 3 | topicHref: /defender-for-identity/index 4 | items: 5 | - name: Microsoft Defender for Identity 6 | tocHref: /microsoft-365/security/defender/ 7 | topicHref: /defender-for-identity/index 8 | -------------------------------------------------------------------------------- /ATPDocs/built-in-active-directory-guest-account-is-enabled.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Built-in Active Directory Guest account is enabled' 7 | description: 'This recommendation indicates whether an AD Guest account is enabled in your environment. The goal is to ensure that the Guest account of the domain is not enabled. ' 8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security Assessment: Built-in Active Directory Guest account is enabled 16 | 17 | This recommendation indicates whether an AD Guest account is enabled in your environment. 18 | The goal is to **ensure** that the Guest account of the domain is **not enabled**.  
19 | 20 | ## Organization risk 21 | 22 | The on-premises Guest account is a built-in, non-nominative account that allows anonymous access to Active Directory. Enabling this account permits access to the domain without requiring a password, potentially posing a security threat. 23 | 24 | ## Remediation steps 25 | 26 | 1. Review the list of exposed entities to discover if there is a Guest account which is enabled.   27 | 28 | 1. Take appropriate action on those accounts by **disabling** the account. 29 | 30 | For example: 31 | 32 | ![Screenshot showing guest account in AD.](media/built-in-active-directory-guest-account-is-enabled/guest-account.png) 33 | 34 | ![Screenshot showing security report.](media/built-in-active-directory-guest-account-is-enabled/security-report.png) 35 | 36 | ## Next steps 37 | 38 | [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 39 | 40 | -------------------------------------------------------------------------------- /ATPDocs/change-password-domain-administrator-account.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Change password of built-in domain Administrator account' 7 | description: This recommendation lists any built-in domain Administrator accounts within your environment with password last set over 180 days ago.  
8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security assessment: Change password of built-in domain Administrator account 16 | 17 | This recommendation lists any built-in domain Administrator accounts within your environment with password last set over 180 days ago.  18 | 19 | ## Organization risk 20 | 21 | The built-in domain Administrator account is a default, highly privileged AD account with full control over the domain. It cannot be deleted, has unrestricted access, and is critical for managing the domain's resources. 22 | 23 | Regularly updating the built-in Administrator account's password is essential due to its high privileges, which make it a prime target for attackers. If compromised, it can grant unauthorized control over the domain. Since this account is often unused and its password may not be updated frequently, regular changes reduce exposure and enhance security.  24 | 25 | ## Remediation steps 26 | 27 | 1. Review the list of exposed entities to discover which of your built-in domain Administrator accounts have an old password.   28 | 29 | 1. Take appropriate action on those accounts by resetting their password.   
30 | 31 | For example: 32 | 33 | ![Screenshot showing the report on the portal.](media/change-password-domain-administrator-account/screenshot-of-report.png) 34 | 35 | ## Next steps 36 | 37 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 38 | 39 | -------------------------------------------------------------------------------- /ATPDocs/change-password-krbtgt-account.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Change password for krbtgt account' 7 | description: This recommendation lists any krbtgt account within your environment with password last set over 180 days ago. 8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/06/2024 13 | --- 14 | 15 | # Security Assessment: Change password for krbtgt account 16 | 17 | This recommendation lists any krbtgt account within your environment with password last set over 180 days ago. 18 | 19 | ## Organization risk 20 | 21 | The krbtgt account in Active Directory is a built-in account used by the Kerberos authentication service. It encrypts and signs all Kerberos tickets, enabling secure authentication within the domain. The account cannot be deleted, and securing it is crucial, as compromise could allow attackers to forge authentication tickets. 22 | If the KRBTGT account's password is compromised, an attacker can use its hash to generate valid Kerberos authentication tickets, allowing them to perform Golden Ticket attacks and gain access to any resource in the AD domain. 
Since every TGT in the domain is encrypted with the krbtgt key, closely monitoring and regularly changing this password is essential to mitigating the risk of such attacks. 23 | 24 | ## Remediation steps 25 | 26 | 1. Review the list of exposed entities to discover which of your krbtgt accounts have an old password. In a domain with read-only domain controllers, each RODC has its own `krbtgt_<number>` account, so more than one account can appear. 27 | 28 | 1. Take appropriate action on those accounts by resetting their password **twice**. The KDC keeps the current and the previous krbtgt key and accepts tickets encrypted with either, so a single reset leaves forged tickets valid; only the second reset fully invalidates them. Wait for the first reset to replicate to all domain controllers — and, outside of an active incident, for outstanding TGTs to expire (10 hours by default) — before performing the second reset. Two resets in quick succession can cause domain-wide authentication failures. 29 | 30 | > [!NOTE] 31 | > Every Kerberos Key Distribution Center (KDC) in the domain holds the krbtgt account's keys. To renew the keys used to encrypt TGTs, periodically change the krbtgt account password. It's recommended to use the [Microsoft-provided script](https://github.com/microsoft/New-KrbtgtKeys.ps1), which is designed to perform the reset safely across all domain controllers. 32 | ## Next steps
For example: 17 | 18 | [![Screenshot of the Sensors tab.](../media//sensor-page.png)](../media/sensor-page.png#lightbox) 19 | 20 | 1. Select **Add sensor**. Then, in the **Add a new sensor** pane, select **Download installer** and save the installation package locally. The downloaded zip file includes the following files: 21 | 22 | - The Defender for Identity sensor installer 23 | 24 | - The configuration setting file with the required information to connect to the Defender for Identity cloud service 25 | 26 | - [Npcap OEM version 1.0](https://npcap.com/), which is automatically installed by the sensor installation if it's not found to be already installed 27 | 28 | 1. In the **Add a new sensor** pane, copy the **Access key** value and save it to a secured location. This access key is a one-time password for use when deploying the sensor, after which communication is performed using certificates for authentication and TLS encryption. 29 | 30 | > [!TIP] 31 | > It is recommended to regenerate the access key using the **Regenerate key** button on a regular basis. It won't affect any previously deployed sensors, because it's only used for initial registration of the sensor. 32 | 33 | 1. Copy the downloaded installation package to the dedicated server or domain controller where you're installing the Defender for Identity sensor. 
34 | 35 | ## Next step 36 | 37 | > [!div class="step-by-step"] 38 | > [Install the Microsoft Defender for Identity sensor »](install-sensor.md) 39 | -------------------------------------------------------------------------------- /ATPDocs/deploy/media/configure-windows-event-collection/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/deploy/media/configure-windows-event-collection/image.png -------------------------------------------------------------------------------- /ATPDocs/docfx.json: -------------------------------------------------------------------------------- 1 | { 2 | "build": { 3 | "content": [ 4 | { 5 | "files": [ 6 | "**/*.md", 7 | "**/*.yml" 8 | ], 9 | "exclude": [ 10 | "**/obj/**", 11 | "**/includes/**", 12 | "README.md", 13 | "LICENSE", 14 | "LICENSE-CODE", 15 | "ThirdPartyNotices" 16 | ] 17 | } 18 | ], 19 | "resource": [ 20 | { 21 | "files": [ 22 | "**/*.png", 23 | "**/*.jpg", 24 | "**/*.gif" 25 | ], 26 | "exclude": [ 27 | "**/obj/**", 28 | "**/includes/**" 29 | ] 30 | } 31 | ], 32 | "overwrite": [], 33 | "externalReference": [], 34 | "globalMetadata": { 35 | "feedback_system": "Standard", 36 | "feedback_github_repo": "MicrosoftDocs/atadocs", 37 | "feedback_product_url": "https://aka.ms/MDIcommunity", 38 | "breadcrumb_path": "/azure-advanced-threat-protection/bread/toc.json", 39 | "searchScope": ["Defender for Identity"], 40 | "titleSuffix": "Microsoft Defender for Identity", 41 | "author": "batamig", 42 | "manager": "batamig", 43 | "ms.author": "bagol", 44 | "ms.collection": "M365-security-compliance", 45 | "ms.service": "microsoft-defender-for-identity", 46 | "uhfHeaderId": "MSDocsHeader-MicrosoftDefender", 47 | "ms.suite": "ems" 48 | }, 49 | "fileMetadata": {}, 50 | "template": [], 51 | "dest": "ATPDocs", 52 | "markdownEngineName": "markdig" 53 | } 54 | } 55 | 
-------------------------------------------------------------------------------- /ATPDocs/domain-controller-account-password-change.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Change Domain Controller computer account old password ' 7 | description: This recommendation lists all domain controller’s computer accounts with password last set over 45 days ago. 8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security Assessment: Change Domain Controller computer account old password 16 | 17 | This recommendation lists all domain controller’s computer accounts with password last set over 45 days ago. 18 | 19 | ## Organization risk 20 | 21 | A Domain Controller (DC) is a server in an Active Directory (AD) environment that manages user authentication and authorization, enforces security policies, and stores the AD database. It handles logins, verifies permissions, and ensures secure access to network resources. Multiple DCs provide redundancy for high availability. 22 | Domain Controllers with old passwords are at heightened risk of compromise and could be more easily taken over. Attackers can exploit outdated passwords, gaining prolonged access to critical resources and weakening network security. It could indicate a Domain controller that is no longer functioning in the domain. 23 | 24 | ## Remediation steps 25 | 26 | 1. 
Verify the registry values on the affected domain controller: 27 | 28 | - `HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange` is set to `0` or doesn't exist. A value of `1` stops the domain controller from ever rotating its computer account password. 29 | 30 | - `HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge` is set to `30` (the default, in days). 31 | 32 | 1. Reset incorrect values: 33 | - Reset any incorrect values to their default settings. 34 | - Check Group Policy Objects (GPOs) — in particular the *Domain member: Disable machine account password changes* and *Domain member: Maximum machine account password age* security options — to ensure they don't override these settings. 35 | 36 | 1. If these values are correct, check that the NETLOGON service is running with `sc.exe query netlogon`. 37 | 38 | 1. Validate the secure channel by running `nltest /SC_VERIFY:<DomainName>` (where *DomainName* is the domain's NetBIOS name). The command checks the secure channel status and should display `0 0x0 NERR_Success` for both verifications. If the domain controller is no longer functioning or has been decommissioned, remove it from Active Directory (metadata cleanup) instead of resetting its password. 39 | 40 | > [!TIP] 41 | > For more information about the computer account password process, see the blog post [Machine account password process](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/machine-account-password-process/ba-p/396026).
8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security assessment: GPO assigns unprivileged identities to local groups with elevated privileges 16 | 17 | This recommendation lists non-privileged users who are granted elevated permissions through GPO. 18 | 19 | ### Organization risk 20 | 21 | Using Group Policy Objects (GPOs) to add membership to a local group can create a security risk if the target group has excessive permissions or rights. To mitigate this risk, it's important to identify any local groups, such as local administrators or terminal server access, where Authenticated Users or Everyone is granted access by a GPO.  22 | Attackers may attempt to obtain information on Group Policy settings to uncover vulnerabilities that can be exploited to gain higher levels of access, understand the security measures in place within a domain, and identify patterns in domain objects. This information can be used to plan subsequent attacks, such as identifying potential paths to exploit within the target network or finding opportunities to blend in or manipulate the environment.  23 | 24 | A user, service or application that relies on these local permissions may stop functioning.  25 | 26 | ### Remediation steps 27 | 28 | Carefully review each assigned group membership, identify any dangerous group membership granted, and modify the GPO to remove any unnecessary or excessive user rights.   
## Next steps
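>

```powershell
#Requires -Modules ActiveDirectory

# Declare the identity (user or gMSA sAMAccountName) that should be able to read the Deleted Objects container:
$Identity = 'mdiSvc01'

# If the identity is a gMSA, create a security group, add the gMSA to it, and grant the group instead.
$groupName = 'mdiUsr01Group'
$groupDescription = 'Members of this group are allowed to read the objects in the Deleted Objects container in AD'

# Accept the gMSA name with or without its trailing '$' so the member name below is built exactly once.
$serviceAccountName = $Identity.TrimEnd('$')

# NOTE: -ErrorAction SilentlyContinue also hides lookup failures that are not "not found"
# (for example, no connectivity to a DC); in that case the identity is treated as a user.
if (Get-ADServiceAccount -Identity $serviceAccountName -ErrorAction SilentlyContinue) {
    # Reuse the group if it already exists so the script can be rerun safely.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
    if (-not $group) {
        $groupParams = @{
            Name           = $groupName
            SamAccountName = $groupName
            DisplayName    = $groupName
            GroupCategory  = 'Security'
            GroupScope     = 'Universal'
            Description    = $groupDescription
        }
        $group = New-ADGroup @groupParams -PassThru
    }
    # A gMSA's sAMAccountName ends with '$'.
    Add-ADGroupMember -Identity $group -Members ('{0}$' -f $serviceAccountName)
    $Identity = $group.SamAccountName
}

# Get the deleted objects container's distinguished name:
$distinguishedName = ([adsi]'').distinguishedName.Value
$deletedObjectsDN = 'CN=Deleted Objects,{0}' -f $distinguishedName

# dsacls expects NETBIOS\sAMAccountName. Use the domain's actual NetBIOS name rather than the
# leftmost DNS label of the domain DN, which is not guaranteed to be the same.
$netbiosDomain = (Get-ADDomain).NetBIOSName

# Take ownership on the deleted objects container.
# NOTE: this changes the container's owner to the account running this script and does not
# restore the previous owner; it's needed because the container's default security descriptor
# does not let administrators modify its ACL directly (see the linked article).
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params

# Grant the 'List Contents' (LC) and 'Read Property' (RP) permissions to the user or group:
$params = @("$deletedObjectsDN", '/G', ('{0}\{1}:LCRP' -f $netbiosDomain, $Identity))
C:\Windows\System32\dsacls.exe $params

# To remove the permissions, uncomment the next 2 lines and run them instead of the two prior ones:
# $params = @("$deletedObjectsDN", '/R', ('{0}\{1}' -f $netbiosDomain, $Identity))
# C:\Windows\System32\dsacls.exe $params
```

For more information, see [Changing permissions on a deleted object container](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816824(v=ws.10)).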
57 | -------------------------------------------------------------------------------- /ATPDocs/includes/licenses.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | ms.topic: include 5 | ms.date: 09/26/2023 6 | --- 7 | 8 | - Enterprise Mobility + Security E5 (EMS E5/A5) 9 | - Microsoft 365 E5 (Microsoft E5/A5/G5) 10 | - Microsoft 365 E5/A5/G5/F5[*](#req) Security 11 | - Microsoft 365 F5 Security + Compliance[*](#req) 12 | - A standalone Defender for Identity license 13 | 14 | * Both F5 licenses require Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3. 15 | 16 | Acquire licenses directly via the [Microsoft 365 portal](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) or use the Cloud Solution Partner (CSP) licensing model. 17 | -------------------------------------------------------------------------------- /ATPDocs/includes/server-requirements.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | ms.topic: include 5 | ms.date: 09/26/2023 6 | --- 7 | 8 | Defender for Identity sensors can be installed on the following operating systems: 9 | 10 | - **Windows Server 2016** 11 | - **Windows Server 2019**. Requires [KB4487044](https://support.microsoft.com/topic/february-12-2019-kb4487044-os-build-17763-316-6502eb5d-dde8-6902-e149-27ef359ed616) or a newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the *ntdsai.dll* file version found in the system directory is older than *10.0.17763.316* 12 | - **Windows Server 2022** 13 | 14 | For all operating systems: 15 | 16 | - Both servers with desktop experience and server cores are supported. 17 | - Nano servers are not supported. 18 | - Installations are supported for domain controllers, AD FS, and AD CS servers. 
19 | -------------------------------------------------------------------------------- /ATPDocs/media/about-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/about-settings.png -------------------------------------------------------------------------------- /ATPDocs/media/access-computer-from-network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/access-computer-from-network.png -------------------------------------------------------------------------------- /ATPDocs/media/account-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/account-settings.png -------------------------------------------------------------------------------- /ATPDocs/media/accounts-with-non-default-pgid/screenshot-of-pgid.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/accounts-with-non-default-pgid/screenshot-of-pgid.png -------------------------------------------------------------------------------- /ATPDocs/media/add-excluded-domain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/add-excluded-domain.png -------------------------------------------------------------------------------- /ATPDocs/media/add-excluded-entity.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/add-excluded-entity.png -------------------------------------------------------------------------------- /ATPDocs/media/add-exclusion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/add-exclusion.png -------------------------------------------------------------------------------- /ATPDocs/media/adfs-container.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/adfs-container.png -------------------------------------------------------------------------------- /ATPDocs/media/adfs-logon-advanced-hunting.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/adfs-logon-advanced-hunting.png -------------------------------------------------------------------------------- /ATPDocs/media/advanced-audit-policy-check-step-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-audit-policy-check-step-1.png -------------------------------------------------------------------------------- /ATPDocs/media/advanced-audit-policy-check-step-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-audit-policy-check-step-2.png -------------------------------------------------------------------------------- 
/ATPDocs/media/advanced-audit-policy-check-step-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-audit-policy-check-step-3.png -------------------------------------------------------------------------------- /ATPDocs/media/advanced-audit-policy-check-step-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-audit-policy-check-step-4.png -------------------------------------------------------------------------------- /ATPDocs/media/advanced-hunting-lateral-movement-paths.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-hunting-lateral-movement-paths.png -------------------------------------------------------------------------------- /ATPDocs/media/advanced-security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/advanced-security.png -------------------------------------------------------------------------------- /ATPDocs/media/alert-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/alert-details.png -------------------------------------------------------------------------------- /ATPDocs/media/alert-state.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/alert-state.png -------------------------------------------------------------------------------- /ATPDocs/media/architecture/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/architecture/architecture.png -------------------------------------------------------------------------------- /ATPDocs/media/audit-adfs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/audit-adfs.png -------------------------------------------------------------------------------- /ATPDocs/media/audit-configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/audit-configuration.png -------------------------------------------------------------------------------- /ATPDocs/media/auditing-tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/auditing-tab.png -------------------------------------------------------------------------------- /ATPDocs/media/automated-response-exclusions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/automated-response-exclusions.png -------------------------------------------------------------------------------- /ATPDocs/media/built-in-active-directory-guest-account-is-enabled/guest-account.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/built-in-active-directory-guest-account-is-enabled/guest-account.png -------------------------------------------------------------------------------- /ATPDocs/media/built-in-active-directory-guest-account-is-enabled/security-report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/built-in-active-directory-guest-account-is-enabled/security-report.png -------------------------------------------------------------------------------- /ATPDocs/media/capacity-tool-maybe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/capacity-tool-maybe.png -------------------------------------------------------------------------------- /ATPDocs/media/capacity-tool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/capacity-tool.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-clear-text-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-clear-text-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-clear-text-2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-clear-text-2.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-dormant-entities-sensitive-groups-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-dormant-entities-sensitive-groups-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-kerberos-delegation-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-kerberos-delegation-2.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-laps-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-laps-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-laps-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-laps-2.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-print-spooler-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-print-spooler-1.png -------------------------------------------------------------------------------- 
/ATPDocs/media/cas-isp-print-spooler-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-print-spooler-2.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-riskiest-lmp-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-riskiest-lmp-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-unconstrained-kerberos-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-unconstrained-kerberos-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-unconstrained-kerberos-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-unconstrained-kerberos-2.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-unmonitored-domain-controller-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-unmonitored-domain-controller-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-unsecure-account-attributes-1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-unsecure-account-attributes-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-unsecure-sid-history-attribute-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-unsecure-sid-history-attribute-1.png -------------------------------------------------------------------------------- /ATPDocs/media/cas-isp-weak-cipher-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/cas-isp-weak-cipher-2.png -------------------------------------------------------------------------------- /ATPDocs/media/change-password-domain-administrator-account/screenshot-of-report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/change-password-domain-administrator-account/screenshot-of-report.png -------------------------------------------------------------------------------- /ATPDocs/media/choose-permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/choose-permissions.png -------------------------------------------------------------------------------- /ATPDocs/media/classify-alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/classify-alert.png 
-------------------------------------------------------------------------------- /ATPDocs/media/clear-all.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/clear-all.png -------------------------------------------------------------------------------- /ATPDocs/media/comments-history.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/comments-history.png -------------------------------------------------------------------------------- /ATPDocs/media/configuration-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configuration-properties.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-proxy/certificate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-proxy/certificate.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-proxy/test-proxy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-proxy/test-proxy.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-sensor-details.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-sensor-details.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-windows-event-collection/auditing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-windows-event-collection/auditing.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-windows-event-collection/certification-authority.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-windows-event-collection/certification-authority.png -------------------------------------------------------------------------------- /ATPDocs/media/configure-windows-event-collection/group-policy-management-editor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/configure-windows-event-collection/group-policy-management-editor.png -------------------------------------------------------------------------------- /ATPDocs/media/contactsupport.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/contactsupport.png -------------------------------------------------------------------------------- /ATPDocs/media/contactsupport1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/contactsupport1.png -------------------------------------------------------------------------------- /ATPDocs/media/contactsupport2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/contactsupport2.png -------------------------------------------------------------------------------- /ATPDocs/media/container-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/container-properties.png -------------------------------------------------------------------------------- /ATPDocs/media/dashboard/dashboard.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/dashboard/dashboard.gif -------------------------------------------------------------------------------- /ATPDocs/media/delete-exclusion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/delete-exclusion.png -------------------------------------------------------------------------------- /ATPDocs/media/delete-orphaned-sensor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/delete-orphaned-sensor.png -------------------------------------------------------------------------------- /ATPDocs/media/desktop.ini: -------------------------------------------------------------------------------- 
1 | [LocalizedFileNames] 2 | preview-detection-vpn.png=@preview-detection-vpn.png,0 3 | preview-detections.png=@preview-detections.png,0 4 | -------------------------------------------------------------------------------- /ATPDocs/media/detection-rule-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/detection-rule-details.png -------------------------------------------------------------------------------- /ATPDocs/media/directory-service-accounts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/directory-service-accounts.png -------------------------------------------------------------------------------- /ATPDocs/media/disable-lso-vmware.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/disable-lso-vmware.png -------------------------------------------------------------------------------- /ATPDocs/media/domain-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/domain-properties.png -------------------------------------------------------------------------------- /ATPDocs/media/enable-delayed-update.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/enable-delayed-update.png -------------------------------------------------------------------------------- 
/ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/administrator-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/administrator-properties.png -------------------------------------------------------------------------------- /ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/device-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/device-profile.png -------------------------------------------------------------------------------- /ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/posture-report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/posture-report.png -------------------------------------------------------------------------------- /ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/user-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/ensure-privileged-accounts-with-sensitive-flag/user-profile.png -------------------------------------------------------------------------------- /ATPDocs/media/entity-tags/tag-entities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/entity-tags/tag-entities.png 
-------------------------------------------------------------------------------- /ATPDocs/media/exclude-devices-or-ip-addresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclude-devices-or-ip-addresses.png -------------------------------------------------------------------------------- /ATPDocs/media/exclude-domains.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclude-domains.png -------------------------------------------------------------------------------- /ATPDocs/media/exclude-ip-addresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclude-ip-addresses.png -------------------------------------------------------------------------------- /ATPDocs/media/exclude-specific-users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclude-specific-users.png -------------------------------------------------------------------------------- /ATPDocs/media/exclude-users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclude-users.png -------------------------------------------------------------------------------- /ATPDocs/media/excluded-entities.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/excluded-entities.png -------------------------------------------------------------------------------- /ATPDocs/media/exclusions-by-detection-rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/exclusions-by-detection-rule.png -------------------------------------------------------------------------------- /ATPDocs/media/export-sensors.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/export-sensors.png -------------------------------------------------------------------------------- /ATPDocs/media/filter-defender-for-identity.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/filter-defender-for-identity.png -------------------------------------------------------------------------------- /ATPDocs/media/filtered-alerts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/filtered-alerts.png -------------------------------------------------------------------------------- /ATPDocs/media/filtered-sensor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/filtered-sensor.png -------------------------------------------------------------------------------- /ATPDocs/media/global-excluded-entities.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/global-excluded-entities.png -------------------------------------------------------------------------------- /ATPDocs/media/global-excluded-entries-list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/global-excluded-entries-list.png -------------------------------------------------------------------------------- /ATPDocs/media/health-issues/close-suppress.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/health-issues/close-suppress.png -------------------------------------------------------------------------------- /ATPDocs/media/health-issues/global-health-issues.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/health-issues/global-health-issues.png -------------------------------------------------------------------------------- /ATPDocs/media/incidents-alerts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/incidents-alerts.png -------------------------------------------------------------------------------- /ATPDocs/media/investigate-assets/device-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/investigate-assets/device-details.png 
-------------------------------------------------------------------------------- /ATPDocs/media/investigate-assets/group-timeline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/investigate-assets/group-timeline.png -------------------------------------------------------------------------------- /ATPDocs/media/investigate-assets/identity-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/investigate-assets/identity-details.png -------------------------------------------------------------------------------- /ATPDocs/media/involved-entities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/involved-entities.png -------------------------------------------------------------------------------- /ATPDocs/media/issue-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/issue-details.png -------------------------------------------------------------------------------- /ATPDocs/media/laps-unprotected-devices.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/laps-unprotected-devices.png -------------------------------------------------------------------------------- /ATPDocs/media/lmp-new.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/lmp-new.png -------------------------------------------------------------------------------- /ATPDocs/media/log-on-as-a-service-gpmc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/log-on-as-a-service-gpmc.png -------------------------------------------------------------------------------- /ATPDocs/media/log-on-as-a-service.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/log-on-as-a-service.png -------------------------------------------------------------------------------- /ATPDocs/media/manage-action-accounts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/manage-action-accounts.png -------------------------------------------------------------------------------- /ATPDocs/media/manage-alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/manage-alert.png -------------------------------------------------------------------------------- /ATPDocs/media/manage-sensor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/manage-sensor.png -------------------------------------------------------------------------------- /ATPDocs/media/management-accounts.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/management-accounts.png -------------------------------------------------------------------------------- /ATPDocs/media/missing-network-traffic-health-alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/missing-network-traffic-health-alert.png -------------------------------------------------------------------------------- /ATPDocs/media/need-help-option.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/need-help-option.png -------------------------------------------------------------------------------- /ATPDocs/media/network-activities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/network-activities.png -------------------------------------------------------------------------------- /ATPDocs/media/new-directory-service-account.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/new-directory-service-account.png -------------------------------------------------------------------------------- /ATPDocs/media/nnr-high-certainty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/nnr-high-certainty.png -------------------------------------------------------------------------------- /ATPDocs/media/object-types.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/object-types.png -------------------------------------------------------------------------------- /ATPDocs/media/permission-entry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/permission-entry.png -------------------------------------------------------------------------------- /ATPDocs/media/radius-setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/radius-setup.png -------------------------------------------------------------------------------- /ATPDocs/media/recommended-actions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/recommended-actions.png -------------------------------------------------------------------------------- /ATPDocs/media/related-entities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/related-entities.png -------------------------------------------------------------------------------- /ATPDocs/media/remove-excluded-users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/remove-excluded-users.png -------------------------------------------------------------------------------- 
/ATPDocs/media/remove-rbcd-microsoft-entra-seamless-single-sign-on-account/permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/remove-rbcd-microsoft-entra-seamless-single-sign-on-account/permissions.png -------------------------------------------------------------------------------- /ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/remove-replication-permissions-microsoft-entra-connect/permissions.png -------------------------------------------------------------------------------- /ATPDocs/media/return-to-exclude-devices.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/return-to-exclude-devices.png -------------------------------------------------------------------------------- /ATPDocs/media/reversible-passwords-group-policy/screenshot-of-gpo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/reversible-passwords-group-policy/screenshot-of-gpo.png -------------------------------------------------------------------------------- /ATPDocs/media/samr-policy-location.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/samr-policy-location.png -------------------------------------------------------------------------------- 
/ATPDocs/media/secure-score/adcs-new-reports.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/adcs-new-reports.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/dcsync-permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/dcsync-permissions.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/do-not-expire-passwords.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/do-not-expire-passwords.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/enforce-encryption-rpc-certificate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/enforce-encryption-rpc-certificate.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/local-admins.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/local-admins.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/misconfigured-certificate-acl.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/misconfigured-certificate-acl.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/misconfigured-certificate-authority.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/misconfigured-certificate-authority.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/misconfigured-enrollment-agent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/misconfigured-enrollment-agent.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/misconfigured-owner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/misconfigured-owner.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/old-passwords.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/old-passwords.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/permissive-certificate-template.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/permissive-certificate-template.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/prevent-certificate-arbitrary-users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/prevent-certificate-arbitrary-users.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/remove-suspicious-access-rights.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/remove-suspicious-access-rights.png -------------------------------------------------------------------------------- /ATPDocs/media/secure-score/vulnerable-certificate-authority-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/secure-score/vulnerable-certificate-authority-settings.png -------------------------------------------------------------------------------- /ATPDocs/media/security-advanced.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/security-advanced.png -------------------------------------------------------------------------------- /ATPDocs/media/security-alert-structure.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/security-alert-structure.png -------------------------------------------------------------------------------- /ATPDocs/media/select-a-principal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-a-principal.png -------------------------------------------------------------------------------- /ATPDocs/media/select-assessment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-assessment.png -------------------------------------------------------------------------------- /ATPDocs/media/select-everyone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-everyone.png -------------------------------------------------------------------------------- /ATPDocs/media/select-exclude-domains.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-exclude-domains.png -------------------------------------------------------------------------------- /ATPDocs/media/select-permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-permissions.png -------------------------------------------------------------------------------- /ATPDocs/media/select-principal.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/select-principal.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-config-adfs-resolver.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-config-adfs-resolver.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-details.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-filters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-filters.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-install-config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-install-config.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-install-deployment-type.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-install-deployment-type.png 
-------------------------------------------------------------------------------- /ATPDocs/media/sensor-install-language.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-install-language.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-outdated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-outdated.png -------------------------------------------------------------------------------- /ATPDocs/media/sensor-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/sensor-page.png -------------------------------------------------------------------------------- /ATPDocs/media/settings-about-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/settings-about-page.png -------------------------------------------------------------------------------- /ATPDocs/media/settings-identities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/settings-identities.png -------------------------------------------------------------------------------- /ATPDocs/media/troubleshooting-known-issues/gmsa-retrieve-password-results.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/troubleshooting-known-issues/gmsa-retrieve-password-results.png -------------------------------------------------------------------------------- /ATPDocs/media/unsafe-permissions-dns-admins-group/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/unsafe-permissions-dns-admins-group/image.png -------------------------------------------------------------------------------- /ATPDocs/media/unsecure-domain-configurations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/unsecure-domain-configurations.png -------------------------------------------------------------------------------- /ATPDocs/media/view-different-date-new.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/view-different-date-new.png -------------------------------------------------------------------------------- /ATPDocs/media/vm-sensor-issue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/vm-sensor-issue.png -------------------------------------------------------------------------------- /ATPDocs/media/vpn-integration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/vpn-integration.png -------------------------------------------------------------------------------- 
/ATPDocs/media/vpn-set-accounting.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/vpn-set-accounting.png -------------------------------------------------------------------------------- /ATPDocs/media/wef-1-local-group-policy-editor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/wef-1-local-group-policy-editor.png -------------------------------------------------------------------------------- /ATPDocs/media/wef-2-config-target-sub-manager.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/wef-2-config-target-sub-manager.png -------------------------------------------------------------------------------- /ATPDocs/media/wef-3-event-viewer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/wef-3-event-viewer.png -------------------------------------------------------------------------------- /ATPDocs/media/wef-4-query-filter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/wef-4-query-filter.png -------------------------------------------------------------------------------- /ATPDocs/media/what-happened.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/what-happened.png 
-------------------------------------------------------------------------------- /ATPDocs/media/whats-new/adjust-alert-thresholds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/adjust-alert-thresholds.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/custom-time-frame.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/custom-time-frame.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/device-description.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/device-description.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/go-hunt-groups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/go-hunt-groups.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/group-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/group-search.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/group-timeline.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/group-timeline.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/report-management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/report-management.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/reports-main-area.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/reports-main-area.png -------------------------------------------------------------------------------- /ATPDocs/media/whats-new/uac-flags.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftDocs/ATADocs/18c689f3f979272efd59343d179360524dcb330b/ATPDocs/media/whats-new/uac-flags.png -------------------------------------------------------------------------------- /ATPDocs/modified-unprivileged-accounts-gpo.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: GPO can be modified by unprivileged accounts ' 7 | description: This recommendation lists any Group Policy Objects in your environment that can be modified by standard users which can potentially lead to the compromise of the domain. 
8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/06/2024 13 | --- 14 | 15 | # Security Assessment: GPO can be modified by unprivileged accounts 16 | 17 | This recommendation lists any Group Policy Objects in your environment that can be modified by standard users which can potentially lead to the compromise of the domain. 18 | 19 | ## Organization risk 20 | 21 | Attackers may attempt to obtain information on Group Policy settings to uncover vulnerabilities that can be exploited to gain higher levels of access, understand the security measures in place within a domain, and identify patterns in domain objects. This information can be used to plan subsequent attacks, such as identifying potential paths to exploit within the target network or finding opportunities to blend in or manipulate the environment. A user, service or application that relies on these permissions may stop functioning.  22 | 23 | ## Remediation steps 24 | 25 | Carefully review each assigned permission, identify any dangerous permission granted, and modify them to remove any unnecessary or excessive user rights.  26 | 27 | ## Next steps 28 | 29 | [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 30 | 31 | -------------------------------------------------------------------------------- /ATPDocs/ops-guide/ops-guide-monthly.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Monthly operational guide - Microsoft Defender for Identity 3 | description: Learn about the Microsoft Defender for Identity activities that we recommend for your team on a monthly basis. 
4 | ms.date: 01/29/2024 5 | ms.topic: how-to 6 | --- 7 | 8 | # Monthly operational guide - Microsoft Defender for Identity 9 | 10 | This article reviews the Microsoft Defender for Identity activities we recommend for your team on a monthly basis. 11 | 12 | ## Review tuned alerts and adjust tuning if needed 13 | 14 | **Where**: In Microsoft Defender XDR, select **Hunting > Advanced hunting** 15 | 16 | **Persona**: Security and compliance administrators, SOC analysts 17 | 18 | Microsoft Defender XDR allows you to *tune* alerts, helping you reduce the number of alerts you need to triage. Tuning alerts resolves alerts automatically based on your configurations and rule conditions. 19 | 20 | We recommend reviewing your tuning configurations regularly to make sure that they're still relevant and effective. For example: 21 | 22 | - Check to see if your existing rules have matches as expected 23 | - If a rule has no matches, consider whether you still need it or if you can remove it 24 | 25 | For more information, see [Investigate Defender for Identity security alerts in Microsoft Defender XDR](../manage-security-alerts.md). 26 | 27 | ## Track new changes in Microsoft Defender XDR and Defender for Identity 28 | 29 | **Where**: 30 | 31 | - In the Microsoft 365 admin center, select **Health > Message center**. For more information, see [Track new and changed features in the Microsoft 365 Message center](/microsoft-365/admin/manage/message-center). 32 | 33 | - The [Microsoft Defender XDR monthly news](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/bg-p/MicrosoftThreatProtectionBlog/label-name/Defender%20News). 34 | 35 | - For details about Defender for Identity updates, see [What's new in Microsoft Defender for Identity](../whats-new.md). 
36 | 37 | **Persona**: Security administrators, SOC analysts 38 | 39 | ## Related content 40 | 41 | For more information, see: 42 | 43 | - [Microsoft Defender XDR Security operations overview](/security/operations/overview) 44 | - [Microsoft Defender for Identity operational guide](ops-guide.md) 45 | - [Daily operational guide - Microsoft Defender for Identity](ops-guide-daily.md) 46 | - [Weekly operational guide - Microsoft Defender for Identity](ops-guide-weekly.md) 47 | - [Quarterly / Ad hoc operational guide - Microsoft Defender for Identity](ops-guide-quarterly.md) 48 | -------------------------------------------------------------------------------- /ATPDocs/ops-guide/ops-guide.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Operational guide - Microsoft Defender for Identity 3 | description: Learn about the Microsoft Defender for Identity activities that we recommend for your team on a daily, weekly, and monthly basis. 4 | ms.date: 01/29/2024 5 | ms.topic: conceptual 6 | #customerIntent: To learn about the Microsoft Defender for Identity activities that we recommend for your team on a daily, weekly, monthly, quarterly, and ad-hoc basis. 7 | --- 8 | 9 | # Microsoft Defender for Identity operational guide 10 | 11 | This article summarizes the Microsoft Defender for Identity activities we recommend for your team on a daily, weekly, and monthly basis. 12 | 13 | |Cadence |Tasks | 14 | |---------|---------| 15 | |**Daily** | - [Triage incidents by priority](ops-guide-daily.md#triage-incidents-by-priority)
- [Investigate users with a high investigation score](ops-guide-daily.md#investigate-users-with-a-high-investigation-score)
- [Configure tuning rules for benign true positives / false positive alerts](ops-guide-daily.md#configure-tuning-rules-for-benign-true-positives--false-positive-alerts)
- [Review the ITDR dashboard](ops-guide-daily.md#review-the-itdr-dashboard)
- [Proactively hunt](ops-guide-daily.md#proactively-hunt)
- [Review Defender for Identity health issues](ops-guide-daily.md#review-defender-for-identity-health-issues) | 16 | |**Weekly** |- [Review Secure score recommendations](ops-guide-weekly.md#review-secure-score-recommendations)
- [Review and respond to emerging threats](ops-guide-weekly.md#review-and-respond-to-emerging-threats)
- [Proactively hunt](ops-guide-weekly.md#proactively-hunt) | 17 | |**Monthly** | - [Review tuned alerts and adjust tuning if needed](ops-guide-monthly.md#review-tuned-alerts-and-adjust-tuning-if-needed)
- [Track new changes in Microsoft Defender XDR and Defender for Identity](ops-guide-monthly.md#track-new-changes-in-microsoft-defender-xdr-and-defender-for-identity) | 18 | | **Quarterly / Ad hoc**
Depending on your organization's needs and processes | - [Review Microsoft service health](ops-guide-quarterly.md#review-microsoft-service-health)
- [Review server setup process to include sensors](ops-guide-quarterly.md#review-server-setup-process-to-include-sensors)
- [Check domain configuration via PowerShell](ops-guide-quarterly.md#check-domain-configuration-via-powershell) | 19 | 20 | You might want to proactively hunt on a daily or weekly basis, depending on your level as a SOC analyst. 21 | 22 | ## Related content 23 | 24 | - [Daily operational guide](ops-guide-daily.md) 25 | - [Weekly operational guide](ops-guide-weekly.md) 26 | - [Monthly operational guide](ops-guide-monthly.md) 27 | - [Quarterly / Ad hoc operational guide](ops-guide-quarterly.md) 28 | - The Microsoft Defender XDR [Security operations overview](/security/operations/overview). 29 | -------------------------------------------------------------------------------- /ATPDocs/reversible-passwords-group-policy.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security Assessment: Reversible passwords found in GPOs' 7 | description: 'This recommendation lists any Group policy objects in your environment that contains password data.' 8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security Assessment: Reversible passwords found in GPOs 16 | 17 | This posture recommendation lists any Group policy objects in your environment that contains password data.  18 | 19 | ## Why might Group policies objects that contain password data be a risk? 20 | 21 | Group Policy Preferences (GPP) previously allowed administrators to include embedded credentials in domain policies. 
However, this feature was removed with the release of MS14-025 due to security concerns regarding the insecure storage of passwords. But files containing these credentials could still be present in the SYSVOL folder, which means that any domain user can access the files and decrypt the password using the publicly available AES key. 22 | To prevent potential exploitation by adversaries, it is recommended to remove any existing preferences that contain embedded credentials. 23 | 24 | ## Remediation steps 25 | 26 | To remove the preferences that contain password data, use the Group Policy Management Console (GPMC) on a domain controller or from a client that has Remote Server Administration Tools (RSAT) installed. You can remove any preference by following these steps: 27 | 28 | 1. In GPMC, open the Group Policy reported in the Exposed entities tab. 29 | 30 | 1. Navigate to the preference configuration that contains password data and delete the object. Click **Apply** and **OK** to save your changes. 31 | For example: 32 | ![Screenshot of delete object.](media/reversible-passwords-group-policy/screenshot-of-gpo.png) 33 | 34 | 35 | 1. Wait for a Group Policy refresh cycle to allow changes to propagate to clients (usually up to 120 minutes). 36 | 37 | 1. After changes are applied to all clients, delete the preference. 38 | 39 | 1. Repeat steps 1 through 5 as needed to clean your whole environment. 40 | 41 | ## Next steps 42 | 43 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 44 | 45 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-clear-text.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Clear text exposure assessment 3 | description: This article provides an overview of Microsoft Defender for Identity's clear text exposure identity security posture assessment report. 
4 | ms.date: 01/29/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Entities exposing credentials in clear text 9 | 10 | ![Prevent clear text credentials exposure.](media/cas-isp-clear-text-1.png) 11 | 12 | ## What information does the prevent clear text security assessment provide? 13 | 14 | This security assessment monitors your traffic for any entities exposing credentials in clear text and alerts you to the current exposure risks (most impacted entities) in your organization with suggested remediation. 15 | 16 | ## Why is clear text credential exposure risky? 17 | 18 | Entities exposing credentials in clear text are risky not only for the exposed entity in question, but for your entire organization. 19 | 20 | The increased risk is because unsecure traffic such as LDAP simple-bind is highly susceptible to interception by attacker-in-the-middle attacks. These types of attacks result in malicious activities including credential exposure, in which an attacker can leverage credentials for malicious purposes. 21 | 22 | ## How do I use this security assessment to improve my organizational security posture? 23 | 24 | 1. Review the recommended action at . 25 | 26 | ![Review top impacted entities and create an action plan.](media/cas-isp-clear-text-2.png) 27 | 1. Research why those entities are using LDAP in clear text. 28 | 1. Remediate the issues and stop the exposure. 29 | 1. After confirming remediation, we recommend you require domain controller level LDAP signing. To learn more about LDAP server signing, see [Domain controller LDAP server signing requirements](/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements). 30 | 31 | > [!NOTE] 32 | > This assessment is updated in near real time. 33 | > The reports show the affected entities from the last 30 days. After that time, entities no longer affected will be removed from the exposed entities list. 
34 | 35 | ## Next steps 36 | 37 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 38 | - [Check out the Defender for Identity forum!]() 39 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-deploy-defender-for-identity.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Start your Defender for Identity deployment security assessment 3 | description: This article provides an overview of Microsoft Defender for Identity's Start your Defender for Identity deployment security posture assessment report. 4 | ms.date: 06/11/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Start your Defender for Identity deployment 9 | 10 | This article describes the **Start your Defender for Identity deployment** security assessment, which encourages you to install sensors on domain controllers and other eligible servers. 11 | 12 | ## Why is not having Defender for Identity deployed considered a risk? 13 | 14 | If you've obtained a Defender for Identity license, but haven't yet deployed Defender for Identity sensors, not only are you not yet using your purchased services, but you may be missing advanced threats in your identity infrastructure. 15 | 16 | Defender for Identity uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. 17 | 18 | Defender for Identity is also part of monitoring for Zero Trust. You may also want to use [advanced hunting queries in Microsoft Defender XDR](/microsoft-365/security/defender/advanced-hunting-overview) to look for threats across identities, devices, and cloud apps. 
19 | 20 | For more information, see: 21 | 22 | - [What is Microsoft Defender for Identity?](what-is.md) 23 | - [Zero Trust with Defender for Identity](zero-trust.md) 24 | 25 | ## How do I use this security assessment? 26 | 27 | 1. Review the recommended action at to be alerted if you have a Defender for Identity license, but don't have Defender for Identity deployed. 28 | 29 | 1. Take appropriate action by deploying Defender for Identity. For more information, see [Deploy Microsoft Defender for Identity with Microsoft Defender XDR](deploy-defender-identity.md). 30 | 31 | > [!NOTE] 32 | > While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**. 33 | > 34 | 35 | ## See also 36 | 37 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 38 | - [Check out the Defender for Identity forum!]() 39 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-dormant-entities.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Dormant entities security assessment 3 | description: This article provides an overview of Microsoft Defender for Identity's dormant entities in sensitive groups identity security posture assessment report. 4 | ms.date: 01/29/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Dormant entities in sensitive groups 9 | 10 | ## What are sensitive dormant entities? 11 | 12 | Microsoft Defender for Identity discovers if particular users are **sensitive** along with providing attributes that surface if they are inactive, disabled, or expired. 13 | 14 | However, **Sensitive** accounts can also become *dormant* if they are not used for a period of 180 days. 
Dormant sensitive entities are targets of opportunity for malicious actors to gain sensitive access to your organization. 15 | 16 | For more information, see [Default sensitive entities](entity-tags.md#default-sensitive-entities). 17 | 18 | ## What risk do dormant entities create in sensitive groups? 19 | 20 | Organizations that fail to secure their dormant user accounts leave the door unlocked to their sensitive data safe. 21 | 22 | Malicious actors, much like thieves, often look for the easiest and quietest way into any environment. An easy and quiet path deep into your organization is through **sensitive** user and service accounts that are no longer in use. 23 | 24 | It doesn't matter if the cause is employee turnover or resource mismanagement—skipping this step leaves your organization's most sensitive entities vulnerable and exposed. 25 | 26 | ## How do I use this security assessment? 27 | 28 | 1. Review the recommended action at to discover which of your sensitive accounts are dormant. 29 | 30 | ![Remediate dormant entities in sensitive groups.](media/cas-isp-dormant-entities-sensitive-groups-1.png) 31 | 1. Take appropriate action on those user accounts by removing their privileged access rights or by deleting the account. 32 | 33 | > [!NOTE] 34 | > While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**. 
35 | > 36 | 37 | ## See also 38 | 39 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 40 | - [Check out the Defender for Identity forum!]() 41 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-edit-misconfigured-acl.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Edit misconfigured certificate templates ACL (ESC4) | Microsoft Defender for Identity 3 | description: This article provides an overview of Microsoft Defender for Identity's misconfigured certificate template ACL security posture assessment report. 4 | ms.date: 11/20/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Edit misconfigured certificate templates ACL (ESC4) (Preview) 9 | 10 | This article describes Microsoft Defender for Identity's **Misconfigured certificate template ACL** security posture assessment report. 11 | 12 | ## What is a misconfigured certificate template ACL? 13 | 14 | Certificate templates are Active Directory objects with an ACL controlling the access to the object. Besides determining enrollment permissions, the ACL also determines permissions for editing the object itself. 15 | 16 | If for any reason, there's an entry in the ACL that grants a built-in, unprivileged group with permissions that allow for template setting changes, an adversary can introduce a template misconfiguration, escalate privileges, and compromise the entire domain. 17 | 18 | Examples of built-in, unprivileged groups are *Authenticated users*, *Domain users*, or *Everyone*. Examples of permissions that allow for template setting changes are *Full control* or *Write DACL*. 19 | 20 | 21 | ## How do I use this security assessment to improve my organizational security posture? 22 | 23 | 1. Review the recommended action at for a misconfigured certificate template ACL. 
For example: 24 | 25 | :::image type="content" source="media/secure-score/misconfigured-certificate-acl.png" alt-text="Screenshot of the Edit misconfigured certificate templates ACL (ESC4) recommendation." lightbox="media/secure-score/misconfigured-certificate-acl.png"::: 26 | 27 | 1. Research why the template ACL might be misconfigured. 28 | 1. Remediate the issue by removing any entry that grants unprivileged group permissions that allow tampering with the template. 29 | 1. Remove the certificate template from being published by any CA if they're not needed. 30 | 31 | Make sure to test your settings in a controlled environment before turning them on in production. 32 | 33 | [!INCLUDE [secure-score-note](../includes/secure-score-note.md)] 34 | 35 | 36 | ## Next steps 37 | 38 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 39 | - [Check out the Defender for Identity forum!]() 40 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-edit-misconfigured-owner.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Edit misconfigured certificate templates owner (ESC4) | Microsoft Defender for Identity 3 | description: This article provides an overview of Microsoft Defender for Identity's misconfigured certificate templates owner (ESC4) security posture assessment report. 4 | ms.date: 11/14/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Edit misconfigured certificate templates owner (ESC4) (Preview) 9 | 10 | This article provides an overview of Microsoft Defender for Identity's **Misconfigured certificate templates owner (ESC4)** security posture assessment report. 11 | 12 | ## What is a misconfigured certificate template owner? 13 | 14 | A certificate template is an Active Directory object with an owner, who controls access to the object and the ability to edit the object. 
15 | 16 | If the owner permissions grant a built-in, unprivileged group with permissions that allow for template setting changes, an adversary can introduce a template misconfiguration, escalate privileges, and compromise the entire domain. 17 | 18 | Examples of built-in, unprivileged groups are *Authenticated users*, *Domain users*, or *Everyone*. Examples of permissions that allow for template setting changes are *Full control* or *Write DACL*. 19 | 20 | 21 | ## How do I use this security assessment to improve my organizational security posture? 22 | 23 | 1. Review the recommended action at for a misconfigured certificate template owner. For example: 24 | 25 | :::image type="content" source="media/secure-score/misconfigured-owner.png" alt-text="Screenshot of the Edit misconfigured certificate templates owner (ESC4) recommendation." lightbox="media/secure-score/misconfigured-owner.png"::: 26 | 27 | 1. Research why the template owner might be misconfigured. 28 | 1. Remediate the issue by changing the owner to a privileged and monitored user. 29 | 30 | Make sure to test your settings in a controlled environment before turning them on in production. 31 | 32 | [!INCLUDE [secure-score-note](../includes/secure-score-note.md)] 33 | 34 | 35 | ## Next steps 36 | 37 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 38 | - [Check out the Defender for Identity forum!]() 39 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-insecure-adcs-certificate-enrollment.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Identify insecure AD CS certificate enrollment IIS endpoints (ESC8)| Microsoft Defender for Identity 3 | description: This article provides an overview of Microsoft Defender for Identity's 'Edit insecure ADCS certificate enrollment IIS endpoints (ESC8)' identity security posture assessment report. 
4 | ms.date: 03/04/2024 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Edit insecure ADCS certificate enrollment IIS endpoints (ESC8) 9 | 10 | This article describes Microsoft Defender for Identity's **Edit insecure ADCS certificate enrollment IIS endpoints** identity security posture assessment report. 11 | 12 | ## What are insecure AD CS certificate enrollment IIS endpoints? 13 | 14 | Active Directory Certificate Services (AD CS) supports certificate enrollment through various methods and protocols, including enrollment via HTTP using the Certificate Enrollment Service (CES) or the Web Enrollment interface (Certsrv). 15 | 16 | If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks (ESC8). Relay attacks can lead to complete domain takeover if an attacker manages to pull it off successfully. 17 | 18 | ## Prerequisites 19 | 20 | This assessment is available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md). 21 | 22 | ## How do I use this security assessment to improve my organizational security posture? 23 | 24 | Review the recommended action at for insecure AD CS certificate enrollment IIS endpoints. 25 | 26 | The assessment lists the problematic HTTP endpoints in your organization and guidance to configuring the endpoints securely. 27 | 28 | Once handled, the ESC8 attack risk is mitigated, reducing your attack surface significantly. 
29 | 30 | [!INCLUDE [secure-score-note](../includes/secure-score-note.md)] 31 | 32 | 33 | ## Next steps 34 | 35 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 36 | - [Check out the Defender for Identity forum!]() 37 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-non-admin-accounts-dcsync.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Remove non-admin accounts with DCSync permissions | Microsoft Defender for Identity 3 | description: Learn about Microsoft Defender for Identity's `Remove non-admin accounts with DCSync permissions` security assessment in Microsoft Secure Score. 4 | ms.date: 06/08/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Remove non-admin accounts with DCSync permissions 9 | 10 | This article describes the **Remove non-admin accounts with DCSync permissions** security assessment, which identifies risky DCSync permission settings. 11 | 12 | ## Why might the DCSync permission be a risk? 13 | 14 | Accounts with the DCSync permission can initiate domain replication. Attackers can potentially exploit domain replication to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. 15 | 16 | It's crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process. 17 | 18 | ## How do I use this security assessment to improve my organizational security posture? 19 | 20 | 1. Review the recommended action at for **Remove non-admin accounts with DCSync permissions**. 21 | 22 | For example: 23 | 24 | :::image type="content" source="media/secure-score/dcsync-permissions.png" alt-text="Screenshot of the Remove non-admin accounts with DCSync permissions security assessment." 
lightbox="media/secure-score/dcsync-permissions.png"::: 25 | 26 | 1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also nondomain admins. 27 | 28 | 1. Take appropriate action on those entities by removing their privileged access rights. 29 | 30 | To achieve the maximum score, remediate all exposed entities. 31 | 32 | [!INCLUDE [secure-score-note](../includes/secure-score-note.md)] 33 | 34 | 35 | ## Next steps 36 | 37 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 38 | - [Check out the Defender for Identity forum!]() 39 | -------------------------------------------------------------------------------- /ATPDocs/security-assessment-remove-local-admins.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Remove local admins on identity assets | Microsoft Defender for Identity 3 | description: Learn about Microsoft Defender for Identity's `Remove local admins on identity assets` security assessment in Microsoft Secure Score. 4 | ms.date: 06/08/2023 5 | ms.topic: how-to 6 | --- 7 | 8 | # Security assessment: Remove local admins on identity assets 9 | 10 | This article describes the **Remove local admins on identity assets** security assessment, which highlights local admins that pose a risk to your environment. 11 | 12 | ## Why are local admins on identity assets a risk? 13 | 14 | Accounts with indirect control over an identity system, such as AD FS, AD CS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. 15 | 16 | Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view. 17 | 18 | ## How do I use this security assessment to improve my organizational security posture? 19 | 20 | 1. 
Review the recommended action for **Remove local admins on identity assets**.
13 | 14 | For this reason, Defender for Identity continuously monitors your environment to identify domain controllers without an installed Defender for Identity sensor, and reports on these unmonitored servers to assist you in managing full coverage of your environment. 15 | 16 | ## What risk do unmonitored domain controllers pose to an organization? 17 | 18 | In order to operate at maximum efficiency, all domain controllers must be monitored with Defender for Identity sensors. Organizations that fail to remediate unmonitored domain controllers, reduce visibility into their environment and potentially expose their assets to malicious actors. 19 | 20 | ## How do I use this security assessment? 21 | 22 | 1. Review the recommended action at to discover which of your domain controllers are unmonitored. 23 | 24 | ![Install Defender for Identity Sensor on all Domain Controllers.](media/cas-isp-unmonitored-domain-controller-1.png) 25 | 1. Take appropriate action on those domain controllers by [installing and configuring monitoring sensors](/defender-for-identity/sensor-settings#domain-controller-status). 26 | 27 | > [!NOTE] 28 | > While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**. 29 | > 30 | 31 | ## See Also 32 | 33 | - [Monitoring your domain controller coverage](/defender-for-identity/sensor-settings) 34 | - [Check out the Defender for Identity forum!]() 35 | -------------------------------------------------------------------------------- /ATPDocs/settings-about.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: About page in Microsoft Defender XDR 3 | description: Learn how to collect important details about your Defender for Identity workspace in Microsoft Defender XDR. 
4 | ms.date: 07/14/2024 5 | ms.topic: how-to 6 | --- 7 | 8 | # About page for Defender for Identity 9 | 10 | This article explains how to use the About page to collect important details about your Defender for Identity workspace in Microsoft Defender XDR. 11 | 12 | ## Details on About page 13 | 14 | To access the About page, in [Microsoft Defender XDR](https://security.microsoft.com), go to **Settings** and then **Identities**. Under **General**, select **About**. 15 | 16 | :::image type="content" source="media/settings-about-page.png" alt-text="About page."::: 17 | 18 | The About page provides the following details: 19 | 20 | - Sensor version: The latest software version available for sensor updates. 21 | - Geolocation: The geographic location of the workspace where your data is stored. 22 | - Workspace ID: The identifier of your workspace. 23 | - Workspace name: The name of your workspace. 24 | - Total licenses: The total number of Microsoft Denfender for Identity licenses assigned to the tenant. 25 | - Active identities during the past 28 days: The total number of on-premises identities that had activity detected by Defender for Identity. 26 | 27 | This information can be helpful when troubleshooting issues and opening support tickets. Additionally, you can find the name of your workspace (workspace) which is necessary for configuring your [proxy or firewall](configure-proxy.md#enable-access-to-defender-for-identity-service-urls-in-the-proxy-server). 
28 | 29 | ## See also 30 | 31 | - [Defender for Identity prerequisites](prerequisites.md) 32 | - [Check out the Defender for Identity forum!]() 33 | 34 | -------------------------------------------------------------------------------- /ATPDocs/unsafe-permissions-dns-admins-group.md: -------------------------------------------------------------------------------- 1 | --- 2 | # Required metadata 3 | # For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main 4 | # For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main 5 | 6 | title: 'Security assessment: Unsafe permissions on the DnsAdmins group' 7 | description: 'This recommendation lists any Group policy objects in your environment that contains password data. ' 8 | author: LiorShapiraa # GitHub alias 9 | ms.author: liorshapira 10 | ms.service: microsoft-defender-for-identity 11 | ms.topic: article 12 | ms.date: 10/05/2024 13 | --- 14 | 15 | # Security assessment: Unsafe permissions on the DnsAdmins group 16 | 17 | This recommendation lists any member of the DNS Admins group that is not a privileged user. Privileged accounts are accounts that are being members of a privileged group such as Domain admins, Schema admins, Read only domain controllers and so on.  18 | 19 | ### Why is it important to review the members of the DnsAdmins group? 20 | 21 | In AD, the DnsAdmins group is a privileged group that has administrative control over the DNS Server service within a domain. Members of this group have the ability to manage DNS servers, which includes tasks like configuring DNS zones, managing records, and modifying DNS settings. 22 | The DnsAdmins group can be delegated to non-AD administrators, like those managing networking functions such as DNS or DHCP, making these accounts attractive targets for compromise. 
23 | 24 | ### How do I use this security assessment to improve my organizational security posture? 25 | 26 | 1. Review the list of exposed entities to identify non-privileged accounts with risky permissions. 27 | 28 | 1. Take appropriate action on those accounts by removing the accounts from the DnsAdmins group. If some accounts require these permissions, grant them only the specific access needed. 29 | 30 | For example: 31 | ![Screenshot of Unprivileged account.](media/unsafe-permissions-dns-admins-group/image.png) 32 | 33 | ### Next steps 34 | 35 | [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) 36 | 37 | -------------------------------------------------------------------------------- /LICENSE-CODE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | Copyright (c) Microsoft Corporation 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 5 | associated documentation files (the "Software"), to deal in the Software without restriction, 6 | including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 7 | and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, 8 | subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all copies or substantial 11 | portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT 14 | NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 15 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 16 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 17 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 4 | For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 5 | 6 | # Github repository for Microsoft technical documentation 7 | 8 | You've found one of the GitHub repositories that houses the source for [Microsoft technical content](https://learn.microsoft.com/). 9 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 
14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 
40 | 41 | 42 | -------------------------------------------------------------------------------- /ThirdPartyNotices: -------------------------------------------------------------------------------- 1 | ##Legal Notices 2 | Microsoft and any contributors grant you a license to the Microsoft documentation and other content 3 | in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode), 4 | see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the 5 | [LICENSE-CODE](LICENSE-CODE) file. 6 | 7 | Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation 8 | may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. 9 | The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. 10 | Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653. 11 | 12 | Privacy information can be found at https://privacy.microsoft.com/en-us/ 13 | 14 | Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, 15 | or trademarks, whether by implication, estoppel or otherwise. -------------------------------------------------------------------------------- /includes/automatic-redirect.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | author: batamig 5 | ms.date: 06/08/2023 6 | --- 7 | 8 | > [!IMPORTANT] 9 | > Customers using the classic Defender for Identity portal are now automatically redirected to [Microsoft Defender XDR](https://security.microsoft.com), with no option to revert back to the classic portal. 
10 | > 11 | > For more information, see our [blog post](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/leveraging-the-convergence-of-microsoft-defender-for-identity-in/ba-p/3856321) and [Microsoft Defender for Identity in Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-security-center-mdi). 12 | > 13 | -------------------------------------------------------------------------------- /includes/gdpr-dsr-and-stp-note.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | services: active-directory 5 | author: eross-msft 6 | 7 | ms.service: active-directory 8 | ms.topic: include 9 | ms.date: 10/24/2022 10 | ms.author: lizross 11 | ms.custom: include file 12 | --- 13 | 14 | > [!NOTE] 15 | > If you're interested in viewing or deleting personal data, see [Azure Data Subject Requests for the GDPR](/microsoft-365/compliance/gdpr-dsr-azure). If you're looking for general info about GDPR, see the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). 16 | -------------------------------------------------------------------------------- /includes/gdpr-hybrid-note.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | services: active-directory 5 | author: eross-msft 6 | 7 | ms.service: active-directory 8 | ms.topic: include 9 | ms.date: 10/24/2022 10 | ms.author: lizross 11 | ms.custom: include file 12 | --- 13 | 14 | > [!NOTE] 15 | > If you're interested in viewing or deleting personal data, please review Microsoft's guidance in [Windows Data Subject Requests for the GDPR](/microsoft-365/compliance/gdpr-dsr-windows). If you're looking for general information about GDPR, see the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). 
16 | -------------------------------------------------------------------------------- /includes/gdpr-intro-sentence.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | services: active-directory 5 | author: eross-msft 6 | 7 | ms.service: active-directory 8 | ms.topic: include 9 | ms.date: 03/04/2021 10 | ms.author: lizross 11 | ms.custom: include file 12 | --- 13 | 14 | >[!Note] 15 | > This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). 16 | -------------------------------------------------------------------------------- /includes/gdpr-stponly.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | services: active-directory 5 | author: eross-msft 6 | 7 | ms.service: active-directory 8 | ms.topic: include 9 | ms.date: 03/04/2021 10 | ms.author: lizross 11 | ms.custom: include file 12 | --- 13 | 14 | >[!Note] 15 | >If you’re looking for general info about GDPR, see the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). 16 | -------------------------------------------------------------------------------- /includes/secure-score-note.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: include file 3 | description: include file 4 | author: batamig 5 | ms.date: 11/20/2023 6 | --- 7 | 8 | > [!NOTE] 9 | > While assessments are updated in near real time, scores and statuses are updated every 24 hours. 
While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**. 10 | > 11 | --------------------------------------------------------------------------------