Windows Defender Advanced Threat Protection (ATP) is a new service from Microsoft that enables you to monitor, detect, investigate and respond to attacks on your environment. ATP is not replacing your antivirus program; it adds a post-breach layer to the Windows 10 security stack.
Windows Defender ATP uses client-side sensor technology that is built into Windows 10 (Anniversary Edition) together with a cloud service that applies advanced machine learning to the collected telemetry data to help you investigate a breach and offer you response recommendations. As this is still in preview and requires the clients to be running Insider Preview as well, I am only monitoring my own PC at the moment. This means I don't have a lot of data in my portal, but I will give you a short walkthrough anyway.
The ATP dashboard gives you a complete view of the alerts and machines that are at risk within your environment.
As you can see, not a lot is happening, but there are some interesting things to look into. Let's take a look at one of these alerts in more depth.
Opening the alert gives more detail: there is a file on my computer called setup.exe that is a copy of cmd.exe, which might be an attempt to hide the use of that tool for malicious purposes. It also gives you some pointers on how to act on this information.
This picture also shows you clear information about what the risk is and what to do. Mimikatz is a tool that retrieves Windows passwords from the local machine.
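The first alert above is a renamed copy of a built-in tool. A cheap way to triage that pattern on a machine that is not yet onboarded to ATP is to compare each executable's on-disk name with the OriginalFilename stored in its version resource, since a copied cmd.exe keeps that resource. The script below is an added example, not part of the original post or of the ATP onboarding script; the scan root in $Path is an assumed default and should be adjusted for your environment.

```powershell
# Added example (not from the original post or the ATP product):
# list executables whose on-disk name differs from the OriginalFilename
# recorded in their version resource, the pattern behind the
# "setup.exe is a copy of cmd.exe" alert above.
# $Path is an assumed scan root; change it to the directory you want to check.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

Get-ChildItem -Path $Path -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        $original = $vi.OriginalFilename
        # Only compare when the binary actually carries an OriginalFilename;
        # -ne is case-insensitive in PowerShell, so "Cmd.Exe" matches "cmd.exe".
        if ($original -and ($original -ne $_.Name)) {
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $original
                FileDescription  = $vi.FileDescription
                # Hash lets you compare against the known-good copy in System32
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt if you point it at system directories. OriginalFilename is only metadata and can be stripped or edited, so a clean result is not proof of absence; the SHA256 column is there so a mismatch can be confirmed against the hash of the genuine binary in C:\Windows\System32 rather than relying on the name alone.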
The next thing to look at is the Machine view. Here you can see all about what is happening on the machine in question:
You can apply different filters; here I have filtered on detections.
This was just a very short intro to a great new service that is up and coming. For now, in the preview, I basically run a script to enable the client to talk to the correct tenant, but I would expect that this should also be configurable through Microsoft Intune and System Center Configuration Manager. It does not seem to care what kind of domain setup I am running, so expect this to work on all Windows 10 (Ent, Pro, Edu) devices regardless of domain join or Azure AD domain join.