ATPDocs/dashboard.md
1 addition & 1 deletion
@@ -45,7 +45,7 @@ Select links in the cards to just to more details, such as documentation, relate
45
45
|**Identities overview (shield widget)**|Provides a quick overview of the number of users in hybrid, cloud, and on-premises environments (AD and Microsoft Entra ID). This feature includes direct links to the Advanced Hunting platform, offering detailed user information at your fingertips.|
46
46
|**Top insights** /<br>**Users identified in a risky lateral movement path**| Indicates any sensitive accounts with risky lateral movement paths, which are windows of opportunity for attackers and can expose risks. <br><br>We recommend that you take action on any sensitive accounts found with risky lateral movement paths to minimize your risk. <br><br>For more information, see [Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity](understand-lateral-movement-paths.md).|
47
47
|**Top insights** /<br>**Dormant Active Directory users who should be removed from sensitive groups**| Lists accounts that have been left unused for at least 180 days. <br><br>An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups, therefore we recommend removing those users from sensitive groups. <br><br>For more information, see [Security assessment: Riskiest lateral movement paths (LMP)](security-assessment-riskiest-lmp.md).|
48
-
|**ITDR deployment health**| Lists any sensor deployment progress, any health alerts, and license availability. |
48
+
|**ITDR deployment health**| Lists any sensor deployment progress, any health alerts, and license availability derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage.|
49
49
|**Identity posture (Secure score)**| The score shown represents your organization's security posture with a focus on the *identity* score, reflecting the collective security state of your identities. The score is automatically updated in real-time to reflect the data shown in graphs and recommended actions. <br><br>Microsoft Secure Score updates daily with system data with new points for each recommended action take.<br><br> For more information, see [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score). |
50
50
|**Highly privileged entities**| Lists a summary of the sensitive accounts in your organization, including Entra ID security administrators and Global admin users. |
51
51
|**Identity related incidents**| Lists alerts from both Defender for Identity and [Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview-identity-protection), and any corresponding, relevant incidents from the last 30 days. |
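Review bot: In the new **ITDR deployment health** row, the clause "derived from Defender for Identity data and Device Inventory, which relies on Defender for Endpoint coverage" is ambiguous. It is not clear whether it qualifies only license availability or also sensor deployment progress and health alerts, and "which relies on" can be read as attaching to Device Inventory alone or to both sources. Split it into a second sentence that names which of the three items come from which source, and say what the card shows for a tenant without Defender for Endpoint coverage, since the added text implies the data can be incomplete in that case.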
defender-endpoint/attack-surface-reduction-rules-reference.md
9 additions & 9 deletions
@@ -5,17 +5,17 @@ ms.service: defender-endpoint
5
5
ms.subservice: asr
6
6
ms.localizationpriority: medium
7
7
audience: ITPro
8
-
author: emmwalshh
9
-
ms.author: ewalsh
8
+
author: paulinbar
9
+
ms.author: painbar
10
10
ms.reviewer: sugamar, yongrhee
11
-
manager: deniseb
11
+
manager: bagol
12
12
ms.custom: asr
13
13
ms.topic: reference
14
14
ms.collection:
15
15
- m365-security
16
16
- tier2
17
17
- mde-asr
18
-
ms.date: 06/10/2025
18
+
ms.date: 08/28/2025
19
19
search.appverid: met150
20
20
---
21
21
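Review bot: The front-matter change to `author`, `ms.author` and `manager` is an ownership reassignment that is unrelated to the table edits later in this file and to the dashboard.md change, yet all three land in one commit. Consider putting the metadata update in its own commit so the rule-table change can be reviewed and, if needed, reverted on its own. `ms.reviewer: sugamar, yongrhee` is left as is; confirm those reviewers are still correct under the new owner, and that the `ms.date` bump to 08/28/2025 reflects a content review of the whole page rather than only the rows touched below.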
@@ -190,21 +190,21 @@ For rules with the "Rule State" specified:
190
190
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)| Block | Y | Y |
191
191
|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|| N | Y |
192
192
|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|| N | N |
193
-
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|| Y | Y |
193
+
|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode)|
194
194
|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|| N | Y |
195
-
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|Audit or Block | Y (in block mode) <br/>N (in audit mode)| Y (in block mode) |
195
+
|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|| Y | Y (in block mode) |
196
196
|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)| Block | Y | Y |
197
197
|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|| N | Y |
198
198
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|| N | Y |
199
199
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|| N | Y |
200
-
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)|Audit or Block | Y (in block mode) <br/> N (in audit mode)| Y (in block mode) |
200
+
|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)|| Y | Y (in block mode) |
201
201
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|| N | Y |
202
202
|[Block rebooting machine in Safe Mode](#block-rebooting-machine-in-safe-mode)|| N | N |
203
-
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|Audit or Block | Y (in block mode) <br/> N (in audit mode) | Y (in block mode) |
203
+
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|| Y| Y (in block mode) |
204
204
|[Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools)|| N | N |
205
205
|[Block Webshell creation for Servers](#block-webshell-creation-for-servers)|| N | N |
206
206
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|| N | Y |
207
-
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|Audit or Block | Y (in block mode) <br/> N (in audit mode)| Y (in block mode) |
207
+
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|| Y | Y (in block mode) |
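Review bot: The four rows that lose "Audit or Block" (obfuscated scripts, WMI event subscription, untrusted and unsigned processes from USB, advanced protection against ransomware) end up internally inconsistent: the rule-state cell is now empty and the third column is a plain "Y", but the last column still reads "Y (in block mode)". Either the mode qualifier belongs in both columns or in neither. The change also looks like the old values were moved from those four rows onto the email client and webmail row, so check each of the five rows against its per-rule section to confirm this is not an inversion. Because the hunk header shows the table is introduced by 'For rules with the "Rule State" specified:', emptying that cell changes which rows the preceding text applies to. Minor: the new email row ends with "Y (in block mode)|" and the USB row has "Y|" without the spacing used by the other rows.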