Windows Defender Advanced Threat Protection In Windows 10 and Windows 11
Windows Defender Advanced Threat Protection (ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. This chapter provides information about the service, how to configure it, and then maintain and use it for operations. This introduction will explain the prerequisites to enabling this service and give an overview of the key components. The chapter is split into the following logical sections to provide relevant information:
- Plan: Understand the requirements and plan for the changes required to deploy and adopt this solution within your environment
- Deploy: Configuration details to enable the ATP portal, onboard endpoints, and ensure correct network connectivity
- Detect: Detection and investigation steps that ensure you can quickly identify the scope and targets of advanced attacks and gain forensic evidence
- Protect: Post-breach steps you can take to actively stop an attack and prevent further spread
We will cover the following topics:
- An introduction to the Windows Defender Security Center and Advanced Threat Protection (ATP)
- How to activate the ATP service and configure your endpoints
- What to do when suspicious activity is found, and how to prevent further spread across the enterprise
Prerequisites
Windows Defender ATP requires one of the following Microsoft Volume Licensing solutions:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5, which includes Windows 10 Enterprise E5
When you run the onboarding wizard for the first time, you must choose where your Windows Defender ATP-related information is stored: either in a European or United States data center. You cannot change your data storage location after the first setup.
Windows Defender ATP runs on Windows 10 version 1703 (Creators Update) and later, on the following editions:
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
Each endpoint must have an internet connection and may use up to 5 MB of bandwidth per day to communicate with the Windows Defender ATP cloud service and report sensor data.
Windows Defender signature updates must be configured (even when an alternative, compatible anti-malware product is the primary engine), and the Windows Defender Early Launch Antimalware (ELAM) driver must be enabled.
To administer the service, administrators must be granted one of the following roles in Azure Active Directory (Azure AD):
- Security administrator: This provides full access to log in, view all information, and resolve alerts. This role can submit files for deep analysis and download the onboarding package.
- Security reader: This provides the right to log in and view all information, but cannot change alert status, submit files for deep analysis, or access the onboarding packages.
Windows Defender
Windows Defender is antivirus software built into the Windows OS that protects systems against viruses, malware, spyware, and network threats. It is a Windows service that works alongside other Microsoft security and maintenance services such as Windows Firewall and Microsoft SmartScreen. All of these services are enabled by default and start at system startup. Windows Update keeps Windows Defender and its definitions current when configured to do so, and updating Windows Defender does not require a restart.
Some key features of Windows Defender in Windows 10 include the following:
- Microsoft Active Protection Service (MAPS): This uses the metadata of a file to analyze for potential malware, which if found can result in a new virus signature file being created to protect other devices
- Network Inspection System: This helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols
- Behavioral monitoring: This is used to scan for activities, not just known virus signatures
- Cloud-based protection using machine learning: Cloud-hosted classifiers assess file metadata in near real time, and suspicious samples that are submitted can be run in a detonation chamber to determine whether they are malicious
- Customization: This can exclude files, directories, or processes (useful for the developer's computers and servers)
- Multiple scan options: These include on-access, quick, scheduled, on-demand, and full scan
- Bi-directional active scanning: This is used for high-volume activities, such as on servers
- Potentially Unwanted Application (PUA): This is a way of looking for and blocking applications and services that should not be running on your computers due to misconfiguration, poor quality software, and being at risk of causing performance and/or security issues
Windows Defender ATP can work alongside third-party security solutions and anti-malware. If you install a third-party security tool, Windows turns off the corresponding built-in service. For instance, Windows disables Windows Defender's real-time protection automatically when you install a third-party antivirus, and its settings remain inactive until you uninstall the third-party antivirus.
Windows Defender Security Center
The Windows Defender Security Center was introduced in Windows 10, version 1703. This app provides a central place to review and configure settings for the following security features:
- Virus, malware, and threat protection using Windows Defender Antivirus:
- It provides real-time protection against known viruses and malware
- It includes cloud-based protection, providing faster detection when used in conjunction with automatic sample submission.
- Automatic sample submission enables Windows to send sample files to Microsoft to help protect you and others from potential threats. The user is prompted if the file to be submitted is likely to contain personal information. There is also an option to manually submit a suspicious file for investigation.
- Exclusions can be defined for specific files, directories, or processes.
- Notifications carry critical information about the health and security of your device. Non-critical notifications are also available, covering recent activity, scan results, and Windows Firewall notifications (for any apps blocked on private or public networks).
- Device performance and health, which includes information about drivers, storage space, and general Windows Update issues
- Firewall and network protection
- App and browser settings:
- Windows Defender SmartScreen checks apps and files that are unrecognized
- SmartScreen for Microsoft Edge protects from malicious sites and downloads
- SmartScreen for Windows Store apps checks the web content used by these apps
- Family options are available that enable parental controls and view family devices
These options are fully configurable using Group Policy, and virus definition updates are made via the Windows Update mechanism to ensure they are always up to date.
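The settings listed above (MAPS, automatic sample submission, PUA blocking, exclusions) can also be applied and verified from PowerShell, which is how you would enforce a consistent baseline on a pilot group before the Group Policy settings are finalized. The following is an added example, not code from the book or from Microsoft; it uses the Defender PowerShell module that ships in Windows 10, and the exclusion paths are placeholders for a hypothetical build server.

```powershell
# Added example (not from the book): apply and verify a baseline Windows Defender
# Antivirus configuration with the Defender module that ships in Windows 10, run from
# an elevated session. The exclusion paths are placeholders for a build server.
#Requires -RunAsAdministrator

$baseline = @{
    MAPSReporting             = 'Advanced'         # join MAPS so cloud-based protection can query file metadata
    SubmitSamplesConsent      = 'SendSafeSamples'  # automatic sample submission; the user is prompted for files that may hold personal data
    PUAProtection             = 'Enabled'          # block Potentially Unwanted Applications
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false             # keep scanning downloads and attachments
}
Set-MpPreference @baseline

# Exclusions: use Add-MpPreference so existing entries are kept (Set-MpPreference replaces
# the list). Keep them minimal; an excluded directory is an unscanned place to drop tools.
Add-MpPreference -ExclusionPath 'D:\BuildAgent\_work'                    # placeholder
Add-MpPreference -ExclusionProcess 'C:\Program Files\Git\bin\git.exe'    # placeholder

# Verify the effective state rather than trusting that the calls succeeded.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitoring = $status.BehaviorMonitorEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
    MAPSReporting      = $prefs.MAPSReporting         # 2 = Advanced
    SampleSubmission   = $prefs.SubmitSamplesConsent  # 1 = SendSafeSamples
    PUAProtection      = $prefs.PUAProtection         # 1 = Enabled
    ExclusionPaths     = ($prefs.ExclusionPath -join '; ')
} | Format-List

if ($status.AntivirusSignatureAge -gt 3) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) days old; run Update-MpSignature or check Windows Update."
}
```

Run it once on a reference machine, then compare the Get-MpPreference output against the same machine after the Group Policy settings apply; any difference is a policy that did not take, or a local override that policy will need to win over.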
Windows Defender ATP
Windows Defender ATP is a cloud based subscription service that provides advanced protection by analyzing events that occur across multiple endpoints to detect anomalies and known attack vectors. The solution is made up of the following main components:
- Endpoints: These collect and process behavioral signals from sensors built into the operating system (for example, kernel, memory, registry, file, and network communications) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP. They currently work with Windows 10, and support for Windows Server is coming soon.
- Cloud security analytics: This enables us to leverage big data, machine learning, and unique Microsoft views across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool (MSRT)), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation); behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: This is generated by Microsoft hunters and global security teams, and augmented by threat intelligence provided by multiple partners. Threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures and generate alerts when these are observed in collected sensor data.
- ATP portal: This is a single cloud-based console that provides precise, actionable alerts for security operations, tools for threat and incident investigations, and post-breach response actions across your organization.
Windows Defender ATP works with existing Windows security technologies on endpoints, such as Windows Defender, AppLocker, and Device Guard. It can also work side by side with third-party security solutions and anti-malware products.
The solution leverages Microsoft technology and expertise to detect sophisticated cyber attacks. A unique threat intelligence knowledge base provides actor details and intent context for every threat-intelligence-based detection, combining first- and third-party intelligence sources. Behavior-based advanced attack detection finds the attacks and correlates alerts for known and unknown adversaries trying to hide their activities on endpoints. You can investigate the scope of a breach or suspected behaviors on any machine through a rich machine timeline, and gain additional insight through deep collection and analysis (detonation) of any files or URLs.
Plan - environment analysis
This section provides a list of the key considerations and recommendations when deploying the Windows Defender ATP service.
Client types:
- Endpoints should be running Windows 10 version 1703 (Creators Update)
- Confirm that the standard build is configured appropriately to ensure the service can run without impacting the performance of the device
- Run a test to ensure all sensor information is collected correctly
- Sufficient licenses should be owned and assigned to users and devices
- Internet connectivity should be enabled to ensure communication between endpoints and the ATP service, and sufficient bandwidth available for the number of clients that will be reporting daily
- Consider which clients are at high risk and may require a higher reporting frequency
- Also mark which clients should be excluded from submitting samples for deep inspection
Choice of anti-malware:
- The solution works with compatible third-party antivirus and security solutions, but file response actions (stop and quarantine, block file) are then not available; only alerting and investigation
- Using Windows Defender Antivirus (AV) enables the block file action across the organization, as well as any other response actions developed in future
Locations:
- Data will be stored in US or EU data centers only. Consider which is most appropriate for your organization. This option cannot be changed once the tenant is deployed.
- Consider if the security of all endpoints will be managed by the same team. With a global deployment, there may be multiple teams that require access to the ATP portal to view alerts and carry out investigations. Does this require separate tenants, or can all devices report to a single tenant?
Managing clients and alerts:
- Decide which options will be used to manage the endpoints: GPO, System Center Configuration Manager (SCCM), or Mobile device management (MDM).
- Consider using the manual script for configuring individual endpoints during proof of concept, first pilot, and some BYOD deployments.
- Decide who will administer the portal for configuration and for monitoring alerts. Configuration requires the security admin role. Monitoring alerts only requires the security reader role.
- Develop a procedure to ensure that alerts are monitored, assigned, investigated, and resolved appropriately.
Deploy - service activation
This section will explain the steps required to enable and fully deploy this solution to protect users and devices across your organization. The following activities will be explained:
- Sign up and activate the Windows Defender ATP service
- Onboard endpoints
- Configure sensor data
- Other configurations
Sign up and activate Windows Defender ATP
The service is dependent on your Azure tenant being activated and configured. You will then need to ensure the appropriate licenses have been acquired and associated with your subscription.
Administrator permissions: The administrator needs the security administrator role to enable the service, run through the initial configuration wizard, and carry out ongoing support and maintenance. Global administrator rights also work, but are not necessary and grant excessive permissions.
First-run wizard: Once the licenses have been assigned, go to https://securitycenter.windows.com and sign in with an account that has either global administrator or security administrator rights to your tenant. A wizard will then guide you through the following steps (a 10-20-minute procedure):
1. You will first see a welcome page, providing links to relevant articles and information, should you require it.
2. The next step is to select the data storage location. There are currently only two options: either US or Europe. The page provides links to the data storage and privacy section of the Windows Defender ATP guide.
3. Then select the following preferences:
- Data retention period: Choose from 30 to 180 days
- Select organization size: Choose based on the number of endpoints to be monitored
- Select your industry: This is a multi-choice option to ensure the service can be configured to search for industry-specific attacks
- Preview experience: Choose whether to enable or disable the preview features
At this point, your choices are finalized and the cloud instance is created, which may take a few minutes to complete before you can continue:
- Once the configuration is complete, you are offered a list of endpoint onboarding packages to download. These are specific to your tenant and establish the secure channel and registration between each device and the cloud service (further details follow shortly).
- The final step closes the wizard and takes you to the Windows Defender ATP portal, where you can watch endpoints appear as they register.
Portal configuration
When you first log in to the ATP portal, you can configure some settings that are specific to your use of the portal:
- Time zone settings: Time is central to the assessment and analysis of perceived and actual cyber attacks, so make sure the portal reflects the correct time zone. Your current time zone setting is shown in the Windows Defender ATP menu, and you can change the displayed time zone in the Settings menu.
- Suppression rules: The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. Suppressing alerts can be configured based on a specific machine or for the whole organization.
- License: By clicking on the license link in the Settings menu, you can view the license agreement information for Windows Defender ATP.
Check service health
This section allows you to view the current service health. If there are any issues, you will see details related to the issue and when it was detected.
Check sensor status
Endpoints register with the ATP service and provide regular sensor data. If there are communication errors or the client is offline for a long period of time, this report helps identify problematic machines and helps resolve known issues. The two main reasons for not reporting correctly are as follows:
- Inactive: When an endpoint stops reporting to the ATP service for more than seven days. You will need to confirm these endpoints are still active in your environment and remedy any service issues impacting the client's ability to report.
- Misconfigured: When an endpoint is reporting to the ATP service but errors are detected, they show up as misconfigured, due to one of the following issues:
- No sensor data: No sensor data is being sent, so limited alerts can be triggered from the machine
- Impaired communication: The following abilities may be impaired: sending files for deep analysis, blocking files, and isolating machines from the network
Enable SIEM integration
If your organization has deployed a Security Information and Event Management (SIEM) system, you can pull alerts from the Windows Defender ATP portal using the SIEM connector. Connectors are available for multiple vendors, including Splunk and ArcSight. A generic API is available for others.
Onboard endpoints
This is achieved by deploying a configuration package to each endpoint. Currently, this works for Windows 10, version 1703 (Creators Update). Windows Server 2016 and Windows Server 2012 R2 will be supported in the future.
There are several methods and deployment tools that can be used to deploy the configuration package to each endpoint, depending on what works best for your organization size and complexity:
- If your endpoints are joined to an AD domain, you can use Group Policy to deploy the script
- If you have deployed SCCM, this can be used to deploy it to each managed device
- Devices managed by MDM, such as Microsoft Intune
- A script can be run manually on each individual machine regardless of how it is managed, as long as it has internet connectivity to the ATP service
The configuration package is unique to your tenant, and is available for download from the Windows Defender ATP portal: https://securitycenter.windows.com:
1. Go to the Navigation pane and click on Endpoint management.
2. Select the appropriate options, such as Group Policy.
3. Click on Download package and save the .zip file.
Each package provides a different script, and additional files where required:
- Local script: A single Windows command script is provided.
- Group Policy: A Windows command script is provided as well as an .admx and .adml file for the Group Policy Management Console (GPMC).
- MDM: This provides a single onboarding file that can be deployed to targeted machines.
- SCCM: There are two options; we recommend upgrading to Current Branch version 1606 or later, which provides a single onboarding file that can be deployed to targeted machines.
Once the endpoint has received the configuration package, it will attempt to communicate with the ATP service. To do this, the endpoint needs to be on a network that allows outbound HTTPS (TCP 443) to several Microsoft service URLs. In complex and highly secure networks, this may require changes to firewall rules and to the WinHTTP proxy settings used by system services, because the sensor runs as a service rather than in the user's context and does not see the user's browser proxy.
Configure sensor data
Currently, two settings can be configured for each endpoint: the sensor reporting frequency (latency mode) and whether sample collection is allowed.
For example, to configure clients using Group Policy:
1. Download the configuration package for Group Policy.
2. Extract the contents of the .zip file.
3. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.
4. Copy the ADML file to the %systemroot%\PolicyDefinitions\en-US folder.
5. Launch the Group Policy Management Console (GPMC) and create a new Group Policy Object linked to the OU that contains your Windows 10 clients.
You now need to configure the following policies:
- To ensure each endpoint registers with the ATP service, go to Computer Configuration | Preferences | Control Panel Settings, and create a new scheduled task to run the Windows Defender ATP onboarding script.
- To configure the latency mode and sample collection settings, go to Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Defender ATP.
- Client latency mode changes the reporting frequency; for high-value assets or machines at high risk, you can increase the frequency to expedite mode. Enabling this feature may have a performance impact on the client and increase network traffic, so it is recommended you test this on a few endpoints and monitor the impact before deploying widely.
- Change the sample collection settings to enable or prevent samples being collected from the endpoint when a request is made through the Windows Defender ATP portal for deep analysis.
Additional configuration
There are some additional configurations to be aware of that may prevent the service running correctly.
Telemetry and diagnostics settings: Before you onboard endpoints, ensure that the diagnostic data service, Connected User Experiences and Telemetry (service name DiagTrack), is enabled and set to start automatically on every endpoint in your organization. The Windows Defender ATP sensor sends its data through this service, so a hardened build that disables it will appear to onboard but never report. The service is enabled by default, but check it rather than assume it.
Windows Defender signature updates are configured: The Windows Defender ATP agent depends on Windows Defender's ability to scan files and provide information about them, so signature updates must be configured even when Windows Defender is not the active anti-malware product in your organization:
- When Windows Defender is not the active anti-malware product and the endpoint is onboarded to Windows Defender ATP, Windows Defender goes into passive mode: it keeps updating and can still inspect files for the sensor, but it does not provide real-time protection.
- The Windows Defender Early Launch Antimalware (ELAM) driver must be enabled.
- If Windows Defender is the primary anti-malware product on your endpoints, the Windows Defender ATP agent will onboard successfully without further changes.
- If you run a third-party anti-malware client and onboard through an MDM solution or SCCM (Current Branch) version 1606, you must ensure that the Windows Defender ELAM driver is enabled.
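The Group Policy steps, the sensor settings and the prerequisites above can be combined into a single scripted pass for a pilot machine or one that is not domain-joined. The following is an added example written for this chapter, not a script from the book or from Microsoft. It assumes the Local Script onboarding package from the portal has been extracted to a folder of your choosing (placeholder C:\WDATP), that the script inside it carries the name it had at the time of writing (verify against your download), and that the two gateway hostnames used for the connectivity test are still current for your region (they are an assumption taken from the connectivity guidance of the period; replace them with the list for your data-center region). The Sense service name, the DiagTrack service, the WdBoot ELAM driver and the registry keys are the ones the onboarding package itself uses.

```powershell
# Added example (not from the book): preflight, onboard and verify one endpoint from an
# elevated PowerShell session, the scripted counterpart of the Group Policy steps above.
# Assumes the Local Script package was extracted to $PackageDir; the script name below is
# the one shipped in that package at the time of writing, so verify it against your download.
#Requires -RunAsAdministrator
param(
    [string]$PackageDir = 'C:\WDATP',                   # placeholder
    [ValidateSet(0, 1)][int]$AllowSampleCollection = 1  # 1 = allow deep-analysis sample requests from the portal
)
$findings = [System.Collections.Generic.List[string]]::new()

# --- Preflight -------------------------------------------------------------------------
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
if ([int]$release -lt 1607) { $findings.Add("Windows 10 release $release is too old for the sensor") }

# The sensor sends its data through the diagnostic data service (DiagTrack).
$diag = Get-Service -Name DiagTrack
if ($diag.StartType -ne 'Automatic' -or $diag.Status -ne 'Running') {
    $findings.Add("DiagTrack was $($diag.StartType)/$($diag.Status); set to Automatic and started")
    Set-Service -Name DiagTrack -StartupType Automatic
    Start-Service -Name DiagTrack
}

# WdBoot is the Windows Defender ELAM driver; boot-start drivers are not listed by Get-Service.
$elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'"
if (-not $elam -or $elam.StartMode -ne 'Boot') { $findings.Add('WdBoot ELAM driver is missing or not boot-start') }

# Signatures must be current even when a third-party product is the primary engine.
$mp = Get-MpComputerStatus
if ($mp.AntivirusSignatureAge -gt 7) { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }
if (-not $mp.AntivirusEnabled) {
    $findings.Add('Windows Defender is not the active AV; it will run in passive mode and stop/quarantine/block actions will be unavailable')
}

# The Sense service runs as SYSTEM and honours the WinHTTP proxy, not the user's browser proxy,
# so show that setting; a test from a user session is indicative only.
netsh winhttp show proxy | Out-Host
# Assumed gateway hosts (see lead-in). Any HTTP response, even 403/404, proves the TLS path is open;
# only a failure with no response at all means the firewall or proxy is blocking the service.
foreach ($url in 'https://winatp-gw-cus.microsoft.com', 'https://winatp-gw-eus.microsoft.com') {
    try   { Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 | Out-Null }
    catch { if (-not $_.Exception.Response) { $findings.Add("No HTTPS path to $url : $($_.Exception.Message)") } }
}
$findings | ForEach-Object { Write-Warning $_ }

# --- Onboard ---------------------------------------------------------------------------
$onboardingScript = Join-Path $PackageDir 'WindowsDefenderATPOnboardingScript.cmd'
if (-not (Test-Path $onboardingScript)) { throw "Onboarding script not found: $onboardingScript" }

# Same effect as the scheduled-task preference created through Group Policy: run the
# onboarding script as SYSTEM at startup. Start it now rather than waiting for a reboot.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$onboardingScript`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'WDATP Onboarding' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName 'WDATP Onboarding'

# Sample collection policy: the same DWORD the ADMX template writes.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'AllowSampleCollection' -Value $AllowSampleCollection -Type DWord

# --- Verify ----------------------------------------------------------------------------
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$deadline  = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
} until (($sense.Status -eq 'Running' -and $state -eq 1) -or (Get-Date) -gt $deadline)

[pscustomobject]@{
    SenseService    = $sense.Status
    OnboardingState = $state   # 1 = onboarded; 0 or missing = not onboarded
    DiagTrack       = (Get-Service -Name DiagTrack).Status
} | Format-List
if ($state -ne 1) {
    Write-Warning 'Endpoint has not reported as onboarded; check the proxy and the Microsoft-Windows-SENSE/Operational event log.'
}
```

The preflight half is worth running on its own against the standard build before any package is downloaded: the DiagTrack and ELAM checks are exactly the two conditions that leave a machine sitting in the Misconfigured state in the sensor health report, and catching them on a reference image is cheaper than chasing them across the fleet.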
Detect - using the ATP portal
The first thing you will see when you log in to the ATP portal is the Dashboard view.
Dashboard navigation overview:
- Left-side navigation pane (1)
- Main portal window for displaying dashboard tiles and details (2)
- Search, Feedback, Settings, and Help and Support (3)
The Dashboard displays a snapshot of the following components:
- The latest active alerts on your network, with the most important highlighted at the top
- Daily machines reporting to show how many machines are actively reporting each day
- Machines at risk will show those endpoints with the highest risks
- The users at risk report provides quick identification of those users
- Machines with active malware alerts
- Sensor and service health
Alerts queue
From the navigation pane, select Alerts queue. This view will show a list of alerts that were flagged from endpoints in your network. You can sort and filter the alerts by clicking on the column header. Select an alert to see further details, and change the status from New to In Progress or Resolved. You can also specify a classification for the alert and assign it to yourself if it is not yet assigned. To manage multiple alerts, use Ctrl or Shift to select more than one, then apply the same action to each alert. Alerts are managed in several queues, depending on their current status:
- New
- In Progress
- Resolved
- Assigned to me
Machine list
From the navigation pane, select Machine list.
This view will show you all the endpoints that have registered with the ATP service. The columns can be sorted to provide quick insights, or you can export them to a CSV file. The columns available include:
- Machine name
- Domain
- OS Platform
- Health State
- Last seen
- Internal IP
- Active Alerts
- Active malware detections
You can also filter the view results based on the following options:
Time: Choose a range between 1 day and 6 months
OS Platform: Include or exclude specific operating systems
Health: Include or exclude specific health states to show only active, inactive, or misconfigured endpoints
Malware category alerts: Choose to include or exclude the following malware types:
- Ransomware
- Credential theft
- Exploit
- Backdoor
- General
- PUA
Preferences setup
From the navigation pane, select Preferences setup.
General: Some of the settings that were configured during the initial setup wizard can be modified here, including the data retention policy and industry selections. The data storage location and organization size cannot be modified.
Advanced features: This section provides features that require integration with other technologies:
- Block file: If Windows Defender is the active anti malware solution, and cloud based protection is enabled, then you can use the block file feature to block potentially malicious files in your network. This will prevent the file from being read, written, or executed on all machines registered with ATP (in your organization).
- Office 365 Threat Intelligence connection: If you have an active Office 365 E5 subscription (or the Threat Intelligence add-on) you can connect the Windows Defender ATP to the Office 365 ATP. This will enable security investigations to span across the two platforms.
Endpoint management
From the navigation pane, select Endpoint management. This section allows you to download the relevant configuration files, depending on your deployment and management requirements.
Protect - post-breach response
This section covers the types of threats that are addressed by Windows Defender ATP, such as ransomware and credential theft, and the responses you can take when a suspect machine, file, or process is found, to ensure you collect the relevant information for a thorough investigation and cleanup.
Types of threats
The Windows Defender ATP service can detect a wide range of threats. Each one is discussed in the following sections, and more may be added in future as the threat landscape changes. Use this information to gain awareness of the various types of threats, and keep up to date with changes by reviewing the Microsoft Security Intelligence Report.
Ransomware
Ransomware encrypts a victim's files with keys known only to the attackers, so the victim is unable to access the contents of the encrypted files. Most ransomware displays or drops a ransom note, an image or HTML file that explains how to buy the attacker-supplied decryption tool. Paying does not guarantee the files will be decrypted, yet several companies have paid, which only funds further attacks against other organizations. A better response is to maintain tested backups, restore the affected files from them, and then close the entry point so the attack cannot recur.
Credential theft
Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers. These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyber attacks to establish control and steal information.
Microsoft also has cyber-intelligence that allows it to check for stolen credentials (from mass databases of information obtained in previous breaches); if any are detected in use against your tenant (via Azure AD), it can alert and take immediate action to protect the identity by enforcing additional authentication checks (see Azure AD Identity Protection for details).
Exploits
Exploits take advantage of vulnerabilities in operating system components and applications. They allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks. The best defense against these attacks is to fully patch firmware, operating systems, and software as soon as updates are available.
Backdoors
Backdoors are malicious remote-access tools that allow attackers to access and control infected machines, and can also be used to exfiltrate data. Their usefulness can be limited by refreshing credentials regularly (all passwords, including local accounts, service accounts, and built-in credentials), and they can be found by monitoring for the anomalous behaviors that indicate potential malicious activity.
General malware
Malware is a malicious program that performs unwanted actions, including actions that disrupt, cause direct damage, or facilitate intrusion and data theft. Some malware replicates and spreads from one machine to another; other malware receives commands from remote attackers and performs activities associated with cyber attacks. Antivirus software detects known malware signatures, but malware changes frequently (hundreds to thousands of new variants every day). Removing local administrative rights from all standard users is the most effective way to limit this type of attack, and technologies such as AppLocker can prevent unauthorized processes from running.
Potentially Unwanted Application
PUA is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behavior often negatively impacts the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
Take responsive actions
Once a breach has been confirmed, you need to be able to take quick and appropriate action to prevent further spread and potential damage. The following response actions are available:
- Isolate machines or collect an investigation package
- Upload files for deep analysis
- Stop and quarantine files or block a file from your network
- Pivot into Office 365 to investigate, preventing further spread
Taking responsive actions on a machine
Once a threat has been identified, there are actions that can be taken on the machine that is suspected of containing the malware or other evidence of activities. Use the following guidance to collect data that can be used as forensic evidence, known as an investigation package, and if necessary, isolate the machine to prevent further risks and give time to carry out a thorough investigation and cleanup.
Collecting an investigation package
Once you have identified suspicious activity on a machine, you can collect an investigation package to identify the current state and further understand the tools and techniques used by the attacker. This information is useful to gather prior to isolation and rebuilding of the computer as part of your recovery process; otherwise, the information is lost and you may never discover how the attack occurred.
To initiate a collection, find the machine in the ATP portal, open the Actions menu, select Collect investigation package, and enter a reason when prompted.
It is recommended that you collect a package from a sample of healthy endpoints, to confirm they are configured correctly and that you will get all of this information should an attack occur.
The package may take several minutes to upload from the endpoint to the portal, after which it is available in the Action center, where you can download it and carry out your investigation.
While testing, the ZIP file was 3.3 MB; your results may vary depending on the level of activity on your clients.
The package contains the following information:
- Autorun process report
- List of installed programs (.csv file)
- Network connections (multiple .txt files)
- Prefetch files (multiple files; these will require a special reader to view)
- Processes (.csv file)
- Scheduled tasks (.csv file)
- Security event log (ensure this is sized correctly to prevent loss of data)
- Services (.txt file)
- Windows SMB sessions (.txt file)
- Temp directories (one .txt file per user)
- Users and groups (.txt file)
- CollectionSummaryReport.xls: A summary of the investigation package collection to ensure you captured all the information
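A package collected during an incident is far more useful when there is a known-good snapshot of the same build to diff it against. The following is an added example, not code from the book or part of the investigation package, that captures a local baseline in the same categories the package contains (processes, network connections, autoruns, installed programs, services, SMB sessions, users and groups, prefetch listing, Security log state). The output folder and file names are this script's own choices, not the package's, and the Security log threshold is a suggested value, not a Microsoft requirement.

```powershell
# Added example (not from the book): capture a local baseline in the same categories the
# investigation package contains, so a known-good snapshot of each build exists to diff
# against a package collected during an incident. Run elevated. $OutDir is a placeholder.
#Requires -RunAsAdministrator
param([string]$OutDir = "C:\Baseline\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmm')")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Out-Csv($Data, $Name) { $Data | Export-Csv -Path (Join-Path $OutDir $Name) -NoTypeInformation -Encoding UTF8 }

# Processes with parent and full path: binaries running from user-writable paths stand out in a diff.
Out-Csv (Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine) 'processes.csv'

# Network connections joined to the owning process name.
$procNames = @{}; Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }
Out-Csv (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
    OwningProcess, @{ n = 'Process'; e = { $procNames[[int]$_.OwningProcess] } }) 'netconnections.csv'

# Autostarts: Run/RunOnce keys and enabled scheduled tasks with their actions.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty $_ } |
    Out-File (Join-Path $OutDir 'autoruns.txt')
Out-Csv (Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskPath, TaskName,
    @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } }) 'scheduledtasks.csv'

# Installed programs from the Uninstall keys (Win32_Product is slow and can trigger MSI repairs).
Out-Csv (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate) 'programs.csv'

# Services (with the account they run as), SMB sessions, local users and administrators, prefetch listing.
Out-Csv (Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName) 'services.csv'
Get-SmbSession -ErrorAction SilentlyContinue | Format-List | Out-File (Join-Path $OutDir 'smbsessions.txt')
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Out-File (Join-Path $OutDir 'users.txt')
Get-LocalGroupMember -Group 'Administrators' | Out-File (Join-Path $OutDir 'users.txt') -Append
Out-Csv (Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length) 'prefetch.csv'

# Security event log sizing: the package includes this log, and a default-sized log on a busy
# machine wraps within hours, silently dropping the history you will want during an incident.
$sec = Get-WinEvent -ListLog Security
$sec | Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode, OldestRecordNumber |
    Out-File (Join-Path $OutDir 'securitylog-info.txt')
if ($sec.MaximumSizeInBytes -lt 256MB) {
    Write-Warning "Security log is only $([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB; raise it, for example: wevtutil sl Security /ms:1073741824"
}
Write-Output "Baseline written to $OutDir"
```

Store the output with the image version it was taken from; when a package arrives from a suspect machine, Compare-Object between the baseline CSVs and the package's equivalents narrows the review to what actually changed.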
Isolate a machine
When an attack is serious enough, you may want to isolate the whole machine while you carry out further investigation and cleanup activities. In the ATP portal, identify the machine you want to isolate, open the Actions menu, and select Isolate machine. The user is shown a message warning them of this activity and prompting them to contact the service desk.
Isolation cuts the machine's network connections except for the channel to the Windows Defender ATP service, so as long as the device keeps that internet connectivity you retain remote control and can release it from isolation from the same Actions menu. This is a very powerful way of centrally containing a device without permanently losing business productivity if the alert turns out to be a false positive.
Take responsive actions on a file or process
Suspicious files and processes can be specifically investigated. Use the following guidance to carry out deep analysis to fully identify the potential threats and take appropriate response, such as blocking the file being accessed.
Request deep analysis
Deep analysis requests are made from the ATP portal. During your investigation, when you find a suspicious file, you can view its details and instantly see whether it has already been detected.
This report also shows how many other machines in your environment have detected the file. If you believe it is suspicious, you can select the deep analysis request to submit it to Microsoft for investigation. If a problem is found, you will be notified of the results.
Stop and quarantine file
From the same view, if the Actions button is activated (shows as blue) you can contain an attack by selecting the Stop & Quarantine File action:
The user will be prompted about the file being quarantined.
Block file
If you identify a file that you want to prevent from being used anywhere, select Block file instead. This action quarantines the file not only on this machine, but on all endpoints registered with the ATP service. Because of the potential widespread impact across your environment, the ability must first be enabled under Preferences setup, in Advanced features, and it requires Windows Defender to be the active anti-malware with cloud-based protection enabled.
This works for any file type, including executables, so it can also be used to stop unwanted applications from running.
Pivot into Office 365
From the Windows Defender ATP portal, if you investigate an attack and find the suspicious file originated from an email or is discovered in other mailboxes, you can select to launch the Office 365 ATP portal: https://protection.office.com/#/threatexplorer.
The Windows Defender ATP portal provides the specific information required to search for and filter the file across all mailboxes.
The administrator can then create an incident within Office 365 and attach the affected emails.
Summary
In this chapter, we covered the advanced capabilities that are available when Windows 10 Enterprise is integrated with the Windows Defender ATP service. We now have the ability to gain instant visibility into critical actions on every Windows 10 client that we manage, regardless of where it is in the world. Being able to draw upon the knowledge of global hunter teams and cyber security experts, we can quickly detect, investigate, and respond to advanced threats that standalone software cannot defend against.
This technology is constantly evolving to bring new techniques and process directly to you. Deploy it in your environment, get comfortable with the current controls and capabilities, and stay informed of the changes to ensure you know how to defend and recover from a breach.