From 16887b53262ee46cda30b276733a03b66fa32dc7 Mon Sep 17 00:00:00 2001 From: ShannonLeavitt Date: Wed, 4 Nov 2020 12:02:07 -0700 Subject: [PATCH] acrolinx fixes --- .../how-to-list-xml-elements-in-eventdata.md | 16 ++++++++-------- .../portal-submission-troubleshooting.md | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 0762f04322..58bd7574f2 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -1,6 +1,6 @@ --- title: How to get a list of XML data name elements in (Windows 10) -description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . +description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -20,15 +20,15 @@ ms.author: dansimp The Security log uses a manifest where you can get all of the event schema. -Run the following from an elevated PowerShell prompt: +Run the following command from an elevated PowerShell prompt: ```powershell $secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" ``` -The .events property is a collection of all of the events listed in the manifest on the local machine. +The `.events` property is a collection of all of the events listed in the manifest on the local machine. -For each event, there is a .Template property for the XML template used for the event properties (if there are any). +For each event, there is a `.Template` property for the XML template used for the event properties (if there are any). For example: @@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description. -The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>. +The <Description> is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the <Template> is the source of the input parameters for the <Description>. Using Security event 4734 as an example: @@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted. ``` -For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**. +For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**. -For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**. +For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**. -A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. +A caveat to this principle is an often overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index df44f6142a..71d4c9d78c 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -17,14 +17,14 @@ search.appverid: met150 --- # Troubleshooting malware submission errors caused by administrator block -In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. ## Review your settings Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. -- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information. +- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information. -- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. +- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an Azure AD admin enable it.   ## Implement Required Enterprise Application permissions This process requires a global or application admin in the tenant.