acrolinx fixes

This commit is contained in:
ShannonLeavitt 2020-11-04 12:02:07 -07:00
parent 8fe576f794
commit 16887b5326
2 changed files with 11 additions and 11 deletions


@ -1,6 +1,6 @@
---
title: How to get a list of XML data name elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -20,15 +20,15 @@ ms.author: dansimp
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:
Run the following command from an elevated PowerShell prompt:
```powershell
$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
```
The .events property is a collection of all of the events listed in the manifest on the local machine.
The `.events` property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
For example:
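Review bot: the fenced sample in this hunk is unchanged context but still reads `$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"` while the later output line uses `$SecEvents.events[100].Template`; PowerShell is case-insensitive so both run, but since this change is already touching the surrounding prose for style, consider normalizing to the documented casing `Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing"` and one spelling of the variable so readers do not see a mismatch when they copy the sample. The new backticked `.events` could likewise be `.Events`, matching the .NET property name and the capitalized `.Template` two lines later.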
@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description.
The &lt;Description&gt; is just the format string (if youre used to Console.Writeline or sprintf statements) and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
The &lt;Description&gt; is just the format string (if youre used to `Console.Writeline` or `sprintf` statements), and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
Using Security event 4734 as an example:
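Review bot: the rewritten line keeps `if youre used to`, which is missing its apostrophe (`if you're used to`), and the method name it now wraps in backticks is mis-cased: the .NET method is `Console.WriteLine`, not `Console.Writeline`. Suggest `(if you're used to `Console.WriteLine` or `sprintf` statements)`.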
@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted.
```
For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
A caveat to this is an oft-overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
A caveat to this principle is an often overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
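Review bot: the parenthetical in the rewritten caveat contradicts the sentence around it: `Most events have one version (all events have Version =0 like the Security/4734 example)` says all events have Version 0, while the next clause says Security/4624 and Security/4688 have at least three versions. Suggest `(these events have Version = 0, like the Security/4734 example)`, with a space after `=`. The closing sentence, `the Event Version where the Template is taken from should use the same Event Version for the Description`, is circular as written; `the Template and the Description must be taken from the same event Version` states the rule directly.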


@ -17,14 +17,14 @@ search.appverid: met150
---
# Troubleshooting malware submission errors caused by administrator block
In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
## Review your settings
Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If theres no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin.Go to the following section for more information.
- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If theres no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin.Go to the following section for more information.
- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).If this is set to **No** you'll need to request an AAD admin enable it.
- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).If this is set to **No** you'll need to request an Azure AD admin enable it.
## Implement Required Enterprise Application permissions
This process requires a global or application admin in the tenant.
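Review bot: the AAD to Azure AD rename is applied consistently, but two typos survive in the changed bullet lines: `If theres no option` is missing its apostrophe, and there is no space after the period in `their Azure AD admin.Go to the following section` and in `in Azure](...).If this is set to **No**`. The wording `users need to request for these permissions to be added to their Azure AD admin` also reads as if the permissions are added to the admin rather than granted by them; suggest `users need to ask their Azure AD admin to add these permissions`, and in the second bullet `you'll need to ask an Azure AD admin to enable it`.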