deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'atp-ip' of https://cpubwin.visualstudio.com/_git/it-client into atp-ip

Browse Source
This commit is contained in:
Joey Caparas
2018-11-29 11:54:00 -08:00
parent 5a6b802ab0 84c8ff2449
commit 169fa0ebeb
134 changed files with 2465 additions and 1789 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -19,7 +19,7 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>
[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)<br>
[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)<br>
[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)<br>
[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)<br>
[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)<br>
[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)<br>
@ -38,7 +38,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Azure AD join authentication to Active Directory using a Key
![Azure AD join authentication to Active Direotory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
| Phase | Description |

6
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
### Section Review ###
@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Minimum Windows Server 2012 Certificate Authority.
> * Enterprise Certificate Authority.
> * Functioning public key infrastructure.
> * Root certifcate authority certificate (Azure AD Joined devices).
> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory ##
@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
> * Configure Azure Multufactor Authentiation features and settings.
> * Configure Azure Multifactor Authentiation features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
View File

@ -19,7 +19,7 @@ ms.date: 08/19/2018
- Key trust
## Directory Syncrhonization
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.

10
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/12/2018
ms.date: 11/28/2018
---
# How Windows Information Protection protects files with a sensitivity label
@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol
Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
![Sensitivity labels](images/sensitivity-labels.png)
End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
![Sensitivity labels](images/sensitivity-labels.png)
## Default WIP behaviors for a sensitivity label

8
windows/security/threat-protection/TOC.md
View File

@ -6,6 +6,7 @@
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
@ -265,7 +266,7 @@
######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -274,8 +275,8 @@
####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -284,6 +285,7 @@
######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

4
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: sagaudre
author: brianlic-msft
ms.date: 06/25/2018
ms.date: 11/26/2018
---
# Microsoft Security Compliance Toolkit 1.0
@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1703 (Creators Update)
@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1507
- Windows Server security baselines
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2

3
windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -301,11 +301,10 @@ This setting will help ensure protection for a VM that has been offline for some
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)

4
windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/03/2018
ms.date: 11/16/2018
---
# Restore quarantined files in Windows Defender AV
@ -25,7 +25,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
1. Open **Windows Security**.
2. Click **Virus & threat protection** and then click **Threat History**.
3. Under **Quarantined threats**, click **See full history**.
4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
## Related topics

2
windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
View File

@ -65,7 +65,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!Note]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).

7
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/03/2018
ms.date: 11/28/2018
---
# Windows Defender Application Control
@ -17,6 +17,7 @@ ms.date: 05/03/2018
- Windows 10
- Windows Server 2016
- Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality

7
windows/security/threat-protection/windows-defender-application-guard/TOC.md Normal file
View File

@ -0,0 +1,7 @@
# [Windows Defender Application Guard](wd-app-guard-overview.md)
## [System requirements](reqs-wd-app-guard.md)
## [Install WDAG](install-wd-app-guard.md)
## [Configure WDAG policies](configure-wd-app-guard.md)
## [Test scenarios](test-scenarios-wd-app-guard.md)
## [FAQ](faq-wd-app-guard.md)

4
windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
View File

@ -8,14 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 09/07/2018
ms.date: 11/27/2018
---
# Windows Defender Application Guard overview
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

9
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -4,6 +4,7 @@
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
@ -262,7 +263,7 @@
####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -270,8 +271,8 @@
####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -280,7 +281,7 @@
####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
###### [User](user-windows-defender-advanced-threat-protection-new.md)
####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

43
windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
View File

@ -15,10 +15,12 @@ ms.date: 12/08/2017
# Add or Remove Machine Tags API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Adds or remove tag to a specific machine.
## Permissions
@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "Test Tag",
"Value" : "test Tag 2",
"Action": "Add"
}
@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine55.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": "2018-09-27T08:44:05.6228836Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"Test Tag"
],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

14
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
View File

@ -37,12 +37,12 @@ To effectively build queries that span multiple tables, you need to understand t
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if its connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| DnsServers | string | DNS server addresses in JSON array format |
| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
@ -61,7 +61,7 @@ To effectively build queries that span multiple tables, you need to understand t
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
@ -71,6 +71,7 @@ To effectively build queries that span multiple tables, you need to understand t
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
@ -81,7 +82,6 @@ To effectively build queries that span multiple tables, you need to understand t
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
@ -94,7 +94,7 @@ To effectively build queries that span multiple tables, you need to understand t
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
@ -102,12 +102,14 @@ To effectively build queries that span multiple tables, you need to understand t
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example: <br> - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP) <br> - VPN (PPTP, SSTP) <br> - SSH <br> **NOTE:** This field doesnt provide full IP tunneling specifications. |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)

23
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -65,15 +65,16 @@ For more information on the query language and supported operators, see [Query L
The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Stores alerts related information
- **MachineInfo** - Stores machines properties
- **ProcessCreationEvents** - Stores process creation events
- **NetworkCommunicationEvents** - Stores network communication events
- **FileCreationEvents** - Stores file creation, modification, and rename events
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others.
- **AlertEvents** - Alerts on Windows Defender Security Center
- **MachineInfo** - Machine information, including OS information
- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
- **ProcessCreationEvents** - Process creation and related events
- **NetworkCommunicationEvents** - Network connection and related events
- **FileCreationEvents** - File creation, modification, and other file system events
- **RegistryEvents** - Creation and modification of registry entries
- **LogonEvents** - Login and other authentication events
- **ImageLoadEvents** - DLL loading events
- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
These tables include data from the last 30 days.
@ -137,8 +138,8 @@ The filter selections will resolve as an additional query term and the results w
## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
## Public Advanced hunting query GitHub repository
Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

61
windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -37,45 +37,48 @@ Method|Return Type |Description
# Properties
Property | Type | Description
:---|:---|:---
id | String | Alert ID
severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
id | String | Alert ID.
incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
title | string | Alert title
threatFamilyName | string | Threat family
detectionSource | string | Detection source
assignedTo | String | Owner of the alert
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

4
windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/03/2018
ms.date: 11/28/2018
---
# Assign user access to Windows Defender Security Center
@ -31,7 +31,7 @@ Windows Defender ATP supports two ways to manage permissions:
> [!NOTE]
>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
>- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC.
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.

6
windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
ms.date: 28/02/2018
ms.date: 11/20/2018
---
# Experience Windows Defender ATP through simulated attacks
@ -25,6 +25,10 @@ ms.date: 28/02/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin

4
windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
View File

@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
## HTTP request
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
```
## Request headers
@ -77,7 +77,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Length: application/json
{

183
windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
View File

@ -21,12 +21,17 @@ ms.date: 11/15/2018
- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
- Not all properties are filterable.
### Properties that supports $filter:
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
### Example 1
**Get all the machines with the tag 'ExampleTag'**
- Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@ -41,25 +46,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2018-03-07T11:19:11.7234147Z",
"lastSeen": "2018-11-15T11:23:38.3196947Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.17.255.241",
"lastExternalIpAddress": "123.220.196.180",
"agentVersion": "10.6400.18282.1001",
"osBuild": 18282,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"ExampleTag"
],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "North",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -70,6 +73,50 @@ Content-type: application/json
### Example 2
- Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
```
**Response:**
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
```
### Example 3
- Get all the machines with 'High' 'RiskScore'
```
@ -85,23 +132,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -110,7 +157,7 @@ Content-type: application/json
}
```
### Example 3
### Example 4
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
@ -127,23 +174,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -152,12 +199,12 @@ Content-type: application/json
}
```
### Example 4
### Example 5
- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
**Response:**
@ -169,23 +216,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "83113465ffceca4a731234e5dcde3357e026e873",
"computerDnsName": "examples-vm10",
"firstSeen": "2018-11-12T16:07:50.1706168Z",
"lastSeen": "2018-11-12T16:07:50.1706168Z",
"osPlatform": "WindowsServer2019",
"osVersion": null,
"lastIpAddress": "10.123.72.35",
"lastExternalIpAddress": "123.220.2.3",
"agentVersion": "10.6300.18281.1000",
"osBuild": 18281,
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -194,7 +241,7 @@ Content-type: application/json
}
```
### Example 5
### Example 6
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP

4
windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
View File

@ -15,7 +15,7 @@ ms.date: 12/08/2017
# File resource type
[!include[Prerelease<EFBFBD>information](prerelease.md)]
[!include[Prerelease information](prerelease.md)]
Represent a file entity in WDATP.
@ -34,7 +34,7 @@ Property | Type | Description
sha1 | String | Sha1 hash of the file content
sha256 | String | Sha256 hash of the file content
md5 | String | md5 hash of the file content
globalPrevalence | Integer | File prevalence accross organization
globalPrevalence | Integer | File prevalence across organization
globalFirstObserved | DateTimeOffset | First time the file was observed.
globalLastObserved | DateTimeOffset | Last time the file was observed.
size | Integer | Size of the file.

38
windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
View File

@ -15,11 +15,12 @@ ms.date: 12/08/2017
# Find machines by internal IP API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
- The given timestamp must be in the past 30 days.
@ -83,22 +84,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine33.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": null,
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}

39
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -64,7 +64,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
```
**Response**
@ -75,24 +75,25 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

3
windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
View File

@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and alert and domain exist - 200 OK.
If alert not found or domain not found - 404 Not Found.
If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
## Example

3
windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
View File

@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and alert and files exist - 200 OK.
If alert not found or files not found - 404 Not Found.
If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
## Example

2
windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
View File

@ -51,7 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
## Example

32
windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,13 @@ ms.date: 12/08/2017
---
# Get alert related machine information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves machine that is related to a specific alert.
- Retrieves machine that is related to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -52,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and alert and machine exist - 200 OK.
If alert not found or machine not found - 404 Not Found.
If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
## Example
@ -78,22 +78,22 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "ff0c3800ed8d66738a514971cd6867166809369f",
"computerDnsName": "amazingmachine.contoso.com",
"firstSeen": "2017-12-10T07:47:34.4269783Z",
"lastSeen": "2017-12-10T07:47:34.4269783Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"systemProductName": null,
"lastIpAddress": "172.17.0.0",
"lastExternalIpAddress": "167.220.0.0",
"agentVersion": "10.5830.17732.1001",
"osBuild": 17732,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

3
windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
View File

@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and alert and a user exists - 200 OK with user in the body.
If alert not found or user not found - 404 Not Found.
If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
## Example

87
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -21,8 +21,10 @@ ms.date: 12/08/2017
[!include[Prerelease<73>information](prerelease.md)]
Retrieves top recent alerts.
- Retrieves a collection of Alerts.
- Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -58,7 +60,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
## Example
@ -81,50 +83,55 @@ Here is an example of the response.
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

76
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found.
## Example
@ -84,44 +84,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

64
windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -52,7 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found.
## Example
@ -80,43 +80,43 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
"computerDnsName": "testMachine1",
"firstSeen": "2018-07-30T20:12:00.3708661Z",
"lastSeen": "2018-07-30T20:12:00.3708661Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.67.177",
"lastExternalIpAddress": "167.220.1.210",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
"computerDnsName": "testMachine2",
"firstSeen": "2018-07-30T19:50:47.3618349Z",
"lastSeen": "2018-07-30T19:50:47.3618349Z",
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.70.231",
"lastExternalIpAddress": "167.220.0.28",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "None",
"aadDeviceId": null
}
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

3
windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
View File

@ -50,8 +50,7 @@ Authorization | Bearer {token}. **Required**.
Empty
## Response
If successful and domain exists - 200 OK, with statistics object in the response body.
If domain does not exist - 404 Not Found.
If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
## Example

3
windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
View File

@ -52,8 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
If file does not exist - 404 Not Found.
If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found.
## Example

40
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -55,8 +55,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
If file or alerts do not exist - 404 Not Found.
If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
## Example
@ -83,24 +82,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

30
windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get file related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.
- Retrieves a collection of machines related to a given file hash.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -53,8 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
If file or machines do not exist - 404 Not Found.
If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
## Example
@ -84,39 +84,37 @@ Content-type: application/json
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

3
windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
View File

@ -54,8 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and file exists - 200 OK with statistical data in the body.
If file do not exist - 404 Not Found.
If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
## Example

40
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
If IP and alerts do not exist - 404 Not Found.
If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
@ -82,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

25
windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
If IP or machines do not exist - 404 Not Found.
If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
@ -86,18 +85,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"rbacGroupName": "The-A-Team",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -105,18 +104,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

17
windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -15,12 +15,13 @@ ms.date: 12/08/2017
# Get machine by ID API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.
[!include[Prerelease<73>information](prerelease.md)]
- Retrieves a machine entity by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -85,18 +86,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

3
windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
View File

@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
If no machine found or no users found - 404 Not Found.
If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
## Example

39
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -53,7 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
## Example
@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

4
windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,14 @@ ms.date: 12/08/2017
---
# Get machineAction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Get action performed on a machine.
- Get action performed on a machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

13
windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
View File

@ -15,14 +15,16 @@ ms.date: 12/08/2017
# List MachineActions API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets collection of actions done on machines.
Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
[!include[Prerelease<73>information](prerelease.md)]
- Gets collection of actions done on machines.
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -167,3 +169,6 @@ Content-type: application/json
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

36
windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -15,15 +15,16 @@ ms.date: 12/08/2017
# List machines API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
[!include[Prerelease<73>information](prerelease.md)]
- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,19 +107,22 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

5
windows/security/threat-protection/windows-defender-atp/get-started.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/03/2018
ms.date: 11/20/2018
---
# Get started with Windows Defender Advanced Threat Protection
@ -19,6 +19,9 @@ ms.date: 09/03/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.

6
windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
View File

@ -21,7 +21,7 @@ ms.date: 12/08/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieve a User entity by key (user name or domain\user).
Retrieve a User entity by key (user name).
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -58,7 +58,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
GET https://api.securitycenter.windows.com/api/users/user1
Content-type: application/json
```
@ -72,7 +72,7 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "user1@contoso.com",
"id": "user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,

76
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -54,7 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found.
If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
## Example
@ -81,44 +81,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

25
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,6 +14,7 @@ ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -55,7 +56,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found.
If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found.
## Example
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,18 +107,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

17
windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
View File

@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
osPlatform | String | OS platform.
osVersion | String | OS Version.
lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
agentVersion | String | Version of WDATP agent.
osBuild | Int | OS build number.
osBuild | Nullable long | OS build number.
healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
rbacGroupId | Int | Group ID.
riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
rbacGroupId | Int | RBAC Group ID.
rbacGroupName | String | RBAC Group Name.
riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.

7
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 11/06/2018
ms.date: 11/20/2018
---
# Minimum requirements for Windows Defender ATP
@ -23,6 +23,10 @@ There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@ -35,6 +39,7 @@ For more information on the array of features in Windows 10 editions, see [Compa
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
## Related topic
- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/01/2018
ms.date: 11/19/2018
---
# Onboard machines to the Windows Defender ATP service
@ -128,7 +128,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .

9
windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/10/2018
ms.date: 11/19/2018
---
# Onboard previous versions of Windows
@ -46,12 +46,13 @@ Windows Defender ATP integrates with System Center Endpoint Protection to provid
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud)
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
### Before you begin
Review the following details to verify minimum system requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup.
- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
@ -67,9 +68,9 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
@ -89,7 +90,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource | Ports

5
windows/security/threat-protection/windows-defender-atp/overview.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/03/2018
ms.date: 11/20/2018
---
# Overview of Windows Defender ATP capabilities
@ -21,6 +21,9 @@ ms.date: 09/03/2018
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
## In this section
Topic | Description

6
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/19/2018
ms.date: 11/26/2018
---
@ -20,6 +20,10 @@ ms.date: 10/19/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
>[!TIP]
>Go to **Advanced features** in the **Settings** page to turn on the preview features.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)

4
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -58,5 +58,9 @@ Onboard supported versions of Windows machines so that they can send sensor data
- Windows 8.1 Pro
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)

3
windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/26/2018
ms.date: 11/19/2018
---
# Pull Windows Defender ATP alerts using REST API
@ -106,6 +106,7 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | String | Specifies machine groups to pull alerts from . <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.

3
windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 11/05/2018
ms.date: 11/28/2018
---
# Take response actions on a machine
@ -122,6 +122,7 @@ In addition to the ability of containing an attack by stopping malicious process
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
> - This feature is available if your organization uses Windows Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).

105
windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Stop and quarantine file API
description: Use this API to stop and quarantine file.
keywords: apis, graph api, supported apis, stop and quarantine file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
---
# Stop and quarantine file API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
- Stop execution of a file on a machine and delete it.
[!include[Machine actions note](machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
**Response**
Here is an example of the response.
[!include[Improve request performance](improverequestperformance-new.md)]
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}
```

41
windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
View File

@ -72,10 +72,10 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "Our designated secop"
"assignedTo": "secop2@contoso.com"
}
```
@ -86,23 +86,24 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "636688558380765161_2136280442",
"severity": "Medium",
"status": "InProgress",
"description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
"recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
"alertCreationTime": "2018-08-07T10:18:04.2665329Z",
"category": "Installation",
"title": "Possible sensor tampering in memory",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": null,
"determination": null,
"assignedTo": "Our designated secop",
"resolvedTime": null,
"lastEventTime": "2018-08-07T10:14:35.470671Z",
"firstEventTime": "2018-08-07T10:14:35.470671Z",
"actorName": null,
"machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

4
windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
View File

@ -66,6 +66,10 @@ Windows Defender ATP uses the following combination of technology built into Win
<a name="asr"></a>
>[!TIP]
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.

39
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/15/2018
ms.date: 11/27/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -53,18 +53,9 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft OneNote
The rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
@ -73,13 +64,13 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
>[!NOTE]
>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
@ -90,22 +81,16 @@ Extensions will be blocked from being used by Office apps. Typically these exten
### Rule: Block Office applications from injecting code into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
@ -116,7 +101,7 @@ This rule prevents scripts that appear to be obfuscated from running.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
@ -138,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
@ -158,12 +140,15 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes
### Rule: Block Office communication application from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
Outlook will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
>[!NOTE]
>This rule applies to Outlook only.
### Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.

40
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/17/2018
ms.date: 11/27/2018
---
# Customize attack surface reduction rules
@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
This could potentially allow unsafe files to run and infect your devices.
@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
Exclusions apply to all attack surface reduction rules.
>[!IMPORTANT]
>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).
Rule description | Rule honors exclusions | GUID
Rule description | GUID
-|:-:|-
Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

16
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 11/16/2018
---
# Customize exploit protection
@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:

14
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -34,13 +34,13 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

164
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 11/16/2018
---
# Evaluate attack surface reduction rules
@ -22,164 +22,14 @@ ms.date: 10/02/2018
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
>[!NOTE]
>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use the demo tool to see how attack surface reduction rules work
Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png)
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
>[!IMPORTANT]
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
**Run a rule using the demo tool:**
1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
>[!IMPORTANT]
>Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
3. Select the rule from the drop-down menu.
4. Select the mode, **Disabled**, **Block**, or **Audit**.
1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
5. Click **RunScenario**.
The scenario will run, and an output will appear describing the steps taken.
You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
>[!TIP]
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
Choosing the **Mode** will change how the rule functions:
Mode option | Description
-|-
Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all.
Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules.
Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer.
Block mode will cause a notification to appear on the user's desktop:
![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png)
You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
The following sections describe what each rule does and what the scenarios entail for each rule.
### Rule: Block executable content from email client and webmail
This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
Scenario name | File type | Program
- | - | -
Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files | Web mail
### Rule: Block Office applications from creating child processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
The following scenarios can be individually chosen:
- Random
- A scenario will be randomly chosen from this list
- Extension Block
- Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting into other processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Impede JavaScript and VBScript to launch executables
JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
- Random
- A scenario will be randomly chosen from this list
- JScript
- JavaScript will not be allowed to launch executable files
- VBScript
- VBScript will not be allowed to launch executable files
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
- Random
- A scenario will be randomly chosen from this list
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack surface reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
## Use audit mode to measure impact
You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
This enables all Attack surface reduction rules in audit mode.
This enables all attack surface reduction rules in audit mode.
>[!TIP]
>If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
## Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)

63
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 11/16/2018
---
# Evaluate controlled folder access
@ -24,70 +24,11 @@ ms.date: 10/02/2018
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use the demo tool to see how controlled folder access works
Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled folder access:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png)
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png)
## Review controlled folder access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled folder access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
1127 | Blocked controlled folder access sector write block event
1128 | Audited controlled folder access sector write block event
## Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.

68
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 11/16/2018
---
# Evaluate exploit protection
@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki
This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md).
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md).
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Enable and validate an exploit protection mitigation
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app:
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
```
3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
1. Type **run** in the Start menu and press **Enter** to open the run dialog box.
2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
Lastly, we can disable the mitigation so that Internet Explorer works properly again:
1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
## Review exploit protection events in Windows Event Viewer
You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the events related to exploit protection.
6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
## Use audit mode to measure impact
You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/09/2018
ms.date: 11/16/2018
---
# Evaluate network protection
@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui
Set-MpPreference -EnableNetworkProtection Enabled
```
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled".
### Visit a (fake) malicious domain