mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
Merge branch 'master' into doom
This commit is contained in:
Joey Caparas
@ -245,6 +245,7 @@ To collect Event Viewer logs:
|
||||
|
||||
### Useful Links
|
||||
|
||||
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
|
||||
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
|
||||
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
|
||||
- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
|
||||
|
||||
@ -30,7 +30,12 @@ For the purposes of this guide, we will use one server computer: CM01.
|
||||
|
||||
## Add drivers for Windows PE
|
||||
|
||||
This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
|
||||
This section will show you how to import some network and storage drivers for Windows PE.
|
||||
|
||||
>[!NOTE]
|
||||
>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
|
||||
|
||||
This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -22,6 +22,7 @@ ms.topic: article
|
||||
- Windows 10
|
||||
|
||||
In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
|
||||
- The boot image that is created is based on the version of ADK that is installed.
|
||||
|
||||
For the purposes of this guide, we will use one server computer: CM01.
|
||||
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
|
||||
@ -30,7 +31,9 @@ For the purposes of this guide, we will use one server computer: CM01.
|
||||
|
||||
## Add DaRT 10 files and prepare to brand the boot image
|
||||
|
||||
The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
|
||||
The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
|
||||
|
||||
We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
|
||||
|
||||
On **CM01**:
|
||||
|
||||
@ -61,6 +64,8 @@ On **CM01**:
|
||||
|
||||
Add the DaRT component to the Configuration Manager boot image.
|
||||
|
||||
>Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
|
||||
|
||||
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
|
||||
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
|
||||
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
|
||||
|
||||
@ -35,7 +35,8 @@ In this topic, you will use [components](#components-of-configuration-manager-op
|
||||
- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
|
||||
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
|
||||
- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
|
||||
- The CMTrace tool (part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717)) is installed on the distribution point.
|
||||
- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
|
||||
- Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
|
||||
|
||||
For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
|
||||
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
|
||||
@ -372,7 +373,6 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op
|
||||
### Why use MDT Lite Touch to create reference images
|
||||
|
||||
You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
|
||||
- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
|
||||
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
|
||||
- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
|
||||
- The Configuration Manager task sequence does not suppress user interface interaction.
|
||||
|
||||
@ -20,10 +20,9 @@ ms.topic: article
|
||||
> [!IMPORTANT]
|
||||
> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
|
||||
>
|
||||
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
|
||||
> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
|
||||
> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
|
||||
|
||||
|
||||
## Introduction
|
||||
|
||||
Update Compliance enables organizations to:
|
||||
|
||||
@ -18,7 +18,7 @@ ms.topic: article
|
||||
|
||||
|
||||
> [!IMPORTANT]
|
||||
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
|
||||
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
|
||||
|
||||
|
||||
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 331 KiB |
BIN
windows/deployment/windows-autopilot/images/csp3a.png
Normal file
BIN
windows/deployment/windows-autopilot/images/csp3a.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 253 KiB |
BIN
windows/deployment/windows-autopilot/images/csp3b.png
Normal file
BIN
windows/deployment/windows-autopilot/images/csp3b.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 229 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 74 KiB After Width: | Height: | Size: 404 KiB |
@ -47,9 +47,13 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
|
||||
|
||||
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
|
||||
- Send the template above to the customer via email.
|
||||
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
|
||||
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
|
||||
|
||||
|
||||
|
||||
|
||||
The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested. If the customer did not request delegated admin rights they would see the following page:
|
||||
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> A user without global admin privileges who clicks the link will see a message similar to the following:
|
||||
|
||||
@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
|
||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
||||
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
||||
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
||||
|
||||
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
|
||||
|
||||
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
|
||||
|
||||
| Protections for Improved Security | Description | Security benefits |
|
||||
|---------------------------------------------|----------------------------------------------------|------|
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Advanced hunting query best practices
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceFileEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceImageLoadEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceInfo
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceLogonEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceNetworkEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceNetworkInfo
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceProcessEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceRegistryEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Learn the advanced hunting query language
|
||||
@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
|
||||
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
|
||||
|
||||
```kusto
|
||||
// Finds PowerShell execution events that could involve a download.
|
||||
DeviceProcessEvents
|
||||
// Finds PowerShell execution events that could involve a download
|
||||
union DeviceProcessEvents, DeviceNetworkEvents
|
||||
| where Timestamp > ago(7d)
|
||||
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
|
||||
| where ProcessCommandLine has "Net.WebClient"
|
||||
or ProcessCommandLine has "DownloadFile"
|
||||
or ProcessCommandLine has "Invoke-WebRequest"
|
||||
or ProcessCommandLine has "Invoke-Shellcode"
|
||||
or ProcessCommandLine contains "http:"
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
|
||||
// Pivoting on PowerShell processes
|
||||
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
|
||||
// Suspicious commands
|
||||
| where ProcessCommandLine has_any("WebClient",
|
||||
"DownloadFile",
|
||||
"DownloadData",
|
||||
"DownloadString",
|
||||
"WebRequest",
|
||||
"Shellcode",
|
||||
"http",
|
||||
"https")
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
|
||||
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
|
||||
| top 100 by Timestamp
|
||||
```
|
||||
|
||||
This is how it will look like in advanced hunting.
|
||||
|
||||
|
||||
|
||||
|
||||
### Describe the query and specify the table to search
|
||||
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
|
||||
|
||||
### Describe the query and specify the tables to search
|
||||
A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
|
||||
|
||||
```kusto
|
||||
// Finds PowerShell execution events that could involve a download.
|
||||
DeviceProcessEvents
|
||||
// Finds PowerShell execution events that could involve a download
|
||||
```
|
||||
|
||||
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
|
||||
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
|
||||
|
||||
```kusto
|
||||
union DeviceProcessEvents, DeviceNetworkEvents
|
||||
```
|
||||
### Set the time range
|
||||
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
|
||||
The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
|
||||
|
||||
```kusto
|
||||
| where Timestamp > ago(7d)
|
||||
```
|
||||
### Search for specific executable files
|
||||
The time range is immediately followed by a search for files representing the PowerShell application.
|
||||
|
||||
```kusto
|
||||
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
|
||||
### Check specific processes
|
||||
The time range is immediately followed by a search for process file names representing the PowerShell application.
|
||||
|
||||
```
|
||||
### Search for specific command lines
|
||||
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
|
||||
|
||||
```kusto
|
||||
| where ProcessCommandLine has "Net.WebClient"
|
||||
or ProcessCommandLine has "DownloadFile"
|
||||
or ProcessCommandLine has "Invoke-WebRequest"
|
||||
or ProcessCommandLine has "Invoke-Shellcode"
|
||||
or ProcessCommandLine contains "http:"
|
||||
// Pivoting on PowerShell processes
|
||||
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
|
||||
```
|
||||
### Select result columns and length
|
||||
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
|
||||
|
||||
### Search for specific command strings
|
||||
Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
|
||||
|
||||
```kusto
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
|
||||
// Suspicious commands
|
||||
| where ProcessCommandLine has_any("WebClient",
|
||||
"DownloadFile",
|
||||
"DownloadData",
|
||||
"DownloadString",
|
||||
"WebRequest",
|
||||
"Shellcode",
|
||||
"http",
|
||||
"https")
|
||||
```
|
||||
|
||||
### Customize result columns and length
|
||||
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
|
||||
|
||||
```kusto
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
|
||||
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
|
||||
| top 100 by Timestamp
|
||||
```
|
||||
|
||||
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
|
||||
Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
|
||||
|
||||
## Learn common query operators for advanced hunting
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Use shared queries in advanced hunting
|
||||
|
||||
@ -15,7 +15,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 03/27/2020
|
||||
---
|
||||
|
||||
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
|
||||
@ -27,6 +27,9 @@ ms.date: 04/24/2018
|
||||
|
||||
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
|
||||
|
||||
>[!NOTE]
|
||||
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
|
||||
|
||||
There are several options you can choose from to customize the alerts queue view.
|
||||
|
||||
On the top navigation you can:
|
||||
@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f
|
||||
|
||||
Alert severity | Description
|
||||
:---|:---
|
||||
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
|
||||
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
|
||||
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
|
||||
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
|
||||
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
|
||||
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
|
||||
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
|
||||
|
||||
#### Understanding alert severity
|
||||
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 26 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 57 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 36 KiB |
@ -81,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
|
||||
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
|
||||
- In addition to other measures, you need to control the access to sensitive data through app usage.
|
||||
|
||||
> [!NOTE]
|
||||
> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
|
||||
|
||||
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
|
||||
|
||||
## Installing AppLocker
|
||||
|
||||
Reference in New Issue
Block a user