update file name etc

This commit is contained in:
jcaparas
2018-04-02 22:34:08 -07:00
parent 0df3d03066
commit 231638a756
4 changed files with 7 additions and 7 deletions

View File

@ -39,7 +39,7 @@ The following best practices serve as a guideline of query performance best prac
## Query tips and pitfalls ## Query tips and pitfalls
### Unique Process IDs ### Unique Process IDs
Process IDs are recycled in Windows and reused for new processes and therefore can<EFBFBD>t serve as a unique identifier for a specific process. Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
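Review bot: The mojibake fix in the first changed line ("can<EFBFBD>t" to "can't") is correct, but the second line still reads "Windows Defender ATP created the time process", which is unclear in both the old and new versions; since the following sentence tells the reader to combine the process ID with the process creation time, consider rewording to something like "To address this issue, Windows Defender ATP records the process creation time" so the two sentences agree. Wording only; the guidance itself (process ID plus creation time as the unique key) is sound and worth keeping exactly as stated.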

View File

@ -1,5 +1,5 @@
--- ---
title: Enable conditional access in Windows Defedener ATP title: Enable conditional access to better protect users, devices, and data
description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
keywords: conditional access, block applications, security level, intune, keywords: conditional access, block applications, security level, intune,
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
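Review bot: The `keywords:` line in this hunk ends with a trailing comma ("intune,"), which looks like a leftover from an edited list; trim it to `keywords: conditional access, block applications, security level, intune`. The title change itself also removes the "Defedener" typo from the old title, which is worth mentioning in the commit message since "update file name etc" does not cover it.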
@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 03/05/2018 ms.date: 03/05/2018
--- ---
# Enable conditional access in Windows Defender ATP # Enable conditional access to better protect users, devices, and data
**Applies to:** **Applies to:**
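Review bot: `ms.date: 03/05/2018` is left unchanged in the context of this hunk even though the page title and H1 are being rewritten; the third file in this commit carries `ms.date: 04/16/2018`, so consider bumping this file's date in the same change so the published page reflects the edit. The new H1 matches the new front-matter `title`, which is correct.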
@ -37,12 +37,12 @@ The implementation of conditional access in Windows Defender ATP is based on Mic
The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications.
## Understand conditional access ## Understand the conditional access flow
When a device is found to be at high risk, the signal is communicated to Intune. In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched. When a device is found to be at high risk, the signal is communicated to Intune. In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
A device returns to a compliant state when there is lower risk seen on it. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. A device returns to a compliant state when there is lower risk seen on it. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
The following image shows the conditional access flow in action: The following example sequence of events explains conditional access in action:
1. A user opens a malicious file and Windows Defender ATP flags the device as high risk. 1. A user opens a malicious file and Windows Defender ATP flags the device as high risk.
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
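Review bot: Step 2 of the new numbered list repeats "remediate" three times ("initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat"); suggest "In parallel, an automated investigation is initiated to remediate the identified threat. The threat can also be remediated manually." Also, "when there is lower risk seen on it" in the paragraph above reads awkwardly; "when the risk level on it drops" says the same thing more plainly. Changing "The following image shows" to "The following example sequence of events explains" is the right call given the list that follows.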
@ -59,7 +59,7 @@ The following image shows the conditional access flow in action:
You'll need to take the following steps to enable conditional access: You'll need to take the following steps to enable conditional access:
1. Turn on the Microsoft Intune connection. For more information, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). 1. Turn on the Microsoft Intune connection. For more information, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
2. Turn on the Windows Defender ATP integration in Intune. For more information, see LINK TO THE CONTENT INTUNE WRITER IS MAKING. 2. Turn on the Windows Defender ATP integration in Intune. For more information, see
- Ensure that machines are enrolled. For more information see, [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). - Ensure that machines are enrolled. For more information see, [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
3. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal). 3. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal).
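Review bot: Removing the placeholder "LINK TO THE CONTENT INTUNE WRITER IS MAKING" from step 2 leaves the sentence dangling as "For more information, see" with nothing after it, which will ship as a broken sentence; either drop that sentence until the Intune article exists or keep a clearly marked TODO so it is not lost. In the sub-bullet, "For more information see, [Set up enrollment...]" has the comma on the wrong side of "see"; it should read "For more information, see [Set up enrollment for Windows devices](...)".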

View File

@ -29,7 +29,7 @@ ms.date: 04/16/2018
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Settings** > **API** > **SIEM**. 1. In the navigation pane, select **Settings** > **APIs** > **SIEM**.
![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png)
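Review bot: The navigation label change from **API** to **APIs** should be checked against the screenshot referenced on the next line (`images/atp-siem-integration.png`); if the image still shows the old "API" label, it will contradict the corrected step text and should be recaptured in the same change.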