diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 107a70bff1..863e6b22b7 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1352,6 +1352,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", +"redirect_document_id": false +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection", "redirect_document_id": true diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 2169488622..598d24ea19 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -1,6 +1,6 @@ --- title: Get seat -description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seat -The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ## Request diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 60ae0ffa10..9b2fcfb9c3 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -16,10 +16,10 @@ manager: dansimp To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues. -:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page"::: +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided. -:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: +:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 7156ab49ea..9bdf2f0ae6 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -17,7 +17,7 @@ ms.author: dansimp Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example"::: ## Where is Cortana available for use in my organization? @@ -30,7 +30,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization. >[!NOTE] ->A microphone is not required to use Cortana. +>A microphone isn't required to use Cortana. |**Software** |**Minimum version** | |---------|---------| 
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10 ### Cortana in Windows 10, version 2004 and later -Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365). +Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365). #### How does Microsoft store, retain, process, and use Customer Data in Cortana? 
@@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. -:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening"::: +:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 642a124de8..ae1cc6a4a5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md 
@@ -22,9 +22,9 @@ manager: dansimp 4. Say **Cortana, what can you do?**. -When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word. +When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. -:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: +:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: Once you finish saying your query, Cortana will open with the result. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 55a3d754d6..cd8da63e37 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -20,7 +20,7 @@ manager: dansimp Cortana will respond with the information from Bing. -:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: +:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: >[!NOTE] ->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file +>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 333199a0a5..5382e5665c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -16,11 +16,10 @@ manager: dansimp This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting. -1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**. +1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**. Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. -:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: - -:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: +:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: +:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index ec22777755..1a34778608 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -14,7 +14,7 @@ manager: dansimp # Test scenario 4 - Use Cortana to find free time on your calendar -This process helps you find out if a time slot is free on your calendar. +This scenario helps you find out if a time slot is free on your calendar. 1. Select the **Cortana** icon in the taskbar. 
@@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar. Cortana will respond with your availability for that time, as well as nearby meetings. -:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: \ No newline at end of file +:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index ee0bbe9a6e..6312ad8983 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart. 2. Type or select the mic and say, **Who is name of person in your organization's?** -:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: +:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: -Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search. \ No newline at end of file +Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index 739f5afbfd..b2c7bdd9dd 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md 
@@ -14,7 +14,7 @@ manager: dansimp # Test scenario 6 – Change your language and perform a quick search with Cortana -Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another. +Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location. 1. Select the **Cortana** icon in the taskbar. @@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. -:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: \ No newline at end of file +:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index c1b71aa782..14dfdcd3da 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md 
@@ -32,8 +32,8 @@ Users cannot enable or disable the Bing Answer feature individually. So, if you Sign in to the [Office Configuration Admin tool](https://config.office.com/). Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below: - -:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example"::: + +:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example"::: ## How does Microsoft handle customer data for Bing Answers? 
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the 2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. -Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization. +Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. \ No newline at end of file 
diff --git a/images/screenshot1.png b/windows/configuration/screenshot1.png similarity index 100% rename from images/screenshot1.png rename to windows/configuration/screenshot1.png diff --git a/images/screenshot10.png b/windows/configuration/screenshot10.png similarity index 100% rename from images/screenshot10.png rename to windows/configuration/screenshot10.png diff --git a/images/screenshot11.png b/windows/configuration/screenshot11.png similarity index 100% rename from images/screenshot11.png rename to windows/configuration/screenshot11.png diff --git a/images/screenshot12.png b/windows/configuration/screenshot12.png similarity index 100% rename from images/screenshot12.png rename to windows/configuration/screenshot12.png diff --git a/images/screenshot2.png b/windows/configuration/screenshot2.png similarity index 100% rename from images/screenshot2.png rename to windows/configuration/screenshot2.png diff --git a/images/screenshot3.png b/windows/configuration/screenshot3.png similarity index 100% rename from images/screenshot3.png rename to windows/configuration/screenshot3.png diff --git a/images/screenshot4.png b/windows/configuration/screenshot4.png similarity index 100% rename from images/screenshot4.png rename to windows/configuration/screenshot4.png diff --git a/images/screenshot5.png b/windows/configuration/screenshot5.png similarity index 100% rename from images/screenshot5.png rename to windows/configuration/screenshot5.png diff --git a/images/screenshot6.png b/windows/configuration/screenshot6.png similarity index 100% rename from images/screenshot6.png rename to windows/configuration/screenshot6.png diff --git a/images/screenshot7.png b/windows/configuration/screenshot7.png similarity index 100% rename from images/screenshot7.png rename to windows/configuration/screenshot7.png 
diff --git a/images/screenshot8.png b/windows/configuration/screenshot8.png similarity index 100% rename from images/screenshot8.png rename to windows/configuration/screenshot8.png diff --git a/images/screenshot9.png b/windows/configuration/screenshot9.png similarity index 100% rename from images/screenshot9.png rename to windows/configuration/screenshot9.png diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c294c170b7..d65cca5636 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -417,8 +417,6 @@ ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -#### [APIs]() -##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #### [Rules]() ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) @@ -441,7 +439,6 @@ ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) - #### [Microsoft Defender ATP API]() ##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index a649d44766..13dae9cb69 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
@@ -91,7 +91,6 @@ Field numbers match the numbers in the images below. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index ad965c75e5..0d95a0d4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -28,30 +28,28 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. -Microsoft Defender ATP currently supports the following SIEM tools: +Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: -- Splunk -- HP ArcSight +- IBM QRadar +- Micro Focus ArcSight + +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. 
To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP detections using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API. - -For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md deleted file mode 100644 index c27fdb45cc..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: Configure Splunk to pull Microsoft Defender ATP detections -description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center. -keywords: configure splunk, security information and events management tools, splunk -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Configure Splunk to pull Microsoft Defender ATP detections - -**Applies to:** - - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) - -You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections. - ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. - -## Before you begin - -- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk. -- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - -- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - - Tenant ID - - Client ID - - Client Secret - - Resource URL - - -## Configure Splunk - -1. Login in to Splunk. - -2. Go to **Settings** > **Data inputs**. - -3. 
Select **Windows Defender ATP alerts** under **Local inputs**. - - >[!NOTE] - > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/). - > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/). - - -4. Click **New**. - -5. Type the following values in the required fields, then click **Save**: - - NOTE: - All other values in the form are optional and can be left blank. - -
Field | -Value | -
---|---|
Name | -Name for the Data Input | -Login URL | -URL to authenticate the azure app (Default : https://login.microsoftonline.com) | - -Endpoint | -Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com For US: https://wdatp-alertexporter-us.securitycenter.windows.com For UK: https://wdatp-alertexporter-uk.securitycenter.windows.com
-
- |
Tenant ID | -Azure Tenant ID | -Resource | -Value from the SIEM integration feature page | -
Client ID | -Value from the SIEM integration feature page | -
Client Secret | -Value from the SIEM integration feature page | -
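Review bot: the first image path in cortana-at-work-feedback.md looks wrong: `../../../images/screenshot11.png` is replaced with `../screenshot1.png`, but the rename hunks move `images/screenshot11.png` to `windows/configuration/screenshot11.png`, and `screenshot1.png` is the Cortana home page image that cortana-at-work-overview.md references. The line should read `:::image type="content" source="../screenshot11.png" alt-text="Screenshot: Send feedback page":::`; as written, the feedback page shows the home page screenshot and screenshot11.png is left unreferenced.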
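Review bot: the screenshot5 line in cortana-at-work-scenario-2.md is being touched anyway, so fix the alt-text typo `Hyderbad` to `Hyderabad` in the same change rather than carrying it over.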
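Review bot: in cortana-at-work-scenario-3.md the blank line between the two `:::image` directives is removed, leaving them on adjacent lines; keep the blank line so each directive is parsed as its own block, and add the trailing newline that the `\ No newline at end of file` marker flags for the new version of the file.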
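Review bot: in cortana-at-work-scenario-5.md the unchanged step `Type or select the mic and say, **Who is name of person in your organization's?**` reads like an unfilled placeholder; since the file is being edited, consider rewording it so the reader can tell that the name of a colleague is to be substituted.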
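Review bot: the rename hunks place the screenshots directly at `windows/configuration/screenshotN.png` instead of in an images subfolder, even though the old location was an `images/` folder; a `windows/configuration/images/` location with `../images/screenshotN.png` references from the cortana-at-work pages would keep the images separate from the markdown sources and match the structure being replaced.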
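Review bot: dropping `#### [APIs]()` and `##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)` from TOC.md leaves enable-siem-integration.md without a visible TOC entry, while configure-siem.md and api-portal-mapping.md in this same patch still link to it and the new redirect for configure-splunk.md points at it. Confirm the page is listed elsewhere in the TOC (for example under the Management and APIs reference section), otherwise it is reachable only through inline links.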
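Review bot: in the configure-siem.md note block, `>-The Microsoft Defender ATP Alert API ...` is missing the space after the hyphen, so it will not render as the third bullet; it should be `>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert.` (with `contain` corrected to `contains`). The same hunk renames the vendor to `Micro Focus ArcSight` in the supported-tools list, but the configure link below still reads `Configure HP ArcSight to pull Microsoft Defender ATP detections`; use one name in both places. The Partner application link points at `https://df.securitycenter.microsoft.com/interoperability/partners`, where the `df.` host looks like a pre-production environment rather than the public portal; confirm the intended public URL before merging.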
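Review bot: the redirect added in .openpublishing.redirection.json sends configure-splunk.md readers to enable-siem-integration, which covers the SIEM connector model (tenant ID, client ID, client secret, alert exporter endpoints) that the deleted page relied on, while the new configure-siem.md text says Splunk is now supported through the Alert API model and the Partner application page. Consider pointing the redirect at the Alert API documentation (alerts.md or get-alerts.md) or the partner page instead, so users looking for Splunk setup land on the integration model that still applies to them.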