From b80cd1fcc4816b29ea9f7451252ec9e0daf088ba Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 7 May 2020 13:49:18 -0700 Subject: [PATCH 01/15] siem tools update --- .../microsoft-defender-atp/configure-siem.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index ad965c75e5..2c0afe0601 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -30,28 +30,26 @@ ms.topic: article >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. -Microsoft Defender ATP currently supports the following SIEM tools: +Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: -- Splunk -- HP ArcSight +- IBM QRadar +- Micro Focus ArcSight + +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. 
To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP detections using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API. - -For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). - From 6d31c74f37e720ff9b7c1d3efcb6964717617168 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 7 May 2020 13:55:19 -0700 Subject: [PATCH 02/15] move enable siem topic --- windows/security/threat-protection/TOC.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 41e116ecca..b37c916734 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -416,8 +416,6 @@ ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -#### [APIs]() -##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #### [Rules]() ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) @@ -440,7 +438,7 @@ ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) - +#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #### [Microsoft Defender ATP API]() ##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) From 73d0b3d66fb1d9b9676696706be24e4fb2941a05 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 7 May 2020 14:06:21 -0700 Subject: [PATCH 03/15] update siem integration remove splunk from image --- .../microsoft-defender-atp/configure-siem.md | 4 ++-- .../enable-siem-integration.md | 6 +++--- .../images/siem_details.png | Bin 69513 -> 68660 bytes 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 2c0afe0601..0d95a0d4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -28,9 +28,9 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ->- +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index f408e29140..382f789aa7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md 
@@ -27,9 +27,10 @@ ms.topic: article Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>[!NOTE] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) 
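Review bot: In PATCH 01/15, the `configure-siem.md` hunk at `@@ -30,28 +30,26 @@` renames the supported tool to "Micro Focus ArcSight" in the bullet list but leaves the sub-item link text as "Configure HP ArcSight to pull Microsoft Defender ATP detections", so one page names the product two ways; update the link text, and the matching Related topics entries in the other files, to the new name. In the same hunk the new "Configure IBM QRadar to pull Microsoft Defender ATP detections" item has no link of its own, unlike the ArcSight item above it, so make the item text the link to the IBM page. Also confirm that `https://df.securitycenter.microsoft.com/interoperability/partners` is the intended public host for the Partner application link.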
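Review bot: In PATCH 03/15, the added line in the `configure-siem.md` hunk at `@@ -28,9 +28,9 @@` starts with `>-The`, with no space after the hyphen, unlike the two `>- ` bullets above it, so it may not render as a list item; it also reads "and contain" where the singular subject "Alert API" needs "contains". The `enable-siem-integration.md` copy of this sentence in the same patch has the space but the same verb, and the `api-portal-mapping.md` copy in PATCH 04/15 repeats the `>-The` form, so fix all three together.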
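Review bot: In PATCH 03/15, the `enable-siem-integration.md` hunk at `@@ -75,7 +76,6 @@` keeps a context line whose IBM Knowledge Center link goes to `SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html`, while PATCH 01/15 adds the same reference to `configure-siem.md` as `SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html`. Check which of the two paths resolves and use that one in both files.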
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png index 94c724f0c88e96d452a5eeb9582f37f7c4282978..ef062f0c8ee4cddc24fe67f0fb0c433d30442f71 100644 GIT binary patch
From 9bf8ecd294ebee8959745185432f2e6ffeb06bf6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 7 May 2020 14:11:56 -0700 Subject: [PATCH 04/15] delete splunk edit api pages --- .openpublishing.redirection.json | 5 + .../api-portal-mapping.md | 4 +- .../configure-splunk.md | 131 ------------------ .../pull-alerts-using-rest-api.md | 3 +- 4 files changed, 9 insertions(+), 134 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d7b9c5f5dd..3ea3f56b45 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1327,6 +1327,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", +"redirect_document_id": false +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection", "redirect_document_id": true diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 3b57273926..95aaddc7ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -28,8 +28,9 @@ ms.topic: article Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. @@ -91,7 +92,6 @@ Field numbers match the numbers in the images below. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md deleted file mode 100644 index 10c69301a9..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -title: Configure Splunk to pull Microsoft Defender ATP detections -description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center. -keywords: configure splunk, security information and events management tools, splunk -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Configure Splunk to pull Microsoft Defender ATP detections - -**Applies to:** - - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) - -You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections. - ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. - -## Before you begin - -- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk. -- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - -- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - - Tenant ID - - Client ID - - Client Secret - - Resource URL - - -## Configure Splunk - -1. Login in to Splunk. - -2. Go to **Settings** > **Data inputs**. - -3. 
Select **Windows Defender ATP alerts** under **Local inputs**. - - NOTE: - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/). - -4. Click **New**. - -5. Type the following values in the required fields, then click **Save**: - - NOTE: - All other values in the form are optional and can be left blank. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldValue
NameName for the Data Input
Login URLURL to authenticate the azure app (Default : https://login.microsoftonline.com)
EndpointDepending on the location of your datacenter, select any of the following URL:

For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com

For US:https://wdatp-alertexporter-us.securitycenter.windows.com

For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com -
Tenant IDAzure Tenant ID
ResourceValue from the SIEM integration feature page
Client IDValue from the SIEM integration feature page
Client SecretValue from the SIEM integration feature page
- -After completing these configuration steps, you can go to the Splunk dashboard and run queries. - -## View detections using Splunk solution explorer -Use the solution explorer to view detections in Splunk. - -1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. - -2. Select **New**. - -3. Enter the following details: - - Search: Enter a query, for example:
- `sourcetype="wdatp:alerts" |spath|table*` - - App: Add-on for Windows Defender (TA_Windows-defender) - - Other values are optional and can be left with the default values. - -4. Click **Save**. The query is saved in the list of searches. - -5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. - - ->[!TIP] -> To minimize Detection duplications, you can use the following query: ->```source="rest://wdatp:alerts" | spath | dedup _raw | table *``` - -## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index f2c30ec2e4..c55c6e231f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md 
@@ -27,8 +27,9 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. From 5fd2ca939a7a09f0af27a31d92f620bd1b98b653 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 14 May 2020 12:49:47 -0700 Subject: [PATCH 05/15] remove from toc --- windows/security/threat-protection/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0db55f90c3..063d1a137f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -437,7 +437,6 @@ ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) -#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #### [Microsoft Defender ATP API]() ##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) From 20ff51438770a8d1f84067a98c291c4ed7aab2a6 Mon Sep 17 00:00:00 2001 
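Review bot: The note line added in pull-alerts-using-rest-api.md (and the identical line added in api-portal-mapping.md) starts with `>-The`, with no space after the hyphen, so unlike the two `>- ` items above it the line will not render as a list item inside the note block. It also reads "and contain" where the subject is singular. Suggest `>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert.` in both files.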
From: Ikko Ashimine Date: Thu, 21 May 2020 02:27:16 +0900 Subject: [PATCH 06/15] Fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Micosoft→Microsoft --- windows/client-management/mdm/get-seat.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 2169488622..598d24ea19 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -1,6 +1,6 @@ --- title: Get seat -description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seat -The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ## Request From 27a062893e3b0d2c65f1d5779bb45ca4fecbfffb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 May 2020 16:26:55 -0700 Subject: [PATCH 07/15] Update restore-quarantined-files-windows-defender-antivirus.md --- ...ore-quarantined-files-windows-defender-antivirus.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index f99aa7584f..dc1e161cec 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 11/16/2018 +ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -23,12 +23,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. +If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain that any of the quarantined files are not a threat, you can restore them. 1. Open **Windows Security**. -2. Click **Virus & threat protection** and then click **Threat History**. -3. Under **Quarantined threats**, click **See full history**. -4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) +2. Select **Virus & threat protection** and then click **Protection history**. +3. In the list of all recent items, filter on **Quarantined Items**. +4. Select an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) > [!NOTE] > You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. From e95b6fed95c3ff67924f1e3c8193a4278b160fb4 Mon Sep 17 00:00:00 2001 
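Review bot: Steps 2 and 4 of restore-quarantined-files-windows-defender-antivirus.md now mix two verbs for the same UI action ("Select **Virus & threat protection** and then click **Protection history**", "Select an item you want to keep, then click **Restore**"); pick one verb and use it throughout the procedure. The unchanged NOTE under the steps still says "restore quarantined files in Windows Defender AV" while the paragraph above it was renamed to Microsoft Defender Antivirus, so the product name is now inconsistent within the same page.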
From: Denise Vangel-MSFT Date: Wed, 20 May 2020 16:39:32 -0700 Subject: [PATCH 08/15] Update restore-quarantined-files-windows-defender-antivirus.md --- ...estore-quarantined-files-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index dc1e161cec..625c85ac9a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md 
@@ -23,15 +23,15 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain that any of the quarantined files are not a threat, you can restore them. +If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it. 1. Open **Windows Security**. 2. Select **Virus & threat protection** and then click **Protection history**. 3. In the list of all recent items, filter on **Quarantined Items**. -4. Select an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) +4. Select an item you want to keep, and take an action, such as restore. -> [!NOTE] -> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. +> [!TIP] +> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine). ## Related articles From 2758fb9e9bff08a6a79c46ffbfde630b34c6fa73 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 20 May 2020 16:44:15 -0700 Subject: [PATCH 09/15] fix mac instructions --- .../mac-install-manually.md | 31 ++++++------------- 1 file changed, 10 insertions(+), 21 deletions(-) 
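Review bot: Step 4 now reads "Select an item you want to keep, and take an action, such as restore.", which drops the bolded **Restore** control name and the **Remove** alternative, so the reader is no longer told which control performs the action. Restoring puts a file that was flagged as a threat back in place, so the step should stay explicit, for example "Select an item you want to keep, then select **Restore**." The new TIP also says "using Command Prompt" without naming the tool that the removed NOTE identified (mpcmdrun.exe); naming it in the TIP would keep that information on this page.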
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index e633d8184f..81703f52ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -1,6 +1,6 @@ --- -title: Manual deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac manually, from the command line. +title: Manual deployment for Microsoft Defender ATP for macOS +description: Install Microsoft Defender ATP for macOS manually, from the command line. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -17,45 +17,34 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Manual deployment for Microsoft Defender ATP for Mac +# Manual deployment for Microsoft Defender ATP for macOS **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md) -This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) - [Application installation](#application-installation) - [Client configuration](#client-configuration) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. 
In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png) 5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - $ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - $ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: MicrosoftDefenderATPOnboardingMacOs.py - ``` - + ## Application installation To complete this process, you must have admin privileges on the machine. @@ -87,7 +76,7 @@ The installation proceeds. ## Client configuration -1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS. The client machine is not associated with orgId. Note that the *orgId* attribute is blank. @@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues) ## Uninstallation -See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices. From e1cba6893dcd2c02d9e2652a02861eb2af450c5e Mon Sep 17 00:00:00 2001 
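Review bot: The second hunk of mac-install-manually.md removes both the sentence "Extract the contents of the .zip files:" and the `unzip WindowsDefenderATPOnboardingPackage.zip` listing, yet step 1 of Client configuration still tells the reader to copy MicrosoftDefenderATPOnboardingMacOs.py, a file that the removed listing shows only appears after the archive is extracted. Step 5 also still says to verify the two files from a command prompt but no longer shows how. Either keep the extraction step with its `ls -l` and `unzip` commands, or add an explicit unzip instruction before the Client configuration section.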
From: Kweku Ako-Adjei Date: Wed, 20 May 2020 16:57:06 -0700 Subject: [PATCH 10/15] Cortana Art update --- {images => windows/configuration}/screenshot1.png | Bin {images => windows/configuration}/screenshot10.png | Bin {images => windows/configuration}/screenshot11.png | Bin {images => windows/configuration}/screenshot12.png | Bin {images => windows/configuration}/screenshot2.png | Bin {images => windows/configuration}/screenshot3.png | Bin {images => windows/configuration}/screenshot4.png | Bin {images => windows/configuration}/screenshot5.png | Bin {images => windows/configuration}/screenshot6.png | Bin {images => windows/configuration}/screenshot7.png | Bin {images => windows/configuration}/screenshot8.png | Bin {images => windows/configuration}/screenshot9.png | Bin 12 files changed, 0 insertions(+), 0 deletions(-) rename {images => windows/configuration}/screenshot1.png (100%) rename {images => windows/configuration}/screenshot10.png (100%) rename {images => windows/configuration}/screenshot11.png (100%) rename {images => windows/configuration}/screenshot12.png (100%) rename {images => windows/configuration}/screenshot2.png (100%) rename {images => windows/configuration}/screenshot3.png (100%) rename {images => windows/configuration}/screenshot4.png (100%) rename {images => windows/configuration}/screenshot5.png (100%) rename {images => windows/configuration}/screenshot6.png (100%) rename {images => windows/configuration}/screenshot7.png (100%) rename {images => windows/configuration}/screenshot8.png (100%) rename {images => windows/configuration}/screenshot9.png (100%) diff --git a/images/screenshot1.png b/windows/configuration/screenshot1.png similarity index 100% rename from images/screenshot1.png rename to windows/configuration/screenshot1.png diff --git a/images/screenshot10.png b/windows/configuration/screenshot10.png similarity index 100% rename from images/screenshot10.png rename to windows/configuration/screenshot10.png 
diff --git a/images/screenshot11.png b/windows/configuration/screenshot11.png similarity index 100% rename from images/screenshot11.png rename to windows/configuration/screenshot11.png diff --git a/images/screenshot12.png b/windows/configuration/screenshot12.png similarity index 100% rename from images/screenshot12.png rename to windows/configuration/screenshot12.png diff --git a/images/screenshot2.png b/windows/configuration/screenshot2.png similarity index 100% rename from images/screenshot2.png rename to windows/configuration/screenshot2.png diff --git a/images/screenshot3.png b/windows/configuration/screenshot3.png similarity index 100% rename from images/screenshot3.png rename to windows/configuration/screenshot3.png diff --git a/images/screenshot4.png b/windows/configuration/screenshot4.png similarity index 100% rename from images/screenshot4.png rename to windows/configuration/screenshot4.png diff --git a/images/screenshot5.png b/windows/configuration/screenshot5.png similarity index 100% rename from images/screenshot5.png rename to windows/configuration/screenshot5.png diff --git a/images/screenshot6.png b/windows/configuration/screenshot6.png similarity index 100% rename from images/screenshot6.png rename to windows/configuration/screenshot6.png diff --git a/images/screenshot7.png b/windows/configuration/screenshot7.png similarity index 100% rename from images/screenshot7.png rename to windows/configuration/screenshot7.png diff --git a/images/screenshot8.png b/windows/configuration/screenshot8.png similarity index 100% rename from images/screenshot8.png rename to windows/configuration/screenshot8.png diff --git a/images/screenshot9.png b/windows/configuration/screenshot9.png similarity index 100% rename from images/screenshot9.png rename to windows/configuration/screenshot9.png From 18bc1555f39efef8f1b38f5ca7f886033c5b4431 Mon Sep 17 00:00:00 2001 
From: Kweku Ako-Adjei Date: Wed, 20 May 2020 17:11:06 -0700 Subject: [PATCH 11/15] Cortana topic art updates --- .../cortana-at-work/cortana-at-work-feedback.md | 4 ++-- .../cortana-at-work/cortana-at-work-overview.md | 4 ++-- .../cortana-at-work/cortana-at-work-scenario-1.md | 2 +- .../cortana-at-work/cortana-at-work-scenario-2.md | 2 +- .../cortana-at-work/cortana-at-work-scenario-3.md | 5 ++--- .../cortana-at-work/cortana-at-work-scenario-4.md | 2 +- .../cortana-at-work/cortana-at-work-scenario-5.md | 2 +- .../cortana-at-work/cortana-at-work-scenario-6.md | 2 +- .../cortana-at-work/set-up-and-test-cortana-in-windows-10.md | 4 ++-- 9 files changed, 13 insertions(+), 14 deletions(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 60ae0ffa10..9b2fcfb9c3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md 
@@ -16,10 +16,10 @@ manager: dansimp To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues. -:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page"::: +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided. -:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: +:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 7156ab49ea..de739df432 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -17,7 +17,7 @@ ms.author: dansimp Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example"::: ## Where is Cortana available for use in my organization? @@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. -:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening"::: +:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. 
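Review bot: In cortana-at-work-feedback.md the first image source changes from `../../../images/screenshot11.png` to `../screenshot1.png`, which looks like a dropped digit. Patch 10 moved screenshot11.png to windows/configuration/, and `../screenshot1.png` is the file cortana-at-work-overview.md uses for "Cortana home page example", so the "Send feedback page" alt text would sit on the wrong picture. Suggest `source="../screenshot11.png"`.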
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 642a124de8..60711d75f8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -24,7 +24,7 @@ manager: dansimp When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word. -:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: +:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: Once you finish saying your query, Cortana will open with the result. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 55a3d754d6..024edb02d3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -20,7 +20,7 @@ manager: dansimp Cortana will respond with the information from Bing. -:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: +:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: >[!NOTE] >This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 333199a0a5..6eb0765127 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -20,7 +20,6 @@ This scenario helps you set up, review, and edit a reminder. For example, you ca Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. -:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: - -:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: +:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: +:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index ec22777755..90243bf9f7 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar. Cortana will respond with your availability for that time, as well as nearby meetings. -:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: \ No newline at end of file +:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index ee0bbe9a6e..66ec2603d8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md 
@@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart. 2. Type or select the mic and say, **Who is name of person in your organization's?** -:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: +:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index 739f5afbfd..731dadfa00 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. -:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: \ No newline at end of file +:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index c1b71aa782..344668eacd 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md 
@@ -32,8 +32,8 @@ Users cannot enable or disable the Bing Answer feature individually. So, if you Sign in to the [Office Configuration Admin tool](https://config.office.com/). Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below: - -:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example"::: + +:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example"::: ## How does Microsoft handle customer data for Bing Answers? From 614406a98c51e7ef6ce392afa508b0949d2045d6 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 20 May 2020 19:53:45 -0700 Subject: [PATCH 12/15] Clarify how to deal with multiple Microsoft repos on the same device --- .../linux-install-manually.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 412d0351fa..6fe21d3f51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md 
@@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ yum repolist + ... + packages-microsoft-com-prod packages-microsoft-com-prod 316 + packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 + ... + + # install the package from the production repository + $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp + ``` + - SLES and variants: ```bash sudo zypper install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ zypper repos + ... + # | Alias | Name | ... + XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ... + XX | packages-microsoft-com-prod | microsoft-prod | ... + ... + + # install the package from the production repository + $ sudo zypper install packages-microsoft-com-prod:mdatp + ``` + - Ubuntu and Debian system: ```bash sudo apt-get install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. 
The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ cat /etc/apt/sources.list.d/* + deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main + deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main + + # install the package from the production repository + $ sudo apt -t bionic install mdatp + ``` + ## Download the onboarding package Download the onboarding package from Microsoft Defender Security Center: From 95b5805e3e01c1bb87837ba012722081e0d6b955 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 20 May 2020 19:56:54 -0700 Subject: [PATCH 13/15] Keep Acrolinx happy --- .../microsoft-defender-atp/linux-install-manually.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 6fe21d3f51..31656eeae6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md 
@@ -179,7 +179,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install mdatp ``` - If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ```bash # list all repositories @@ -199,7 +199,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo zypper install mdatp ``` - If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ```bash # list all repositories 
@@ -220,7 +220,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo apt-get install mdatp ``` - If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This can happen if you are using multiple Microsoft products on your device. + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ```bash # list all repositories From 915b71c257777299f93c75f252cf358e17acb111 Mon Sep 17 00:00:00 2001 From: Kweku Ako-Adjei Date: Wed, 20 May 2020 20:58:43 -0700 Subject: [PATCH 14/15] Cortana updates --- .../configuration/cortana-at-work/cortana-at-work-overview.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-1.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-2.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-3.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-4.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-5.md | 2 +- .../configuration/cortana-at-work/cortana-at-work-scenario-6.md | 2 +- .../cortana-at-work/set-up-and-test-cortana-in-windows-10.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index de739df432..034eb25518 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10 ### Cortana in Windows 10, version 2004 and later -Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365). +Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365). #### How does Microsoft store, retain, process, and use Customer Data in Cortana? diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 60711d75f8..ae1cc6a4a5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md 
@@ -22,7 +22,7 @@ manager: dansimp 4. Say **Cortana, what can you do?**. -When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word. +When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 024edb02d3..cd8da63e37 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -23,4 +23,4 @@ Cortana will respond with the information from Bing. :::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: >[!NOTE] ->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file +>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 6eb0765127..5382e5665c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md 
@@ -16,7 +16,7 @@ manager: dansimp This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting. -1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**. +1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**. Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 90243bf9f7..1a34778608 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -14,7 +14,7 @@ manager: dansimp # Test scenario 4 - Use Cortana to find free time on your calendar -This process helps you find out if a time slot is free on your calendar. +This scenario helps you find out if a time slot is free on your calendar. 1. Select the **Cortana** icon in the taskbar. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 66ec2603d8..6312ad8983 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md 
@@ -22,4 +22,4 @@ Cortana can help you quickly look up information about someone or the org chart. :::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: -Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search. \ No newline at end of file +Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index 731dadfa00..b2c7bdd9dd 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -14,7 +14,7 @@ manager: dansimp # Test scenario 6 – Change your language and perform a quick search with Cortana -Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another. +Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location. 1. Select the **Cortana** icon in the taskbar. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 344668eacd..14dfdcd3da 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md 
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the 2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. -Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization. +Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. \ No newline at end of file From f7c70856d05a4ec4c4794e3f97de378a578dfbce Mon Sep 17 00:00:00 2001 
From: Kweku Ako-Adjei Date: Thu, 21 May 2020 10:17:45 -0700 Subject: [PATCH 15/15] Update cortana-at-work-overview.md --- .../configuration/cortana-at-work/cortana-at-work-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 034eb25518..9bdf2f0ae6 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -30,7 +30,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization. >[!NOTE] ->A microphone is not required to use Cortana. +>A microphone isn't required to use Cortana. |**Software** |**Minimum version** | |---------|---------|
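Review bot: In cortana-at-work-scenario-3.md (hunk @@ -20,7 +20,6 @@), the blank line that separated the two `:::image` lines is removed, so the two screenshots now sit on consecutive lines and may be rendered as one run instead of two separate figures; keep the empty line between them and end the file with a newline. The new `source="../screenshot6.png"` and `source="../screenshot7.png"` paths resolve to `windows/configuration/`, which this diff does not show, so confirm the image files exist there before merging. The same check applies to `../screenshot8.png` in the scenario-4 hunk that follows.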
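Review bot: In cortana-at-work-scenario-5.md (hunk @@ -20,6 +20,6 @@), step 2 still reads `**Who is name of person in your organization's?**`, which mixes the literal phrase with a placeholder and leaves a stray possessive. Since this hunk already corrects the image under that step from `screenshot8.png` to `screenshot9.png`, fix the step text in the same change: set the placeholder apart from the spoken words (for example, italic inside the bold) and drop the trailing "'s".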
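Review bot: In PATCH 12/15, linux-install-manually.md (hunk @@ -179,18 +179,59 @@), the RHEL example `sudo yum --enablerepo=packages-microsoft-com-prod install mdatp` does not restrict the install to the production repository. `--enablerepo` only turns a repository on in addition to the ones already enabled, and the sample `yum repolist` output shows `packages-microsoft-com-prod-insiders-fast` enabled as well, so yum can still resolve `mdatp` from the insiders-fast channel. Exclude the other channel in the same command, for example `sudo yum --disablerepo=packages-microsoft-com-prod-insiders-fast install mdatp`, or `--disablerepo="*" --enablerepo=packages-microsoft-com-prod`. In the Ubuntu and Debian part of the same hunk, `sudo apt -t bionic install mdatp` only fits the 18.04 entries shown; state that `bionic` stands for the codename in the reader's own `sources.list.d` entry, and use `apt-get` there to match the `sudo apt-get install mdatp` line directly above it.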
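Review bot: In PATCH 13/15, linux-install-manually.md (hunks @@ -179,7 +179,7 @@, @@ -199,7 +199,7 @@ and @@ -220,7 +220,7 @@), the same one-word wording change is applied to three identical copies of the "If you have multiple Microsoft repositories configured on your device" paragraph. Consider stating that paragraph once, ahead of the per-distribution list, and leaving only the distribution-specific commands under each bullet, so later edits cannot leave the three copies out of sync.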
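Review bot: In PATCH 14/15, cortana-at-work-scenario-2.md (hunk @@ -23,4 +23,4 @@), the image alt text on the unchanged line above the edited note still reads "Cortana showing current time in Hyderbad"; correct it to "Hyderabad" while this file is being touched, since alt text is what screen-reader users get in place of the screenshot. The edited `>This scenario requires Bing Answers to be enabled.` line also remains the last line with no newline at end of file; add one.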