Merge remote-tracking branch 'origin/atp-adv-hunting' into atp-rs4

windows/security/threat-protection/TOC.md

@@ -83,6 +83,8 @@
 ####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
 ####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
+#### [Advanced hunting](\windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+
 ###API and SIEM support
 #### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
 ##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,94 @@
+---
+title: Advanced hunting in Windows Defender ATP
+description: Learn about advanced hunting in Windows Defender ATP and how to query ATP data.
+keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 03/05/2018
+---
+
+# Advanced hunting in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. Take advantage of the following capabilities: 
+
+- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
+- **Query all stored telemetry** - All telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
+- **Links to portal** - Certain query results, such as endpoint names and file names are actually direct links to the Windows Defender ATP portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
+- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
+
+To get you started in querying your Windows Defender ATP data, you can use the basic or advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+
+![Image of Advanced hunting window](images/atp-advanced-hunting.png)
+
+## Query data in advanced hunting
+
+A typical query starts with a table name followed by a series of operators separated by **|**.
+
+![Image of Windows Defender ATP advanced hunting query](images/atp-advanced-hunting-query.png)
+
+We start with the table name **FileCreationEvents** and add piped elements as needed.
+
+First, we define a time filter to review only records from the previous day. We then add a filter on the _FolderPath_ field to contain only the path _\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup_.
+
+Finally, we limit the results to 100 and click **Run query**.
+
+The query language is very powerful and has the following usable operators: 
+
+- **Limit** - Return up to the specified number of rows.
+- **Where** - Filter a table to the subset of rows that satisfy a predicate.
+- **Count** - Return the number of records in the input record set.
+- **Top** - Return the first N records sorted by the specified columns.
+- **Project** - Select the columns to include, rename or drop, and insert new computed columns.
+- **Summarize** - Produce a table that aggregates the content of the input table.
+- **Extend** - Create calculated columns and append them to the result set.
+- **Join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
+- **Makeset** -  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
+- **Find** - Find rows that match a predicate across a set of tables.
+
+To see a live example of these operators, run them as part of the **Get started** section.
+
+## Query language documentation
+
+For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
+
+## Tables in advanced hunting
+
+The following tables are exposed as part of advanced hunting:
+
+- **AlertEvents** - Stores all alerts related information 
+- **ProcessCreationEvents** - Stores all process creation events 
+- **NetworkCommunicationEvents** - Stores all network communication events o
+- **FileCreationEvents** - Stores all file creation, modification, and rename events
+- **RegistryEvents** - Stores all registry key creation, modification, rename and deletion events 
+- **LogonEvents** - Stores all login events 
+- **ImageLoadEvents** - Stores all load dll events  
+- **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events.
+- **SuspiciousEvents** - Stores all events that deviate from typical event behavior
+
+## Results set in advanced hunting
+
+The results set has several capabilities to provide you with effective investigation, including:
+
+- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
+- If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include** or **exclude**; these cell values are part of the row set. 
+ 
+![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
+
+## Related topics
+

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -76,6 +76,11 @@ Block Office applications from injecting code into other processes | 75668C1F-73
 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
 Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 
 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
 
@@ -147,7 +152,34 @@ Malware can use macro code in Office files to import and load Win32 DLLs, which
 
 This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. 
 
+### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  
+This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
+ 
+- Executable files (such as .exe, .dll, or .scr) 
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+ 
+### Rule: Use advanced protection against ransomware
+ 
+This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
+ 
+### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+ 
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+ 
+>[!IMPORTANT]
+>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
+ 
+### Rule: Block process creations originating from PSExec and WMI commands
+ 
+This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
+ 
+### Rule: Block untrusted and unsigned processes that run from USB
+ 
+With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
+ 
+- Executable files (such as .exe, .dll, or .scr) 
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
 ## Requirements