update capitalization

Iaan D'Souza-Wiltshire
2017-09-28 17:09:01 -07:00
parent dd48997d65
commit 33839645fd
23 changed files with 323 additions and 323 deletions


@ -48,10 +48,10 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
- Controlled Folder Access events custom view: *cfa-events.xml*
- Exploit Protection events custom view: *ep-events.xml*
- Attack Surface Reduction events custom view: *asr-events.xml*
- Network Protection events custom view: *np-events.xml*
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
- Network protection events custom view: *np-events.xml*
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
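Review bot: the unchanged context line "extract the appropraite file to an easily accessible location" still carries the typo "appropraite"; since this hunk already rewrites the list directly beneath it, correct it to "appropriate" in the same commit. The four renamed items (Controlled folder access, Exploit protection, Attack surface reduction, Network protection) match the lowercase feature-name style used in the headings and the event table later in this file, so the rename itself is consistent.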
@ -87,7 +87,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### XML for Attack Surface Reduction events
### XML for Attack surface reduction events
```xml
<QueryList>
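Review bot: heading-only rename; because generated heading anchors are lowercased, an in-page link to #xml-for-attack-surface-reduction-events keeps resolving after this change, and the same holds for the three sibling heading hunks below, so no link updates are needed.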
@ -98,7 +98,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Controlled Folder Access events
### XML for Controlled folder access events
```xml
<QueryList>
@ -109,7 +109,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Exploit Protection events
### XML for Exploit protection events
```xml
<QueryList>
@ -129,7 +129,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Network Protection events
### XML for Network protection events
```xml
<QueryList>
@ -158,38 +158,38 @@ You can access these events in Windows Event viewer:
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit Protection | WER-Diagnostics | 5 | CFG Block
Exploit Protection | Win32K (Operational) | 260 | Untrusted Font
Network Protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network Protection | Windows Defender (Operational) | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender (Operational) | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender (Operational) | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender (Operational) | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit protection | WER-Diagnostics | 5 | CFG Block
Exploit protection | Win32K (Operational) | 260 | Untrusted Font
Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
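Review bot: all 24 "Security-Mitigations (Kernal Mode/User Mode)" rows are rewritten by this hunk but keep the misspelling "Kernal"; since the provider name is what a reader will type into an Event Viewer filter, correct it to "Kernel Mode/User Mode" here rather than in a follow-up. A smaller style point: the Description column uses "audit"/"enforce" for the ACG, EAF, EAF+, IAF and ROP rows but "audit"/"block" for the child-process, low-integrity, remote-image, win32k and code-integrity rows; if that mirrors the actual event text it is fine, otherwise pick one term.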