From 5501000abae5c4d8391295479b36b406fda70f20 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Fri, 10 Apr 2020 12:52:01 -0400 Subject: [PATCH 01/15] Quotes are not supported when using GPO Quotes are not supported for ASR exclusions, we need to make this clear to our customers, as it is very confusing to them when reading the ADMX template for the setting - because the ADMX template for this setting actually contains double quotes. --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 655d13f73e..74299098c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -129,7 +129,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. ## PowerShell From 9f9c5332f74b32f0a4f38b0fd3e43aff402286a0 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Fri, 10 Apr 2020 15:40:44 -0400 Subject: [PATCH 02/15] Add additional step for AAD app registration Added step to point users to create their Azure AD application and assign required permission. --- .../microsoft-defender-atp/enable-siem-integration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index a003bd5a09..8f2cc40426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -67,6 +67,9 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. +6. Follow the instructions for creating an Azure AD app registration and assigning the correct permissions to it to read alerts. + https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp + You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar From 0d08106c76c3b8e2c2cd663de8e47beba54fa6e9 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Fri, 10 Apr 2020 16:33:12 -0400 Subject: [PATCH 03/15] Update pull-alerts-using-rest-api.md Add PowerShell and Bash samples for testing the MDATP SIEM API. --- .../pull-alerts-using-rest-api.md | 101 +++++++++++++++++- 1 file changed, 98 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index e52e94be42..f2c30ec2e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -175,7 +175,7 @@ Here is an example return value: ## Code examples ### Get access token -The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API. +The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API. ```csharp AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId)); @@ -183,19 +183,114 @@ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult(); ``` -### Use token to connect to the detections endpoint +```PowerShell +#Get current working directory +$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent +#Paste below your Tenant ID, App ID and App Secret (App key). +$tenantId = '' ### Paste your tenant ID here +$appId = '' ### Paste your Application ID here +$appSecret = '' ### Paste your Application secret here + +$resourceAppIdUri = 'https://graph.windows.net' +$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} + +#call API +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$authResponse +Out-File -FilePath "$scriptDir\LatestSIEM-token.txt" -InputObject $authResponse.access_token ``` + +```Bash +tenantId='' ### Paste your tenant ID here +appId='' ### Paste your Application ID here +appSecret='' ### Paste your Application secret here +resourceAppIdUri='https://graph.windows.net' +oAuthUri="https://login.windows.net/$tenantId/oauth2/token" +scriptDir=$(pwd) + +apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\ + grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1) +IFS="," +apiResponseArr=($apiResponse) +IFS=":" +tokenArr=(${apiResponseArr[6]}) +echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt +``` + +### Use token to connect to the detections endpoint +The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts. + +```csharp HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); string detectionsJson = response.Content.ReadAsStringAsync().Result; Console.WriteLine("Got detections list: {0}", detectionsJson); - ``` +```PowerShell +#Get current working directory +$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent +#run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-SIEMToken.ps1 +$token = Get-Content "$scriptDir\LatestSIEM-token.txt" +#Get Alert from the last xx hours 200 in this example. Make sure you have alerts in that time frame. +$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o") + +#test SIEM API +$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000' + +#Set the WebRequest headers +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $token" +} + +#Send the webrequest and get the results. +$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop +$response +Write-Host + +#Extract the alerts from the results. This works for SIEM API: +$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json + +#Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file +$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."} + +#Save the result as json and as csv +$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json" +$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv" + +Out-File -FilePath $outputJsonPath -InputObject $alerts +Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation +``` + +```Bash +#Get current working directory +scriptDir=$(pwd) + +#get the token +token=$(<$scriptDir/LatestSIEM-token.txt) + +#test the SIEM API, get alerts since 1/1/2020 +url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000' + +#send web requst to API and echo JSON content +apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\ + -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1) +echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!" +echo +echo $apiResponse +``` ## Error codes The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request. From 18713b9f4d2a4cae5691e05e3e6eb28e47dcd153 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 12 Apr 2020 21:52:37 +0200 Subject: [PATCH 04/15] MDATP/Requirements: add Linux Public Preview notes Description: As noted in issue ticket #6430 (Linux support is in preview), this page does not have a description of Linux support for MD-ATP being Public Preview only for Linux at this time. This PR aims to rectify that information detail. Thanks to memildin (Mel) for reporting this issue. Changes proposed: - Add info comment behind "Linux" in the bullet point list - Add a sentence at the end of the following Note blob - Remove redundant phrase "that are" from Note to improve readability - Add a missing plural S at the end of "Related topic" (2 links) - Whitespace changes (might as well correct those) - add MarkDown indent marker compatibility spacing - remove redundant spacing in bullet point lists (only 1 needed) - remove redundant blank lines, 2 blank lines is sufficient spacing - remove redundant blanks at end-of-line (EOL whitespace) - replace a tab character with 4 blank spaces (GitHub codestyle) Ticket closure or reference: Closes #6430 --- .../minimum-requirements.md | 51 +++++++++---------- 1 file changed, 23 insertions(+), 28 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index eed0fc1ca1..6316ed2ee3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -24,12 +24,12 @@ ms.topic: conceptual There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink) ->[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +> [!TIP] +> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). +> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: @@ -40,7 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) -For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. +For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). @@ -53,13 +53,14 @@ For more information about licensing requirements for Microsoft Defender ATP pla Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: - Microsoft Edge - Internet Explorer version 11 -- Google Chrome +- Google Chrome ->[!NOTE] ->While other browsers might work, the mentioned browsers are the ones supported. +> [!NOTE] +> While other browsers might work, the mentioned browsers are the ones supported. ## Hardware and software requirements + ### Supported Windows versions - Windows 7 SP1 Enterprise - Windows 7 SP1 Pro @@ -82,24 +83,26 @@ Machines on your network must be running one of these editions. The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions. > [!NOTE] -> Machines that are running mobile versions of Windows are not supported. +> Machines running mobile versions of Windows are not supported. ### Other supported operating systems -- macOSX -- Linux -- Android +- macOSX +- Linux (currently, MD-ATP is only available in Public Preview Edition for Linux) +- Android ->[!NOTE] ->You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. +> [!NOTE] +> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. +> +> Also note that MD-ATP is currently only available in Public Preview Edition for Linux. ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] -> - You cannot change your data storage location after the first-time setup. -> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. +> - You cannot change your data storage location after the first-time setup. +> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. ### Diagnostic data settings @@ -131,12 +134,11 @@ By default, this service is enabled, but it's good practice to check to ensu If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. - **Use the command line to set the Windows 10 diagnostic data service to automatically start:** 1. Open an elevated command-line prompt on the endpoint: - a. Go to **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. @@ -153,7 +155,6 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the ``` - #### Internet connectivity Internet connectivity on machines is required either directly or through proxy. @@ -164,11 +165,8 @@ For more information on additional proxy configuration settings see, [Configure Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. - - - ## Windows Defender Antivirus configuration requirement -The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. +The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). @@ -188,9 +186,6 @@ If you're running Windows Defender Antivirus as the primary antimalware product If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). - - - -## Related topic +## Related topics - [Validate licensing and complete setup](licensing.md) - [Onboard machines](onboard-configure.md) From 51a9cbad3e41cae703e045380b405ff6b2a2ce2d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:38:47 +0500 Subject: [PATCH 05/15] Update evaluate-controlled-folder-access.md --- .../evaluate-controlled-folder-access.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index da28a46770..1d9da1a791 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -58,6 +58,9 @@ Event ID | Description 1124 | Audited controlled folder access event 1123 | Blocked controlled folder access event +> [!TIP] +> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally. + ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. From d54e696ef8517d073ae3ea3f254020ebd75deaa2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:46:39 +0200 Subject: [PATCH 06/15] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Add missing period dot at EOL . Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 6316ed2ee3..e645688190 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -24,7 +24,7 @@ ms.topic: conceptual There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink). > [!TIP] From daa62c39e42ce1d944b4e36ed87d871a7a95cc9d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:48:16 +0200 Subject: [PATCH 07/15] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Make the Product Licensing Link Language agnostic. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index e645688190..9e062e3820 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -40,7 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) -For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. +For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). From 8b85f79ec481993745e630a571bed93b094c98bd Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:49:06 +0200 Subject: [PATCH 08/15] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Use the expanded name for Microsoft Defender ATP. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 9e062e3820..54739b2527 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -88,7 +88,7 @@ The hardware requirements for Microsoft Defender ATP on machines is the same as ### Other supported operating systems - macOSX -- Linux (currently, MD-ATP is only available in Public Preview Edition for Linux) +- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux) - Android > [!NOTE] From 818c54f6bc67c9cb4d50c02d9594d3e48cd15e20 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:49:42 +0200 Subject: [PATCH 09/15] Update windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md Use the expanded name for Microsoft Defender ATP. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/minimum-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 54739b2527..a461f26713 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -94,7 +94,7 @@ The hardware requirements for Microsoft Defender ATP on machines is the same as > [!NOTE] > You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. > -> Also note that MD-ATP is currently only available in Public Preview Edition for Linux. +> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux. ### Network and data storage and configuration requirements From cf7850c35266b07836f8df44d33d7137775ebe39 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Mon, 13 Apr 2020 10:30:49 -0400 Subject: [PATCH 10/15] Updated statement to include hyperlink. Updated statement to include hyperlink. --- .../microsoft-defender-atp/enable-siem-integration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 8f2cc40426..7d04c886df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -67,8 +67,7 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -6. Follow the instructions for creating an Azure AD app registration and assigning the correct permissions to it to read alerts. - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp +6. Follow the instructions for [creating an Azure AD app registration for MDATP](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts. You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. From 1ac92f474b59196340469504c7db0e280d1f399b Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Mon, 13 Apr 2020 13:12:17 -0400 Subject: [PATCH 11/15] Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 74299098c7..15f019a69c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -129,7 +129,10 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. + +> [!WARNING] +> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. ## PowerShell From 0843318f91ef61c14f511b246538306b7744f414 Mon Sep 17 00:00:00 2001 From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com> Date: Mon, 13 Apr 2020 13:38:06 -0400 Subject: [PATCH 12/15] Update windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 15f019a69c..7212b10766 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -136,7 +136,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## PowerShell ->[!WARNING] +> [!WARNING] >If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. From ece1ef42eea49b9574d1c22b804208c0622c7c34 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:40:52 -0700 Subject: [PATCH 13/15] Update windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-siem-integration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 7d04c886df..f408e29140 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -67,7 +67,7 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -6. Follow the instructions for [creating an Azure AD app registration for MDATP](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts. +6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts. You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. From 6aff9512f1bd6d102ecbd1758d1d168a65fc1d22 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Apr 2020 10:45:03 -0700 Subject: [PATCH 14/15] Update windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 7212b10766..9b5990bdb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -137,7 +137,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## PowerShell > [!WARNING] ->If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. +> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. From 0c5035439df5a10adf27a925b140a16ed9988218 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Apr 2020 10:50:19 -0700 Subject: [PATCH 15/15] Update index.md --- windows/security/threat-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 35ac0e33f0..039851e80d 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -77,7 +77,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender - [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) - [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) +- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)