From 3b8b739a0f36bd2b4a2870e2fc851aba40e43dd5 Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Tue, 6 Nov 2018 10:52:52 -0800 Subject: [PATCH] Changed procedures in three asr topics. --- .../attack-surface-reduction-exploit-guard.md | 4 +--- .../controlled-folders-exploit-guard.md | 10 +++++++--- .../network-protection-exploit-guard.md | 9 ++++++--- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5b78a213a9..e577fe1f8c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -183,9 +183,7 @@ You can review the Windows event log to see events that are created when an atta 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...** - - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) - + 4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 5. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index fb5b4091c5..c3e230964e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md 
@@ -38,6 +38,12 @@ You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate ho Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +## Review controlled folder access events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. + ## Review controlled folder access events in Windows Event Viewer You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: @@ -47,9 +53,7 @@ You can review the Windows event log to see events that are created when control 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...**. - - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) - + 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 934d1154de..639057a7b2 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -41,6 +41,11 @@ Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +## Review network protection events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer @@ -51,9 +56,7 @@ You can review the Windows event log to see events that are created when network 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 2. On the left panel, under **Actions**, click **Import custom view...** - - ![Antimation of the import custom view option](images/events-import.gif) - + 3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**.
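Review bot: In attack-surface-reduction-exploit-guard.md (@@ -183,9 +183,7), the single `+` line that replaces the removed image block between steps 3 and 4 appears to contain only whitespace, since a truly empty line would have stayed as context instead of showing up as an addition. Make it an empty line so the commit does not introduce trailing whitespace inside the numbered list. The image-removal hunks in the other two files have the same `+` line and need the same fix.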
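Review bot: In controlled-folders-exploit-guard.md (@@ -38,6 +38,12), the added Advanced hunting link is an absolute, locale-pinned URL (`https://docs.microsoft.com/en-us/...`), while the alert investigation link one paragraph above it uses a relative path into `../windows-defender-atp/`. Use the relative form for both so the link follows the reader's locale and is checked by the docs build. The new section also tells readers to use Advanced hunting without saying which events to look for, so a pointer to the controlled folder access event types would make the audit-mode advice actionable.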
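Review bot: In controlled-folders-exploit-guard.md (@@ -47,9 +53,7), the procedure still has two steps numbered 4 ("4. Navigate to where you extracted *cfa-events.xml*..." followed by "4. Click **OK**."). Since this commit is already editing the procedure, renumber the second one to 5 so the source matches what readers are told to follow.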
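Review bot: In network-protection-exploit-guard.md (@@ -41,6 +41,11), the added section is one blank line short compared with the identical block in controlled-folders-exploit-guard.md (five added lines here, six there, and no trailing `+` line after the Advanced hunting paragraph). Check that there is a blank line both between the requirements table and the new "Review network protection events in the Windows Defender ATP Security Center" heading and between the final paragraph and the existing "Review network protection events in Windows Event Viewer" heading, so neither heading is rendered as part of the preceding block.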
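Review bot: images/events-import.gif is left behind: network-protection-exploit-guard.md (@@ -51,9 +56,7) drops the third of the three references to it removed by this patch, but the diffstat lists only the three .md files. If no other topic still embeds the animation, delete the image in the same commit so the repository does not keep an orphaned asset.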