mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 23:03:42 +00:00
Merge branch 'master' into asr-working
@ -39,6 +39,26 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit failure events, click **Fail.**
- To audit all events, click **All.**

6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:

- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- **Subfolders only**
- **Files only**

7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.

> **Important:** Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.

## Additional considerations

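Review bot: the **Important** note that object access auditing must be enabled *before* file and folder auditing is added after step 7, so a reader following the numbered steps reaches it only after hitting the error it warns about; move it ahead of step 1 or into a prerequisites paragraph. Also, the last bullet under step 7 ("Additionally, you can choose **Full control**, **Modify**, and/or **Write** ...") sits in the list of default permissions but describes optional additions; make it a sentence after the list.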
@ -30,9 +30,9 @@ There is no example of this event in this document.

***Event Schema:***

*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*

*Number of audit messages discarded: %1 *
*Number of audit messages discarded: %1*

*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*

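Review bot: the fix is correct but the commit should say why it matters: a space before the closing `*` (`some audits. *`, `%1 *`) means the emphasis never closes in Markdown, so these schema lines rendered with literal asterisks instead of italics. The same trailing-space defect is fixed in the other event-schema hunks below.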
@ -48,7 +48,7 @@ It appears that this event never occurs.

*LPC Server Port Name:%6*

*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*

***Required Server Roles:*** None.

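Review bot: the stray `"` after `communications channel.` survives in the corrected line (`channel."*`); there is no opening quote anywhere in the sentence, so drop it together with the space.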
@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I

- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”

**Logon Information** \[Version 2\]**: **
**Logon Information** \[Version 2\]**:**

- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.

@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object

- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

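Review bot: the same `> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements ...` paragraph is corrected by hand here and in seven more hunks below; since the text is identical on every event page, it is a candidate for a shared include (the repo already uses `[!include[...]]` elsewhere in this diff) so that the next fix only has to be made once.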
@ -151,7 +151,7 @@ This event generates every time a new process starts.

- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.

- **Token Elevation Type** \[Type = UnicodeString\]**: **
- **Token Elevation Type** \[Type = UnicodeString\]**:**

- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.

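Review bot: the unchanged context line for **TokenElevationTypeDefault (1)** reads "(for which UAC disabled by default)", which is missing its verb; while this list is being touched, change it to "(for which UAC is disabled by default)".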
@ -99,7 +99,7 @@ You will see unique event for every user.

- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

**New Right: **
**New Right:**

- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

@ -99,7 +99,7 @@ You will see unique event for every user.

- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

**Removed Right: **
**Removed Right:**

- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category

- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu

- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

**Access Granted: **
**Access Granted:**

- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m

- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

**Access Removed: **
**Access Removed:**

- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

@ -266,7 +266,7 @@ For 4738(S): A user account was changed.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name**<br>**User Principal Name**<br>**Home Directory**<br>**Home Drive**<br>**Script Path**<br>**Profile Path**<br>**User Workstations**<br>**Password Last Set**<br>**Account Expires**<br>**Primary Group ID<br>Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |

- Consider whether to track the following user account control flags:

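Review bot: removing the space fixes the bold, but `**<value not set>**` is still an unescaped angle-bracket token inside a Markdown table; most renderers pass `<value not set>` through as an inline HTML tag and the browser then drops the unknown element, so the cell is likely to read just "is marked". Escape it (`\<value not set>`) or put it in backticks in both the condition and the description columns, here and in the 4742 hunk below.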
@ -276,7 +276,7 @@ For 4742(S): A computer account was changed.
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>Other values should be monitored. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |

- Consider whether to track the following account control flags:

@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |

- **Object Name: **
- **Object Name:**

- Key – if “Registry” Global Object Access Auditing policy was changed.

@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic

- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -44,7 +44,7 @@ There is no example of this event in this document.

*Security ID:%7*

*New Flags:%8 *
*New Flags:%8*

***Required Server Roles:*** Active Directory domain controller.

@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects.

- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window

- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi

- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -141,7 +141,7 @@ This event generates every time network share object was modified.

- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.

> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.

- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.

> **Note** The ** <span id="SDDL" class="anchor"></span>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note** The **<a id="SDDL" class="anchor"></a>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

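Review bot: replacing the `<span id="SDDL">` anchor with `<a id="SDDL">` is fine, but the hunk header and the bullet above still carry `ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS` with a space after the second underscore, which splits the identifier in the rendered page; fix it to `ACE\_WHICH\_ALLOWED\_OR\_DENIED\_ACCESS` in both places while this file is being touched.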
@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*

***Required Server Roles:*** None.

@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*

***Required Server Roles:*** None.

@ -30,7 +30,7 @@ There is no example of this event in this document.

*BranchCache: Received an incorrectly formatted response while discovering availability of content.*

*IP address of the client that sent this response:%1 *
*IP address of the client that sent this response:%1*

***Required Server Roles:*** None.

@ -28,7 +28,7 @@ There is no example of this event in this document.

***Event Schema:***

*BranchCache: Received invalid data from a peer. Data discarded. *
*BranchCache: Received invalid data from a peer. Data discarded.*

*IP address of the client that sent this data:%1*

@ -28,7 +28,7 @@ There is no example of this event in this document.

***Event Schema:***

*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*

*IP address of the client that sent this message: %1*

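Review bot: the unchanged line `*IP address of the client that sent this message: %1*` has a space before `%1`, while the neighbouring BranchCache schemas (`...this response:%1*`, `...this data:%1*`) have none; since the whitespace in these schema lines is what this change is cleaning up, make the placeholder spacing consistent across the set.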
@ -28,7 +28,7 @@ There is no example of this event in this document.

***Event Schema:***

*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. *
*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.*

*Domain name of the hosted cache is:%1*

@ -28,7 +28,7 @@ There is no example of this event in this document.

***Event Schema:***

*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*

*Domain name of the hosted cache:%1*

@ -28,7 +28,7 @@ There is no example of this event in this document.

***Event Schema:***

*BranchCache: A service connection point object could not be parsed. *
*BranchCache: A service connection point object could not be parsed.*

*SCP object GUID: %1*

@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)** <br>
Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization.
- [Conditional access](microsoft-defender-atp/conditional-access.md)
- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md)
- [Skype for Business](microsoft-defender-atp/threat-protection-integration.md)

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

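Review bot: only `ms.author` changes (levinec to ellevin) while `author:` keeps the GitHub handle, which is the right split between the two keys; the same alias update recurs in roughly thirty front-matter hunks below (levinec to ellevin, mjcaparas to macapara), so it would be easier to review and to revert as a commit of its own rather than folded into this merge.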
@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: levinec
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp

@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: levinec
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: high
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: levinec
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro

@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp

@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.

So, for example:
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.

#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.

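Review bot: the four removed bullets and the four added ones are identical as rendered, so this is a whitespace-only change (indentation or trailing spaces) and the commit should say so. Since the list is being rewritten anyway, fix the grammar of the second bullet: "An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as ..." should read "An alert about commercial malware that was detected while executing but was blocked and remediated by Windows Defender AV is categorized as ...".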
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp

@ -22,6 +22,12 @@ ms.topic: article

Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).

### Throttling limits

Name | Calls | Renewal period
:---|:---|:---
API calls per connection | 100 | 60 seconds

## Legal Notices

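Review bot: the new **Throttling limits** table states 100 calls per connection per 60 seconds but does not define "connection" (per app registration, per tenant, per access token?) or say what a caller gets back when the limit is exceeded (status code, any retry guidance); add both so integrators can implement back-off instead of guessing, and ideally link the "Renewal period" column to a definition of how the window is counted (fixed or sliding).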
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp

@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp

@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp

@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP

description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP

keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)

[!include[Prerelease information](prerelease.md)]

@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.

The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal

- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools

Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.


Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.


In general, the following configuration steps need to be taken:

- **Grant the MSSP access to Microsoft Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.

- **Grant the MSSP access to Windows Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.


- **Configure alert notifications sent to MSSPs** <br>
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
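Review bot: the unchanged context line "Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant" has a typo, "Security Central" for "Security Center", and is the one product-name occurrence in this hunk the rename does not touch; fix it here while the surrounding lines are being rewritten.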
@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.

## Grant the MSSP access to the portal

>[!NOTE]

>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer.

As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.


Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.

You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
- Grant MSSP user access to Microsoft Defender Security Center

- Grant MSSP user access to Windows Defender Security Center


### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.

To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).

### Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.

### Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.

Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.

If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).

If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md).


>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
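Review bot: both versions of the RBAC sentence carry the same two errors, "must be to added" (should be "must be added") and "Fore more information" (should be "For more information"); since the line is rewritten in this hunk anyway, fix them in the surviving version. The note "These set of steps are directed towards" should also read "This set of steps is directed towards".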
@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access

As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.

## Access the Microsoft Defender Security Center MSSP customer portal

## Access the Windows Defender Security Center MSSP customer portal

>[!NOTE]
>[!NOTE]
>These set of steps are directed towards the MSSP.

By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.


MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
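Review bot: the context line "you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups" understates what offboarding an MSSP takes: removing group membership revokes portal access, but the B2B guest object created in the earlier section remains in the customer directory; add that the guest user itself should be deleted from the tenant when the engagement ends, so this page describes the full lifecycle it set up.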
@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I

After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.


For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).


These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
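Review bot: the first context line of this hunk, "After access the portal is granted, alert notification rules can to be created", should read "After access to the portal is granted, alert notification rules can be created"; it sits directly beside the edited lines and would be cheap to fix in the same change.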
@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application

Step 2: Get access and refresh tokens from your customer's tenant

Step 3: Whitelist your application on Microsoft Defender Security Center

Step 3: Whitelist your application on Windows Defender Security Center


### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.

You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.


1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).

2. Select **Azure Active Directory** > **App registrations**.

3. Click **New application registration**.

3. Click **New registration**.


4. Specify the following values:

- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Application type: Web app / API
- Sign-on URL: `https://SiemMsspConnector`

- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)

5. Click **Create**. The application is displayed in the list of applications you own.
5. Click **Register**. The application is displayed in the list of applications you own.

6. Select the application, then click **Settings** > **Properties**.
6. Select the application, then click **Overview**.

7. Copy the value from the **Application ID** field.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.

8. Change the value in the **App ID URI** to: `https://<domain_name>/SiemMsspConnector` (replace \<domain_name\> with the tenant name.
8. Select **Certificate & secrets** in the new application panel.

9. Ensure that the **Multi-tenanted** field is set to **Yes**.
9. Click **New client secret**.

10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.

11. Click **Save**.

12. Select **Keys** and specify the following values:

- Description: Enter a description for the key.
- Expires: Select **In 1 year**

13. Click **Save**. Save the value is a safe place, you'll need this

10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.


### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
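Review bot: the new-portal steps register the application with "Supported account types: Account in this organizational directory only", whereas the steps they replace required "Multi-tenanted" set to "Yes"; Step 2 of this same page then uses the application to obtain tokens from the customer's tenant, which a single-tenant registration cannot do, so this should be the multi-tenant choice ("Accounts in any organizational directory"). Three smaller points in the same hunk: the old Reply URL `https://localhost:44300/wdatpconnector` is dropped and the only URI now registered is `https://<domain_name>/SiemMsspConnector`, so confirm the token script in Step 2 redirects to the URI that is actually registered; the old guidance to set the key to expire "In 1 year" is dropped with nothing replacing it, and a client secret with no stated expiry is the kind of credential that never gets rotated; and "Certificate & secrets" should read "Certificates & secrets" to match the portal blade.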
@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio
`Set-ExecutionPolicy -ExecutionPolicy Bypass`

6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`

- Replace \<client_id\> with the Application ID you got from the previous step.
- Replace \<app_key\> with the application key you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's tenant ID.

- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.


7. You'll be asked to provide your credentials and consent. Ignore the page redirect.

8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.

### Step 3: Whitelist your application on Microsoft Defender Security Center
You'll need to whitelist the application you created in Microsoft Defender Security Center.

### Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.


You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
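Review bot: the context line `Set-ExecutionPolicy -ExecutionPolicy Bypass` relaxes the policy for the whole machine or user and nothing in the steps restores it; `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` would limit the change to the session that runs the script. Step 8 then tells the reader to "Save the refresh token" without saying how: it is a long-lived credential for the customer's tenant and the client secret passed on the command line in step 6 lands in PowerShell history, so add a sentence that both must be handled like passwords and that the refresh token should be revoked together with the guest account when the engagement ends.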
@ -272,12 +295,15 @@ You'll need to have **Manage portal system settings** permission to whitelist th

5. Click **Authorize application**.

You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).

You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).


- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).

## Fetch alerts from MSSP customer's tenant using APIs

For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).

## Related topics
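Review bot: "by settings the secret value" should be "by setting the secret value", and "For more information see," should be "For more information, see". The same bullet tells the reader to write the application key into the ArcSight or Splunk configuration file in clear; since that file then holds the MSSP's credentials to the customer tenant, a sentence on restricting its file permissions belongs right next to this instruction.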
@ -285,4 +311,5 @@ For information on how to fetch alerts using REST API, see [Pull alerts using RE
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)

@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
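Review bot: marking recommendedAction as **Required** is a contract change for existing callers of this API; make sure the request example elsewhere on the page includes the property, and say what the service returns when a required property is missing, otherwise integrations that omitted it until now start failing with no documented reason.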
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -2,7 +2,7 @@
ms.date: 10/17/2018
ms.reviewer:
manager: dansimp
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
---
> [!WARNING]
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr

4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:

- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.

- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.

![Image of API access and API selection](images/add-permission.png)
![Image of API access and API selection](images/add-permission.png)

- Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
- Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**

![Image of API access and API selection](images/application-permissions-public-client.png)
![Image of API access and API selection](images/application-permissions-public-client.png)

- **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
- **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!

For instance,
For instance,

- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.

- Click **Grant consent**
- Click **Grant consent**

**Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
**Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.

![Image of Grant permissions](images/grant-consent.png)
![Image of Grant permissions](images/grant-consent.png)

6. Write down your application ID and your tenant ID:
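Review bot: the numbered procedure jumps from step 4 ("Allow your Application to access Microsoft Defender ATP...") straight to step 6 ("Write down your application ID and your tenant ID"); either a step 5 was lost or the numbering needs fixing. Everything else in this hunk is an indentation-only change, so it is the natural place to correct it.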
@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
- Copy/Paste the below class in your application.
- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.

```
namespace WindowsDefenderATP
{
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
```csharp
namespace WindowsDefenderATP
{
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class WindowsDefenderATPUtils
{
private const string Authority = "https://login.windows.net";
public static class WindowsDefenderATPUtils
{
private const string Authority = "https://login.windows.net";

private const string WdatpResourceId = "https://api.securitycenter.windows.com";
private const string WdatpResourceId = "https://api.securitycenter.windows.com";

public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
{
using (var httpClient = new HttpClient())
{
var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
{
using (var httpClient = new HttpClient())
{
var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";

var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");

using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
{
response.EnsureSuccessStatusCode();
using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
{
response.EnsureSuccessStatusCode();

var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

var jObject = JObject.Parse(json);
var jObject = JObject.Parse(json);

return jObject["access_token"].Value<string>();
}
}
}
}
}
return jObject["access_token"].Value<string>();
}
}
}
}
}
```

## Validate the token
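Review bot: the token request still builds its form body by string interpolation, `$"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"`, so a password containing `&`, `%`, `+` or `=` corrupts the request or is silently truncated at the first such character; build the body with `FormUrlEncodedContent` over a dictionary of the four fields (or apply `Uri.EscapeDataString` to each value) since this hunk only re-fences and re-indents the class. The class also uses the resource-owner password grant (`grant_type=password`), which fails for any account behind MFA, conditional access or federation; the page should say so next to the "user name and password" bullet, and `https://login.microsoftonline.com` is the authority to show rather than the older `login.windows.net` alias. "with the your application ID" in the second bullet should be "with your application ID".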
@ -156,16 +156,17 @@ Sanity check to make sure you got a correct token:
- The Expiration time of the token is 1 hour (you can send more then one request with the same token)

- Example of sending a request to get a list of alerts **using C#**
```
var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
```csharp
var httpClient = new HttpClient();

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

// Do something useful with the response
var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response
```

## Related topics
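Review bot: the request snippet uses `AuthenticationHeaderValue`, which needs `using System.Net.Http.Headers;`, and refers to a `token` variable that the page never shows being assigned; a single line such as `var token = await WindowsDefenderATPUtils.AcquireUserTokenAsync(username, password, appId, tenantId);` (or a sentence saying the value comes from the class above) would close that gap, and since the hunk already re-fences the block as csharp it is the right place to add it. In the context line above, "more then one request" should be "more than one request".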
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```

**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**

## Request headers

@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```

**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**


## Request headers
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content.


Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
- Default
- Custom
- Default
- Custom

Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).

@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**.
IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.

**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full – Full isolation
- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
- Full – Full isolation
- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)


## Response
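Review bot: the IsolationType row is documented as "Allowed values are: 'Full' or 'Selective'" with no **Required** marker, unlike the Comment row above it; state whether the property is required and, if it is optional, which of the two isolation modes is applied when a caller omits it, since the difference between full and selective isolation is exactly what an operator needs to know before calling this action.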
@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
---
>[!Note]
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -33,8 +33,8 @@ Topic | Description
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP.
Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
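Review bot: the two rows gaining links use absolute `https://docs.microsoft.com/...` URLs while every other row in this table links relatively (`secure-score-dashboard.md`, `preferences-setup.md`); use `threat-protection-integration.md` and `management-apis.md` instead so the links are checked at build time and resolve within whatever locale and branch the page is served from.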
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.author: mjcaparas
ms.author: macapara
ms.date: 09/07/2018
---

@ -21,7 +21,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

>[!NOTE]
>[!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.

The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
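Review bot: "The secure score page will be available for a few weeks" is relative to an unstated date and will be wrong as soon as the change ships; give the retirement date or drop the sentence and keep only the pointer to Configuration score. The two `>[!NOTE]` lines in this hunk differ only in trailing whitespace, which is what the diff is actually recording here.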
@ -79,11 +79,11 @@ Within the tile, you can click on each control to see the recommended optimizati
Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
## Related topic
## Related topic
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
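Review bot: `## Related topic` heads a list of seven links and should read `## Related topics`; since the heading line is already part of the changed pair, fix it in this hunk. Both changed pairs here (the heading and `- [Configuration score](configuration-score.md)`) render identically, so the edit is presumably whitespace only; make sure the Configuration score entry does not end up listed twice after the merge.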
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
---
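Review bot: `ms.reviewer:` in this hunk's context carries no value; either supply the reviewer alias or drop the key rather than leaving it empty. The `ms.author` / `author` divergence raised on the first metadata hunk applies here as well.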
@ -63,7 +63,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select File from the drop–down menu and enter the file name
- **Search box** - select **File** from the drop–down menu and enter the file name
2. Go to the top bar and select **Stop and Quarantine File**.
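Review bot: the new `- **Search box** - select **File** from the drop–down menu` line keeps the en dash inside `drop–down`; it should be a plain hyphen (`drop-down`), which is what the rest of the docs use and what readers will search for. Since the line is already being rewritten to bold **File**, fix the dash in the same edit.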
@ -98,7 +98,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
1. Open an elevated command–line prompt on the machine:
a. Go to **Start** and type cmd.
a. Go to **Start** and type _cmd_.
b. Right–click **Command prompt** and select **Run as administrator**.
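Review bot: `command–line prompt` in step 1 and `Right–click` in step b both use en dashes where hyphens belong (`command-line`, `Right-click`); this hunk already touches step a to italicize _cmd_, so the two dashes in the adjacent context lines should be corrected in the same change.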
@ -96,7 +96,7 @@ The package contains the following folders:
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
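Review bot: the changed Network connections row renders identically to the original, so the edit is presumably whitespace, but the row still carries two defects worth fixing while it is open: "suspicious systems on the network that night have been used" should read "might have been used", and the file name `FirewassExecutionLog.txt` looks like a typo for a firewall execution log and should be checked against the actual contents of the investigation package before it is published. The `</br>` tags used as line breaks throughout these rows are not valid HTML; `<br>` is the correct form. In the Autoruns row, "attacker's persistency" should be "attacker's persistence".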
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: mjcaparas
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp