From 5b6bba426c4fdb739f1febd77978c6906ad3f458 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 16 Apr 2019 16:00:43 -0700 Subject: [PATCH 01/11] Update respond-file-alerts-windows-defender-advanced-threat-protection.md add hex --- ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index e5f643f908..a15f907fa2 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -258,6 +258,10 @@ If you encounter a problem when trying to submit a file, try each of the followi a. Change the following registry entry and values to change the policy on specific machines: ``` HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection +AllowSampleCollection (dword) 1 (hex) + + +Where: Value = 0 – block sample collection Value = 1 – allow sample collection ``` From 7711732617d0bd6755461a43358fb78e0d84d3d7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 15:51:15 -0700 Subject: [PATCH 02/11] content for interoperability --- windows/security/threat-protection/TOC.md | 4 ++ .../windows-defender-atp/TOC.md | 4 ++ .../partner-applications.md | 64 +++++++++++++++++++ .../whats-new-in-windows-defender-atp.md | 4 +- 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/partner-applications.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 178b297aa0..0cf1107dd2 100644 --- a/windows/security/threat-protection/TOC.md 
+++ b/windows/security/threat-protection/TOC.md @@ -345,6 +345,10 @@ ###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md) ###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md) +##### Interoperability +###### [Partner applications](windows-defender-atp/partner-applications.md) + + ##### Role-based access control ###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) ####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 3ac4481724..635860ba03 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -338,6 +338,10 @@ ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md) ##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md) + +#### Interoperability +##### [Partner applications](partner-applications.md) + #### Role-based access control ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) ###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md new file mode 100644 index 0000000000..b622280ea5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md 
@@ -0,0 +1,64 @@ +--- +title: Partner applications in Microsoft Defender ATP +description: View supported partner connections so enhance the detection, investigation, and threat intelligence capabilities of the platform +keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Partner applications in Microsoft Defender ATP +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + + +The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. + +Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. + +## SIEM integration +Microsoft Defender ATP supports SIEM integration through a variety of methods – specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. 
For more information, see [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md). + +## Ticketing and IT service management +Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. + +## Security orchestration and automation response (SOAR) integration +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. + +## External alert correlation and Automated investigation and remediation +Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. + +Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. + +External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack. + +## Indicators matching +You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). + +Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there’s a match. 
+ +Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. + +## Support for non-Windows platforms +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data giving you a unified experience. + + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index 6d2c512257..f9ac32f49d 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -25,10 +25,12 @@ Here are the new features in the latest release of Windows Defender ATP as well ## April 2019 ### In preview -The following capability is included in the April 2019 preview release. +The following capabilities are included in the April 2019 preview release. - [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + ## March 2019 ### In preview The following capability are included in the March 2019 preview release. From b40996040a1af9ebe7fdc35158bc47ac4b396cba Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 15:54:03 -0700 Subject: [PATCH 03/11] Update partner-applications.md content for partner integration --- .../windows-defender-atp/partner-applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/partner-applications.md b/windows/security/threat-protection/windows-defender-atp/partner-applications.md index b622280ea5..24ba042fc8 100644 --- a/windows/security/threat-protection/windows-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/windows-defender-atp/partner-applications.md @@ -1,6 +1,6 @@ --- title: Partner applications in Microsoft Defender ATP -description: View supported partner connections so enhance the detection, investigation, and threat intelligence capabilities of the platform +description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 From cbfd8b30f63d341b922550e3bd77ec48d6adc539 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Thu, 18 Apr 2019 15:58:54 -0700 Subject: [PATCH 04/11] remove allowed blocked naming --- .openpublishing.redirection.json | 5 +++++ windows/security/threat-protection/TOC.md | 2 +- ...er-advanced-threat-protection.md => manage-indicators.md} | 0 3 files changed, 6 insertions(+), 1 deletion(-) rename windows/security/threat-protection/windows-defender-atp/{manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md => manage-indicators.md} (100%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ab677cc666..f6b41f4ac4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -13944,5 +13944,10 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics", "redirect_document_id": true }, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators", +"redirect_document_id": true +}, ] } diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0cf1107dd2..32688a8c55 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -393,7 +393,7 @@ #####Rules ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) ###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage indicators](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/manage-indicators.md From ef439f7b5b0c17df6a43dbbdf6133d362d7250bd Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 16:01:13 -0700 Subject: [PATCH 05/11] update toc update toc --- windows/security/threat-protection/TOC.md | 2 +- windows/security/threat-protection/windows-defender-atp/TOC.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 32688a8c55..3feed9a1fa 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -393,7 +393,7 @@ #####Rules ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) ###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage indicators](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage indicators](windows-defender-atp/manage-indicators.md) ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 635860ba03..3a56abbd31 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -378,7 +378,7 @@ ####Rules ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) ##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage indicators](manage-indicators.md) ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) From 240c73c3916a67077a1710757d06a7ae4ca7d706 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Thu, 18 Apr 2019 16:55:13 -0700 Subject: [PATCH 06/11] update error --- ...alerts-windows-defender-advanced-threat-protection.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index a15f907fa2..a482be899c 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -257,11 +257,10 @@ If you encounter a problem when trying to submit a file, try each of the followi a. Change the following registry entry and values to change the policy on specific machines: ``` -HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection -AllowSampleCollection (dword) 1 (hex) - - -Where: +Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection +Name: AllowSampleCollection +Type: DWORD +Value: Value = 0 – block sample collection Value = 1 – allow sample collection ``` From f1e7de83818af4e0c39a73c220691a877efe2200 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 16:58:25 -0700 Subject: [PATCH 07/11] Update respond-file-alerts-windows-defender-advanced-threat-protection.md --- ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index a482be899c..e8a6fb62e1 100644 
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -260,7 +260,7 @@ If you encounter a problem when trying to submit a file, try each of the followi Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD -Value: +Hexadecimal value : Value = 0 – block sample collection Value = 1 – allow sample collection ``` From 639f826369a79caabe6919e6dfe3ef6edae356e8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 17:02:45 -0700 Subject: [PATCH 08/11] Update respond-file-alerts-windows-defender-advanced-threat-protection.md --- ...ows-defender-advanced-threat-protection.md | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index e8a6fb62e1..544077f49b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -253,22 +253,19 @@ If you encounter a problem when trying to submit a file, try each of the followi 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. -4. Verify the policy setting enables sample collection and try to submit the file again. +4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - a. Change the following registry entry and values to change the policy on specific machines: - ``` -Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection -Name: AllowSampleCollection -Type: DWORD -Hexadecimal value : - Value = 0 – block sample collection - Value = 1 – allow sample collection -``` + ``` + Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + Name: AllowSampleCollection + Type: DWORD + Hexadecimal value : + Value = 0 – block sample collection + Value = 1 – allow sample collection + ``` 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). -> [!NOTE] -> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topic - [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) 
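Review bot: step 4 in this hunk says the same thing twice ("If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:"); keep one sentence, for example "If the policy is configured, check that the following registry value allows sample collection, then submit the file again." Inside the fenced block, `Hexadecimal value :` has a stray space before the colon, and the two `Value = …` lines read more cleanly as `0 = block sample collection` and `1 = allow sample collection`. Moving the default-behaviour statement from the removed `[!NOTE]` into step 4 is fine, but patches 01, 06, 07 and 08 all rewrite these same few lines; squash them into one commit so the history does not carry the intermediate `AllowSampleCollection (dword) 1 (hex)` form.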
From e151042d6424d7a85ae25bddf58fe31bf83f75df Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 18 Apr 2019 17:09:59 -0700 Subject: [PATCH 09/11] data storage update data storage update --- ...age-privacy-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 67780a3f78..8967eb0a92 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -36,12 +36,12 @@ Information collected includes file data (such as file names, sizes, and hashes) Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -Microsoft uses this data to: +This data enables Windows Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. -Microsoft does not use your data for advertising or for any other purpose other than providing you the service. +Microsoft does not use your data for advertising. ## Data protection and encryption The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. From 4caccfbad98e278784b2869ef59a125029652143 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Thu, 18 Apr 2019 17:15:52 -0700 Subject: [PATCH 10/11] genearl fixes --- ...atures-windows-defender-advanced-threat-protection.md | 3 +-- .../microsoft-cloud-app-security-config.md | 9 ++------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index df2d4cbab8..dff8fdeb1c 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -94,8 +94,7 @@ To receive contextual machine integration in Office 365 Threat Intelligence, you This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. >[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. - +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. ## Microsoft Cloud App Security 
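Review bot: the paragraph above the note says the feature "is currently on public preview" while the rewritten note says it "will be available" on the listed builds; pick one tense, otherwise a reader cannot tell whether machines on 16299.1085, 17134.704 or 17763.379 already receive targeted attack notifications. The hunk also drops the blank line between the `>` note and `## Microsoft Cloud App Security`, so the heading now directly follows the blockquote; restore it to match the rest of the page. The same three-KB build list is pasted verbatim into microsoft-cloud-app-security-config.md in this patch; consider an include, as already done with prerelease.md, so it is maintained in one place. The subject line also reads "genearl fixes".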
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index 52627d87be..32faa07505 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md 
@@ -15,31 +15,26 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/19/2018 - --- # Configure Microsoft Cloud App Security in Windows **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease�information](prerelease.md)] +[!include[Prerelease information](prerelease.md)] To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] ->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. - -![Advanced features](images/atp-mcas-settings.png) - Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected From cacc4365f50074a579ecf1d885c11b0496a434be Mon Sep 17 00:00:00 2001 
From: lomayor Date: Fri, 19 Apr 2019 10:28:57 -0700 Subject: [PATCH 11/11] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index e16b905b59..5bfe2c6ba4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -63,22 +63,22 @@ Event ID | Description The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: -Rule name | GUID --|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Rule name | GUID | File & folder exclusions +-|-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported +Block all Office applications from 
creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported +Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
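Review bot: in the new partner-applications.md (patch 02) three sentences need grammar fixes: "The support for third-party solutions help to" should read "helps to"; "External alerts can be pushed into Microsoft Defender ATP and is presented" should read "are presented"; "This experience leverages on a third-party security products' sensor data" should read "leverages third-party security products' sensor data". The `keywords` front matter names sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften and better mobile, none of which appear anywhere in the body, so either list the partners on the page or trim the keywords. The file ends with a run of blank `+` lines, and the "Applies to" bullet reads "Microsoft Defender Advanced Threat Protection (Windows Defender ATP)" while the title says "Microsoft Defender ATP"; a new page should settle on one name. The `description` typo ("so enhance") is fixed in patch 03, which should be squashed into this one.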
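Review bot: in the whats-new-in-windows-defender-atp.md hunk of patch 02 the new Interoperability bullet links to `https://docs.microsoft.com/windows/security/threat-protection/partner-applications`, but the page is created at `windows/security/threat-protection/windows-defender-atp/partner-applications.md`, so the `windows-defender-atp/` path segment is missing and the link will not resolve; the two TOC hunks in the same patch use the correct path. Fix the URL to include `windows-defender-atp/`, matching the absolute-URL convention of the Threat & Vulnerability Management bullet above it.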
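Review bot: patch 04 renames manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md to manage-indicators.md and changes the top-level TOC link text to "Manage indicators", but the link target in that hunk still points at `windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md`, and windows-defender-atp/TOC.md is not touched, so both TOCs are broken at this commit; patch 05 repairs them, so fold 05 into 04 to keep every commit buildable. In .openpublishing.redirection.json the new entry ends with `},` immediately before `]`; the existing entry above already carried that trailing comma, so the build tooling evidently tolerates it, but a strict JSON parser rejects the file, so avoid propagating it.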
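Review bot: the data-storage-privacy hunk (patch 09) replaces "Microsoft does not use your data for advertising or for any other purpose other than providing you the service." with "Microsoft does not use your data for advertising.", and "Microsoft uses this data to:" with "This data enables Windows Defender ATP to:". That removes the statement that the data is used only to provide the service, which is a substantive change to a privacy commitment rather than an editorial one, and the commit message ("data storage update") gives no reason. Confirm the new wording with the privacy or legal owner of this page and record the rationale in the commit message, or keep the narrower statement.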
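Review bot: in the microsoft-cloud-app-security-config.md hunk (patch 10) the note changes "This feature is available" to "This feature will be available", yet the page carries the prerelease include and the three steps below tell the reader to switch the toggle to On now; if the feature is in preview on the listed builds, "is available" is the accurate form. The hunk also removes `![Advanced features](images/atp-mcas-settings.png)` and the `ms.date` line; check whether the image is referenced from any other page before deleting the file, and if the screenshot was dropped because it is stale, say so in the commit. Repairing the mis-encoded space in `[!include[Prerelease information](prerelease.md)]` is correct.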
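Review bot: the new `File & folder exclusions` column carries `Supported` / `Not supported` values, but nothing on the page says what that means; the intro sentence ("This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell") should also state what a reader should conclude, for example that the two `Not supported` rules (JavaScript or VBScript launching downloaded content, and PSExec and WMI process creations) do not honour configured file and folder exclusions, if that is the intended meaning. The sentence above the table still says "each of the 15 attack surface reduction rules" while the table lists 14 rows; reconcile the count while the table is being edited. GUID casing is also mixed (the first seven upper-case, the rest lower-case); GUIDs are case-insensitive, but one consistent form is easier to search for.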