mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 12:53:38 +00:00
Merge branch 'asc' of https://cpubwin.visualstudio.com/_git/it-client into asc
This commit is contained in:
Joey Caparas
@ -5,7 +5,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.date: 07/30/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Local Accounts
|
||||
@ -16,15 +16,8 @@ ms.date: 07/30/2018
|
||||
|
||||
This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
|
||||
|
||||
**Did you mean…**
|
||||
|
||||
- [Active Directory Accounts](active-directory-accounts.md)
|
||||
|
||||
- [Microsoft Accounts](microsoft-accounts.md)
|
||||
|
||||
## <a href="" id="about-local-user-accounts-"></a>About local user accounts
|
||||
|
||||
|
||||
Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
|
||||
|
||||
This topic describes the following:
|
||||
@ -475,14 +468,9 @@ Passwords can be randomized by:
|
||||
|
||||
- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools.
|
||||
|
||||
- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789).
|
||||
- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task.
|
||||
|
||||
**Note**
|
||||
This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage.
|
||||
|
||||
|
||||
|
||||
- Create and implement a custom script or solution to randomize local account passwords.
|
||||
- Creating and implementing a custom script or solution to randomize local account passwords.
|
||||
|
||||
## <a href="" id="dhcp-references"></a>See also
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
|
||||
### 1. Develop a password replacement offering
|
||||
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
|
||||
|
||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
|
||||
### 2. Reduce user-visible password surface area
|
||||
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 142 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 89 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 130 KiB |
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: aadake
|
||||
ms.date: 10/03/2018
|
||||
ms.date: 12/08/2018
|
||||
---
|
||||
|
||||
# Kernel DMA Protection for Thunderbolt™ 3
|
||||
@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot
|
||||
|
||||
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
|
||||
|
||||
**To check if a device supports Kernel DMA Protection**
|
||||
### Using Security Center
|
||||
|
||||
Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
|
||||
|
||||
|
||||
|
||||
### Using System information
|
||||
|
||||
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
|
||||
2. Check the value of **Kernel DMA Protection**.
|
||||
|
||||
|
||||
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
|
||||
- Reboot into BIOS settings
|
||||
- Turn on Intel Virtualization Technology.
|
||||
|
||||
@ -92,6 +92,7 @@
|
||||
#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
|
||||
##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md)
|
||||
##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md)
|
||||
|
||||
|
||||
|
||||
@ -411,6 +412,7 @@
|
||||
#### Configure Microsoft threat protection integration
|
||||
##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md)
|
||||
##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md)
|
||||
|
||||
|
||||
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 58 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
|
||||
@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options]
|
||||
|
||||
Command | Description
|
||||
:---|:---
|
||||
\- ? **or** -h | Displays all available options for the tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
|
||||
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
|
||||
\-? **or** -h | Displays all available options for this tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded signatures
|
||||
\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates
|
||||
\-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s)
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignatures | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-CheckExclusion -path <path> | Checks whether a path is excluded
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure and validate exclusions based on file extension and folder location
|
||||
@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex
|
||||
|
||||
## Review the list of exclusions
|
||||
|
||||
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
@ -276,7 +276,18 @@ If you use PowerShell, you can retrieve the list in two ways:
|
||||
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
|
||||
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
|
||||
**Validate the exclusion list by using MpCmdRun:**
|
||||
|
||||
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
|
||||
|
||||
```DOS
|
||||
MpCmdRun.exe -CheckExclusion -path <path>
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
|
||||
|
||||
Use the following cmdlet:
|
||||
|
||||
@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a
|
||||
|
||||
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
|
||||
|
||||
**Retrieve a specific exclusions list:**
|
||||
**Retrieve a specific exclusions list by using PowerShell:**
|
||||
|
||||
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure exclusions for files opened by processes
|
||||
@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th
|
||||
|
||||
## Review the list of exclusions
|
||||
|
||||
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
|
||||
If you use PowerShell, you can retrieve the list in two ways:
|
||||
|
||||
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
|
||||
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
|
||||
**Validate the exclusion list by using MpCmdRun:**
|
||||
|
||||
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
|
||||
|
||||
```DOS
|
||||
MpCmdRun.exe -CheckExclusion -path <path>
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
|
||||
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
|
||||
|
||||
Use the following cmdlet:
|
||||
|
||||
@ -164,7 +176,7 @@ Get-MpPreference
|
||||
|
||||
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
|
||||
|
||||
**Retrieve a specific exclusions list:**
|
||||
**Retrieve a specific exclusions list by using PowerShell:**
|
||||
|
||||
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure scheduled quick or full Windows Defender Antivirus scans
|
||||
@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic:
|
||||
|
||||
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
|
||||
|
||||
|
||||
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
|
||||
|
||||
## Quick scan versus full scan and custom scan
|
||||
@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
|
||||
|
||||
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
|
||||
|
||||
>[!NOTE]
|
||||
>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
|
||||
|
||||
**Use Group Policy to schedule scans:**
|
||||
|
||||
|
||||
@ -22,6 +22,7 @@
|
||||
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
|
||||
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
|
||||
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
|
||||
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
|
||||
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
|
||||
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
|
||||
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
|
||||
|
||||
@ -50,7 +50,7 @@ AppLocker helps administrators control how users can access and use files, such
|
||||
|
||||
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
|
||||
|
||||
### Administer Applocker using Group Policy
|
||||
### Administer AppLocker using Group Policy
|
||||
|
||||
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
|
||||
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
---
|
||||
title: Querying Application Control events centrally using Advanced hunting (Windows 10)
|
||||
description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: mdsakibMSFT
|
||||
ms.author: justinha
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Querying Application Control events centrally using Advanced hunting
|
||||
|
||||
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
|
||||
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
|
||||
|
||||
In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP.
|
||||
|
||||
Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
|
||||
This capability is supported beginning with Windows version 1607.
|
||||
|
||||
Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
|
||||
|
||||
```
|
||||
MiscEvents
|
||||
| where EventTime > ago(7d) and
|
||||
ActionType startswith "AppControl"
|
||||
| summarize Machines=dcount(ComputerName) by ActionType
|
||||
| order by Machines desc
|
||||
```
|
||||
|
||||
The query results can be used for several important functions related to managing WDAC including:
|
||||
|
||||
- Assessing the impact of deploying policies in audit mode
|
||||
Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
|
||||
- Monitoring blocks from policies in enforced mode
|
||||
Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
|
||||
@ -90,7 +90,8 @@
|
||||
|
||||
### [Microsoft Threat Protection](threat-protection-integration.md)
|
||||
#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md)
|
||||
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
|
||||
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
||||
|
||||
|
||||
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
|
||||
@ -411,7 +412,8 @@
|
||||
|
||||
### Configure Microsoft Threat Protection integration
|
||||
#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
|
||||
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
|
||||
####[Configure information protection in Windows](information-protection-in-windows-config.md)
|
||||
|
||||
|
||||
### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/28/2018
|
||||
ms.date: 11/16/2018
|
||||
---
|
||||
|
||||
# Configure advanced features in Windows Defender ATP
|
||||
@ -89,7 +89,7 @@ Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud A
|
||||
>[!NOTE]
|
||||
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
|
||||
|
||||
## Azure information protection
|
||||
## Azure Information Protection
|
||||
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
|
||||
|
||||
|
||||
|
||||
@ -59,7 +59,7 @@ To see a live example of these operators, run them as part of the **Get started*
|
||||
|
||||
## Access query language documentation
|
||||
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
|
||||
|
||||
## Use exposed tables in Advanced hunting
|
||||
|
||||
|
||||
@ -50,7 +50,6 @@ detectionSource | string | Detection source.
|
||||
threatFamilyName | string | Threat family.
|
||||
title | string | Alert title.
|
||||
description | String | Description of the threat, identified by the alert.
|
||||
recommendedAction | String | Action recommended for handling the suspected threat.
|
||||
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
|
||||
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
|
||||
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
|
||||
@ -74,7 +73,6 @@ machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -26,7 +26,8 @@ ms.date: 11/20/2018
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
|
||||
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/19/2018
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Onboard Windows 10 machines using Mobile Device Management tools
|
||||
@ -34,27 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
|
||||
|
||||
## Onboard machines using Microsoft Intune
|
||||
|
||||
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||
|
||||
### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
|
||||
|
||||
1. Login to the [Microsoft Azure portal](https://portal.azure.com).
|
||||
|
||||
2. Select **Device Configuration > Profiles > Create profile**.
|
||||
|
||||
3. Enter a **Name** and **Description**.
|
||||
|
||||
4. For **Platform**, select **Windows 10 and later**.
|
||||
|
||||
5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**.
|
||||
|
||||
6. Configure the settings:
|
||||
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
|
||||
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
|
||||
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
|
||||
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property.
|
||||
|
||||
7. Select **OK**, and **Create** to save your changes, which creates the profile.
|
||||
|
||||
> [!NOTE]
|
||||
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
|
||||
|
||||
@ -84,8 +84,8 @@ Content-Length: application/json
|
||||
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"severity": "Low",
|
||||
"title": "test alert",
|
||||
"description": "redalert",
|
||||
"recommendedAction": "white alert",
|
||||
"description": "test alert",
|
||||
"recommendedAction": "test alert",
|
||||
"eventTime": "2018-08-03T16:45:21.7115183Z",
|
||||
"reportId": "20776",
|
||||
"category": "None"
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Enable SIEM integration in Windows Defender ATP
|
||||
@ -20,20 +20,29 @@ ms.date: 10/08/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
|
||||
|
||||
## Prerequisites
|
||||
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
|
||||
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
|
||||
|
||||
## Enabling SIEM integration
|
||||
1. In the navigation pane, select **Settings** > **SIEM**.
|
||||
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
|
||||
|
||||
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
|
||||
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
|
||||
|
||||
|
||||
3. Choose the SIEM type you use in your organization.
|
||||
|
||||
|
||||
@ -100,8 +100,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -87,8 +87,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -100,8 +100,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
@ -121,8 +120,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -96,8 +96,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -117,8 +116,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
@ -94,8 +94,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -20,7 +20,8 @@ ms.date: 11/20/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
|
||||
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -114,8 +113,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 93 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 152 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 65 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 68 KiB |
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: Configure information protection in Windows
|
||||
description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin.
|
||||
keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 12/05/2018
|
||||
---
|
||||
|
||||
# Configure information protection in Windows
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
|
||||
|
||||
## Prerequisites
|
||||
- Endpoints need to be on Windows 10, version 1809 or later
|
||||
- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration
|
||||
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
|
||||
|
||||
|
||||
## Configuration steps
|
||||
1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
|
||||
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
|
||||
|
||||
1. Go to: **Classifications > Labels**.
|
||||
2. Create a new label or edit an existing one.
|
||||
3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
|
||||
|
||||
|
||||
|
||||
4. Repeat for every label that you want to get WIP applied to in Windows.
|
||||
|
||||
After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them.
|
||||
|
||||
>[!NOTE]
|
||||
>- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
|
||||
>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
|
||||
|
||||
## Related topic
|
||||
- [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
||||
@ -0,0 +1,95 @@
|
||||
---
|
||||
title: Information protection in Windows overview
|
||||
description: Learn about how information protection works in Windows to identify and protect sensitive information
|
||||
keywords: information, protection, dlp, wip, data, loss, prevention, protect
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 12/05/2018
|
||||
---
|
||||
|
||||
# Information protection in Windows overview
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
|
||||
|
||||
|
||||
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
|
||||
|
||||
|
||||
Windows Defender ATP applies two methods to discover and protect data:
|
||||
- **Data discovery** - Identify sensitive data on Windows devices at risk
|
||||
- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
|
||||
|
||||
|
||||
## Data discovery
|
||||
Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
|
||||
|
||||
|
||||
|
||||
|
||||
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
|
||||
|
||||
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
|
||||
|
||||
### Azure Information Protection - Data discovery dashboard
|
||||
This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint.
|
||||
|
||||
|
||||
|
||||
|
||||
Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP.
|
||||
|
||||
Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>Windows Defender ATP does not currently report the Information Types.
|
||||
|
||||
### Log Analytics
|
||||
Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
|
||||
|
||||
For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
|
||||
|
||||
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
|
||||
|
||||
To view Windows Defender ATP data, perform a query that contains:
|
||||
|
||||
|
||||
```
|
||||
InformationProtectionLogs_CL
|
||||
| where Workload_s == "Windows Defender"
|
||||
```
|
||||
|
||||
**Prerequisites:**
|
||||
- Customers must have a subscription for Azure Information Protection.
|
||||
- Enable Azure Information Protection integration in Windows Defender Security Center:
|
||||
- Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**.
|
||||
|
||||
|
||||
## Data protection
|
||||
For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
|
||||
|
||||
|
||||
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices).
|
||||
|
||||
|
||||
|
||||
|
||||
Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
|
||||
|
||||
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
|
||||
|
||||
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
|
||||
|
||||
|
||||
## Related topics
|
||||
- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels)
|
||||
@ -40,7 +40,7 @@ id | Guid | Identity of the [Machine Action](machineaction-windows-defender-adva
|
||||
type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
|
||||
requestor | String | Identity of the person that executed the action.
|
||||
requestorComment | String | Comment that was written when issuing the action.
|
||||
status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
machineId | String | Id of the machine on which the action was executed.
|
||||
creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
|
||||
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
|
||||
|
||||
@ -11,11 +11,11 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/19/2018
|
||||
ms.date: 10/19/2018
|
||||
|
||||
---
|
||||
|
||||
# Configure Microsoft Cloud App Security integration
|
||||
# Configure Microsoft Cloud App Security in Windows
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft Cloud App Security integration overview
|
||||
description:
|
||||
keywords:
|
||||
description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage
|
||||
keywords: cloud, app, networking, visibility, usage
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -11,10 +11,10 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/18/2018
|
||||
ms.date: 10/18/2018
|
||||
---
|
||||
|
||||
# Microsoft Cloud App Security integration overview
|
||||
# Microsoft Cloud App Security in Windows overview
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
@ -25,7 +25,8 @@ There are some minimum requirements for onboarding machines to the service.
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## Licensing requirements
|
||||
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
|
||||
|
||||
@ -58,9 +58,6 @@ Review the following details to verify minimum system requirements:
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
|
||||
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
||||
|
||||
>[!NOTE]
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
|
||||
- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
|
||||
|
||||
|
||||
@ -22,7 +22,8 @@ ms.date: 11/20/2018
|
||||
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## In this section
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/05/2018
|
||||
ms.date: 12/03/2018
|
||||
---
|
||||
|
||||
# Windows Defender ATP preview features
|
||||
@ -39,6 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea
|
||||
## Preview features
|
||||
The following features are included in the preview release:
|
||||
|
||||
- [Information protection](information-protection-in-windows-overview.md)<br>
|
||||
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
|
||||
|
||||
|
||||
- [Incidents](incidents-queue.md)<br>
|
||||
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
|
||||
|
||||
|
||||
@ -73,7 +73,7 @@ The response will include an access token and expiry information.
|
||||
```json
|
||||
{
|
||||
"token_type": "Bearer",
|
||||
"expires_in": "3599"
|
||||
"expires_in": "3599",
|
||||
"ext_expires_in": "0",
|
||||
"expires_on": "1488720683",
|
||||
"not_before": "1488720683",
|
||||
@ -98,7 +98,7 @@ Authorization | string | Required. The Azure AD access token in the form **Beare
|
||||
|
||||
### Request parameters
|
||||
|
||||
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
|
||||
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours.
|
||||
|
||||
Name | Value| Description
|
||||
:---|:---|:---
|
||||
@ -106,7 +106,9 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev
|
||||
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
|
||||
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
|
||||
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
|
||||
machinegroups | String | Specifies machine groups to pull alerts from . <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
|
||||
machinegroups | String | Specifies machine groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
|
||||
DeviceCreatedMachineTags | string | Single machine tag from the registry.
|
||||
CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center.
|
||||
|
||||
### Request example
|
||||
The following example demonstrates how to retrieve all the alerts in your organization.
|
||||
|
||||
@ -236,7 +236,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba
|
||||
>This security control is only applicable for machines with Windows 10, version 1803 or later.
|
||||
|
||||
#### Minimum baseline configuration setting for BitLocker
|
||||
- Ensure all supported internal drives are encrypted
|
||||
- Ensure all supported drives are encrypted
|
||||
- Ensure that all suspended protection on drives resume protection
|
||||
- Ensure that drives are compatible
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/12/2018
|
||||
ms.date: 12/03/2018
|
||||
---
|
||||
|
||||
# Microsoft Threat Protection
|
||||
@ -28,24 +28,30 @@ Microsoft's multiple layers of threat protection across data, applications, devi
|
||||
|
||||
Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers.
|
||||
|
||||
## Conditional access
|
||||
Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
|
||||
|
||||
## Office 365 Advanced Threat Protection (Office 365 ATP)
|
||||
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
|
||||
|
||||
## Azure Advanced Threat Protection (Azure ATP)
|
||||
Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
|
||||
|
||||
## Skype for Business
|
||||
The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
|
||||
|
||||
## Azure Security Center
|
||||
Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
|
||||
|
||||
## Azure Information Protection
|
||||
Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
|
||||
|
||||
## Conditional access
|
||||
Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
|
||||
|
||||
|
||||
## Microsoft Cloud App Security
|
||||
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
|
||||
|
||||
## Office 365 Advanced Threat Protection (Office 365 ATP)
|
||||
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
|
||||
|
||||
## Skype for Business
|
||||
The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
|
||||
|
||||
|
||||
|
||||
## Related topic
|
||||
- [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
@ -98,8 +98,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -68,7 +68,8 @@ Windows Defender ATP uses the following combination of technology built into Win
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
|
||||
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
|
||||
|
||||
@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se
|
||||
|
||||
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
|
||||
|
||||
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
|
||||
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
|
||||
|
||||
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
|
||||
|
||||
### Import an existing XML custom view
|
||||
|
||||
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
|
||||
1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
|
||||
- Controlled folder access events custom view: *cfa-events.xml*
|
||||
- Exploit protection events custom view: *ep-events.xml*
|
||||
- Attack surface reduction events custom view: *asr-events.xml*
|
||||
|
||||
Reference in New Issue
Block a user