mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
fixed links
@ -236,7 +236,7 @@ SCCM name: Not applicable
|
||||
|
||||
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
|
||||
|
||||
## Review attack surface reduction in Windows Event Viewer
|
||||
## Review attack surface reduction events in Windows Event Viewer
|
||||
|
||||
You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app:
|
||||
|
||||
|
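Review bot: the renamed heading "Review attack surface reduction events in Windows Event Viewer" changes the anchor generated for this section, so any link that still targets the old heading's anchor will stop resolving; search the repo for the old anchor before merging. The context sentence under the heading also reads "attack surface rules", which should probably be "attack surface reduction rules" to match the heading.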
@ -40,9 +40,9 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs)
|
||||
|
||||
Audit options | How to enable audit mode | How to view events
|
||||
- | - | -
|
||||
Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
|
||||
Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md)
|
||||
Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
|
||||
Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folders.md#review-controlled-folder-access-events-in-windows-event-viewer)
|
||||
Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
|
||||
Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
|
||||
Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
|
||||
|
||||
|
||||
|
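Review bot: in the audit table, the exploit protection row still links to `enable-exploit-protection.md#enable-and-audit-exploit-protection`, while the three rows above it now drop or retarget their anchors; confirm that anchor still resolves or update the row the same way. The new targets in `evaluate-controlled-folders.md` and `evaluate-network-protection.md` depend on the "Review ... events in Windows Event Viewer" headings existing in those topics; a controlled folder access heading with that title is added elsewhere in this commit, but no hunk shown here adds the network protection one.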
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 11/16/2018
|
||||
ms.date: 03/26/2019
|
||||
---
|
||||
|
||||
# Customize exploit protection
|
||||
@ -156,7 +156,7 @@ Get-ProcessMitigation -Name processName.exe
|
||||
>
|
||||
>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
|
||||
>
|
||||
>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
|
||||
>The default setting for each system-level mitigation can be seen in the Windows Security.
|
||||
|
||||
Use `Set` to configure each mitigation in the following format:
|
||||
|
||||
|
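Review bot: the replacement sentence "The default setting for each system-level mitigation can be seen in the Windows Security." ends on a dangling product name and should read "in the Windows Security app". Dropping the cross-reference removes the broken anchor but also removes the reader's only pointer to where system-level mitigations are configured; consider relinking to that section under its current anchor instead.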
@ -120,7 +120,7 @@ Get-ProcessMitigation -Name processName.exe
|
||||
>
|
||||
>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
|
||||
>
|
||||
>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
|
||||
>The default setting for each system-level mitigation can be seen in the Windows Security.
|
||||
|
||||
Use `Set` to configure each mitigation in the following format:
|
||||
|
||||
|
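Review bot: this is the same note text as the hunk at -156, and it has the same wording defect: "can be seen in the Windows Security." needs "app" after the product name. Because the sentence is duplicated verbatim in two topics, correct both in one change so they do not drift apart.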
@ -45,7 +45,14 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
|
||||
>If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
|
||||
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
|
||||
|
||||
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
|
||||
## Review controlled folder access events in Windows Event Viewer
|
||||
|
||||
The following controlled folder access events appear in Windows Event Viewer.
|
||||
|
||||
Event ID | Description
|
||||
5007 | Event when settings are changed
|
||||
1124 | Audited controlled folder access event
|
||||
1123 | Blocked controlled folder access event
|
||||
|
||||
## Customize protected folders and apps
|
||||
|
||||
|
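Review bot: the added event table has no delimiter row between "Event ID | Description" and the first data row, so as shown it will not render as a Markdown table; add a `-|-` line after the header, as the audit options table in this commit does with `- | - | -`. The intro sentence could also say which Event Viewer log these IDs are recorded in, since 1123 (blocked) and 1124 (audited) are what a reader in audit mode will be filtering for.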
@ -12,7 +12,7 @@ ms.date: 04/16/2018
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 08/08/2018
|
||||
ms.date: 03/26/2019
|
||||
---
|
||||
|
||||
# View attack surface reduction events
|
||||
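Review bot: the hunk header context shows `ms.date: 04/16/2018` above line 12, while this hunk edits a second `ms.date` (08/08/2018 to 03/26/2019), so the front matter appears to carry the key twice. Remove the older entry so the metadata has a single, unambiguous date.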
@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s
|
||||
|
||||
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
|
||||
|
||||
You can also manually navigate to the event area that corresponds to the feature. For more details, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic.
|
||||
You can also manually navigate to the event area that corresponds to the feature.
|
||||
|
||||
### Import an existing XML custom view
|
||||
|
||||
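Review bot: with the link removed, "You can also manually navigate to the event area that corresponds to the feature." no longer tells the reader which event area belongs to which feature. Either link to the section that lists the event areas under its current anchor, or name the log location inline.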
@ -43,7 +43,7 @@ You can also manually navigate to the event area that corresponds to the feature
|
||||
- Controlled folder access events custom view: *cfa-events.xml*
|
||||
- Exploit protection events custom view: *ep-events.xml*
|
||||
- Attack surface reduction events custom view: *asr-events.xml*
|
||||
- Network protection events custom view: *np-events.xml*
|
||||
- Network/ protection events custom view: *np-events.xml*
|
||||
|
||||
1. Type **event viewer** in the Start menu and open **Event Viewer**.
|
||||
|
||||
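Review bot: the changed bullet introduces a typo, "Network/ protection events custom view". The previous text, "Network protection events custom view", was correct; revert the line or remove the stray "/".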
@ -55,7 +55,7 @@ You can also manually navigate to the event area that corresponds to the feature
|
||||
|
||||
4. Click **Open**.
|
||||
|
||||
5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
|
||||
5. This will create a custom view that filters to only show the events related to that feature.
|
||||
|
||||
|
||||
### Copy the XML directly
|
||||
@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the feature
|
||||
|
||||
4. Click **OK**. Specify a name for your filter.
|
||||
|
||||
5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
|
||||
5. This will create a custom view that filters to only show the events related to that feature.
|
||||
|
||||
### XML for attack surface reduction rule events
|
||||
|
||||
|