Merge branch 'public' into note_conversion

Author: Trond B. Krokli, 2020-05-20 19:19:45 +02:00 (committed by GitHub)
75 changed files with 1470 additions and 735 deletions


@ -29,7 +29,7 @@ ms.reviewer:
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
> [!IMPORTANT]
> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article.
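Review bot: The change from "which configures" to "which configure" is the right fix, since the relative clause refers to the plural "domain controllers", not to the model. While this paragraph is open, the IMPORTANT note directly below refers to "the pre-created group KeyAdmins"; check that spelling against the group name used in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section so the two references match, because readers will search Active Directory for the name exactly as written here.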


@ -238,6 +238,7 @@
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
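Review bot: The added TOC entry "Detect and block Potentially Unwanted Applications" uses title-case capitals mid-entry while its siblings in the same hunk ("Configure and validate exclusions", "Static proxy configuration", "Set preferences") use sentence case; suggest "Detect and block potentially unwanted applications" for consistency. The `#### [Troubleshoot]()` context line just below has an empty link target, which is worth confirming as intentional (a non-linking parent node) rather than a missing path, given that the sibling `[Privacy]` and `[Resources]` parents in the next hunk do link to pages.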
@ -245,6 +246,7 @@
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
#### [Privacy](microsoft-defender-atp/linux-privacy.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
@ -349,10 +351,10 @@
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
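Review bot: The four link targets change from the short `advanced-hunting-tvm-*-table.md` names to the full `advanced-hunting-devicetvm*-table.md` names (for example `advanced-hunting-tvm-configassessment-table.md` becomes `advanced-hunting-devicetvmsecureconfigurationassessment-table.md`). That only holds together if the renamed files land in the same commit and every other page linking to the old names is updated; the schema reference hunk at the end of this commit still links the old `advanced-hunting-tvm-softwareinventory-table.md` style targets in its visible lines, so those links need the same treatment (or redirect stubs at the old paths) before this merges.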

Binary file not shown (image added; size 135 KiB).


@ -22,30 +22,34 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Adds or remove tag to a specific [Machine](machine.md).
## Limitations
1. You can post on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles.md) for more information)
>
>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
```
@ -58,17 +62,18 @@ Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
Parameter | Type | Description
:---|:---|:---
Value | String | The tag name. **Required**.
Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
Value | String | The tag name. **Required**.
Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
## Response
If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
## Example
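Review bot: The rewritten note bullet now reads "'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)", which is garbled: the edit started a "For more information, see ..." sentence and left the old parenthetical in place. Suggest "'Manage security setting'. For more information, see [Create and manage roles](user-roles.md)." and the same shape for the machine-group bullet so the two read alike. Two smaller points in the same hunk: the API description "Adds or remove tag to a specific [Machine](machine.md)" should be "Adds or removes a tag"; and the Permissions, Request body and Response rows appear on both sides of the diff with identical text, so if those changes are whitespace-only it would help to say so in the commit description rather than leave reviewers hunting for a content difference.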


@ -1,53 +1,53 @@
---
title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSecureConfigurationAssessment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| `Timestamp` | datetime |Date and time when the record was generated |
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
---
title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSecureConfigurationAssessment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| `Timestamp` | datetime |Date and time when the record was generated |
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
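Review bot: The old and new sides of this file are identical, so this is a pure rename from `advanced-hunting-tvm-configassessment-table.md` to the `advanced-hunting-devicetvmsecureconfigurationassessment-table.md` path used in the TOC hunk; no content was touched, so a few details travel with it unchanged. The free-trial link here uses `https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=...` while the machine tag API page in this same commit uses `https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=...`; normalize on one. The page still carries the prerelease include with `ms.date: 11/12/2019`, so it is worth confirming the prerelease banner still applies, and if the page was reviewed for this rename the date should move with it.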


@ -1,53 +1,53 @@
---
title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSecureConfigurationAssessmentKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `ConfigurationName` | string | Display name of the configuration |
| `ConfigurationDescription` | string | Description of the configuration |
| `RiskDescription` | string | Description of the associated risk |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
---
title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSecureConfigurationAssessmentKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `ConfigurationName` | string | Display name of the configuration |
| `ConfigurationDescription` | string | Description of the configuration |
| `RiskDescription` | string | Description of the associated risk |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
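Review bot: The column name cell `RelatedMitreTactics ` carries a trailing space inside the backticks (present on both sides of the rename), so the rendered identifier does not match the column name readers will type into a query; drop the space. The intro paragraph writes "MITRE ATT&CK" while the last two rows write "Mitre ATT&CK"; align the rows on the intro's capitalization. The same `WindowsForBusiness/windows-atp` trial link inconsistency noted on the other renamed table pages applies here too.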


@ -1,56 +1,56 @@
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSoftwareInventoryVulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the machine |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `SoftwareVendor` | string | Name of the software vendor |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSoftwareInventoryVulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the machine |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `SoftwareVendor` | string | Name of the software vendor |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
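Review bot: In the front-matter `keywords` line, "CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities" is missing the comma between "OS" and the table name, so the two are indexed as a single keyword; insert ", " there. Content is otherwise identical on both sides, so this is a rename-only change like the other TVM table pages, and the `advanced-hunting-tvm-softwareinventory-table.md` link in the schema reference hunk at the end of this commit needs to follow it.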


@ -1,51 +1,51 @@
---
title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSoftwareVulnerabilitiesKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
---
title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---
# DeviceTvmSoftwareVulnerabilitiesKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
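Review bot: typo in the `CvssScore` row of the column table, "under th Common Vulnerability Scoring System" should read "under the Common Vulnerability Scoring System". While touching the table, the `PublishedDate` description "Date vulnerability was disclosed to public" reads better as "Date the vulnerability was publicly disclosed", in line with the full sentences used in the other rows.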

@ -48,10 +48,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
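Review bot: the link text for the `DeviceTvmSoftwareVulnerabilitiesKB` row keeps a trailing space inside the brackets (`[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)`) in both the old and the renamed line; since the rename rewrites this line anyway, drop the space so the rendered link text matches the other table names in the column.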

@ -13,7 +13,7 @@ ms.author: macapara
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: article
---
@ -35,7 +35,7 @@ ms.topic: article
Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server (SAC) version 1803 and later
@ -57,11 +57,11 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012
### Option 1: Onboard servers through Microsoft Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
@ -73,7 +73,7 @@ You'll need to take the following steps if you choose to onboard servers through
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
@ -82,10 +82,10 @@ You'll need to take the following steps if you choose to onboard servers through
### Configure and update System Center Endpoint Protection clients
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
@ -95,19 +95,19 @@ The following steps are required to enable this integration:
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
<span id="server-mma"/>
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
@ -116,7 +116,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
<span id="server-proxy"/>
### Configure server proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
@ -127,7 +127,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
@ -140,16 +140,16 @@ To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Se
Supported tools include:
- Local script
- Group Policy
- Group Policy
- Microsoft Endpoint Configuration Manager
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
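Review bot: the sentence "Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well." is retouched here for whitespace only but stays ungrammatical (a comma separates subject and verb, and "provide" disagrees with "enables"). Suggest "Support for Windows Server provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoints as well."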
@ -165,12 +165,12 @@ Support for Windows Server, provide deeper insight into activities happening on
```
1. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
```sc.exe query Windefend```
If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
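Review bot: the change from `sc query Windefend` to `sc.exe query Windefend` is correct and deserves one sentence of explanation in the text: in a PowerShell session `sc` resolves to the built-in alias for Set-Content, so only the explicit `sc.exe` reliably invokes the Service Control utility. Also consider placing the command in a fenced code block instead of inline triple backticks on a line of its own, matching the fenced block that closes at the top of this hunk.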
@ -188,12 +188,12 @@ The following capabilities are included in this integration:
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
> [!IMPORTANT]
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
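Review bot: the third bullet of the IMPORTANT block repeats the first bullet ("When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created ... data is stored in Europe by default") and then appends two unrelated statements to it. Suggest stating the tenant creation and data location once, keeping "If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant." with that bullet, and giving "Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers." its own bullet so it is not buried at the end of a sentence about data residency.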
## Offboard servers
## Offboard servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
@ -210,10 +210,10 @@ For more information, see [To disable an agent](https://docs.microsoft.com/azure
### Remove the Microsoft Defender ATP workspace configuration
To offboard the server, you can use either of the following methods:
- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
- Run a PowerShell command to remove the configuration
#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent
#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent
1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
@ -228,7 +228,7 @@ To offboard the server, you can use either of the following methods:
1. In the navigation pane, select **Settings** > **Onboarding**.
1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:

@ -54,8 +54,10 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
3. Select **Windows Defender ATP alerts** under **Local inputs**.
NOTE:
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
>[!NOTE]
> - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
> - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
4. Click **New**.
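Review bot: the new NOTE adds a Splunk Cloud bullet pointing at a different add-on, but step 3 still tells every reader to select "Windows Defender ATP alerts" under Local inputs, which the first bullet ties to the Modular Inputs TA. Say whether the input name and the remaining steps are the same when the Splunk Cloud add-on is used, or point Splunk Cloud readers to that add-on's own instructions.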

@ -23,36 +23,45 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test machines come pre-configured to have the latest and greatest OS versions with the right security components in place and Office 2019 Standard installed.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs.
You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed.
You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal.
Install your preferred simulator, run scenarios within the evaluation lab, and instantly see how the platform performs - all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations which you can access and run from the simulations catalog.
## Before you begin
You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender ATP to access the evaluation lab.
You must have **Manage security settings** permissions to:
- Create the lab
- Create machines
- Reset password
- Create simulations
For more information, see [Create and manage roles](user-roles.md).
Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
## Get started with the lab
You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**.
![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png)
When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat protection product.
It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform.
>[!NOTE]
>- Each environment is provisioned with a limited set of test machines.
>- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation.
>- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count.
>- Given the limited resources, its advisable to use the machines carefully.
Already have a lab? Make sure to enable the new threat simulators and have active machines.
## Setup the evaluation lab
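Review bot: two wording slips in the NOTE block near the end of this hunk: "Depending the type of environment structure" should be "Depending on the type of environment structure", and "its advisable" should be "it's advisable". The heading that closes the hunk, "Setup the evaluation lab", uses the noun form; as an imperative it should be "Set up the evaluation lab".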
@ -60,17 +69,37 @@ It's a good idea to read the guide before starting the evaluation process so tha
![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png)
2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Create lab**.
2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**.
![Image of lab configuration options](images/lab-creation-page.png)
![Image of lab configuration options](images/lab-creation-page.png)
3. (Optional) You can choose to install threat simulators in the lab.
![Image of install simulators agent](images/install-agent.png)
>[!IMPORTANT]
>You'll first need to accept and provide consent to the terms and information sharing statements.
4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add.
![Image of summary page](images/lab-setup-summary.png)
5. Review the summary and select **Setup lab**.
After the lab setup process is complete, you can add machines and run simulations.
When the environment completes the setup process, you're ready to add machines.
## Add machines
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines.
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
>[!TIP]
> Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team.
If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add.
The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
The following security components are pre-configured in the test machines:
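Review bot: "SysIntenals" in "other apps such as Java, Python, and SysIntenals" is misspelled and should be "Sysinternals". In the same hunk, "you can choose to setup an environment" should be "set up", and "all machines will have the threat simulator agent installed in the machines that you add" is redundant; suggest "the threat simulator agent will be installed on every machine that you add".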
@ -94,9 +123,6 @@ Automated investigation settings will be dependent on tenant settings. It will b
1. From the dashboard, select **Add machine**.
![Image of lab setup page](images/lab-setup-page.png)
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.
![Image of lab setup with machine options](images/add-machine-options.png)
@ -114,20 +140,31 @@ Automated investigation settings will be dependent on tenant settings. It will b
4. Machine set up begins. This can take up to approximately 30 minutes.
The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab.
![Image of machines tab](images/machines-tab.png)
>[!TIP]
>In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
![Image of test machines](images/eval-lab-dashboard.png)
## Simulate attack scenarios
Use the test machines to run attack simulations by connecting to them.
Use the test machines to run your own attack simulations by connecting to them.
If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
You can simulate attack scenarios using:
- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials)
- Threat simulators
You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
> [!NOTE]
> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
### Do-it-yourself attack scenarios
If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience.
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. Connect to your machine and run an attack simulation by selecting **Connect**.
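Review bot: the paragraph moved under the new "Do-it-yourself attack scenarios" heading still reads "walk you through investigation experience", which is missing an article ("walk you through the investigation experience"); since the paragraph is being relocated, fix it in the same change.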
@ -146,20 +183,70 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
![Image of window to enter credentials](images/enter-password.png)
4. Run simulations on the machine.
4. Run Do-it-yourself attack simulations on the machine.
### Threat simulator scenarios
If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines.
Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment.
>[!NOTE]
>Before you can run simulations, ensure the following requirements are met:
>- Machines must be added to the evaluation lab
>- Threat simulators must be installed in the evaluation lab
1. From the portal select **Create simulation**.
2. Select a threat simulator.
![Image of threat simulator selection](images/select-simulator.png)
3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
You can get to the simulation gallery from:
- The main evaluation dashboard in the **Simulations overview** tile or
- By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**.
4. Select the devices where you'd like to run the simulation on.
5. Select **Create simulation**.
6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
![Image of simulations tab](images/simulations-tab.png)
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
## Simulation results
Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with every detail you need.
## Simulation gallery
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant alerts and investigations by exploring the rich context provided on the attack simulation.
View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
### Evaluation report
A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
You can conveniently run any available simulation right from the catalog.
![Image of simulations catalog](images/simulations-catalog.png)
Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
**Examples:**
![Image of simulation description details](images/simulation-details-aiq.png)
![Image of simulation description details](images/simulation-details-sb.png)
## Evaluation report
The lab reports summarize the results of the simulations conducted on the machines.
![Image of the evaluation report](images/eval-report.png)
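Review bot: several grammar slips in the new threat simulator and simulation gallery sections: "Select the devices where you'd like to run the simulation on" should be "Select the devices on which you'd like to run the simulation"; "right from the within the portal" should be "right from within the portal"; "sample Advanced hunting queries you run" should be "queries you can run"; and "A list of supported third-party threat simulation agents are listed" is both redundant and a number mismatch ("Supported third-party threat simulation agents are listed"). Under "You can get to the simulation gallery from:", the two bullets ("The main evaluation dashboard ... or" / "By navigating from the navigation pane ...") are not parallel; phrase both as noun phrases or both as instructions and drop the trailing "or".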
@ -172,6 +259,7 @@ At a glance, you'll quickly be able to see:
- Detection sources
- Automated investigations
## Provide feedback
Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results.

@ -276,6 +276,10 @@ Download the onboarding package from Microsoft Defender Security Center:
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
## Uninstallation
See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
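Review bot: the new "Operating system upgrades" paragraph is added verbatim to the manual, Ansible, and Puppet deployment pages in this commit; consider moving it into a shared include (the repo already uses `[!include[...]]`, see the prerelease include at the top of the DeviceTvmSoftwareVulnerabilitiesKB page) so the three copies do not drift. It would also help to link the "uninstall" step in that paragraph to the Uninstallation section that immediately follows it.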

@ -255,6 +255,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`.
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
## References
- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)

@ -207,6 +207,10 @@ If the product is not healthy, the exit code (which can be checked through `echo
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
## Uninstallation
Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
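Review bot: as in the Ansible article, "reconfigure Microsoft Defender ATP for Linux" would be clearer if it named the Puppet path, that is, re-applying the *install_mdatp* module that the "Uninstallation" section below refers to; the reader otherwise has to guess whether a fresh onboarding package is needed after the upgrade.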

View File

@ -0,0 +1,300 @@
---
title: Privacy for Microsoft Defender ATP for Linux
description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, privacy, diagnostic
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Privacy for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youre using Microsoft Defender ATP for Linux.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
## Overview of privacy controls in Microsoft Defender ATP for Linux
This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux.
### Diagnostic data
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device its installed on.
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
By default, only required diagnostic data is sent to Microsoft.
### Cloud delivered protection data
Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
### Sample data
Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
There are three levels for controlling sample submission:
- **None**: no suspicious samples are submitted to Microsoft.
- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
- **All**: all suspicious samples are submitted to Microsoft.
## Manage privacy controls with policy settings
If you're an IT administrator, you might want to configure these controls at the enterprise level.
The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
## Diagnostic data events
This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
### Data fields that are common for all events
There is some information about events that is common to all events, regardless of category or data subtype.
The following fields are considered common for all events:
| Field | Description |
| ----------------------- | ----------- |
| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
### Required diagnostic data
**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device its installed on.
Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
#### Software setup and inventory data events
**Microsoft Defender ATP installation / uninstallation**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| correlation_id | Unique identifier associated with the installation. |
| version | Version of the package. |
| severity | Severity of the message (for example Informational). |
| code | Code that describes the operation. |
| text | Additional information associated with the product installation. |
**Microsoft Defender ATP configuration**
The following fields are collected:
| Field | Description |
| --------------------------------------------------- | ----------- |
| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
| cloud_service.service_uri | URI used to communicate with the cloud. |
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
| edr.early_preview | Whether the machine should run EDR early preview features. |
| edr.group_id | Group identifier used by the detection and response component. |
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
#### Product and service usage data events
**Security intelligence update report**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| from_version | Original security intelligence version. |
| to_version | New security intelligence version. |
| status | Status of the update indicating success or failure. |
| using_proxy | Whether the update was done over a proxy. |
| error | Error code if the update failed. |
| reason | Error message if the update failed. |
#### Product and service performance data events
**Kernel extension statistics**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| version | Version of Microsoft Defender ATP for Linux. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
| subsystem | The underlying subsystem used for real-time protection. |
| ipc.connects | Number of connection requests received by the kernel extension. |
| ipc.rejects | Number of connection requests rejected by the kernel extension. |
| ipc.connected | Whether there is any active connection to the kernel extension. |
#### Support data
**Diagnostic logs**
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
- All files under */var/log/microsoft/mdatp*
- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux
- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
### Optional diagnostic data
**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
If you choose to send us optional diagnostic data, required diagnostic data is also included.
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
#### Software setup and inventory data events
**Microsoft Defender ATP configuration**
The following fields are collected:
| Field | Description |
| -------------------------------------------------- | ----------- |
| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
| file_hash_cache_maximum | Size of the product cache. |
| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
| antivirus_engine.scan_cache_maximum | Size of the product cache. |
| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
| filesystem_scanner.full_scan_directory | Full scan directory. |
| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
| edr.latency_mode | Latency mode used by the detection and response component. |
| edr.proxy_address | Proxy address used by the detection and response component. |
**Microsoft Auto-Update configuration**
The following fields are collected:
| Field | Description |
| --------------------------- | ----------- |
| how_to_check | Determines how product updates are checked (for example automatic or manual). |
| channel_name | Update channel associated with the device. |
| manifest_server | Server used for downloading updates. |
| update_cache | Location of the cache used to store updates. |
### Product and service usage
#### Diagnostic log upload started report
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| sha256 | SHA256 identifier of the support log. |
| size | Size of the support log. |
| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
| format | Format of the support log. |
#### Diagnostic log upload completed report
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| request_id | Correlation ID for the support log upload request. |
| sha256 | SHA256 identifier of the support log. |
| blob_sas_uri | URI used by the application to upload the support log. |
#### Product and service performance data events
**Unexpected application exit (crash)**
Unexpected application exits and the state of the application when that happens.
**Kernel extension statistics**
The following fields are collected:
| Field | Description |
| ------------------------------ | ----------- |
| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
| pkt_ack_conn_timeout | |
| ipc.ack_pkts | |
| ipc.nack_pkts | |
| ipc.send.ack_no_conn | |
| ipc.send.nack_no_conn | |
| ipc.send.ack_no_qsq | |
| ipc.send.nack_no_qsq | |
| ipc.ack.no_space | |
| ipc.ack.timeout | |
| ipc.ack.ackd_fast | |
| ipc.ack.ackd | |
| ipc.recv.bad_pkt_len | |
| ipc.recv.bad_reply_len | |
| ipc.recv.no_waiter | |
| ipc.recv.copy_failed | |
| ipc.kauth.vnode.mask | |
| ipc.kauth.vnode.read | |
| ipc.kauth.vnode.write | |
| ipc.kauth.vnode.exec | |
| ipc.kauth.vnode.del | |
| ipc.kauth.vnode.read_attr | |
| ipc.kauth.vnode.write_attr | |
| ipc.kauth.vnode.read_ex_attr | |
| ipc.kauth.vnode.write_ex_attr | |
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
| ipc.kauth.vnode.link | |
| ipc.kauth.vnode.create | |
| ipc.kauth.vnode.move | |
| ipc.kauth.vnode.mount | |
| ipc.kauth.vnode.denied | |
| ipc.kauth.vnode.ackd_before_deadline | |
| ipc.kauth.vnode.missed_deadline | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
| ipc.kauth.file_op.close_modified | |
| ipc.kauth.file_op.move | |
| ipc.kauth.file_op.link | |
| ipc.kauth.file_op.exec | |
| ipc.kauth.file_op.remove | |
| ipc.kauth.file_op.unmount | |
| ipc.kauth.file_op.fork | |
| ipc.kauth.file_op.create | |
## Resources
- [Privacy at Microsoft](https://privacy.microsoft.com/)
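Review bot: several sections of this new Linux privacy page appear to be copied from the macOS page that is edited later in this same commit, and describe components that do not exist on Linux: "Kernel extension statistics" with the `ipc.kauth.vnode.*` and `ipc.kauth.file_op.*` counters (kauth is the macOS kernel authorization subsystem), and "Microsoft Auto-Update configuration" with `channel_name`, `manifest_server` and `update_cache` (Microsoft AutoUpdate is the macOS updater; the Linux install articles in this commit use package repositories). Confirm that the Linux agent actually emits these events or remove the sections, since the page is meant to list the data that is collected. Smaller points in the same hunk: `machine_guid` and `sense_guid` carry identical descriptions, as do `file_hash_cache_maximum` and `antivirus_engine.scan_cache_maximum` ("Size of the product cache"); the apostrophes in "youre" and "its installed on" were lost to encoding; and the explanation "The following properties are aggregated numerical values..." sits inside the `pkt_ack_timeout` row rather than as a sentence before the table.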

View File

@ -0,0 +1,65 @@
---
title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, pua, pus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
## How it works
Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
## Configure PUA protection
PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways:
- **Off**: PUA protection is disabled.
- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
>[!WARNING]
>By default, PUA protection is configured in **Audit** mode.
You can configure how PUA files are handled from the command line or from the management console.
### Use the command-line tool to configure PUA protection:
In Terminal, execute the following command to configure PUA protection:
```bash
$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
```
### Use the management console to configure PUA protection:
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
## Related topics
- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
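Review bot: the bash block `$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]` includes the `$` prompt inside the fence, so a copy-paste fails; drop the prompt and, since the bracketed alternatives are not literal syntax, consider showing one concrete invocation (for example with `block`) and stating the allowed values in prose. The `[!WARNING]` callout only states the default (Audit); `[!NOTE]` fits that better, and the point the reader actually needs, that Audit mode quarantines nothing, is already made in the bullet above and need not be a warning. Minor: the two "### Use the ... to configure PUA protection:" headings end in colons, and "In Terminal" reads as macOS phrasing on a Linux page.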

View File

@ -43,7 +43,7 @@ There are two levels of diagnostic data for Microsoft Defender ATP client softwa
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
By default, both optional and required diagnostic data are sent to Microsoft.
By default, only required diagnostic data is sent to Microsoft.
### Cloud delivered protection data
@ -127,6 +127,21 @@ The following fields are collected:
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
#### Product and service usage data events
**Security intelligence update report**
The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| from_version | Original security intelligence version. |
| to_version | New security intelligence version. |
| status | Status of the update indicating success or failure. |
| using_proxy | Whether the update was done over a proxy. |
| error | Error code if the update failed. |
| reason | Error message if the updated filed. |
#### Product and service performance data events
**Kernel extension statistics**
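Review bot: the `reason` row in the new security intelligence update table reads "Error message if the updated filed"; this should be "Error message if the update failed", as the Linux copy of the same table in this commit already has it.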
@ -138,6 +153,7 @@ The following fields are collected:
| version | Version of Microsoft Defender ATP for Mac. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
| subsystem | The underlying subsystem used for real-time protection. |
| ipc.connects | Number of connection requests received by the kernel extension. |
| ipc.rejects | Number of connection requests rejected by the kernel extension. |
| ipc.connected | Whether there is any active connection to the kernel extension. |
@ -259,7 +275,13 @@ The following fields are collected:
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
| ipc.kauth.vnode.link | |
| ipc.kauth.vnode.create | |
| ipc.kauth.vnode.move | |
| ipc.kauth.vnode.mount | |
| ipc.kauth.vnode.denied | |
| ipc.kauth.vnode.ackd_before_deadline | |
| ipc.kauth.vnode.missed_deadline | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
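Review bot: the rows added here (`ipc.kauth.vnode.link` through `ipc.kauth.vnode.missed_deadline`) all have an empty description column, relying on the sentence in the `pkt_ack_timeout` row further up the table; a short line before the table saying these are counters since kernel extension startup would make each row self-explanatory. The adjacent context line `ipc.kauth_file_op.open` also differs from its siblings (`ipc.kauth.file_op.*`) by an underscore; worth checking whether that is the real field name or a typo while this table is being edited.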
@ -268,6 +290,7 @@ The following fields are collected:
| ipc.kauth.file_op.link | |
| ipc.kauth.file_op.exec | |
| ipc.kauth.file_op.remove | |
| ipc.kauth.file_op.unmount | |
| ipc.kauth.file_op.fork | |
| ipc.kauth.file_op.create | |

View File

@ -33,9 +33,9 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier.
> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO.
> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
> - For more information about updating CTLs offline, refer to the following article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files
> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files].
>For more information about onboarding methods, see the following articles:
For more information about onboarding methods, see the following articles:
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
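Review bot: the replacement line has the markdown link syntax reversed, `(Configure a file or web server to download the CTL files)[https://...]`, so it renders as literal text; it should be `[Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files)`. Removing the `>` from "For more information about onboarding methods" correctly moves that sentence and the list out of the note block; confirm the blank line separating the note from the sentence survives so the list is not pulled back into the quote.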

View File

@ -29,6 +29,9 @@ The Microsoft Defender ATP service is constantly being updated to include new fe
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
>[!TIP]
>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
## Turn on preview features

View File

@ -88,5 +88,4 @@ crl.microsoft.com`
- `https://static2.sharepointonline.com`
## Related topics
- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)

View File

@ -27,8 +27,13 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
`https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us`
> [!TIP]
> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
>
> ```https
> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
> ```
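Review bot: the fence is tagged ```https, which is not a code language identifier; a plain fence or ```text gives the same rendering without relying on renderer fallback. Otherwise moving the RSS URL into a `[!TIP]` callout matches the same change made to the preview page in this commit.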
## April 2020
@ -58,7 +63,7 @@ RSS feed: Get notified when this page is updated by copying and pasting the foll
## September 2019
- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune).
- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
- [Live response](live-response.md)<BR> Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.