From e8f3a312e66b32e9cd499e57808d4453dcfead9d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Nov 2020 17:26:03 +0500 Subject: [PATCH 1/8] Addition to a troubleshooting link Added a link to a troubleshooting document as suggested by the user. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6620 --- .../microsoft-defender-atp/raw-data-export-event-hub.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 9e61246a70..f4aa755eb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -91,3 +91,4 @@ To get the data types for event properties do the following: - [Microsoft Defender for Endpoint streaming API](raw-data-export.md) - [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) +- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/troubleshooting-guide) From 1d313ffcc69a3a66cd45a9193816af1c27e63651 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 21 Nov 2020 20:45:46 +0500 Subject: [PATCH 2/8] Update windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/raw-data-export-event-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
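Review bot: the new link in the `+` line carries a locale segment (`https://docs.microsoft.com/en-us/azure/event-hubs/troubleshooting-guide`) that the neighbouring links on this page deliberately omit (`https://docs.microsoft.com/azure/event-hubs/`). Drop `en-us/` so docs.microsoft.com serves the reader's own locale and the Related topics list stays in one style.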
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index f4aa755eb9..b006634521 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -91,4 +91,4 @@ To get the data types for event properties do the following: - [Microsoft Defender for Endpoint streaming API](raw-data-export.md) - [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) -- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/troubleshooting-guide) +- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide) From 249fb6f7954fbc015efc90e4eaaf049cacbb8a80 Mon Sep 17 00:00:00 2001 From: alons8 <61512160+alons8@users.noreply.github.com> Date: Tue, 24 Nov 2020 17:31:00 +0200 Subject: [PATCH 3/8] Update raw-data-export-storage.md Update the feature requirements. Since this feature was moved to GA there is no need to enable preview features --- .../microsoft-defender-atp/raw-data-export-storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 804a1ff98e..99f189565c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md 
@@ -32,7 +32,6 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww 1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant. 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**. -3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**. ## Enable raw data streaming: From a93c5a57e300a2578e194a06994ad55154d460ed Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Tue, 24 Nov 2020 12:18:30 -0800 Subject: [PATCH 4/8] Add HoloLens CSP support for 20h2 --- .../mdm/configuration-service-provider-reference.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d064a375ca..6415a28922 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
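Review bot: removing step 3 leaves the "Before you begin" list as two items, which matches the same list on the event hub page, so no renumbering is needed here; since the commit states the feature is now GA, it is worth grepping the rest of `raw-data-export-storage.md` for any remaining "preview" wording that this hunk does not reach.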
@@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices: | [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| 
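Review bot: the new `EnrollmentStatusTracking CSP` row references footnote `10`, which does not exist in the file before this commit and is only defined in a later hunk of the same patch, so the two hunks must land together. The row is in the right alphabetical slot (between DMClient and EnterpriseModernAppManagement) and the ` 10 |` spacing follows the RemoteFind/RemoteWipe ` 4 |` style rather than the unspaced ` 8|` on the NetworkQoSPolicy row, which is the better of the two.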
@@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices: | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2813,3 +2815,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update +- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) From 696aaae521f585fc4d22b113f86546e2f6d44647 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Nov 2020 13:05:13 -0800 Subject: [PATCH 5/8] Applied correct `> [!NOTE]` style --- .../mdm/configuration-service-provider-reference.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
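Review bot: the `TenantLockdown CSP` row is placed correctly between RootCATrustedCertificates and Update and uses the same three-column cross/cross/check pattern as the EnrollmentStatusTracking row added earlier in this patch, so both new rows read consistently; as with that row, it depends on footnote `10` being added in the footnote hunk below.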
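Review bot: the new footnote line `- 10 - Added in [Windows Holographic, version 20H2](...)` has no trailing period, while entries 7 and 8 end with one ("Added in Windows 10, version 2004."); entry 9 already lacks it. Add the period to 10 (and to 9 while here) so the footnote list is uniform.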
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 6415a28922..dcf8eec173 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2747,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices: ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. +- [Accounts CSP](accounts-csp.md)9 + > [!NOTE] + > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) - [CertificateStore CSP](certificatestore-csp.md) From b05065b371a0da06b1c13e1cefa14b8aab86124a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Nov 2020 13:32:41 -0800 Subject: [PATCH 6/8] Corrections to layout --- .../raw-data-export-storage.md | 52 +++++++++++-------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 99f189565c..1fa007de50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md 
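Review bot: converting the inline `**Note:**` into an indented `> [!NOTE]` block under the list item is the right DocFX form, but the footnote marker in `- [Accounts CSP](accounts-csp.md)9` still runs straight into the link text, whereas the HoloLens table in this same file separates its markers with a space (`![check mark](images/checkmark.png) 4`). Consider `[Accounts CSP](accounts-csp.md) 9` for consistency, and since `Domain\ComputerName` is a literal value format, code font (`` `Domain\ComputerName` ``) would be clearer than bold.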
@@ -36,13 +36,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww ## Enable raw data streaming: 1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user. -2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. -3. Click on **Add data export settings**. -4. Choose a name for your new settings. -5. Choose **Forward events to Azure Storage**. -6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: - ![Image of event hub resource Id](images/storage-account-resource-id.png) +2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. + +3. Click on **Add data export settings**. + +4. Choose a name for your new settings. + +5. Choose **Forward events to Azure Storage**. + +6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**: + + ![Image of event hub resource ID](images/storage-account-resource-id.png) 7. Choose the events you want to stream and click **Save**. 
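Review bot: the alt text in the `+` line `![Image of event hub resource ID](images/storage-account-resource-id.png)` still describes an event hub, but the screenshot is the Storage account resource ID; since this line is being rewritten anyway, change it to "Image of storage account resource ID". Two context lines in this hunk also diverge from the sibling event hub page: step 1 reads "with Global Admin user" (missing article; the event hub page says "with a Global Admin user") and links to "Microsoft Defender for Endpoint portal" where the event hub page says "Microsoft Defender Security Center".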
@@ -50,22 +55,25 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww - A blob container will be created for each event type: -![Image of event hub resource Id](images/storage-account-event-schema.png) + ![Image of event hub resource ID](images/storage-account-event-schema.png) - The schema of each row in a blob is the following JSON: -``` -{ - "time": "" - "tenantId": "" - "category": "" - "properties": { } -} -``` + ``` + { + "time": "" + "tenantId": "" + "category": "" + "properties": { } + } + ``` - Each blob contains multiple rows. + - Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". + - For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md). + - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: 
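Review bot: the schema block is introduced as "the following JSON" but the re-indented lines have no commas between members (`"time": ""` followed directly by `"tenantId": ""`), so it is not valid JSON and will not parse if a reader pastes it into a schema tool; add the commas (`"time": "",` / `"tenantId": "",` / `"category": "",`) and tag the fence as ```json. The alt text `![Image of event hub resource ID](images/storage-account-event-schema.png)` is also wrong for a blob-container screenshot, and the context line "the tenant it belongs" should read "the tenant it belongs to".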
@@ -73,18 +81,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww In order to get the data types for our events properties do the following: 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). + 2. Run the following query to get the data types mapping for each event: -``` -{EventType} -| getschema -| project ColumnName, ColumnType - -``` + ``` + {EventType} + | getschema + | project ColumnName, ColumnType + ``` - Here is an example for Device Info event: -![Image of event hub resource ID](images/machine-info-datatype-example.png) + ![Image of event hub resource ID](images/machine-info-datatype-example.png) ## Related topics - [Overview of Advanced Hunting](advanced-hunting-overview.md) From d08c38bcb4402304e4109d99ab3c8c475e9f0893 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Nov 2020 13:34:49 -0800 Subject: [PATCH 7/8] Corrections to layout --- .../raw-data-export-event-hub.md | 40 ++++++++++++------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index b006634521..7aa3fdcc1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md 
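Review bot: the context line "In order to get the data types for our events properties do the following:" has a grammar slip ("events properties") and differs from the event hub page's "To get the data types for event properties do the following:"; aligning the wording would keep the two pages in step. The re-indented query fence has no language tag, so ```kusto would give it highlighting, and the alt text `![Image of event hub resource ID](images/machine-info-datatype-example.png)` describes the wrong thing for a `getschema` result screenshot.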
@@ -31,19 +31,26 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww ## Before you begin: 1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant. -2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****. + +2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**. ## Enable raw data streaming: 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user. -2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. -3. Click on **Add data export settings**. -4. Choose a name for your new settings. -5. Choose **Forward events to Azure Event Hubs**. -6. Type your **Event Hubs name** and your **Event Hubs resource ID**. - In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**: - ![Image of event hub resource Id](images/event-hub-resource-id.png) +2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. + +3. Click on **Add data export settings**. + +4. Choose a name for your new settings. + +5. Choose **Forward events to Azure Event Hubs**. + +6. Type your **Event Hubs name** and your **Event Hubs resource ID**. + + In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**: + + ![Image of event hub resource Id](images/event-hub-resource-id.png) 7. Choose the events you want to stream and click **Save**. 
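Review bot: the rewritten step 2 `**Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**.` contains three `**` delimiters, so the bold is still unbalanced and will render with a stray `**` or with only the first part emphasised. The storage page's form, `**Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**`, is balanced; use that here. The alt text `![Image of event hub resource Id](images/event-hub-resource-id.png)` also keeps lowercase "Id" while the storage page was just changed to "ID".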
@@ -64,8 +71,11 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww ``` - Each event hub message in Azure Event Hubs contains list of records. + - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". + - For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md). + - In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: @@ -73,18 +83,18 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww To get the data types for event properties do the following: 1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). + 2. Run the following query to get the data types mapping for each event: -``` -{EventType} -| getschema -| project ColumnName, ColumnType - -``` + ``` + {EventType} + | getschema + | project ColumnName, ColumnType + ``` - Here is an example for Device Info event: -![Image of event hub resource Id](images/machine-info-datatype-example.png) + ![Image of event hub resource Id](images/machine-info-datatype-example.png) ## Related topics - [Overview of Advanced Hunting](advanced-hunting-overview.md) From 5a2dd7d0abc9be352ffe92284cdc0457c4e022df Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Nov 2020 13:43:58 -0800 Subject: [PATCH 8/8] Aligned spacing change with raw-data-export-event-hub.md --- .../microsoft-defender-atp/raw-data-export-storage.md | 1 + 1 file changed, 1 insertion(+) 
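Review bot: the context line "the time Microsoft Defender ATP received the event" uses the retired product name while the rest of this hunk and page say "Microsoft Defender for Endpoint"; since the hunk is already touching this list to add blank lines, update the name and fix "the tenant it belongs" to "the tenant it belongs to" at the same time.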
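Review bot: the alt text in the `+` line `![Image of event hub resource Id](images/machine-info-datatype-example.png)` mislabels a `getschema` output screenshot and keeps the lowercase "Id" that the storage page's parallel hunk changed to "ID"; correct both, and tag the query fence ```kusto so it is highlighted like other Advanced Hunting snippets.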
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 1fa007de50..8dae2a2358 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -31,6 +31,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww ## Before you begin: 1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant. + 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**. ## Enable raw data streaming: