mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 03:43:39 +00:00
Merge branch 'master' into TVMGranularExploitInfoUpd8s
This commit is contained in:
Dolcita Montemayor
@ -122,10 +122,13 @@
|
||||
##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
|
||||
##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
|
||||
##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
|
||||
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
|
||||
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
|
||||
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
|
||||
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
|
||||
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
|
||||
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
|
||||
|
||||
|
||||
#### [Custom detections]()
|
||||
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
|
||||
##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Threat Protection (Windows 10)
|
||||
description: Learn how Microsoft Defender ATP helps protect against threats.
|
||||
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting
|
||||
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -64,7 +64,7 @@ The attack surface reduction set of capabilities provide the first line of defen
|
||||
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
|
||||
- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
|
||||
- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
|
||||
- [Network protection](microsoft-defender-atp/network-protection.md), [Web protection](microsoft-defender-atp/web-protection-overview.md)
|
||||
- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
|
||||
- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
|
||||
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
|
||||
- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
|
||||
|
||||
@ -45,6 +45,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce
|
||||
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
|
||||
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
|
||||
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
|
||||
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
|
||||
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
|
||||
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
|
||||
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks |
|
||||
|
||||
## Related topics
|
||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||
|
||||
@ -0,0 +1,51 @@
|
||||
---
|
||||
title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
|
||||
description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information.
|
||||
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/27/2019
|
||||
---
|
||||
|
||||
# DeviceTvmSecureConfigurationAssessment
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
|
||||
| Timestamp | datetime |Date and time when the record was generated|
|
||||
| ConfigurationId | string | Unique identifier for a specific configuration |
|
||||
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
|
||||
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
||||
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
||||
| IsCompliant | string | Indicates whether the configuration or policy is properly configured |
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,51 @@
|
||||
---
|
||||
title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
|
||||
description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to.
|
||||
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/27/2019
|
||||
---
|
||||
|
||||
# DeviceTvmSecureConfigurationAssessmentKB
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| ConfigurationId | string | Unique identifier for a specific configuration |
|
||||
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
||||
| ConfigurationName | string | Display name of the configuration |
|
||||
| ConfigurationDescription | string | Description of the configuration |
|
||||
| RiskDescription | string | Description of the associated risk |
|
||||
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
|
||||
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
||||
| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
|
||||
| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
|
||||
| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration|
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,56 @@
|
||||
---
|
||||
title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
|
||||
description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions
|
||||
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/27/2019
|
||||
---
|
||||
|
||||
# DeviceTvmSoftwareInventoryVulnerabilities
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
|
||||
| OSVersion | string | Version of the operating system running on the machine |
|
||||
| OSArchitecture | string | Architecture of the operating system running on the machine|
|
||||
| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
|
||||
| SoftwareName | string | Name of the software product|
|
||||
|SoftwareVersion | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
|
||||
| CveId | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
|
||||
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
|
||||
description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network.
|
||||
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/27/2019
|
||||
---
|
||||
|
||||
# DeviceTvmSoftwareVulnerabilitiesKB
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
|
||||
| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
|
||||
| IsExploitAvailable | string | Indicates whether exploit code for the vulnerability is publicly available|
|
||||
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
|
||||
| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
|
||||
| PublishedDate | datetime | Date vulnerability was disclosed to public|
|
||||
| VulnerabilityDescription | string | Description of vulnerability and associated risks|
|
||||
| AffectedSoftware | string | List of all software products affected by the vulnerability|
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -37,7 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
|
||||
- Windows 10 Enterprise E5
|
||||
- Windows 10 Education E5
|
||||
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
|
||||
- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package
|
||||
|
||||
|
||||
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
|
||||
|
||||
|
||||
@ -44,7 +44,9 @@ The following features are included in the preview release:
|
||||
|
||||
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
|
||||
|
||||
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
|
||||
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
|
||||
|
||||
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
|
||||
|
||||
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
|
||||
|
||||
|
||||
@ -150,6 +150,29 @@ When an exception is created for a recommendation, the recommendation is no long
|
||||
|
||||
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
|
||||
|
||||
## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit
|
||||
|
||||
1. Go to **Advanced hunting** from the left-hand navigation pane.
|
||||
|
||||
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
|
||||
|
||||
3. Enter the following queries:
|
||||
|
||||
```
|
||||
// Search for machines with High active alerts or Critical CVE public exploit
|
||||
DeviceTvmSoftwareInventoryVulnerabilities
|
||||
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
|
||||
| where IsExploitAvailable == 1 and CvssScore >= 7
|
||||
| summarize NumOfVulnerabilities=dcount(CveId),
|
||||
ComputerName=any(ComputerName) by MachineId
|
||||
| join kind =inner(AlertEvents) on MachineId
|
||||
| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
|
||||
ComputerName=any(ComputerName) by MachineId, AlertId
|
||||
| project ComputerName, NumOfVulnerabilities, AlertId
|
||||
| order by NumOfVulnerabilities desc
|
||||
|
||||
```
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
@ -159,3 +182,5 @@ When an exception is created for a recommendation, the recommendation is no long
|
||||
- [Remediation](tvm-remediation.md)
|
||||
- [Software inventory](tvm-software-inventory.md)
|
||||
- [Weaknesses](tvm-weaknesses.md)
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
|
||||
@ -79,8 +79,6 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
|
||||
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Monitoring web browsing security in Microsoft Defender ATP
|
||||
description: Use web protection in Microsoft Defender ATP to monitor web browsing security
|
||||
keywords: web protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
|
||||
keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -22,9 +22,7 @@ ms.date: 08/30/2019
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide web threat detection statistics:
|
||||
Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
|
||||
|
||||
- **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
|
||||
|
||||
@ -44,7 +42,7 @@ Web protection categorizes malicious and unwanted websites as:
|
||||
- **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
|
||||
|
||||
## View the domain list
|
||||
Clicking on a specific web threat category in the **Web threat protection summary** card opens the **Domains** page, which shows a list of the domains prefiltered under that threat category. The page provides the following information for each domain:
|
||||
Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain:
|
||||
|
||||
- **Access count** — number of requests for URLs in the domain
|
||||
- **Blocks** — number of times requests were blocked
|
||||
@ -52,7 +50,7 @@ Clicking on a specific web threat category in the **Web threat protection summar
|
||||
- **Threat category** — type of web threat
|
||||
- **Machines** — number of machines with access attempts
|
||||
|
||||
Selecting a domain opens a panel that shows the list of URLs in that domain that have been accessed. The panel also lists machines that have attempted to access URLs in the domain.
|
||||
Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs.
|
||||
|
||||
## Related topics
|
||||
- [Web protection overview](web-protection-overview.md)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Overview of web protection in Microsoft Defender ATP
|
||||
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
|
||||
keywords: web protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
|
||||
keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -22,18 +22,16 @@ ms.date: 08/30/2019
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
|
||||
|
||||
Web protection in Microsoft Defender ATP leverages [network protection](network-protection.md) to secure your machines against web threats without relying on a web proxy, providing security for devices that are either away or on premises. By integrating with Microsoft Edge as well as popular third-party browsers like Chrome and Firefox, web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
|
||||
>[!Note]
|
||||
>It can take up to an hour for machines to receive new customer indicators.
|
||||
|
||||
With web protection, you also get:
|
||||
- Comprehensive visibility into web threats affecting your organization
|
||||
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
|
||||
- A full set of security features that track general access trends to malicious and unwanted websites
|
||||
|
||||
>[!Note]
|
||||
>It can take up to an hour for machines to receive new customer indicators.
|
||||
|
||||
## Prerequisites
|
||||
Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Respond to web threats in Microsoft Defender ATP
|
||||
description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
|
||||
keywords: web protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
|
||||
keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -22,8 +22,6 @@ ms.date: 08/30/2019
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
|
||||
|
||||
## View web threat alerts
|
||||
@ -62,10 +60,10 @@ You can also check the machine that attempted to access a blocked URL. Selecting
|
||||
With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.
|
||||
|
||||
|
||||
*Web threat blocked by Microsoft Edge*
|
||||
*Web threat blocked on Microsoft Edge*
|
||||
|
||||
|
||||
*Web threat blocked by the Chrome web browser*
|
||||
|
||||
*Web threat blocked on Chrome*
|
||||
|
||||
## Related topics
|
||||
- [Web protection overview](web-protection-overview.md)
|
||||
|
||||
@ -33,24 +33,49 @@ The general steps for expanding the S mode base policy on your devices are to ge
|
||||
1. Generate a supplemental policy with WDAC tooling
|
||||
|
||||
This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
|
||||
|
||||
Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy.
|
||||
|
||||
Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy.
|
||||
Below are a basic set of instructions for creating an S mode supplemental policy:
|
||||
- Create a new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps)
|
||||
|
||||
```powershell
|
||||
New-CIPolicy -MultiplePolicyFormat -ScanPath <path> -UserPEs -FilePath "<path>\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
|
||||
```
|
||||
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
|
||||
|
||||
```powershell
|
||||
Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "<path>\SupplementalPolicy.xml"
|
||||
```
|
||||
Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID.
|
||||
- Put the policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps)
|
||||
|
||||
```powershell
|
||||
Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 –Delete
|
||||
```
|
||||
This deletes the ‘audit mode’ qualifier.
|
||||
- Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
|
||||
|
||||
```powershell
|
||||
ConvertFrom-CIPolicy -XmlFilePath "<path>\SupplementalPolicy.xml" -BinaryFilePath "<path>\SupplementalPolicy.bin>
|
||||
```
|
||||
|
||||
> [!Note]
|
||||
> Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID.
|
||||
2. Sign policy
|
||||
|
||||
Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
|
||||
|
||||
Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
|
||||
Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy:
|
||||
|
||||
`Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`
|
||||
```powershell
|
||||
Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`
|
||||
```
|
||||
Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML
|
||||
|
||||
3. Deploy the signed supplemental policy using Microsoft Intune
|
||||
|
||||
Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device.
|
||||
<!-- Intune link?-->
|
||||
Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device.
|
||||
|
||||
> [!Note]
|
||||
> [!Note]
|
||||
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number.
|
||||
|
||||
# Standard Process for Deploying Apps through Intune
|
||||
@ -152,8 +177,8 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
|
||||
</SiPolicy>
|
||||
```
|
||||
# Policy Removal
|
||||
> [!Note]
|
||||
> There is currently a policy deletion error, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
|
||||
> [!Note]
|
||||
> This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
|
||||
@ -24,9 +24,6 @@ ms.date: 05/17/2019
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
|
||||
|
||||
1. Enforce and Audit Side-by-Side
|
||||
@ -53,7 +50,7 @@ Note that multiple policies will not work on pre-1903 systems.
|
||||
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format.
|
||||
|
||||
```powershell
|
||||
New-CIPolicy -MultiplePolicyFormat -ScanPath '.\temp\' -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
|
||||
New-CIPolicy -MultiplePolicyFormat -ScanPath "<path>" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
|
||||
```
|
||||
|
||||
Optionally, you can choose to make the new base policy supplementable (allow supplemental policies).
|
||||
@ -71,18 +68,19 @@ Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-
|
||||
### Supplemental Policy Creation
|
||||
|
||||
In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands.
|
||||
- "SupplementsBasePolicyID": guid of new supplemental policy
|
||||
- "SupplementsBasePolicyID":
|
||||
of new supplemental policy
|
||||
- "BasePolicyToSupplementPath": base policy that the supplemental policy applies to
|
||||
|
||||
```powershell
|
||||
Set-CIPolicyIdInfo [-FilePath] <string> [-PolicyName <string>] [-SupplementsBasePolicyID <guid>] [-BasePolicyToSupplementPath <string>] [-ResetPolicyID] [-PolicyId <string>] [<CommonParameters>]
|
||||
```
|
||||
|
||||
Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy guids back to a random guid.
|
||||
Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID.
|
||||
|
||||
### Merging policies
|
||||
|
||||
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \<ID>, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \<ID>.
|
||||
When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \<ID>, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \<ID>.
|
||||
|
||||
### Deploying policies
|
||||
|
||||
|
||||
Reference in New Issue
Block a user