From 71ffe3c05ccd0342d6745c29578508839f779b18 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 23 Apr 2020 16:01:31 -0700 Subject: [PATCH] ioc indicator --- .../enable-network-protection.md | 38 +++++++++-------- .../manage-indicators.md | 41 ++++++++++++++++++- 2 files changed, 61 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index db54d852de..8513635c3a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -28,11 +28,31 @@ You can [audit network protection](evaluate-network-protection.md) in a test env You can enable network protection by using any of these methods: +* [PowerShell](#powershell) * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) -* [PowerShell](#powershell) + +## PowerShell + +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -EnableNetworkProtection Enabled + ``` + +You can enable the feature in audit mode using the following cmdlet: + +```PowerShell +Set-MpPreference -EnableNetworkProtection AuditMode +``` + +Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. + + + ## Intune 
@@ -89,22 +109,6 @@ You can confirm network protection is enabled on a local computer by using Regis * 1=On * 2=Audit -## PowerShell - -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** -2. Enter the following cmdlet: - - ```PowerShell - Set-MpPreference -EnableNetworkProtection Enabled - ``` - -You can enable the feature in audit mode using the following cmdlet: - -```PowerShell -Set-MpPreference -EnableNetworkProtection AuditMode -``` - -Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 76908992e4..4f3be8bbf1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md 
@@ -114,7 +114,7 @@ By creating indicators for IPs and URLs or domains, you can now allow or block I ### Before you begin It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: -- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md). +- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later. - Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). 
@@ -147,6 +147,45 @@ It's important to understand the following prerequisites prior to creating indic 5. Review the details in the Summary tab, then click **Save**. +## Create indicators for certificates + +You can create indicators for certificates. Some common use cases include: + +- Deploying blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) but allow behaviors from signed applications using certificate whitelisting. +- Blocking the use of a specific signed application across your organization. Using the certificate 'block' indicator, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. + +### Before you begin + +It's important to understand the following requirements prior to creating indicators for certifications: + +- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- Supported on machines on Windows 10, version 1703 or later. +- The Antimalware client version must be or later. +- The Engine version must be x or later. +- This feature currently supports entering … or … + +>[!IMPORTANT] +> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). +>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported. +>- Microsoft signed certificates cannot be blocked. 
+ +#### Create an indicator for certificates from the settings page: + +>[!IMPORTANT] +> It can take up to 3 hours to create and remove a certificate IoC. + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **Certificate** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. ## Manage indicators
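Review bot: In the first hunk of enable-network-protection.md (`@@ -28,11 +28,31 @@`), the three consecutive blank `+` lines between `Use \`Disabled\` instead of \`AuditMode\` or \`Enabled\` to turn the feature off.` and `## Intune` should be collapsed to a single blank line; moving the PowerShell section and its list entry to the top is otherwise consistent, since the bulleted method list now matches the order of the headings that follow it.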
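Review bot: In the second hunk of enable-network-protection.md (`@@ -89,22 +109,6 @@`), removing the old PowerShell section leaves two consecutive blank lines before `## Related topics` (the surviving blank context line plus the one that preceded the deleted heading); drop one so the spacing matches the rest of the file.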
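Review bot: The retargeted link in the manage-indicators.md hunk `@@ -114,7 +114,7 @@` (from `network-protection.md` to `enable-network-protection.md`) matches the link text `[Enable network protection]` and points readers at the block-mode configuration the prerequisite requires; while here, the unchanged context line above it reads "for IPS, URLs, or domains", where "IPs" is intended.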
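Review bot: The new "Create indicators for certificates" section in the `@@ -147,6 +147,45 @@` hunk ships with unfilled placeholders in its prerequisites: `The Antimalware client version must be or later.`, `The Engine version must be x or later.` and `This feature currently supports entering … or …` have no values, so a reader cannot tell whether their client qualifies; these must be completed before merge. Smaller points in the same hunk: "prior to creating indicators for certifications" should read "certificates"; `Cloud–based` uses an en dash where a hyphen is wanted; "IOCs" and "IoC" are mixed within one IMPORTANT block and the second and third bullets there use `>-` while the first uses `> -`; the first use-case bullet ("Deploying blocking technologies ... but allow behaviors") is not a grammatical sentence; and a blank line is missing between step 5 and the unchanged `## Manage indicators` heading.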