deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updated-4567381-Batch9

Browse Source 
rebranding
This commit is contained in:
Lovina Saldanha
2020-11-06 14:52:38 +05:30
parent 761847f06f
commit 78075f1b9b
25 changed files with 169 additions and 170 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
View File

@ -1,5 +1,5 @@
---
title: Investigate devices in the Microsoft Defender ATP Devices list
title: Investigate devices in the Defender for Endpoint Defender ATP Devices list
description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health.
keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
search.product: eADQiWindows 10XVcnh
@ -19,16 +19,16 @@ ms.collection:
ms.topic: article
---
# Investigate devices in the Microsoft Defender ATP Devices list
# Investigate devices in the Microsoft Defender for Endpoint Devices list
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
@ -173,7 +173,7 @@ The **Azure Advanced Threat Protection** card will display a high-level overview
![Image of active alerts card](images/risk-level-small.png)
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
>You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
### Logged on users
@ -189,12 +189,12 @@ The **Security assessments** card shows the overall exposure level, security rec
## Related topics
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md)
- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
- [Investigate a user account in Defender for Endpoint](investigate-user.md)
- [Security recommendation](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)

22
windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
View File

@ -19,16 +19,16 @@ ms.collection:
ms.topic: article
ms.date: 04/24/2018
---
# Investigate a user account in Microsoft Defender ATP
# Investigate a user account in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
## Investigate user account entities
@ -56,7 +56,7 @@ When you investigate a user account entity, you'll see:
The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
>You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account.
@ -92,10 +92,10 @@ You can filter the results by the following time periods:
## Related topics
- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md)
- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md)
- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)

6
windows/security/threat-protection/microsoft-defender-atp/investigation.md
View File

@ -23,11 +23,11 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Represent an Automated Investigation entity in Microsoft Defender ATP.
Represent an Automated Investigation entity in Defender for Endpoint.
<br> See [Overview of automated investigations](automated-investigations.md) for more information.
## Methods

8
windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
View File

@ -20,7 +20,7 @@ ms.collection:
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for iOS features
# Configure Microsoft Defender for Endpoint for iOS features
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -33,17 +33,17 @@ ms.topic: conceptual
## Configure custom indicators
Microsoft Defender ATP for iOS enables admins to configure custom indicators on
Defender for Endpoint for iOS enables admins to configure custom indicators on
iOS devices as well. Refer to [Manage
indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
on how to configure custom indicators
## Web Protection
By default, Microsoft Defender ATP for iOS includes and enables the web
By default, Defender for Endpoint for iOS includes and enables the web
protection feature. [Web
protection](web-protection-overview.md) helps
to secure devices against web threats and protect users from phishing attacks.
>[!NOTE]
>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
>Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.

21
windows/security/threat-protection/microsoft-defender-atp/ios-install.md
View File

@ -20,7 +20,7 @@ ms.collection:
ms.topic: conceptual
---
# App-based deployment for Microsoft Defender ATP for iOS
# App-based deployment for Microsoft Defender for Endpoint for iOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -31,7 +31,7 @@ ms.topic: conceptual
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
Deployment devices need to be enrolled on Intune Company portal. Refer to
[Enroll your
@ -43,33 +43,32 @@ learn more about Intune device enrollment
- Ensure you have access to [Microsoft Endpoint manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
- Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint
license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
## Deployment steps
To install Microsoft Defender ATP for iOS, end-users can visit
To install Defender for Endpoint for iOS, end-users can visit
<https://aka.ms/defenderios> on their iOS devices. This link will open the
TestFlight application on their device or prompt them to install TestFlight. On
the TestFlight app, follow the onscreen instructions to install Microsoft
Defender ATP.
the TestFlight app, follow the onscreen instructions to install Defender for Endpoint.
![Image of deployment steps](images/testflight-get.png)
## Complete onboarding and check status
1. Once Microsoft Defender ATP for iOS has been installed on the device, you
1. Once Defender for Endpoint for iOS has been installed on the device, you
will see the app icon.
![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
2. Tap the Microsoft Defender ATP app icon and follow the on-screen
2. Tap the Defender for Endpoint app icon and follow the on-screen
instructions to complete the onboarding steps. The details include end-user
acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
acceptance of iOS permissions required by Defender for Endpoint for iOS.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
@ -79,4 +78,4 @@ Defender ATP.
## Next Steps
[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
[Configure Defender for Endpoint for iOS features](ios-configure-features.md)

10
windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
View File

@ -23,18 +23,18 @@ hideEdit: true
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md)
- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md)
>[!NOTE]
> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**.
> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**.
Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP.
Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint.
Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service.
Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service.
## Required data
Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
### Web page / Network information

8
windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
View File

@ -21,12 +21,12 @@ ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for iOS application license terms
# Microsoft Defender for Endpoint for iOS application license terms
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
These license terms ("Terms") are an agreement between Microsoft Corporation (or
based on where you live, one of its affiliates) and you. Please read them. They
@ -53,7 +53,7 @@ DO NOT USE THE APPLICATION.**
1. **Installation and Use.** You may install and use any number of copies
of this application on iOS enabled device or devices which you own
or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
subscription of Defender for Endpoint or
an online service that includes MDATP functionalities.
2. **Updates.** Updates or upgrades to MDATP may be required for full
@ -162,7 +162,7 @@ DO NOT USE THE APPLICATION.**
enforce and rely upon any provision of these Terms that grants them a
benefit or rights.
9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint and
Microsoft 365 are registered or common-law trademarks of Microsoft
Corporation in the United States and/or other countries.

6
windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
View File

@ -21,9 +21,9 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
@ -37,7 +37,7 @@ Isolates a device from accessing external network.
[!include[Device actions note](../../includes/machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---

18
windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
View File

@ -19,30 +19,30 @@ ms.collection:
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Linux
# Configure and validate exclusions for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
> [!IMPORTANT]
> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
> The exclusions described in this article don't apply to other Defender for Endpoint for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Linux scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Linux.
> [!WARNING]
> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
> Defining exclusions lowers the protection offered by Defender for Endpoint for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
The follow table shows the exclusion types supported by Defender for Endpoint for Linux.
Exclusion | Definition | Examples
---|---|---
@ -65,7 +65,7 @@ Wildcard | Description | Example | Matches | Does not match
### From the management console
For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
### From the command line
@ -145,7 +145,7 @@ In the following Bash snippet, replace `test.txt` with a file that conforms to y
curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If Defender for Endpoint for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:

16
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -20,16 +20,16 @@ ms.collection:
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux manually
# Deploy Microsoft Defender for Endpoint for Linux manually
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks:
This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks:
- [Configure the Linux software repository](#configure-the-linux-software-repository)
- [Application installation](#application-installation)
@ -42,7 +42,7 @@ Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defende
## Configure the Linux software repository
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
@ -301,7 +301,7 @@ Download the onboarding package from Microsoft Defender Security Center:
> ```bash
> mdatp health --field definitions_status
> ```
> Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
> Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
@ -317,7 +317,7 @@ Download the onboarding package from Microsoft Defender Security Center:
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
```
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
- The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats:
```bash
mdatp threat list
@ -329,8 +329,8 @@ See [Log installation issues](linux-resources.md#log-installation-issues) for mo
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
## Uninstallation
See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint for Linux from client devices.

16
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -20,16 +20,16 @@ ms.collection:
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux with Ansible
# Deploy Microsoft Defender for Endpoint for Linux with Ansible
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
This article describes how to deploy Defender for Endpoint for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Ansible YAML files](#create-ansible-yaml-files)
@ -38,7 +38,7 @@ This article describes how to deploy Microsoft Defender ATP for Linux using Ansi
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
@ -120,9 +120,9 @@ Create a subtask or role files that contribute to an playbook or task.
when: not mdatp_onboard.stat.exists
```
- Add the Microsoft Defender ATP repository and key.
- Add the Defender for Endpoint repository and key.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
@ -156,7 +156,7 @@ Create a subtask or role files that contribute to an playbook or task.
- name: Add Microsoft yum repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP
description: Microsoft Defender for Endpoint
file: microsoft-[channel]
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes
@ -254,7 +254,7 @@ See [Log installation issues](linux-resources.md#log-installation-issues) for mo
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
## References

16
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
View File

@ -20,16 +20,16 @@ ms.collection:
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux with Puppet
# Deploy Microsoft Defender for Endpoint for Linux with Puppet
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
This article describes how to deploy Defender for Endpoint for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Puppet manifest](#create-a-puppet-manifest)
@ -38,7 +38,7 @@ This article describes how to deploy Microsoft Defender ATP for Linux using Pupp
## Prerequisites and system requirements
For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
For a description of prerequisites and system requirements for the current software version, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md).
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
@ -72,7 +72,7 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create a Puppet manifest
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
You need to create a Puppet manifest for deploying Defender for Endpoint for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
@ -96,7 +96,7 @@ install_mdatp
### Contents of `install_mdatp/manifests/init.pp`
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
@ -205,7 +205,7 @@ org_id : "[your organization identifier]"
- **licensed**: This confirms that the device is tied to your organization.
- **orgId**: This is your Microsoft Defender ATP organization identifier.
- **orgId**: This is your Defender for Endpoint organization identifier.
## Check onboarding status
@ -231,7 +231,7 @@ If the product is not healthy, the exit code (which can be checked through `echo
## Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
## Uninstallation

26
windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
View File

@ -20,19 +20,19 @@ ms.collection:
ms.topic: conceptual
---
# Set preferences for Microsoft Defender ATP for Linux
# Set preferences for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
>[!IMPORTANT]
>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
>This topic contains instructions for how to set preferences for Defender for Endpoint for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
In enterprise environments, Defender for Endpoint for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
@ -78,7 +78,7 @@ Determines whether the antivirus engine runs in passive mode or not. In passive
| **Key** | passiveMode |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
| **Comments** | Available in Defender for Endpoint version 100.67.60 or higher. |
#### Exclusion merge policy
@ -89,7 +89,7 @@ Specifies the merge policy for exclusions. It can be a combination of administra
| **Key** | exclusionsMergePolicy |
| **Data type** | String |
| **Possible values** | merge (default) <br/> admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
#### Scan exclusions
@ -173,7 +173,7 @@ Restricts the actions that the local user of a device can take when threats are
| **Key** | disallowedThreatActions |
| **Data type** | Array of strings |
| **Possible values** | allow (restricts users from allowing threats) <br/> restore (restricts users from restoring threats from the quarantine) |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
#### Threat type settings
@ -218,7 +218,7 @@ Specifies the merge policy for threat type settings. This can be a combination o
| **Key** | threatTypeSettingsMergePolicy |
| **Data type** | String |
| **Possible values** | merge (default) <br/> admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. |
#### Antivirus scan history retention (in days)
@ -229,7 +229,7 @@ Specify the number of days that results are retained in the scan history on the
| **Key** | scanResultsRetentionDays |
| **Data type** | String |
| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. |
#### Maximum number of items in the antivirus scan history
@ -240,7 +240,7 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
| **Key** | scanHistoryMaximumItems |
| **Data type** | String |
| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. |
### Cloud-delivered protection preferences
@ -264,7 +264,7 @@ Determines whether cloud-delivered protection is enabled on the device or not. T
#### Diagnostic collection level
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
|||
|:---|:---|
@ -298,7 +298,7 @@ Determines whether security intelligence updates are installed automatically:
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Defender for Endpoint provides.
The following configuration profile will:
@ -407,4 +407,4 @@ If the JSON is well-formed, the above command outputs it back to the Terminal an
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.

36
windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
View File

@ -17,32 +17,32 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Privacy for Microsoft Defender ATP for Linux
# Privacy for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint](microsoft-defender-atp-linux.md)
Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youre using Microsoft Defender ATP for Linux.
Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youre using Defender for Endpoint for Linux.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
## Overview of privacy controls in Microsoft Defender ATP for Linux
## Overview of privacy controls in Microsoft Defender for Endpoint for Linux
This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux.
This section describes the privacy controls for the different types of data collected by Defender for Endpoint for Linux.
### Diagnostic data
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from:
* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device its installed on.
* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device its installed on.
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
@ -68,7 +68,7 @@ There are three levels for controlling sample submission:
If you're an IT administrator, you might want to configure these controls at the enterprise level.
The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
@ -89,20 +89,20 @@ The following fields are considered common for all events:
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| app_version | Version of the Defender for Endpoint for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
### Required diagnostic data
**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device its installed on.
**Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device its installed on.
Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
#### Software setup and inventory data events
**Microsoft Defender ATP installation / uninstallation**
**Microsoft Defender for Endpoint installation / uninstallation**
The following fields are collected:
@ -114,7 +114,7 @@ The following fields are collected:
| code | Code that describes the operation. |
| text | Additional information associated with the product installation. |
**Microsoft Defender ATP configuration**
**Microsoft Defender for Endpoint configuration**
The following fields are collected:
@ -123,7 +123,7 @@ The following fields are collected:
| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
| cloud_service.timeout | Time out when the application communicates with the Defender for Endpoint cloud. |
| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
| cloud_service.service_uri | URI used to communicate with the cloud. |
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
@ -156,7 +156,7 @@ The following fields are collected:
| Field | Description |
| ---------------- | ----------- |
| version | Version of Microsoft Defender ATP for Linux. |
| version | Version of Defender for Endpoint for Linux. |
| instance_id | Unique identifier generated on kernel extension startup. |
| trace_level | Trace level of the kernel extension. |
| subsystem | The underlying subsystem used for real-time protection. |
@ -171,7 +171,7 @@ The following fields are collected:
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
- All files under */var/log/microsoft/mdatp*
- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux
- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Defender for Endpoint for Linux
- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
### Optional diagnostic data
@ -184,7 +184,7 @@ Examples of optional diagnostic data include data Microsoft collects about produ
#### Software setup and inventory data events
**Microsoft Defender ATP configuration**
**Microsoft Defender for Endpoint configuration**
The following fields are collected:

16
windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
View File

@ -19,16 +19,16 @@ ms.collection:
ms.topic: conceptual
---
# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network.
The potentially unwanted application (PUA) protection feature in Defender for Endpoint for Linux can detect and block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
@ -36,13 +36,13 @@ These applications can increase the risk of your network being infected with mal
## How it works
Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
Defender for Endpoint for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
When a PUA is detected on an endpoint, Defender for Endpoint for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
## Configure PUA protection
PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways:
PUA protection in Defender for Endpoint for Linux can be configured in one of the following ways:
- **Off**: PUA protection is disabled.
- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
@ -63,8 +63,8 @@ mdatp threat policy set --type potentially_unwanted_application --action [off|au
### Use the management console to configure PUA protection:
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint for Linux](linux-preferences.md) article.
## Related articles
- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
- [Set preferences for Defender for Endpoint for Linux](linux-preferences.md)

10
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -27,7 +27,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
## Collect diagnostic information
@ -44,7 +44,7 @@ If you can reproduce a problem, first increase the logging level, run the system
2. Reproduce the problem.
3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive.
3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive.
```bash
sudo mdatp diagnostic create
@ -71,7 +71,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
## Uninstall
There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
There are several ways to uninstall Defender for Endpoint for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
@ -125,9 +125,9 @@ The following table lists commands for some of the most common scenarios. Run `m
|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
## Microsoft Defender ATP portal information
## Microsoft Defender for Endpoint portal information
In the Microsoft Defender ATP portal, you'll see two categories of information:
In the Defender for Endpoint portal, you'll see two categories of information:
- Antivirus alerts, including:
- Severity

8
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -20,14 +20,14 @@ ms.collection:
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for Linux for static proxy discovery
# Configure Microsoft Defender for Endpoint for Linux for static proxy discovery
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
@ -50,7 +50,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
> [!CAUTION]
> Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender for Endpoint:
```bash
HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
@ -65,7 +65,7 @@ Note that installation and uninstallation will not necessarily fail if a proxy i
## Post installation configuration
After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.

12
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
View File

@ -20,18 +20,18 @@ ms.collection:
ms.topic: conceptual
---
# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
## Run the connectivity test
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
To test if Defender for Endpoint for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
mdatp connectivity test
@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
@ -80,7 +80,7 @@ To use a static proxy, the `mdatp.service` file must be modified. Ensure the lea
Also ensure that the correct static proxy address is filled in to replace `address:port`.
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
If this file is correct, try running the following command in the terminal to reload Defender for Endpoint for Linux and propagate the setting:
```bash
sudo systemctl daemon-reload; sudo systemctl restart mdatp
@ -96,4 +96,4 @@ If the problem persists, contact customer support.
## Resources
- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md).

4
windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
View File

@ -20,14 +20,14 @@ ms.collection:
ms.topic: conceptual
---
# Troubleshoot installation issues for Microsoft Defender ATP for Linux
# Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
## Verify if installation succeeded

22
windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
View File

@ -19,24 +19,24 @@ mms.collection:
ms.topic: conceptual
---
# Troubleshoot performance issues for Microsoft Defender ATP for Linux
# Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command line:
@ -47,9 +47,9 @@ The following steps can be used to troubleshoot and mitigate these issues:
Configuration property updated
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux.
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
@ -81,13 +81,13 @@ The following steps can be used to troubleshoot and mitigate these issues:
mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
4. Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).

8
windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
View File

@ -20,24 +20,24 @@ ms.collection:
ms.topic: conceptual
---
# Deploy updates for Microsoft Defender ATP for Linux
# Deploy updates for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
> [!WARNING]
> Each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
> Each version of Defender for Endpoint for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
> ```bash
> mdatp health --field product_expiration
> ```
To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
To update Defender for Endpoint for Linux manually, execute one of the following commands:
## RHEL and variants (CentOS and Oracle Linux)

2
windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
View File

@ -19,7 +19,7 @@ ms.collection:
ms.topic: conceptual
---
# What's new in Microsoft Defender Advanced Threat Protection for Linux
# What's new in Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

2
windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
View File

@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Learn about common commands used in live response and see examples on how they are typically used.

2
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time.

20
windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
View File

@ -19,30 +19,30 @@ ms.collection:
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Mac
# Configure and validate exclusions for Microsoft Defender for Endpoint for Mac
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
>[!IMPORTANT]
>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
>The exclusions described in this article don't apply to other Defender for Endpoint for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans.
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Mac scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Mac.
>[!WARNING]
>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
>Defining exclusions lowers the protection offered by Defender for Endpoint for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac.
The follow table shows the exclusion types supported by Defender for Endpoint for Mac.
Exclusion | Definition | Examples
---|---|---
@ -62,11 +62,11 @@ Wildcard | Description | Example | Matches | Does not match
### From the management console
For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Defender for Endpoint for Mac](mac-preferences.md).
### From the user interface
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
Open the Defender for Endpoint application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
![Manage exclusions screenshot](../microsoft-defender-antivirus/images/mdatp-37-exclusions.png)
@ -82,7 +82,7 @@ In the following Bash snippet, replace `test.txt` with a file that conforms to y
curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If Defender for Endpoint for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: