diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index daf16f5204..551ce8b897 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1249,7 +1249,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md", @@ -1364,7 +1364,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md", @@ -1704,7 +1704,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md", @@ -1779,7 +1779,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/python-example-code.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md", @@ -1949,7 +1949,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md", @@ -2004,7 +2004,7 @@ { "source_path": "windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md", diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index f27473d081..a003bd5a09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -47,7 +47,7 @@ Enable security information and event management (SIEM) integration so you can p > [!WARNING] >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret). + ![Image of SIEM integration from Settings menu](images/siem_details.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 8ad9940788..c9d50043b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -39,7 +39,7 @@ Alert definitions are contextual attributes that can be used collectively to ide IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. ## Relationship between alert definitions and IOCs -In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api.md#threat-intelligence-api-metadata). +In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. @@ -51,9 +51,4 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. ## Related topics -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) -- [Python code examples for the custom threat intelligence API](python-example-code.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) +- [Manage indicators](manage-indicators.md)