From cb04295981d407c3871a7c0bc621fd85a5e50a93 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 14:03:39 +0530 Subject: [PATCH 01/35] New_4490409 Created new topic "Schedule scans with Microsoft Defender ATP for Linux" --- images/linux-mdatp.png | Bin 0 -> 5634 bytes .../linux-schedule-scan-atp.md | 247 ++++++++++++++++++ 2 files changed, 247 insertions(+) create mode 100644 images/linux-mdatp.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md diff --git a/images/linux-mdatp.png b/images/linux-mdatp.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur [!NOTE] +> To get a list of all the time zones, run the following command: +> timedatectl list-timezones + +> Examples for timezones: +> America/Los_Angeles +> America/New_York +> America/Chicago +> America/Denver + +## To set the Cron job + +**To backup crontab entries:** + +sudo crontab -l > /var/tmp/cron_backup_200919.dat + +> [!NOTE] +> Where 200919 == YRMMDD + +> TIP: +> Do this before you edit or remove. +> To edit the crontab and add a new job as a root user: +> sudo crontab -e + +> [!NOTE] +> The default editor is VIM + +You might see: + +0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log + +> [!NOTE] +> In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) + +Press “Esc” + +Type “:wq” w/o the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type sudo crontab -l + +:::image type="content" source="../../../../images/linux-mdatp.png" alt-text="linux mdatp"::: + +**How to inspect cron job runs:** + +sudo grep mdatp /var/log/cron + +**How to inspect the mdatp_cron_job.log** +sudo nano mdatp_cron_job.log + +## For those of you that are using Ansible, Chef, or Puppet] +### How to set cron jobs in Ansible: + +cron – Manage cron.d and crontab entries + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) + +### How to set crontabs in Chef: +cron resource + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) + +### How to set cron jobs in Puppet: +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) + +## Additional information: + +**To get help with crontab** +man crontab + +**To get a list of crontab file of the current user:** + +crontab -l + +**To get a list of crontab file of another user:** + +crontab -u username -l + +**To backup crontab entries:** + +crontab -l > /var/tmp/cron_backup.dat +> [!TIP] +> Do this before you edit or remove. + +**To restore crontab entries:** + +crontab /var/tmp/cron_backup.dat + +**To edit the crontab and add a new job as a root user:** + +Sudo crontab -e + +**To edit the crontab and add a new job:** + +crontab -e + +**To edit other user’s crontab entries:** + +crontab -u username -e + +**To remove all crontab entries:** + +crontab -r + +**To remove other user’s crontab entries:** + +crontab -u username -r + +**Explanation**: + ++—————- minute (values: 0 – 59) (special characters: , – * /) + +| +————- hour (values: 0 – 23) (special characters: , – * /) + +| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C) + +| | | +——- month (values: 1 – 12) (special characters: ,- * / ) +| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) +| | | | | +* * * * * command to be executed + + + + + + + + + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. + +## Schedule a scan with *launchd* + +You can create a scanning schedule using the *launchd* daemon on a macOS device. + +1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file. + + For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. + + ```XML + + + + + Label + com.microsoft.wdav.schedquickscan + ProgramArguments + + sh + -c + /usr/local/bin/mdatp --scan --quick + + RunAtLoad + + StartCalendarInterval + + Day + 3 + Hour + 2 + Minute + 0 + Weekday + 5 + + StartInterval + 604800 + WorkingDirectory + /usr/local/bin/ + + + ``` + +2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. + + > [!TIP] + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + +3. Open **Terminal**. +4. Enter the following commands to load your file: + + ```bash + launchctl load /Library/LaunchDaemons/ + launchctl start + ``` + +5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. + + Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. + + > [!IMPORTANT] + > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. + > + > If the device is turned off, the scan will run at the next scheduled scan time. + +## Schedule a scan with Intune + +You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode. + +See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. From da50b63b45e3cfe776aa45fccfe215ca77d1c256 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 14:22:47 +0530 Subject: [PATCH 02/35] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 109 +++--------------- 1 file changed, 15 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 8515254bac..0d706608ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -26,14 +26,16 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to ## Pre-requisite > [!NOTE] -> To get a list of all the time zones, run the following command: -> timedatectl list-timezones + +To get a list of all the time zones, run the following command: + +timedatectl list-timezones > Examples for timezones: -> America/Los_Angeles -> America/New_York -> America/Chicago -> America/Denver +America/Los_Angeles +America/New_York +America/Chicago +America/Denver ## To set the Cron job @@ -42,12 +44,13 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to sudo crontab -l > /var/tmp/cron_backup_200919.dat > [!NOTE] -> Where 200919 == YRMMDD + +Where 200919 == YRMMDD > TIP: -> Do this before you edit or remove. -> To edit the crontab and add a new job as a root user: -> sudo crontab -e +Do this before you edit or remove. +To edit the crontab and add a new job as a root user: +sudo crontab -e > [!NOTE] > The default editor is VIM @@ -65,14 +68,14 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -> In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) +In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) Press “Esc” Type “:wq” w/o the double quotes. > [!NOTE] -> w == write, q == quit + w == write, q == quit To view your cron jobs, type sudo crontab -l @@ -163,85 +166,3 @@ crontab -u username -r * * * * * command to be executed - - - - - - - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. - -## Schedule a scan with *launchd* - -You can create a scanning schedule using the *launchd* daemon on a macOS device. - -1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file. - - For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. - - ```XML - - - - - Label - com.microsoft.wdav.schedquickscan - ProgramArguments - - sh - -c - /usr/local/bin/mdatp --scan --quick - - RunAtLoad - - StartCalendarInterval - - Day - 3 - Hour - 2 - Minute - 0 - Weekday - 5 - - StartInterval - 604800 - WorkingDirectory - /usr/local/bin/ - - - ``` - -2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. - - > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. - -3. Open **Terminal**. -4. Enter the following commands to load your file: - - ```bash - launchctl load /Library/LaunchDaemons/ - launchctl start - ``` - -5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. - - Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. - - > [!IMPORTANT] - > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. - > - > If the device is turned off, the scan will run at the next scheduled scan time. - -## Schedule a scan with Intune - -You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode. - -See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. From 32e1b1490b117de100bbed41d6478cb7e035c398 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 15:12:25 +0530 Subject: [PATCH 03/35] Update linux-schedule-scan-atp.md minor corrections during self review --- .../linux-schedule-scan-atp.md | 62 +++++++++---------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 0d706608ba..aee27d7e1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -27,33 +27,31 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to > [!NOTE] -To get a list of all the time zones, run the following command: - -timedatectl list-timezones +> To get a list of all the time zones, run the following command: +`timedatectl list-timezones` > Examples for timezones: -America/Los_Angeles -America/New_York -America/Chicago -America/Denver +> - `America/Los_Angeles` +> - `America/New_York` +>- `America/Chicago` +>- `America/Denver` ## To set the Cron job **To backup crontab entries:** -sudo crontab -l > /var/tmp/cron_backup_200919.dat +`sudo crontab -l > /var/tmp/cron_backup_200919.dat` > [!NOTE] - -Where 200919 == YRMMDD +> Where 200919 == YRMMDD > TIP: Do this before you edit or remove. -To edit the crontab and add a new job as a root user: -sudo crontab -e +To edit the crontab, and add a new job as a root user: +`sudo crontab -e` > [!NOTE] -> The default editor is VIM +> The default editor is VIM. You might see: @@ -72,7 +70,7 @@ In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format Press “Esc” -Type “:wq” w/o the double quotes. +Type “:wq” without the double quotes. > [!NOTE] w == write, q == quit @@ -83,22 +81,22 @@ To view your cron jobs, type sudo crontab -l **How to inspect cron job runs:** -sudo grep mdatp /var/log/cron +`sudo grep mdatp /var/log/cron` **How to inspect the mdatp_cron_job.log** -sudo nano mdatp_cron_job.log +`sudo nano mdatp_cron_job.log` -## For those of you that are using Ansible, Chef, or Puppet] +## For those who use Ansible, Chef, or Puppet] ### How to set cron jobs in Ansible: -cron – Manage cron.d and crontab entries +`cron – Manage cron.d and crontab entries` -See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. ### How to set crontabs in Chef: -cron resource +`cron resource` -See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. ### How to set cron jobs in Puppet: Resource Type: cron @@ -107,50 +105,50 @@ See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs Automating with Puppet: Cron jobs and scheduled tasks -See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. ## Additional information: **To get help with crontab** -man crontab +`man crontab` **To get a list of crontab file of the current user:** -crontab -l +`crontab -l` **To get a list of crontab file of another user:** -crontab -u username -l +`crontab -u username -l` **To backup crontab entries:** -crontab -l > /var/tmp/cron_backup.dat +`crontab -l > /var/tmp/cron_backup.dat` > [!TIP] > Do this before you edit or remove. **To restore crontab entries:** -crontab /var/tmp/cron_backup.dat +`crontab /var/tmp/cron_backup.dat` **To edit the crontab and add a new job as a root user:** -Sudo crontab -e +`Sudo crontab -e` **To edit the crontab and add a new job:** -crontab -e +`crontab -e` **To edit other user’s crontab entries:** -crontab -u username -e +`crontab -u username -e` **To remove all crontab entries:** -crontab -r +`crontab -r` **To remove other user’s crontab entries:** -crontab -u username -r +`crontab -u username -r` **Explanation**: From 970adb587ffd9881b9a735f74d6b7e9bdbe370ab Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Mon, 12 Oct 2020 15:27:59 +0530 Subject: [PATCH 04/35] Add files via upload Added new file --- .../threat-protection/images/linux-mdatp.png | Bin 0 -> 5634 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/images/linux-mdatp.png diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur Date: Mon, 12 Oct 2020 17:25:02 +0530 Subject: [PATCH 05/35] Linux_MDATP_4490409 Minor edits --- .../threat-protection/images}/linux-mdatp.png | Bin .../linux-schedule-scan-atp.md | 34 ++++++++++-------- 2 files changed, 20 insertions(+), 14 deletions(-) rename {images => windows/security/threat-protection/images}/linux-mdatp.png (100%) diff --git a/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png similarity index 100% rename from images/linux-mdatp.png rename to windows/security/threat-protection/images/linux-mdatp.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index aee27d7e1f..347e58511a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -19,16 +19,16 @@ ms.topic: conceptual # Schedule scans with Microsoft Defender ATP for Linux -For the command line to be able to run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). +To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite > [!NOTE] -> To get a list of all the time zones, run the following command: -`timedatectl list-timezones` +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones` > Examples for timezones: > - `America/Los_Angeles` @@ -37,6 +37,7 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to >- `America/Denver` ## To set the Cron job +Use the following commands: **To backup crontab entries:** @@ -66,7 +67,7 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) +In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). Press “Esc” @@ -75,33 +76,36 @@ Type “:wq” without the double quotes. > [!NOTE] w == write, q == quit -To view your cron jobs, type sudo crontab -l +To view your cron jobs, type `sudo crontab -l` -:::image type="content" source="../../../../images/linux-mdatp.png" alt-text="linux mdatp"::: +:::image type="content" source="..\images\linux-mdatp.png" alt-text="linux mdatp"::: -**How to inspect cron job runs:** +**To inspect cron job runs:** `sudo grep mdatp /var/log/cron` -**How to inspect the mdatp_cron_job.log** +**To inspect the mdatp_cron_job.log** + `sudo nano mdatp_cron_job.log` ## For those who use Ansible, Chef, or Puppet] -### How to set cron jobs in Ansible: + +Use the following commands: +### To set cron jobs in Ansible: `cron – Manage cron.d and crontab entries` See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. -### How to set crontabs in Chef: +### To set crontabs in Chef: `cron resource` See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. -### How to set cron jobs in Puppet: +### To set cron jobs in Puppet: Resource Type: cron -See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. Automating with Puppet: Cron jobs and scheduled tasks @@ -110,6 +114,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h ## Additional information: **To get help with crontab** + `man crontab` **To get a list of crontab file of the current user:** @@ -161,6 +166,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h | | | +——- month (values: 1 – 12) (special characters: ,- * / ) | | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) | | | | | -* * * * * command to be executed + +*****command to be executed From a86c74982cd7697a858c64c1c468dfc8f1e9a854 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Mon, 12 Oct 2020 17:56:30 +0530 Subject: [PATCH 06/35] linux-mdatp-1.png New file --- .../threat-protection/images/linux-mdatp-1.png | Bin 0 -> 5634 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/images/linux-mdatp-1.png diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur Date: Mon, 12 Oct 2020 20:54:38 +0530 Subject: [PATCH 07/35] 4490409 minor image tag changes --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 347e58511a..6862347fd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -78,7 +78,7 @@ Type “:wq” without the double quotes. To view your cron jobs, type `sudo crontab -l` -:::image type="content" source="..\images\linux-mdatp.png" alt-text="linux mdatp"::: +:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: **To inspect cron job runs:** From 2c781644824327ee8ca4f743cda8455830c6a314 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 13 Oct 2020 19:55:32 +0530 Subject: [PATCH 08/35] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 6862347fd7..4881a157db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -88,7 +88,7 @@ To view your cron jobs, type `sudo crontab -l` `sudo nano mdatp_cron_job.log` -## For those who use Ansible, Chef, or Puppet] +## For those who use Ansible, Chef, or Puppet Use the following commands: ### To set cron jobs in Ansible: From cd76be762770237fe42059bdd96cd438e5eac045 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:57:59 +0530 Subject: [PATCH 09/35] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 4881a157db..491a44df0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From ac4ce3a6408ffcf5ac0c6d172c226ad27f2d887f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 13 Oct 2020 21:00:28 +0530 Subject: [PATCH 10/35] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 4881a157db..09fcee81f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -26,10 +26,8 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b ## Pre-requisite > [!NOTE] - > To get a list of all the time zones, run the following command: > `timedatectl list-timezones` - > Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` @@ -67,14 +65,14 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). +>In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). Press “Esc” Type “:wq” without the double quotes. > [!NOTE] - w == write, q == quit +> w == write, q == quit To view your cron jobs, type `sudo crontab -l` From 47429eb530bedc9d4ecc942939d5ca9246d6c445 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:46:01 +0530 Subject: [PATCH 11/35] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 737bba28fe..2daf8f2576 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. +Linux(and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From b5c866a3520e0cb37d2df908b76b535a659ca054 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:32:58 +0530 Subject: [PATCH 12/35] Update linux-schedule-scan-atp.md Updated per comments from Yong Rhee --- .../linux-schedule-scan-atp.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 2daf8f2576..b04e20d3a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -155,16 +155,11 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **Explanation**: -+—————- minute (values: 0 – 59) (special characters: , – * /) - -| +————- hour (values: 0 – 23) (special characters: , – * /) - -| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C) - -| | | +——- month (values: 1 – 12) (special characters: ,- * / ) -| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) -| | | | | - -*****command to be executed ++—————- minute (values: 0 – 59) (special characters: , – * /)
+| +————- hour (values: 0 – 23) (special characters: , – * /)
+| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
+| | | +——- month (values: 1 – 12) (special characters: ,- * / )
+| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
+| | | | |*****command to be executed From 104c43ff75a1f4af29a932f8e2b49618176c5ca9 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:42:18 +0530 Subject: [PATCH 13/35] update-toc-per-4490409 Updated the new topic link in the TOC - "Schedule scans with Microsoft Defender ATP for Linux" --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f69cdfadb5..7325a5cf3e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -284,6 +284,7 @@ ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) +##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) From 4eebe0f6f82af97bfc6e9a94c9184cbaa34e3d0a Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:54:54 +0530 Subject: [PATCH 14/35] Update linux-schedule-scan-atp.md minor edit --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index b04e20d3a6..22187f7d02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux(and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From 272b272988926a83aac025515b09846e6b1e452e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 15 Oct 2020 11:08:06 -0700 Subject: [PATCH 15/35] Update linux-schedule-scan-atp.md using correct brand names from MDATP to Microsoft Defender for Endpoint (Linux) --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 22187f7d02..d5c088430a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -1,7 +1,7 @@ --- -title: How to schedule scans with MDATP for Linux -description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in Linux to better protect your organization's assets. -keywords: microsoft, defender, atp, linux, scans, antivirus +title: How to schedule scans with Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,9 +17,9 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Schedule scans with Microsoft Defender ATP for Linux +# Schedule scans with Microsoft Defender for Endpoint (Linux) -To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). +To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. From 59eb12e1ebca06511ad3e3ff02e09363171e3921 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 16 Oct 2020 22:49:48 +0530 Subject: [PATCH 16/35] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index d5c088430a..ff23ec7922 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -31,8 +31,8 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b > Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` ->- `America/Chicago` ->- `America/Denver` +> - `America/Chicago` +> - `America/Denver` ## To set the Cron job Use the following commands: @@ -44,9 +44,10 @@ Use the following commands: > [!NOTE] > Where 200919 == YRMMDD -> TIP: -Do this before you edit or remove. -To edit the crontab, and add a new job as a root user: +> [!TIP] +> Do this before you edit or remove.
+ +To edit the crontab, and add a new job as a root user:
`sudo crontab -e` > [!NOTE] @@ -109,7 +110,7 @@ Automating with Puppet: Cron jobs and scheduled tasks See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. -## Additional information: +## Additional information **To get help with crontab** @@ -126,8 +127,9 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **To backup crontab entries:** `crontab -l > /var/tmp/cron_backup.dat` + > [!TIP] -> Do this before you edit or remove. +> Do this before you edit or remove.
**To restore crontab entries:** From c2b1ce54a71a141ca0ab9b953dce06198784fbed Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 16 Oct 2020 23:08:33 +0530 Subject: [PATCH 17/35] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index ff23ec7922..18d93d4b7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -37,7 +37,7 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b ## To set the Cron job Use the following commands: -**To backup crontab entries:** +**To backup crontab entries** `sudo crontab -l > /var/tmp/cron_backup_200919.dat` @@ -79,7 +79,7 @@ To view your cron jobs, type `sudo crontab -l` :::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: -**To inspect cron job runs:** +**To inspect cron job runs** `sudo grep mdatp /var/log/cron` @@ -90,18 +90,18 @@ To view your cron jobs, type `sudo crontab -l` ## For those who use Ansible, Chef, or Puppet Use the following commands: -### To set cron jobs in Ansible: +### To set cron jobs in Ansible `cron – Manage cron.d and crontab entries` See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. -### To set crontabs in Chef: +### To set crontabs in Chef `cron resource` See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. -### To set cron jobs in Puppet: +### To set cron jobs in Puppet Resource Type: cron See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. @@ -116,46 +116,46 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h `man crontab` -**To get a list of crontab file of the current user:** +**To get a list of crontab file of the current user** `crontab -l` -**To get a list of crontab file of another user:** +**To get a list of crontab file of another user** `crontab -u username -l` -**To backup crontab entries:** +**To backup crontab entries** `crontab -l > /var/tmp/cron_backup.dat` > [!TIP] > Do this before you edit or remove.
-**To restore crontab entries:** +**To restore crontab entries** `crontab /var/tmp/cron_backup.dat` -**To edit the crontab and add a new job as a root user:** +**To edit the crontab and add a new job as a root user** `Sudo crontab -e` -**To edit the crontab and add a new job:** +**To edit the crontab and add a new job** `crontab -e` -**To edit other user’s crontab entries:** +**To edit other user’s crontab entries** `crontab -u username -e` -**To remove all crontab entries:** +**To remove all crontab entries** `crontab -r` -**To remove other user’s crontab entries:** +**To remove other user’s crontab entries** `crontab -u username -r` -**Explanation**: +**Explanation** +—————- minute (values: 0 – 59) (special characters: , – * /)
| +————- hour (values: 0 – 23) (special characters: , – * /)
From b7f5d38e67c4fce459f4c94795fe7491df8cbf80 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 20 Oct 2020 23:38:41 +0530 Subject: [PATCH 18/35] Update linux-schedule-scan-atp.md minor correction in note --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 18d93d4b7d..3bd8a7cde1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -27,7 +27,7 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b > [!NOTE] > To get a list of all the time zones, run the following command: -> `timedatectl list-timezones` +> `timedatectl list-timezones`
> Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` From 3f52aca0f46c3c59738dc1183053f0b2f3dcbc1a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 22 Oct 2020 21:33:58 +0500 Subject: [PATCH 19/35] Update hello-cert-trust-adfs.md --- .../hello-for-business/hello-cert-trust-adfs.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 4486823bc5..edd7419a58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -45,7 +45,8 @@ Prepare the Active Directory Federation Services deployment by installing and up > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 5. Get the ObjectIdentifier of application permission with ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +```(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier``` > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. From 2e58aa16fc0869d7f63a8fff1082daa1388e4a1d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 24 Oct 2020 21:21:12 +0500 Subject: [PATCH 20/35] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index edd7419a58..379208652b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -44,7 +44,7 @@ Prepare the Active Directory Federation Services deployment by installing and up > 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch Powershell as Administrator. +> 4. Launch PowerShell as an administrator. > 5. Get the ObjectIdentifier of application permission with ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": ```(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier``` > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. From dd8487ef9baf8469d3e493a424ffb2835ecb89b3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 24 Oct 2020 21:21:22 +0500 Subject: [PATCH 21/35] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 379208652b..1d233bb60e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -45,7 +45,7 @@ Prepare the Active Directory Federation Services deployment by installing and up > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch PowerShell as an administrator. -> 5. Get the ObjectIdentifier of application permission with ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": ```(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier``` > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. From 6a97dfb5454dda514bc3f8a6c03f57f3c055fbd9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 26 Oct 2020 07:28:55 +0500 Subject: [PATCH 22/35] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-adfs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 1d233bb60e..14ba52e89e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -46,7 +46,9 @@ Prepare the Active Directory Federation Services deployment by installing and up > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch PowerShell as an administrator. > 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": -```(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier``` +> ```PowerShell +> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> ``` > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. From c3955bf1426e417b293c2d422c736e07235712b8 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 26 Oct 2020 07:29:21 +0500 Subject: [PATCH 23/35] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 14ba52e89e..8e3e7d4f74 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -49,7 +49,7 @@ Prepare the Active Directory Federation Services deployment by installing and up > ```PowerShell > (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier > ``` -> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. > 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. From 01d53bd1861df85fe97bd22a9ad4cdb31bf5f8da Mon Sep 17 00:00:00 2001 From: bb-froggy Date: Thu, 5 Nov 2020 10:23:17 +0100 Subject: [PATCH 24/35] OCSP as alternative to CDP --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index fa3b1d7a97..18959a0f1e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -67,7 +67,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). -* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. * The certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. From 9b9e0c2568933b78376cec5bc5e86622cd93ba33 Mon Sep 17 00:00:00 2001 From: Alexey-Zheltov <71097129+Alexey-Zheltov@users.noreply.github.com> Date: Thu, 5 Nov 2020 21:45:35 +0400 Subject: [PATCH 25/35] Update hello-hybrid-cert-trust-devreg.md Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` command to enable Device Authentication will trigger certificate prompt on Azure AD Joined devices when they are connecting to ADFS. Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` not causing such issue. --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e5ebf54b09..81afb0421e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -506,7 +506,7 @@ The following script helps you with the creation of the issuance transform rules #### Configure Device Authentication in AD FS Using an elevated PowerShell command window, configure AD FS policy by executing the following command -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` #### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work From d6f042859bbb09b65dce51f76867c4477970c4d6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 15 Nov 2020 14:16:41 +0530 Subject: [PATCH 26/35] removed invalid link and added correct link as per user report #8634 , so i removed invalid link and added the correct link. --- windows/client-management/troubleshoot-windows-freeze.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index b50e43abae..50e3f04514 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). +Learn [How to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). ### Use memory dump to collect data for the virtual machine that's running in a frozen state From 136d6de96b8401f511fb4c585d3b087cb8ff926b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 16 Nov 2020 21:12:46 +0530 Subject: [PATCH 27/35] Update windows/client-management/troubleshoot-windows-freeze.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/troubleshoot-windows-freeze.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 50e3f04514..ee292cb2a6 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [How to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). +Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). ### Use memory dump to collect data for the virtual machine that's running in a frozen state From a7d1facfd2bd7bc13686a8bc295b045a1c177640 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 18 Nov 2020 09:46:54 -0800 Subject: [PATCH 28/35] Sentence correction FAQ : has typo and sentence correction. ## Can I disable the PIN while using Windows Hello for Business? --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index b96b25c8f4..be2ed0eda2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -144,7 +144,7 @@ Beginning with Windows 10, version 1709, Windows Hello for Business used as a sm The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. ## Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics. +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. ## How are keys protected? Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. From 1e8a6ff66c813e2b5083bc75b7f6e6e499c0b6b7 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 18 Nov 2020 14:26:32 -0800 Subject: [PATCH 29/35] Update windows/security/identity-protection/hello-for-business/hello-faq.md Looks good Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index be2ed0eda2..b3026e84d7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -144,7 +144,7 @@ Beginning with Windows 10, version 1709, Windows Hello for Business used as a sm The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. ## Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. ## How are keys protected? Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. From 7f685696729678e465c85c3f3c1151083d4730b6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 18 Nov 2020 15:33:09 -0800 Subject: [PATCH 30/35] update intune step 2 --- .../microsoft-defender-atp/onboarding-endpoint-manager.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 0027824386..1c87de1aa1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -104,12 +104,13 @@ needs.
In the following section, you'll create a number of configuration policies. First is a configuration policy to select which groups of users or devices will -be onboarded to Defender for Endpoint. +be onboarded to Defender for Endpoint: + +- [Endpoint detection and response](#endpoint-detection-and-response) Then you will continue by creating several -different types of endpoint security policies. +different types of endpoint security policies: -- [Endpoint detection and response](#endpoint-detection-and-response) - [Next-generation protection](#next-generation-protection) - [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules) From e11250a1fc13d616ebd6bceb320329264791f5ba Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 18 Nov 2020 18:13:05 -0800 Subject: [PATCH 31/35] Fix typo in system extension instrucitons --- .../microsoft-defender-atp/mac-sysext-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 9b20ff2260..73bb94faf9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -150,13 +150,13 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: ```bash - $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "" -i /com.microsoft.network-extension.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig ``` For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: ```bash - $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ``` 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. From 8765322a40d7750701fd888530837ad94f177265 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 19 Nov 2020 15:14:07 +0530 Subject: [PATCH 32/35] Update TOC.md To fix build error --- windows/security/threat-protection/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 29bbd110d3..2e9b5977ec 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -8,7 +8,6 @@ ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) ### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) From 28c6d8b6ffabca4d3f5990e54c94e8984f78d249 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 19 Nov 2020 15:15:33 +0530 Subject: [PATCH 33/35] Update linux-schedule-scan-atp.md minor spelling error --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 3bd8a7cde1..fe7f0dbd32 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -137,7 +137,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **To edit the crontab and add a new job as a root user** -`Sudo crontab -e` +`sudo crontab -e` **To edit the crontab and add a new job** From 4c77803457e67a91c8b7586dd8409bf6b7784c14 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 19 Nov 2020 09:51:10 -0800 Subject: [PATCH 34/35] update toc --- .openpublishing.redirection.json | 5 + windows/security/threat-protection/TOC.md | 2 +- .../microsoft-defender-atp/ios-privacy.md | 100 ++++++++++-------- 3 files changed, 63 insertions(+), 44 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2f50152758..4b75b026fc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -84,6 +84,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 144ddb363c..ed7e7849ea 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -277,7 +277,7 @@ #### [Configure]() ##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md) -#### [Privacy](microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md) +#### [Privacy](microsoft-defender-atp/ios-privacy.md) ### [Microsoft Defender Advanced Threat Protection for Linux]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 31ee7b41b6..3b519f301b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -1,78 +1,92 @@ --- -title: Microsoft Defender ATP for iOS note on Privacy +title: Privacy information - Microsoft Defender for Endpoint for iOS ms.reviewer: -description: Describes the Microsoft Defender ATP for iOS Privacy -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +description: Describes privacy information for Microsoft Defender for Endpoint for iOS +keywords: microsoft, defender, atp, ios, policy, overview search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: sunasing -author: sunasing +ms.author: macapara +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual -hideEdit: true --- -# Microsoft Defender ATP for iOS - Privacy information +# Privacy information - Microsoft Defender for Endpoint for iOS -**Applies to:** +> [!NOTE] +> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** -- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md) +Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. ->[!NOTE] -> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. +For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). -Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. +## Required data -Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service. +Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. -## Required data +Here is a list of the types of data being collected: -Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: +### Web page or Network information -### Web page / Network information +- Connection information only when a malicious connection or web page is detected. -- Connection information -- Protocol type (such as HTTP, HTTPS, etc.) +- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. -### Device and account information +### Device and account information -- Device information such as date & time, iOS version, CPU info, and Device identifier -- Device identifier is one of the below: - - Wi-Fi adapter MAC address - - Randomly generated globally unique identifier (GUID) +- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: -- Tenant, Device, and User information - - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory. - - Azure tenant ID - GUID that identifies your organization within Azure Active Directory - - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted - - User Principal Name - Email ID of the user + - Wi-Fi adapter MAC address -### Product and service usage data + - Randomly generated globally unique identifier (GUID) -- App package info, including name, version, and app upgrade status -- Actions performed in the app -- Crash report logs generated by iOS -- Memory usage data +- Tenant, Device and User information -## Optional data + - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. -Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. -Optional diagnostic data includes: + - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. -- App, CPU, and network usage -- Features configured by the admin + - User Principal Name Email ID of the user. -**Feedback Data** is collected through in-app feedback provided by the user. +### Product and service usage data + +The following information is collected only for Microsoft Defender for Endpoint app installed on the device. + +- App package info, including name, version, and app upgrade status. + +- Actions performed in the app. + +- Crash report logs generated by iOS. + +- Memory usage data. + +## Optional Data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage for Defender for Endpoint. + +- Features configured by the admin for Defender for Endpoint. + +Feedback Data is collected through in-app feedback provided by the user. + +- The users email address, if they choose to provide it. + +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. + +For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). -- The user's email address, if they choose to provide it -- Feedback type (smile, frown, idea) and any feedback comments submitted by the user -[More on Privacy](https://aka.ms/mdatpiosprivacystatement) \ No newline at end of file From 32b25a4398371cf389df31b9fc13c0e46bdf709a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 19 Nov 2020 10:00:35 -0800 Subject: [PATCH 35/35] chars --- .../microsoft-defender-atp/ios-privacy.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 3b519f301b..361ee24da1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -22,12 +22,16 @@ ms.topic: conceptual # Privacy information - Microsoft Defender for Endpoint for iOS +**Applies to:** + +- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md) + > [!NOTE] > Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. -For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). +For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). ## Required data @@ -49,15 +53,15 @@ Here is a list of the types of data being collected: - Randomly generated globally unique identifier (GUID) -- Tenant, Device and User information +- Tenant, Device, and User information - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. - - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. + - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted. - - User Principal Name Email ID of the user. + - User Principal Name - Email ID of the user. ### Product and service usage data @@ -65,7 +69,7 @@ The following information is collected only for Microsoft Defender for Endpoint - App package info, including name, version, and app upgrade status. -- Actions performed in the app. +- Actions done in the app. - Crash report logs generated by iOS. @@ -83,7 +87,7 @@ Optional diagnostic data includes: Feedback Data is collected through in-app feedback provided by the user. -- The users email address, if they choose to provide it. +- The user's email address, if they choose to provide it. - Feedback type (smile, frown, idea) and any feedback comments submitted by the user.