Merge branch 'atp-siem' of https://github.com/Microsoft/win-cpub-itpro-docs into atp-siem

This commit is contained in:
jcaparas
2017-01-17 20:50:37 -08:00
7 changed files with 52 additions and 55 deletions

@ -29,72 +29,69 @@ Configuring the HP ArcSight Connector tool requires several configuration files
This section guides you in getting the necessary information to set and use the required configuration files correctly.
1. Get the following information from your AAD application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- OAuth 2.0 Token refresh URL
- OAuth 2.0 Client ID
- OAuth 2.0 Client secret
2. Download the wdatp-connector.properties file and update the following values:
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER - PUT EMPTY PROPERTIES FILE. PUT WITH THE FOLLOWING VALUES.)
(JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
- **client_ID**: OAuth 2 Client ID
- **client_secret**: OAuth 2 Client secret
- **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
- **auth_url**: ```https://login.microsoftonline.com/<tenantID>?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
>!NOTE
>Replace *tenantID* with your tenant ID.
- **token_url**: `https://login.microsoftonline.com/<tenantID>/oauth2/token`
>!NOTE
>Replace the *tenantID* value with your tenant ID.
For example: `https://<url>/<value>/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com`
- **token_url**: Use your tenant ID URL [JOEY: NOT SURE IF THIS IS CORRECT - PLEASE HELP PROVIDE TECHNICAL DESCRIPTION]
- **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Leave blank [JOEY: NOT SURE IF THIS IS CORRECT - PLEASE CHECK]
- **scope**: Leave the value blank
3. Download the wdatp-connector.json.properties file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER)
(JOEY: PUT IN THE LINK FROM DOWNLOAD MANAGEMENT STUDIO)
## Install and configure HP ArcSight SmartConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in `C:\ArcSightSmartConnectors\<descriptive_name>\`.
[AVIV, NEED ALL THE SCREENSHOTS HERE]
[AVIV/BRIAN - WHAT IF THEY WANT TO USE 64-BIT? CAN I THEN JUST REMOVE THE WORDS 32-BIT?]
2. Open File Explorer and put the two configuration files in the installation location, for example:
>!NOTE
>Replace *descriptive_name* with your preferred location name.
2. Follow the installation wizard through the following tasks:
- Introduction
- Choose Install Folder
- Choose Install Set
- Choose Shortcut Folder
- Pre-Installation Summary
- Installing...
You can keep the default values for each of these tasks.
3. Open File Explorer and put the two configuration files in the installation location, for example:
- WDATP-connector.jsonparser.properties: `C:\ArcSightSmartConnectors\<descriptive_name>\current\user\agent\flexagent\`
- WDATP-connector.properties: `C:\ArcSightSmartConnectors\<descriptive_name>\`
[AVIV - I BELIEVE THERE ARE SEVERAL SCREENS BEFORE THE CONNECTOR SETUP IS DISPLAYED. CAN YOU PROVIDE THOSE PLEASE?]
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
3. In the Connector Setup window, select **Add a Connector**.
![Connector Setup window - select Add a Connector](images/hp-1.png)
4. Select the **ArcSight FlexConnector REST** connector and click **Next**.
![Connector Setup window - select ArcSight FlexConnector REST](images/hp-2.png)
5. Generate a refresh token to use in the installer:
a. Open a command prompt. Browse to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`.
b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.
A Web browser window will open.
c. Type in your credentials then click on the password field to let the page redirect.
d. In the login prompt enter your `DOMAIN\alias` [AVIV - ARE WE SURE OUR CUSTOMERS FULLOW THE SAME DOMAIN\ALIAS FORMAT?] and your password. After some redirects and providing permission to the app, a token is provided in the command prompt.
f. Save the token in a secure location.
5. Select the **ArcSight FlexConnector REST** connector and click **Next**.
6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
![Connector Setup - Enter parameter details](images/hp-3.png)
Field | Value
:---|:---
Configuration File | Type in the name of the client property file. It must match the client property file.
Events URL | https://DataAccess-PRD.trafficmanager.net:444/api/alerts
Authentication Type | OAuth 2
OAuth 2 Client Properties file | Select wdatp-connector.properties.
Refresh Token | Paste the refresh token you generated in the previous step.
Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to get your refresh token. <br> **Get your refresh token using the Windows Defender ATP token URL:** </br> Open a browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=<clientSecret>`</br> </br>NOTE: Replace the *tenantID* value with your tenant ID.</br> **Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.A Web browser window will open. </br> c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> d. A refresh token is provided in the command prompt.
You can leave the destination parameter fields with the default values.
7. You can leave the destination parameter fields with the default values.
![Connector Setup - Enter parameter details](images/hp-5.png)
Type in a name for the connector. You can leave the other fields blank.
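Review bot: the Refresh Token row passes `clientSecret=<clientSecret>` as a URL query parameter to `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?...`; query strings end up in browser history and proxy logs, so the text should tell the reader to treat the returned refresh token with the same care as the client secret (the restutil path says to save the token in a secure location, the URL path does not), and should say whether the fixed `clientId=f7c1acd8-...` in that URL is intended when the properties file uses the reader's own client_ID. In the same row the `restutil` command points at `C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties` while every other path in this hunk uses `C:\ArcSightSmartConnectors\<descriptive_name>\`, and step b ("A Web browser window will open.") and step c ("A web browser will open.") say the same thing twice; pick one. Also check that the parser file is named consistently (step 3 introduces `wdatp-connector.json.properties`, the placement step uses `WDATP-connector.jsonparser.properties`), that none of the `(JOEY: ...)` / `[AVIV ...]` editorial placeholders survive the merge, and that the callouts use `>[!NOTE]` (as in the Windows Update for Business file later in this commit) rather than `>!NOTE`, which renders as a plain blockquote.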

@ -148,6 +148,7 @@ The following table defines the endpoints for telemetry services:
| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<br />settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
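Review bot: the new OneDrive row lists `vortex.data.microsoft.com/collect/v1`, a host plus path, whereas the other rows in this table list hostnames only (`watson.telemetry.microsoft.com`, `oca.telemetry.microsoft.com`); readers use this table to build proxy or firewall allow lists, so either drop the path or state that the entry is host-only for filtering purposes, so the format stays uniform. The row also lacks the documentation link that the Windows Error Reporting and Online Crash Analysis rows carry.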

Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -23,10 +23,10 @@ You can integrate Windows Update for Business deployments with existing manageme
## Integrate Windows Update for Business with Windows Server Update Services
For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, non-Windows Updates content will not follow your Windows Update for Business deferral policies
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
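Review bot: the intro sentence now says devices receive updates from "Windows Update (or Microsoft Update)", but the first bullet still says devices get "their Windows content from Microsoft" without naming the service; say "from Windows Update" so the reader can tell which content the deferral policy covers, since the following bullet hinges on that distinction.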
@ -34,13 +34,13 @@ For Windows 10, version 1607, devices can now be configured to receive updates f
- Device is configured to defer Windows Quality Updates using Windows Update for Business
- Device is also configured to be managed by WSUS
- Device is not configured to include Microsoft Updates from Windows Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put Microsoft updates on WSUS
- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put updates to Office and other products on WSUS
- Admin has also put 3rd party drivers on WSUS
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Windows Update</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config1a.png)</td></tr>
<tr><td>Microsoft Update (such as Office updates)</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tbody><tr><td>Updates to Windows</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config1a.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Third-party drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
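Review bot: the HTML table in this hunk opens `<tbody>` but never closes it before `</table>`, and the `<thead>` has no `<tr>` around its `<th>` cells; browsers tolerate this, but the docs build may not, and the same pattern repeats in the other two tables in this file. The trailing empty `<th></th>` for the diagram column should also get a label (for example "Content flow") so the column header is not blank when rendered.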
@ -54,10 +54,9 @@ For Windows 10, version 1607, devices can now be configured to receive updates f
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Windows Update (exclude driver)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="4">![diagram of content flow](images/wufb-config2.png)</td></tr>
<tr><td>Windows Update drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Microsoft Update (such as Office updates)</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Windows drivers, third-party drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tbody><tr><td>Updates to Windows (excluding drivers)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="4">![diagram of content flow](images/wufb-config2.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
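Review bot: the table body went from four rows to three (`Updates to Windows (excluding drivers)`, `Updates to Office and other products`, `Drivers`), but the diagram cell still has `rowspan="4"`; change it to `rowspan="3"`, otherwise the image cell spans past the last row and the table renders with a dangling column. The `<tbody>` is also left unclosed, as in the first table.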
@ -66,18 +65,18 @@ For Windows 10, version 1607, devices can now be configured to receive updates f
**Configuration:**
- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
- Device is configured to “receive updates for other Microsoft products” along with Windows Update updates (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update content on the WSUS server
- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
In this example, the Microsoft Update deferral behavior is slightly different than if WSUS were not enabled.
- In a non-WSUS case, the Microsoft Update updates would be deferred just as any Windows Update update would be.
- However, with WSUS also configured, Microsoft Update content is sourced from Microsoft but deferral policies are not applied.
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Windows Update (exclude drivers)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config3a.png)</td></tr>
<tr><td>Microsoft Update (such as Office updates)</td><td>Microsoft Update</td><td>Microsoft Update</td><td>No</td></tr>
<tr><td>Drivers, third-party</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tbody><tr><td>Updates to Windows (excluding drivers)</td><td>Microsoft Update</td><td>Microsoft Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config3a.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>Microsoft Update</td><td>Microsoft Update</td><td>No</td></tr>
<tr><td>Drivers, third-party applications</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
>[!NOTE]
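Review bot: typo "third-paprty" in the configuration bullet ("Admin has also placed Microsoft Update, third-paprty, and locally-published update content"). Also the first table row changes the metadata and payload source for "Updates to Windows (excluding drivers)" from "Windows Update" to "Microsoft Update", whereas the equivalent rows in configuration examples 1 and 2 keep "Windows Update"; if this is intentional because **Update/AllowMUUpdateService** is enabled in this example, a sentence saying so would help, otherwise revert the source to Windows Update.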

@ -27,7 +27,7 @@ When you set the **Configure Automatic Updates** policy to **Auto download and s
When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. To set the time, you need to go **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
## Configure active hours
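Review bot: missing word in the added sentence: "you need to go **Configure Automatic Updates**" should read "go to **Configure Automatic Updates**". The option name is also written two ways in adjacent bullets ("**4 - Auto download and schedule the install**" here and "**4-Auto download and schedule the install**" in the next bullet); use one form that matches the policy UI.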