Merge branch 'master' into patch-22

This commit is contained in:
Marty Hernandez Avedon
2019-07-22 16:57:41 -04:00
committed by GitHub
459 changed files with 4981 additions and 3396 deletions


@ -1,437 +1,500 @@
# [Threat protection](index.md)
## [Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
## [Overview]()
### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
### [Attack surface reduction]()
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
### [Overview](microsoft-defender-atp/overview.md)
#### [Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
##### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
##### [Application isolation]()
###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
##### [Incidents queue](microsoft-defender-atp/incidents-queue.md)
###### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
###### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
###### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
##### Alerts queue
###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
###### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
###### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
###### [Investigate files](microsoft-defender-atp/investigate-files.md)
###### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
###### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
###### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
#### [Incidents queue]()
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
##### [Investigate files](microsoft-defender-atp/investigate-files.md)
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
##### Machines list
###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
###### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
###### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
###### [Machine timeline](microsoft-defender-atp/investigate-machines.md#machine-timeline)
####### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
####### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
####### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
####### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
##### [Machine timeline]()
###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
##### [Take response actions](microsoft-defender-atp/response-actions.md)
###### [Take response actions on a machine](microsoft-defender-atp/respond-machine-alerts.md)
####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
####### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
####### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
###### [Take response actions on a file](microsoft-defender-atp/respond-file-alerts.md)
####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
####### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
####### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
####### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
####### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
###### [Investigate entities using Live response](microsoft-defender-atp/live-response.md)
#######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
##### [Investigate entities using Live response]()
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Automated investigation and remediation]()
#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
### [Secure score](microsoft-defender-atp/overview-secure-score.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
#### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Advanced hunting](microsoft-defender-atp/overview-hunting.md)
##### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
###### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
##### [Custom detections](microsoft-defender-atp/overview-custom-detections.md)
###### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
#### [Management and APIs](microsoft-defender-atp/management-apis.md)
#### [Management and APIs]()
##### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
##### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
#### [Microsoft threat protection](microsoft-defender-atp/threat-protection-integration.md)
#### [Integrations]()
##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md)
###### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
#### [Information protection in Windows overview]()
##### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
##### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
#### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
#### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Get started](microsoft-defender-atp/get-started.md)
#### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
#### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
#### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
#### [Preview features](microsoft-defender-atp/preview.md)
#### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
#### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
#### [Evaluate Microsoft Defender ATP](microsoft-defender-atp/evaluate-atp.md)
#####Evaluate attack surface reduction
###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
###### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
###### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
###### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
###### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
#### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
#### [Configure attack surface reduction](microsoft-defender-atp/configure-attack-surface-reduction.md)
#####Hardware-based isolation
###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### Device control
###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
## [Configure and manage capabilities]()
### [Configure attack surface reduction]()
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation]()
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
#### [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Deploy, manage updates, and report on antivirus](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Device Guard]()
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity]()
####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection]()
##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
#### [Attack surface reduction controls]()
##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
### [Configure next generation protection]()
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
##### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
##### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
##### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
##### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
#### [Configure behavioral, heuristic, and real-time protection]()
##### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
#### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
#### [Antivirus compatibility]()
##### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
##### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on antivirus]()
##### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
###### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
##### [Report on antivirus protection]()
###### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
###### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
##### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
###### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation]()
##### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
#### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
#### [Manage antivirus in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Manage scans and remediation]()
##### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
#### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next generation protection in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Manage next generation protection in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Management and API support]()
#### [Onboard devices to the service]()
##### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
##### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
##### [Onboard Windows 10 machines]()
###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
###### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
##### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
##### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
##### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
##### [Troubleshoot onboarding issues]()
###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
##### [Get started with Microsoft Defender ATP APIs]()
###### [Introduction](microsoft-defender-atp/apis-intro.md)
###### [Hello World](microsoft-defender-atp/api-hello-world.md)
###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
##### [APIs]()
###### [Supported Microsoft Defender ATP query APIs](microsoft-defender-atp/exposed-apis-list.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
###### [Alert]()
####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
####### [List alerts](microsoft-defender-atp/get-alerts.md)
####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
####### [Update Alert](microsoft-defender-atp/update-alert.md)
####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
####### [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md)
####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
###### [Machine]()
####### [Machine methods and properties](microsoft-defender-atp/machine.md)
####### [List machines](microsoft-defender-atp/get-machines.md)
####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
####### [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
####### [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
####### [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
####### [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
####### [Isolate machine](microsoft-defender-atp/isolate-machine.md)
####### [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
####### [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
####### [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
####### [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
###### [Indicators]()
####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
###### [Domain]()
####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
###### [File]()
####### [File methods and properties](microsoft-defender-atp/files.md)
####### [Get file information](microsoft-defender-atp/get-file-information.md)
####### [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
####### [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
####### [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
###### [IP]()
####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
###### [User]()
####### [User methods](microsoft-defender-atp/user.md)
####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
##### [How to use APIs - Samples]()
###### [Advanced Hunting API]()
####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
###### [Multiple APIs]()
####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]()
##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
#### [API for custom alerts (Deprecated)]()
##### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
##### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
##### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
##### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
##### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md)
##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
#### [Pull alerts to your SIEM tools]()
##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
##### [Create and build Power BI reports using Microsoft Defender ATP data](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Interoperability]()
##### [Partner applications](microsoft-defender-atp/partner-applications.md)
#### [Manage machine configuration]()
##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
##### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
##### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
##### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
#### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
#### [Role-based access control]()
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
##### [Create and manage machine groups]()
###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Configure Microsoft threat protection integration]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
### [Configure portal settings]()
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [APIs]()
##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
##### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
#### [Machine management]()
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
#### Management and API support
##### [Onboard machines](microsoft-defender-atp/onboard-configure.md)
###### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
###### [Onboard Windows 10 machines](microsoft-defender-atp/configure-endpoints.md)
####### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
####### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
####### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
######## [Onboard machines using Microsoft Intune](microsoft-defender-atp/configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune)
####### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
###### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
###### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
###### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
###### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
###### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
###### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
###### [Troubleshoot onboarding issues](microsoft-defender-atp/troubleshoot-onboarding.md)
####### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
##### [Microsoft Defender ATP API](microsoft-defender-atp/use-apis.md)
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
###### [Get started with Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
####### [Hello World](microsoft-defender-atp/api-hello-world.md)
####### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
####### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
###### [APIs](microsoft-defender-atp/exposed-apis-list.md)
## [Troubleshoot Microsoft Defender ATP]()
### [Troubleshoot sensor state]()
#### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
#### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
#### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
#### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
#### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
####### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
### [Troubleshoot Microsoft Defender ATP service issues]()
#### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
#### [Check service health](microsoft-defender-atp/service-status.md)
####### [Alert](microsoft-defender-atp/alerts.md)
######## [List alerts](microsoft-defender-atp/get-alerts.md)
######## [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
######## [Update Alert](microsoft-defender-atp/update-alert.md)
######## [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
######## [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
######## [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
######## [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
######## [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md)
######## [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
### [Troubleshoot live response issues]()
#### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
####### [Machine](microsoft-defender-atp/machine.md)
######## [List machines](microsoft-defender-atp/get-machines.md)
######## [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
######## [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
######## [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
######## [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
######## [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Machine Action](microsoft-defender-atp/machineaction.md)
######## [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
######## [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
######## [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
######## [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
######## [Isolate machine](microsoft-defender-atp/isolate-machine.md)
######## [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
######## [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
######## [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
######## [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
######## [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
####### [Indicators](microsoft-defender-atp/ti-indicator.md)
######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
####### Domain
######## [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
######## [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
######## [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
######## [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
####### [File](microsoft-defender-atp/files.md)
######## [Get file information](microsoft-defender-atp/get-file-information.md)
######## [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
######## [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
######## [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
####### IP
######## [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
######## [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
######## [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
######## [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
####### [User](microsoft-defender-atp/user.md)
######## [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
######## [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
###### How to use APIs - Samples
####### Advanced Hunting API
######## [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
######## [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
######## [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
######## [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
####### Multiple APIs
######## [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
####### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#####Windows updates (KB) info
###### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
#####Common Vulnerabilities and Exposures (CVE) to KB map
###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
### [Troubleshoot attack surface reduction]()
#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
##### API for custom alerts (Deprecated)
###### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
###### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
###### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
###### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
###### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md)
###### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
###### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem.md)
###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
###### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
###### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
###### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
###### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
##### Reporting
###### [Create and build Power BI reports using Microsoft Defender ATP data](microsoft-defender-atp/powerbi-reports.md)
###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
##### Interoperability
###### [Partner applications](microsoft-defender-atp/partner-applications.md)
##### Role-based access control
###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
####### [Create and manage roles](microsoft-defender-atp/user-roles.md)
####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
#### Configure Microsoft threat protection integration
##### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
##### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
##### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
#### [Configure Windows Defender Security Center settings](microsoft-defender-atp/preferences-setup.md)
##### General
###### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
###### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
###### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
###### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
###### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
##### Permissions
###### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
####### [Create and manage roles](microsoft-defender-atp/user-roles.md)
####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
##### APIs
###### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
#####Rules
###### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
###### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
###### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
###### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
###### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
#####Machine management
###### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
###### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
### [Troubleshoot Microsoft Defender ATP](microsoft-defender-atp/troubleshoot-overview.md)
####Troubleshoot sensor state
##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
#### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
#### [Troubleshoot live response issues]()
##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
## [Security intelligence](intelligence/index.md)
### [Understand malware & other threats](intelligence/understanding-malware.md)
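Review bot: four entries are missing the space after the hashes and will not render as headings: `#####Rules`, `#####Machine management`, `####Troubleshoot sensor state` and the matching `####Troubleshoot attack surface reduction`; change them to `##### Rules` (and likewise for the other three). Separately, `### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)` sits at H3 level between the SIEM entries and the Reporting block, while the same entry appears again at H4 level under Troubleshoot Microsoft Defender ATP where it belongs; the first copy looks like a merge leftover and should be dropped. Also worth a look: powerbi-reports.md is linked twice with different titles (Reporting vs. General), and the second title spells it "Windows Defender Security center" while every other entry uses "Security Center".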

View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp

View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 07/16/2018
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
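Review bot: `ms.date: 04/19/2017` is left unchanged although the body of this file is rewritten in the next hunk (table reflowed, event headings converted to a list); bump the date so the published page reflects the revision. The same applies to the other files in this change whose event lists are rewritten below.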
@ -20,24 +20,22 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
**Events List:**
## 4665: An attempt was made to create an application client context.
- 4665: An attempt was made to create an application client context.
## 4666: An application attempted an operation.
- 4666: An application attempted an operation.
## 4667: An application client context was deleted.
## 4668: An application was initialized.
- 4667: An application client context was deleted.
- 4668: An application was initialized.
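Review bot: turning `## 4665: An attempt was made to create an application client context.` and the three headings after it into bullets drops the heading anchors those events had, so any inbound link to one of them breaks; check for inbound references before merging, or keep the headings. The new bullets also carry no success/failure marker, unlike the lists in the other subcategory pages touched here (e.g. `- 4783(S): A basic application group was created.`); confirm whether 4665–4668 should be tagged (S) for consistency.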

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx).
@ -33,23 +32,22 @@ Audit Application Group Management subcategory is out of scope of this document,
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4783(S): A basic application group was created.
- 4783(S): A basic application group was created.
## 4784(S): A basic application group was changed.
- 4784(S): A basic application group was changed.
## 4785(S): A member was added to a basic application group.
- 4785(S): A member was added to a basic application group.
## 4786(S): A member was removed from a basic application group.
- 4786(S): A member was removed from a basic application group.
## 4787(S): A non-member was added to a basic application group.
- 4787(S): A non-member was added to a basic application group.
## 4788(S): A non-member was removed from a basic application group.
- 4788(S): A non-member was removed from a basic application group.
## 4789(S): A basic application group was deleted.
- 4789(S): A basic application group was deleted.
## 4790(S): An LDAP query group was created.
- 4790(S): An LDAP query group was created.
## 4791(S): An LDAP query group was changed.
## 4792(S): An LDAP query group was deleted.
- 4791(S): An LDAP query group was changed.
- 4792(S): An LDAP query group was deleted.
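Review bot: while this file is being touched, the unchanged context line `...such as group creation, modification, addition or removal of group member and some other actions.` reads awkwardly; "addition or removal of group members, and other actions" would do. The bullet conversion itself is consistent with the other pages in the change, and since the table marks every row out of scope there is little else to monitor here.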

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
@ -59,65 +58,64 @@ Role-specific subcategories are outside the scope of this document.
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
## 4868: The certificate manager denied a pending certificate request.
- 4868: The certificate manager denied a pending certificate request.
## 4869: Certificate Services received a resubmitted certificate request.
- 4869: Certificate Services received a resubmitted certificate request.
## 4870: Certificate Services revoked a certificate.
- 4870: Certificate Services revoked a certificate.
## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
## 4872: Certificate Services published the certificate revocation list (CRL).
- 4872: Certificate Services published the certificate revocation list (CRL).
## 4873: A certificate request extension changed.
- 4873: A certificate request extension changed.
## 4874: One or more certificate request attributes changed.
- 4874: One or more certificate request attributes changed.
## 4875: Certificate Services received a request to shut down.
- 4875: Certificate Services received a request to shut down.
## 4876: Certificate Services backup started.
- 4876: Certificate Services backup started.
## 4877: Certificate Services backup completed.
- 4877: Certificate Services backup completed.
## 4878: Certificate Services restore started.
- 4878: Certificate Services restore started.
## 4879: Certificate Services restore completed.
- 4879: Certificate Services restore completed.
## 4880: Certificate Services started.
- 4880: Certificate Services started.
## 4881: Certificate Services stopped.
- 4881: Certificate Services stopped.
## 4882: The security permissions for Certificate Services changed.
- 4882: The security permissions for Certificate Services changed.
## 4883: Certificate Services retrieved an archived key.
- 4883: Certificate Services retrieved an archived key.
## 4884: Certificate Services imported a certificate into its database.
- 4884: Certificate Services imported a certificate into its database.
## 4885: The audit filter for Certificate Services changed.
- 4885: The audit filter for Certificate Services changed.
## 4886: Certificate Services received a certificate request.
- 4886: Certificate Services received a certificate request.
## 4887: Certificate Services approved a certificate request and issued a certificate.
- 4887: Certificate Services approved a certificate request and issued a certificate.
## 4888: Certificate Services denied a certificate request.
- 4888: Certificate Services denied a certificate request.
## 4889: Certificate Services set the status of a certificate request to pending.
- 4889: Certificate Services set the status of a certificate request to pending.
## 4890: The certificate manager settings for Certificate Services changed.
- 4890: The certificate manager settings for Certificate Services changed.
## 4891: A configuration entry changed in Certificate Services.
- 4891: A configuration entry changed in Certificate Services.
## 4892: A property of Certificate Services changed.
- 4892: A property of Certificate Services changed.
## 4893: Certificate Services archived a key.
- 4893: Certificate Services archived a key.
## 4894: Certificate Services imported and archived a key.
- 4894: Certificate Services imported and archived a key.
## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
## 4896: One or more rows have been deleted from the certificate database.
- 4896: One or more rows have been deleted from the certificate database.
## 4897: Role separation enabled.
## 4898: Certificate Services loaded a template.
- 4897: Role separation enabled.
- 4898: Certificate Services loaded a template.
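Review bot: the table recommends IF for servers with the AD CS role, but 4868–4898 are now a flat, unlinked bullet list, whereas the distribution-group page in this same change links each event to its own page (e.g. `[4749](event-4749.md)`); if per-event pages exist for these CA events, link them here, because 4886–4888 (request received, approved, denied), 4882 (security permissions changed) and 4890/4891 (certificate manager settings and configuration entry changed) are exactly the ones an operator monitoring a CA will look up. Consider also grouping the request-lifecycle, revocation/CRL, backup/restore and configuration-change events rather than listing all 31 in numeric order.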

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
@ -29,47 +28,46 @@ This subcategory generates events only on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
- Distribution group is created, changed, or deleted.
- Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group.
- Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created. Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed. Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group. Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group. Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted. Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created. Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed. Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group. Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group. Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
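Review bot: the rewritten universal and local variants are listed as 4759–4763 and then 4744–4748, after the global 4749–4753 entries; ordering the list numerically (4744–4748, 4749–4753, 4759–4763) would let a reader scanning for an event ID find it without reading every line. The move from quoted bold to italic cross-references such as `_[4749](event-4749.md): A security-disabled global group was created._` is fine, but the closing period is now inside the italics on every item, and the lines `- Distribution group is created, changed, or deleted.` and `- Member is added or removed from a distribution group.` both appear as removed and re-added with no visible difference, which suggests a whitespace-only change that deserves a mention in the commit message.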

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,16 +20,15 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
- IPsec services status.
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine.
- Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
@ -41,83 +40,82 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4709(S): IPsec Services was started.
- 4709(S): IPsec Services was started.
## 4710(S): IPsec Services was disabled.
- 4710(S): IPsec Services was disabled.
## 4711(S): May contain any one of the following:
- 4711(S): May contain any one of the following:
## 4712(F): IPsec Services encountered a potentially serious failure.
- 4712(F): IPsec Services encountered a potentially serious failure.
## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
## 5446(S): A Windows Filtering Platform callout has been changed.
- 5446(S): A Windows Filtering Platform callout has been changed.
## 5448(S): A Windows Filtering Platform provider has been changed.
- 5448(S): A Windows Filtering Platform provider has been changed.
## 5449(S): A Windows Filtering Platform provider context has been changed.
- 5449(S): A Windows Filtering Platform provider context has been changed.
## 5450(S): A Windows Filtering Platform sub-layer has been changed.
- 5450(S): A Windows Filtering Platform sub-layer has been changed.
## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
## 5477(F): PAStore Engine failed to add quick mode filter.
- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
- 5477(F): PAStore Engine failed to add quick mode filter.
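Review bot: the converted entry `- 4711(S): May contain any one of the following:` ends on a colon with nothing after it (it did as a heading too), so in a flat list it reads as a truncated sentence; give the event a one-line summary or drop the dangling colon. Separately, turning every `## NNNN(S)` heading into a bullet removes the per-event heading anchors, so any page that deep-links to an anchor such as `#4709s-ipsec-services-was-started` will now land at the top of the article; search the repo for inbound links to these headings before merging.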

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
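Review bot: the `author:` swap between `dulcemontemayor` and `Mir0sh` is metadata only, but it is repeated verbatim in every file below, and a merge commit's diff against the branch can show `master` overwriting a branch-side edit; confirm which handle is the intended current owner so this merge is not quietly reverting an earlier bulk author update, and if a bulk swap is intended, land it in its own commit where it can be reviewed as one change.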

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,24 +20,20 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesnt generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
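Review bot: after this change event 4658 appears twice under **Events List**: once as the linked `- [4658](event-4658.md)(S): The handle to an object was closed.` and again as the unlinked `- 4658(S): The handle to an object was closed. For a description of the event, see ...`. Fold the explanatory sentence (that 4658 is not generated by this subcategory but is enabled through it) into the first, linked entry and drop the second, so the list has one line per event. The duplicated line also writes `doesnt` without its apostrophe.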

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---
@ -20,7 +20,6 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of the IPsec services.
@ -37,9 +36,11 @@ Audit IPsec Driver allows you to audit events generated by IPSec driver such as
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
This subcategory is outside the scope of this document.
**Event volume:** Medium
**Default:** Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
@ -47,25 +48,26 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
**Events List:**
## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
## 5478(S): IPsec Services has started successfully.
- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5478(S): IPsec Services has started successfully.
## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
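Review bot: joining `This subcategory is outside the scope of this document.` onto the end of the `Failure to process IPsec filters poses a potential security risk ...` paragraph makes the scope disclaimer read as a qualification of that one failure case rather than of the whole subcategory; keep it as its own paragraph, as the Filtering Platform Policy Change page in this same commit does. Keeping the full explanatory text for 4960–4963 in the bullets (integrity failure, replay, and clear text where IPsec was expected) is the right call, since those are the entries a reader enabling this subcategory for detection will actually look for.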

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---
@ -25,23 +25,22 @@ Audit IPsec Extended Mode allows you to audit events generated by Internet Key E
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 4979(S): IPsec Main Mode and Extended Mode security associations were established.
- 4979(S): IPsec Main Mode and Extended Mode security associations were established.
## 4980(S): IPsec Main Mode and Extended Mode security associations were established.
- 4980(S): IPsec Main Mode and Extended Mode security associations were established.
## 4981(S): IPsec Main Mode and Extended Mode security associations were established.
- 4981(S): IPsec Main Mode and Extended Mode security associations were established.
## 4982(S): IPsec Main Mode and Extended Mode security associations were established.
- 4982(S): IPsec Main Mode and Extended Mode security associations were established.
## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
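Review bot: four consecutive bullets (`4979`, `4980`, `4981`, `4982`) now carry the identical text `IPsec Main Mode and Extended Mode security associations were established.`, and `4983`/`4984` are likewise word-for-word the same; as headings that was already unhelpful, but in a flat list the reader has no way to tell the events apart. Either state what distinguishes each ID or, if they are interchangeable for auditing purposes, collapse them onto one line (for example `4979–4982(S): ...`).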

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---
@ -20,32 +20,30 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
## 4646(S): Security ID: %1
- 4646(S): Security ID: %1
## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
## 4652(F): An IPsec Main Mode negotiation failed.
- 4652(F): An IPsec Main Mode negotiation failed.
## 4653(F): An IPsec Main Mode negotiation failed.
- 4653(F): An IPsec Main Mode negotiation failed.
## 4655(S): An IPsec Main Mode security association ended.
- 4655(S): An IPsec Main Mode security association ended.
## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5049(S): An IPsec Security Association was deleted.
## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
- 5049(S): An IPsec Security Association was deleted.
- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
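Review bot: `- 4646(S): Security ID: %1` carries an unexpanded message-template placeholder (`%1`) straight from the old heading into the list; it is not an event description and should be replaced with a readable summary of what 4646 records, or explicitly marked as undocumented. `4652(F)` and `4653(F)` are also listed with identical text (`An IPsec Main Mode negotiation failed.`), the same problem as on the Extended Mode page in this commit.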

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---
@ -20,20 +20,18 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5451(S): An IPsec Quick Mode security association was established.
## 5452(S): An IPsec Quick Mode security association ended.
- 5451(S): An IPsec Quick Mode security association was established.
- 5452(S): An IPsec Quick Mode security association ended.
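Review bot: the converted bullets here are not introduced by an `**Events List:**` label, whereas the IPsec Driver page in this same commit adds one above its list and the Handle Manipulation page already has one; add the label here (and on the Filtering Platform, Extended Mode and Main Mode pages in this commit) so the event list is presented consistently across the auditing articles.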

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 07/16/2018
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
@ -33,27 +32,26 @@ NAP events can be used to help understand the overall health of the network.
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
## 6272: Network Policy Server granted access to a user.
- 6272: Network Policy Server granted access to a user.
## 6273: Network Policy Server denied access to a user.
- 6273: Network Policy Server denied access to a user.
## 6274: Network Policy Server discarded the request for a user.
- 6274: Network Policy Server discarded the request for a user.
## 6275: Network Policy Server discarded the accounting request for a user.
- 6275: Network Policy Server discarded the accounting request for a user.
## 6276: Network Policy Server quarantined a user.
- 6276: Network Policy Server quarantined a user.
## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
## 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
## 6280: Network Policy Server unlocked the user account.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
- 6280: Network Policy Server unlocked the user account.
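Review bot: the `6272`–`6280` bullets are the only event entries in this commit without the `(S)`/`(F)` result suffix the other subcategory pages use (`4709(S)`, `4712(F)`, ...); since every one of these lines is being rewritten anyway, add the suffix so readers and any tooling that keys on it see the same shape everywhere. For a page whose audience is monitoring RADIUS access, `6273` (denied) and `6279` (locked after repeated failures) are the entries most worth getting right.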

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 05/29/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 02/28/2019
---
@ -20,78 +20,86 @@ ms.date: 02/28/2019
- Windows 10
- Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
**Event volume**: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted.
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Member is added or removed from a security group.
- Group type is changed.
- Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created. Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
> [!IMPORTANT]
> Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed. Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
> [!IMPORTANT]
> Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group. Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
> [!IMPORTANT]
> Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group. Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
> [!IMPORTANT]
> Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted. Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
> [!IMPORTANT]
> Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
> [!IMPORTANT]
> Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
> [!IMPORTANT]
> Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
>[!IMPORTANT]
> Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
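Review bot: the rewritten 4755(S) entry still reads "Event 4737 is the same, but it is generated for a **universal** security group"; the number should be 4755, since 4737 is the global-group variant described in its own entry earlier in this hunk. Two smaller points in the same hunk: the rebuilt table rows keep "This subcategory doesnt have Failure events" (missing apostrophe, "doesn't"), and the final admonition is written `>[!IMPORTANT]` while the other nine in this page use `> [!IMPORTANT]`; keeping one form keeps the rendering consistent.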


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -39,5 +39,6 @@ Audit Security State Change contains Windows startup, recovery, and shutdown eve
- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
>**Note**&nbsp;&nbsp;Event **4609(S): Windows is shutting down** currently doesnt generate. It is a defined event, but it is never invoked by the operating system.
>[!NOTE]
>Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -71,6 +71,7 @@ If you configure this policy setting, an audit event is generated when sensitive
- [4985](event-4985.md)(S): The state of a transaction has changed.
>**Note**&nbsp;&nbsp;For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
>[!NOTE]
> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
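Review bot: dropping "For some reason" turns the old hedge into a flat statement that 4985 also generates in this subcategory, which is fine if that behaviour is confirmed; otherwise keep a softer wording. Style point: `>[!NOTE]` here has no space after `>`, unlike the `> [!NOTE]` form used in the other admonitions in this change.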


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance


@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp


@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp


@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp


@ -45,4 +45,6 @@ We've seen macro malware download threats from the following families:
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
For more general tips, see [prevent malware infection](prevent-malware-infection.md).


@ -23,13 +23,16 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
> **NOTE** The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
> [!NOTE]
> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
>
> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
> [!NOTE]
> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
> [!NOTE]
> Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
## System requirements
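Review bot: the split into two separate `[!NOTE]` blocks fixes the "Scaner" typo in the first one, but the second still writes "Safety scanner is a portable executable" in lower case while the first note and the sentence before it use "Safety Scanner"; capitalise the product name the same way in both.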


@ -37,7 +37,7 @@ The following best practices serve as a guideline of query performance best prac
- When joining between two tables, project only needed columns from both sides of the join.
>[!Tip]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
## Query tips and pitfalls


@ -72,7 +72,6 @@ To effectively build queries that span multiple tables, you need to understand t
| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
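Review bot: the IsWindowsInfoProtectionApplied row is removed from the schema reference with no replacement, while the neighbouring IsAzureInfoProtectionApplied row stays. If the column is genuinely gone from the schema this is correct, but if it was only renamed or moved to another table, this reference loses the one place it was documented; the commit message or a note in the hunk should say which.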


@ -48,7 +48,7 @@ The goal is to remediate the issues in the security recommendations list to impr
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)


@ -33,7 +33,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).


@ -47,7 +47,7 @@ You can create rules that determine the machines and alert severities to send em
2. Click **Add notification rule**.
3. Specify the General information:
3. Specify the General information:
- **Rule name** - Specify a name for the notification rule.
- **Include organization name** - Specify the customer name that appears on the email notification.
- **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
@ -93,9 +93,9 @@ This section lists various issues that you may encounter when using email notifi
**Solution:** Make sure that the notifications are not blocked by email filters:
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
## Related topics
- [Update data retention settings](data-retention-settings.md)


@ -46,7 +46,7 @@ ms.date: 04/24/2018
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -98,7 +98,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -108,21 +108,21 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
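Review bot: steps 6 and 7 run the offboarding .cmd from a network share as BUILTIN\SYSTEM with "Run with highest privileges", so the share's ACL is the security boundary for every machine the GPO targets: whoever can write to that path can run code as SYSTEM on all of them. Step 2 says "shared, read-only location", but the procedure should state explicitly that write access is limited to the deploying administrators and that the computer accounts (not interactive users) need read access, since the immediate task runs "whether user is logged on or not". Given the 30-day expiry in the script name (*valid_until_YYYY-MM-DD*), a closing step to unlink the GPO once the rollout is verified would also prevent the task from re-running a stale package.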
@ -132,9 +132,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.

View File

@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -113,7 +113,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.

View File

@ -93,7 +93,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
@ -127,11 +127,11 @@ You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
1. Go to Microsoft Defender Security Center.
1. Go to Microsoft Defender Security Center.
2. Click **Machines list**.
2. Click **Machines list**.
3. Verify that machines are appearing.
3. Verify that machines are appearing.
## Related topics

View File

@ -1,5 +1,5 @@
---
title: Onboard Windows 10 machines on Microsoft Defender ATP
title: Onboarding tools and methods for Windows 10 machines
description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh
@ -15,10 +15,9 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/12/2018
---
# Onboard Windows 10 machines
# Onboarding tools and methods for Windows 10 machines
**Applies to:**
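Review bot: the `title:` and H1 change to "Onboarding tools and methods for Windows 10 machines", but the `description:` line still reads "Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor", and a later hunk in this commit still links to this page as "[Onboard Windows 10 machines](configure-endpoints.md)"; update the description and the link text so they match the new title. The second hunk's line count drops from 10 to 9, so `ms.date: 07/12/2018` appears to be the removed line, which is consistent with the other metadata-only hunks in the commit.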

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: procedural
ms.topic: article
---
# Optimize ASR rule deployment and detections

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: procedural
ms.topic: article
---
# Get machines onboarded to Microsoft Defender ATP
@ -65,11 +65,11 @@ From the overview, create a configuration profile specifically for the deploymen
3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
![Profile assignment screen screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
*Assigning the new agent profile to all machines*
>[!TIP]
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
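Review bot: the link fix drops the `/en-us/` locale segment from the docs.microsoft.com URL, which is the locale-neutral form, but the trial sign-up link on the following line still contains `/en-us/`; if the intent is to make the whole page locale-neutral, apply the same change there. The alt-text fix ("screen screen" to "screen") is fine.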

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: procedural
ms.topic: article
---
# Increase compliance to the Microsoft Defender ATP security baseline
@ -41,6 +41,9 @@ The Windows Intune security baseline provides a comprehensive set of recommended
Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
## Get permissions to manage security baselines in Intune
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you havent been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.

View File

@ -14,7 +14,7 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: procedural
ms.topic: conceptual
---
# Ensure your machines are configured properly
@ -47,13 +47,13 @@ In doing so, you benefit from:
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:

View File

@ -134,7 +134,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Microsoft Defender ATP sensor is running on.
1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
@ -172,6 +172,7 @@ If at least one of the connectivity options returns a (200) status, then the Mic
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
> [!NOTE]
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Related topics
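Review bot: the new line about TelemetryProxyServer is added directly under the existing `> [!NOTE]` about the ASR rule with no blank `>` line between them, so Markdown renders it as a continuation of the same paragraph about the Connectivity Analyzer; give it its own `> [!NOTE]` (or `> [!IMPORTANT]`). The behaviour also deserves one more sentence: because the sensor falls back to a direct connection when the configured proxy cannot be reached, environments that block direct egress will lose sensor connectivity when the proxy fails rather than keep working, so the note should tell readers to run the connectivity verification steps above in that case.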

View File

@ -104,14 +104,14 @@ The following steps are required to enable this integration:
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
Once completed, you should see onboarded servers in the portal within an hour.
@ -149,7 +149,7 @@ Supported tools include:
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/16/2017
---
# Configure Splunk to pull Microsoft Defender ATP alerts
@ -33,7 +32,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
@ -52,7 +51,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
3. Click **REST** under **Local inputs**.
NOTE:
This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
4. Click **New**.
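Review bot: the prerequisite swap from the REST API Modular Input app to the Windows Defender ATP Modular Inputs TA is not reflected in step 3, which still says "Click **REST** under **Local inputs**", an input name that matches the removed app rather than the TA; confirm that the TA provides that input on its own, otherwise keep the REST API Modular Input app in the prerequisites or rename the input in step 3.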

View File

@ -28,13 +28,13 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
>[!NOTE]
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
1. In the navigation pane, select **Advanced hunting**.
2. Select an existing query that you'd like to base the monitor on or create a new query.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select **Create detection rule**.
3. Select **Create detection rule**.
4. Specify the alert details:
4. Specify the alert details:
- Alert title
- Severity
@ -42,7 +42,7 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
- Description
- Recommended actions
5. Click **Create**.
5. Click **Create**.
> [!TIP]
> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>

View File

@ -141,11 +141,11 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
2. Log in with your Microsoft Defender ATP credentials.
2. Log in with your Microsoft Defender ATP credentials.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)
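Review bot: step 1 links to `http://securitycenter.windows.com/` while the same portal is linked as `https://securitycenter.windows.com/` in the offboarding hunks of this commit; use https here as well so readers are not sent through a plaintext redirect on the way to a page where, per step 2, they enter their Microsoft Defender ATP credentials.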
