From fa7ff33a3ae22711e9040bfc9958ce7299d727f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:54:58 -0800 Subject: [PATCH 001/190] Create defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..6ea027c1ee --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,33 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 12/15/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.custom: AIR +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + From 6ce84f2c4dbacc71486731a580b322af7bd12486 Mon Sep 17 00:00:00 2001 
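Review bot: `ms.custom: AIR` in the new front matter does not match the article's subject (the `keywords` line reads `alert, exclusion, defender atp, false positive, false negative`); the next commit on this page changes the value to `FPFN`, so squash that fix into this one so the stub never lands with the wrong tag. The body under **Applies to** is empty, which is acceptable for a stub, but mark it as a draft in the PR so the page is not published with a title and no guidance.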
From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:57:19 -0800 Subject: [PATCH 002/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6ea027c1ee..b3098ec0dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -20,7 +20,7 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree -ms.custom: AIR +ms.custom: FPFN --- # Address false positives/negatives in Microsoft Defender for Endpoint @@ -31,3 +31,5 @@ ms.custom: AIR - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) +Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. + From fda53f2bd94c7d4e2691922fad5982a7c5b08a0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:10:19 -0800 Subject: [PATCH 003/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) 
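Review bot: the added introduction covers the false-positive case twice ("identify an artifact as malicious, even though it wasn't" and "files or processes that are not a threat being stopped in their tracks" describe the same situation) and never defines the two terms the title leads with; tighten it to one false-positive question and one false-negative question, and state up front that a false positive is a benign entity that was detected as malicious while a false negative is a malicious entity that was not detected, so the rest of the article has fixed definitions to refer back to.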
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b3098ec0dd..72ede58c51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,3 +33,6 @@ ms.custom: FPFN Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +| Step | Description | +|:---|:---| +| 1. Identify a false positive/negative | | \ No newline at end of file From 131da8346ac47dac17b151b7ed07ff7c81cfd056 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:56:57 -0800 Subject: [PATCH 004/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 72ede58c51..7a8b28a303 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
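Review bot: the new table has a single row with an empty Description cell, and the file now ends without a trailing newline (`\ No newline at end of file`); either fill the Description or hold the table until there is content, and add the final newline so every later diff to this file stops carrying the marker.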
@@ -35,4 +35,25 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | \ No newline at end of file +| 1. Identify a false positive/negative | | +| 2. Review/define exclusions for Defender for Endpoint | | +| 3. Review/define indicators for Defender for Endpoint | | +| 4. Classify a false positive/negative in Defender for Endpoint | | +| 5. Submit a file for analysis | | +| 6. Confirm your software uses EV code signing | | + +## Identify a false positive/negative + +*How do we know something is a false positive or negative? What do we want customers to look for?* + +## Review or define exclusions + +*Exclusions are defined for AutoIR and for MDAV, yes?* + +## Review or define indicators + +## Classify a false positive or false negative + +## Submit a file for analysis + +## Confirm your software uses EV code signing \ No newline at end of file From ae764c12b4d5421861690c50422d036e3e37cc7b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:02:50 -0800 Subject: [PATCH 005/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7a8b28a303..40bb2b65ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
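Review bot: the step order in the table puts "Review/define exclusions" and "Review/define indicators" (steps 2 and 3) ahead of "Classify a false positive/negative" (step 4), but an exclusion or an allow indicator stops Defender for Endpoint from acting on that entity, so readers should confirm the classification before creating either; move step 4 up to follow step 1. The italic author questions committed under `## Identify a false positive/negative` ("*How do we know something is a false positive or negative? What do we want customers to look for?*") and `## Review or define exclusions` ("*Exclusions are defined for AutoIR and for MDAV, yes?*") are drafting notes, not article text, and every Description cell is still empty; resolve those before this merges.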
@@ -35,12 +35,12 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | -| 2. Review/define exclusions for Defender for Endpoint | | -| 3. Review/define indicators for Defender for Endpoint | | -| 4. Classify a false positive/negative in Defender for Endpoint | | -| 5. Submit a file for analysis | | -| 6. Confirm your software uses EV code signing | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | +| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | +| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | +| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | +| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | ## Identify a false positive/negative @@ -52,8 +52,16 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou ## Review or define indicators +*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* + ## Classify a false positive or false negative +*Need to figure out where/how this is done* + ## Submit a file for analysis -## Confirm your software uses EV code signing \ No newline at end of file +*https://www.microsoft.com/wdsi/filesubmission/* + +## Confirm your software uses EV code signing + +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file From fe4c83039bc4c7431f25a5f3f975109743b011ce Mon Sep 17 00:00:00 2001 
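Review bot: the in-page anchors in the first hunk depend on how the build derives heading IDs from headings that contain a slash (`#identify-a-false-positivenegative` for `## Identify a false positive/negative`), so check the rendered page; also the link text in rows 2 to 4 ("Review/define exclusions for Defender for Endpoint") no longer matches the headings it points to ("Review or define exclusions"), which is confusing in a table that serves as the article's table of contents.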
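Review bot: the second hunk commits further drafting notes (`*Need to figure out where/how this is done*`) and bare URLs as italic placeholders under three headings. The indicators note ("Allow indicators for false positives; block indicators for false negatives") is the right framing, but when it is written up it should say that an allow indicator stops Defender for Endpoint from acting on that entity, so it belongs after the classification step (step 4 in the table) rather than before it. The `docs.microsoft.com/windows/...`, `microsoft.com/wdsi/filesubmission/` and `docs.microsoft.com/windows-hardware/...` URLs should become Markdown links with link text, as the **Applies to** link in the same file already is.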
From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:08:27 -0800 Subject: [PATCH 006/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 40bb2b65ea..2d4e5efdb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,7 +35,7 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | | 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | | 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | | 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | From c4e05bee82eba5736e53e971e2433929df88ec2c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:03:43 +0500 Subject: [PATCH 007/190] Procedural Changes An unnecessary step was added in the procedure and has been removed. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8408 --- .../mac-jamfpro-policies.md | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 5faeec9c8d..f1017e4215 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md 
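Review bot: "Both false positives and false negatives can be problematic for your organization" in the step-1 Description is vague; say how each is a problem (a false positive stops a legitimate file or process and costs analyst time, a false negative is a threat that was missed) so the reader sees why the following steps matter. These two definitions are what the whole article rests on, so consider moving them into the introduction above the table instead of keeping them in a single table cell.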
@@ -750,18 +750,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Navigate to **Advanced Computer Searches**. - - ![A screenshot of a social media post Description automatically generated](images/95313facfdd5e1ea361981e0a2478fec.png) - -5. Select **Computer Management**. +4. Select your computer and click the gear icon on the top, select **Computer Management** ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) -6. In **Packages**, select **+ New**. +5. In **Packages**, select **+ New**. ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png) -7. In **New Package** Enter the following details: +6. In **New Package** Enter the following details: **General tab** - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg. @@ -774,15 +770,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![A screenshot of a computer screen Description automatically generated](images/1aa5aaa0a387f4e16ce55b66facc77d1.png) -8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. + **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File. + **Options tab**
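Review bot: removing the old step 4 ("Navigate to **Advanced Computer Searches**") also drops the only reference to `images/95313facfdd5e1ea361981e0a2478fec.png`, but the diff touches only the Markdown file; delete the orphaned screenshot in the same change if nothing else references it. The replacement step 4 ("Select your computer and click the gear icon on the top, select **Computer Management**") is a run-on without a final period and mixes "click" with the "Select" every other step uses; reword it as "Select your computer, select the gear icon at the top, and then select **Computer Management**."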
Keep default values. **Limitations tab**
Keep default values. ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png) -9. Select **Save**. The package is uploaded to Jamf Pro. +8. Select **Save**. The package is uploaded to Jamf Pro. ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png) 
@@ -790,45 +788,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png) -10. Navigate to the **Policies** page. +9. Navigate to the **Policies** page. ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png) -11. Select **+ New** to create a new policy. +10. Select **+ New** to create a new policy. ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png) -12. In **General** Enter the following details: +11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png) -13. Select **Recurring Check-in**. +12. Select **Recurring Check-in**. ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) -14. Select **Save**. +13. Select **Save**. -15. Select **Packages > Configure**. +14. Select **Packages > Configure**. ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png) -16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png) -17. Select **Save**. +16. Select **Save**. ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png) -18. Select the **Scope** tab. +17. Select the **Scope** tab. ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png) -19. Select the target computers. +18. Select the target computers. ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png) 
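Review bot: this hunk is pure renumbering of steps 10 to 19 down to 9 to 18, forced by the deletion above. Markdown ordered lists render sequentially when every item is written as `1.`, so switching the procedure to that form would stop future insertions or deletions from churning forty lines of this file and would leave only the real change visible in review.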
@@ -844,7 +842,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) -20. Select **Done**. +19. Select **Done**. ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) From 8c4268ea229155638b6cb9a201fcaa9985a3a8ed Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 13:33:46 +0500 Subject: [PATCH 008/190] Addition of a right A right was missing from the list. Added the basic info. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8551 --- .../security-policy-settings/user-rights-assignment.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 03d0a20cf4..6074db6073 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,6 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| 
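Review bot: the new row's link in the user-rights table is malformed: `[Obtain an impersonation token for another user in the same session])` has no `(target)` and a stray `)`, so it will render as literal brackets. Every other row links the right's name to a dedicated page (for example `modify-firmware-environment-values.md` for `SeSystemEnvironmentPrivilege`), so either add a page for `SeDelegateSessionUserImpersonatePrivilege` in the same format as the other rights' pages, or leave the name unlinked with a short description, rather than pointing it at another right's page.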
@@ -78,6 +79,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| + ## Related topics From 053da0a6581a34a3d11ed9fe2f0c921bc4725ab5 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:09:40 -0700 Subject: [PATCH 009/190] Update windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/mac-jamfpro-policies.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index f1017e4215..961a958e6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -750,7 +750,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png) -4. Select your computer and click the gear icon on the top, select **Computer Management** +4. Select your computer and click the gear icon at the top, then select **Computer Management**. ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png) @@ -851,4 +851,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - From 7682c17362d6802ae7a7019d280feb3a5263afd1 Mon Sep 17 00:00:00 2001 
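Review bot: the hunk at `@@ -78,6 +79,7 @@` adds only a blank line before `## Related topics`, which neither the commit message ("A right was missing from the list. Added the basic info.") nor the linked issue explains; drop the whitespace-only change or mention it so reviewers do not hunt for content in it.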
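Review bot: the corrected step 4 ("Select your computer and click the gear icon at the top, then select **Computer Management**.") still says "click" while every other step in this procedure uses "Select" (`Select **Save**`, `Select **+ New**`, `Select the **Scope** tab`); use "select" here too for consistency.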
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 4 Jan 2021 09:22:32 -0700 Subject: [PATCH 010/190] Update windows/security/threat-protection/security-policy-settings/user-rights-assignment.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../security-policy-settings/user-rights-assignment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 6074db6073..656b0c378b 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -69,7 +69,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| -| [Obtain an impersonation token for another user in the same session]) | SeDelegateSessionUserImpersonatePrivilege| +| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| From 500fd2c72ee5fa5d5ce00dbe699dabac111a77e3 Mon Sep 17 00:00:00 2001 
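Review bot: the link target is the wrong page. By the naming convention of every other row (`modify-an-object-label.md` for **Modify an object label**), `impersonate-a-client-after-authentication.md` is the page for the "Impersonate a client after authentication" right, not for `SeDelegateSessionUserImpersonatePrivilege` ("Obtain an impersonation token for another user in the same session"). Linking one privilege's name to another privilege's default assignment and security guidance is misleading in a user-rights reference; leave the name unlinked until there is a dedicated page.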
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 10:50:21 +0500 Subject: [PATCH 011/190] Update use-vamt-in-windows-powershell.md --- .../volume-activation/use-vamt-in-windows-powershell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 7389bcd273..0fcb1ad99c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -57,7 +57,7 @@ get-help get-VamtProduct -all ``` **Warning** -The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278). +The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt). **To view VAMT PowerShell Help sections** From eb8843f637a817ceb46c8c58d9eb75c116ab8655 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 11:59:56 +0500 Subject: [PATCH 012/190] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..fc57328704 100644 
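Review bot: swapping the `go.microsoft.com/fwlink` redirector for `https://docs.microsoft.com/powershell/module/vamt` is fine, but while touching this **Warning** paragraph, put the cmdlet and parameter names in code formatting with their canonical casing (`Update-Help`, `Get-Help`, `-Online`) to match the fenced `get-help get-VamtProduct -all` example directly above it.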
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 7c7a13348fa00a44133e085964b25260ba80d04e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 Jan 2021 14:37:28 +0500 Subject: [PATCH 013/190] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
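Review bot: the rewritten sentence is missing articles ("includes Azure AD Multi-Factor Authentication license", "use third-party Multi-Factor Authentication provider"); read "includes an Azure AD Multi-Factor Authentication license" and "use a third-party Multi-Factor Authentication provider". More importantly, the hunk replaces a hedge ("additional costs needed for multi-factor authentication") with a specific licensing claim (another subscription such as Microsoft 365 supplies the Azure AD Multi-Factor Authentication license); that needs a source link, because the MFA requirement of a key trust deployment is exactly what box **6c** of the worksheet decides.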
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index fc57328704..d99d54226f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes Azure AD Multi-Factor Authentication license (like Microsoft 365), or use third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 7ced57c6927538be4219721a78fa1d09b0eb879a Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 13 Jan 2021 07:23:37 +0500 Subject: [PATCH 014/190] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d99d54226f..ba1692b00e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to have another subscription that includes an Azure AD Multi-Factor Authentication license (like Microsoft 365) or to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From bcd0ea8622f7858720b7f9d28bf8f718567be1d6 Mon Sep 17 00:00:00 2001 
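Review bot: the sentence now states that a free Azure Active Directory tenant "need[s] to use a third-party Multi-Factor Authentication provider", which is stronger than the previous revision (an Azure AD Multi-Factor Authentication license from another subscription such as Microsoft 365 also qualified). Two consecutive commits have moved this licensing claim in opposite directions, so pin it to a citation before merging; readers size their Windows Hello for Business key trust deployment on this one sentence.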
From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:49:14 -0800 Subject: [PATCH 015/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 ++++++++++++------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2d4e5efdb5..c43654ba5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 12/15/2020 +ms.date: 01/15/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro 
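Review bot: `ms.date` is set to `01/15/2021` while this commit is dated Wed, 13 Jan 2021; `ms.date` should carry the actual revision date rather than a planned publish date, or be bumped when the article actually ships.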
@@ -31,20 +31,29 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -| Step | Description | -|:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | -| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | -| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | -| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | -| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | -| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | +Review your threat protection settings +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -## Identify a false positive/negative +- Cloud-delivered protection +- Remediation for potentially unwanted apps (PUA) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + +### Remediation for potentially unwanted applications (PUA) + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. 
Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -*How do we know something is a false positive or negative? What do we want customers to look for?* ## Review or define exclusions From a41ed13796f6238a069151684485c15296665174 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:25 -0800 Subject: [PATCH 016/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c43654ba5e..7e2224fc74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
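Review bot: In the [PATCH 003/190] hunk above, the new section title `+Review your threat protection settings` is added as a bare paragraph with no `## ` prefix, so it will not render as a heading and the `### Cloud-delivered protection` and `### Remediation for potentially unwanted applications (PUA)` subsections become orphaned under the intro; add the `## ` marker, the level the file already uses for `## Review or define exclusions`. Two smaller points in the same hunk: the `See [Specify the cloud-delivered protection level](...)` line has no terminating period, and the PUA tip link carries an `/en-us/` locale segment that the cloud-protection link two paragraphs earlier omits, so the two docs.microsoft.com links are inconsistent. Finally, the hunk deletes the `## Identify a false positive/negative` section and the step table that pointed at it without replacing the guidance on how a reader tells which case they are in; the new definition of false positive and false negative is correct, but it should still point the reader at a concrete check (the alert, the detection source, or submitting the file) before the settings review begins.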
@@ -54,6 +54,16 @@ Depending on the apps your organization is using, you might be getting false pos > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + + ## Review or define exclusions From 0509296bac40162a4aefbfe21aecf284507843ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:48 -0800 Subject: [PATCH 017/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e2224fc74..703de9a4ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
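Review bot: Step 2 of the new procedure in the [PATCH 016/190] hunk tells the reader to "skip to the next procedure" to create a new policy, but this hunk adds only the edit-an-existing-profile procedure; there is no next procedure in the file at this point, so either add the create-profile steps in the same commit or drop the parenthetical until they exist. The hunk also leaves two blank lines before `## Review or define exclusions` where the rest of the file uses one.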
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -56,12 +56,12 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). -3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. -4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) -6. Choose **Review + save**, and then choose **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. From 1c60d9b448e225a8707e85cbc1d7c0292741de68 Mon Sep 17 00:00:00 2001 
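Review bot: The six `-`/`+` line pairs in the [PATCH 017/190] hunk are textually identical as shown, so this is a whitespace-only change (trailing spaces or line endings) to lines introduced by the immediately preceding commit; squash it into [PATCH 016/190] rather than carrying a no-op commit in the series.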
From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:52:02 -0800 Subject: [PATCH 018/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 703de9a4ef..4fc988374f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -57,12 +57,23 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. +#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. 
(You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. ## Review or define exclusions From 47a5ddb4b59892d07f31a4ef6dc08737e27e7a14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:54:35 -0800 Subject: [PATCH 019/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fc988374f..d120882e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
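Review bot: Step 7 of the new "set PUA protection for a new configuration profile" procedure in the [PATCH 018/190] hunk has a broken link: the target of `[Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs)` is a page title, not a URL, so it renders as a dead relative link; replace it with the docs.microsoft.com URL. Two wording fixes in the same hunk: step 8 reads "applied to all devices certain editions of Windows 10" (missing "running"), and step 9 reads "review your settings, and, and then choose **Create**" (duplicated "and,"). Step 6's parenthetical about audit mode would also read better inside the step sentence, as step 5 of the preceding procedure does, rather than as a trailing line after "choose **Next**".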
@@ -76,9 +76,17 @@ Depending on the apps your organization is using, you might be getting false pos 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: + +- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) +- Create “allow” indicators for Microsoft Defender for Endpoint () + +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. -*Exclusions are defined for AutoIR and for MDAV, yes?* ## Review or define indicators From ba8ffab39c6b33c5d8b74f831c6adb308218a1fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:55:40 -0800 Subject: [PATCH 020/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
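Review bot: The second bullet in the [PATCH 019/190] hunk, `+- Create “allow” indicators for Microsoft Defender for Endpoint ()`, ends with empty parentheses, which looks like a link that was never filled in; either insert the intended reference or remove the parentheses. The lead-in says "at least two kinds of tasks" while the closing sentence says "both kinds of tasks"; pick one. More substantively, the opening definition says an excluded entity "might still get detected, but no remediation actions are taken", yet the closing sentence says antivirus exclusions do not apply to EDR, ASR rules or controlled folder access and that excluded files can still trigger alerts. The section covers two different mechanisms (antivirus exclusions and allow indicators); the definition should say which behaviour belongs to which rather than describing all exclusions as remediation-only.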
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d120882e6a..4cfd1708d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -85,7 +85,7 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. ## Review or define indicators From f1e6f6f4ff42ca4086b58915cf99051c152af1e2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:56:39 -0800 Subject: [PATCH 021/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
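Review bot: The [PATCH 020/190] hunk adds links for ASR rules and controlled folder access but leaves the empty `()` on the `- Create “allow” indicators for Microsoft Defender for Endpoint ()` context line two lines above, and "custom indicators" at the end of the changed line is still unlinked; since this commit is already the link pass over this paragraph, fix both here.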
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cfd1708d9..61db33647d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -75,17 +75,15 @@ Depending on the apps your organization is using, you might be getting false pos 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - ## Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: - - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. 
+You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). ## Review or define indicators From 04e2d46c5b0994aefda58e659b99e89164de1dad Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:18 -0800 Subject: [PATCH 022/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 61db33647d..f9216bbfe8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
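Review bot: Removing the blank line between `To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks:` and the `- Define exclusions for Microsoft Defender Antivirus` bullet in the [PATCH 021/190] hunk is a style regression: every other list in this file (the `- Cloud-delivered protection` list, for example) is separated from its lead-in sentence by a blank line, and a list that directly follows a paragraph line is not recognised as a list by every Markdown renderer. Keep the blank line. Linking "custom indicators" to the manage-indicators page at the end of the paragraph is the right fix.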
@@ -85,6 +85,33 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. 
Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + + ## Review or define indicators From 3d1407fd3a22033c4ba167208dc03f379cc85de2 Mon Sep 17 00:00:00 2001 
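Review bot: Steps 7 and 8 of the "create an antivirus policy with exclusions" procedure in the [PATCH 022/190] hunk both use page titles as link targets (`[Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs)` and `[Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs)`), which renders as broken links; replace both with URLs. Step 2's "skip to the next procedure" has no anchor, unlike the same phrase in the PUA procedure earlier in the series, and the `#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions` heading has no blank line before its first step. The guidance paragraph is right to say exclusions should be defined sparingly and reviewed regularly; since the same sentence already lists files, folders, processes and process-opened files as the excludable kinds, it should also say to prefer the narrowest kind that stops the false positive (a specific file or process over a whole folder), because a folder or process exclusion also covers anything later dropped into that folder or loaded by that process.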
From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:54 -0800 Subject: [PATCH 023/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f9216bbfe8..4fd508750d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -90,7 +90,7 @@ You must perform both kinds of tasks because Microsoft Defender Antivirus exclus In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. > [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies 
@@ -101,6 +101,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Choose **Review + save**, and then choose **Save**. #### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions + 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. 3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). From 3c5d2a3d2429851c32762559e667f20c91f60cc7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:09:06 -0800 Subject: [PATCH 024/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fd508750d..b43e1e658d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -95,7 +95,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. 
@@ -108,7 +108,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. From 480e2a5a36204a7a1aa754c651f18631efbc55e7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:10:06 -0800 Subject: [PATCH 025/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b43e1e658d..41af0bb20a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
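Review bot: The second [PATCH 024/190] hunk replaces the scope-tags page-title target in step 7 with a real URL but leaves step 8, in the context line directly below it, with the same kind of broken target (`[Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs)`); since this commit is the link-fixing pass, fix that link here as well, together with the identical one in step 7 of the PUA new-profile procedure.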
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -112,8 +112,6 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - ## Review or define indicators *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* From 514985aeb75c4975f24cb75ae6bc930a61ee32fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:08 -0800 Subject: [PATCH 026/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41af0bb20a..684eb83488 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
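Review bot: The [PATCH 025/190] hunk only trims two blank lines, but its context shows the italic draft note `*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators*` still sitting directly under `## Review or define indicators`; that is author scaffolding rather than content and should be replaced with the section text before the page ships.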
@@ -33,7 +33,8 @@ ms.custom: FPFN In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -Review your threat protection settings +## Review your threat protection settings + Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection 
@@ -112,13 +113,17 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -## Review or define indicators +### Indicators for Microsoft Defender for Endpoint *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* -## Classify a false positive or false negative +To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: + +- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + -*Need to figure out where/how this is done* ## Submit a file for analysis From 7312853d028e81efbab426af3f5c28d1240c8d34 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:28 -0800 Subject: [PATCH 027/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
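Review bot: In the second [PATCH 026/190] hunk, the `## Classify a false positive or false negative` heading and its placeholder are deleted, but the italic draft line `*Allow indicators for false positives; block indicators for false negatives. ...*` is kept as a context line directly under the new `### Indicators for Microsoft Defender for Endpoint` heading, so the draft note now opens the section; remove it. The new paragraph also covers only the first half of what that note promised: it explains "allow" indicators for false positives, but says nothing about "block" indicators for false negatives, which the article's title and intro both commit to. Two smaller points: the three new links carry an `/en-us/` locale segment that the other docs.microsoft.com links in this file omit, and the sentence "prevent the following capabilities ... from taking action on entities" should say whether "taking action" means detection or remediation for each listed capability, since the exclusions definition earlier in the file treats those differently.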
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 684eb83488..ae042deaee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -53,7 +53,7 @@ Potentially unwanted applications (PUA) are a category of software that can caus Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. > [!TIP] -> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles 
@@ -119,9 +119,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: -- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) From b83175dcb1eafe83648d424b07efa4bc40665622 Mon Sep 17 00:00:00 2001 From: msft-cjeich Date: Thu, 14 Jan 2021 12:17:20 -0800 Subject: [PATCH 028/190] Update web-content-filtering.md Text update to account for changes to our data provider. Also - 15 min for policy sync is incorrect. SLA should be 2hrs. Include other 3rd party browsers which NP supports. This is a server-side change which requires no client side changes. --- .../microsoft-defender-atp/web-content-filtering.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index d8daf9644c..b6d259a0f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -32,7 +32,7 @@ Web content filtering is part of [Web protection](web-protection-overview.md) ca Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. -Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section. +Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section. Summarizing the benefits: 
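Review bot: "Chrome, Firefox, Brave and Opera" needs the serial comma required by the Microsoft style guide ("Chrome, Firefox, Brave, and Opera"). This sentence already points readers to the prerequisites section for browser support, so consider keeping the enumerated list only there and saying "supported third-party browsers" here; otherwise the list has to be updated in several places each time Network Protection adds a browser.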
@@ -42,7 +42,7 @@ Summarizing the benefits: ## User experience -The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly in-browser experience, consider using Microsoft Edge. 
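Review bot: "3rd party supported browsers" has the modifiers in the wrong order and uses the numeral form; rewrite as "supported third-party browsers" (Microsoft style spells out and hyphenates "third-party"). The same phrase recurs in the Limitations hunk of this patch, so fix it consistently.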
@@ -54,11 +54,11 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. ## Data handling -We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. +We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. ## Turn on web content filtering 
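Review bot: Deleting the sentence about sending aggregate data to data providers turns the remaining statement, "your data will not be shared with any third-parties, including our data providers", into an absolute privacy commitment. The commit message attributes this to a data provider change, but a change to a published data-handling claim should be confirmed with the privacy or legal owner before merge, and "third-parties" should be "third parties" (no hyphen when used as a noun). In the prerequisites hunk, the appended sentence "Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled" is awkward; suggest "Network Protection currently supports the following third-party browsers: Chrome, Firefox, Brave, and Opera."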
@@ -78,7 +78,7 @@ To add a new policy: 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices. Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. @@ -138,7 +138,7 @@ Use the time range filter at the top left of the page to select a time period. Y ### Limitations and known issues in this preview -- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox. +- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. From 44c4fbf6396ca58b9b8ac058e1a73fe8902b9e9f Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:42:27 -0800 Subject: [PATCH 029/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ae042deaee..ffdbda504e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -80,11 +80,13 @@ Depending on the apps your organization is using, you might be getting false pos An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: -- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) -- Create “allow” indicators for Microsoft Defender for Endpoint () +To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +- Define exclusions for Microsoft Defender Antivirus +- Create “allow” indicators for Microsoft Defender for Endpoint -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). 
+Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus From 2a62143a863c9cac8d8a0ed1092bcd69b5bee3c9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:43:08 -0800 Subject: [PATCH 030/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ffdbda504e..e6f69698aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
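Review bot: Typo in the added paragraph: "indcators" should be "indicators". More substantively, the paragraph says Microsoft Defender Antivirus exclusions don't cover EDR, ASR rules, or controlled folder access and then recommends custom "allow" indicators "to exclude files broadly", but the Indicators section in the hunks below lists the capabilities allow indicators apply to as next-generation protection, EDR, and automated investigation and remediation only. Either extend that list if indicators do honor ASR and controlled folder access exclusions, or soften "broadly" so readers don't expect an allow indicator to suppress an ASR rule or a controlled folder access block.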
@@ -90,7 +90,7 @@ The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). From b02a689fcabe64b16fef1247e8ccc188bf8654b6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:51:31 -0800 Subject: [PATCH 031/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6f69698aa..06cebc920f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -117,9 +117,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* +Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: +To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 8dcc9193719eca758c78c4a28af7ed1b7508ebff Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:13:59 -0800 Subject: [PATCH 032/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 06cebc920f..7b10b4055e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -119,13 +119,18 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +You can create indicators for files, IP addresses, URLs, domains, and certificates. 
Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) ## Submit a file for analysis From 686d53ec8af732d9193d252fbcdd800446163efa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:21:59 -0800 Subject: [PATCH 033/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b10b4055e..870ce280d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
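Review bot: The four resource links added here reintroduce the `/en-us/` locale segment that an earlier hunk in this series removed from the same article; drop it for consistency and locale-neutral routing. There is also a missing space in "Microsoft Defender Security Center([https://securitycenter.windows.com]...)" before the opening parenthesis.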
@@ -132,6 +132,9 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat - [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) - [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. + ## Submit a file for analysis *https://www.microsoft.com/wdsi/filesubmission/* From e371bbcd198bee71ae509467d145686035ea23f8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:21:53 -0800 Subject: [PATCH 034/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 870ce280d6..21a9dffad4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
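Review bot: The new tip states a hard tenant limit of 15,000 indicators; numeric limits drift, so either make the manage-indicators article the single owner of that number and link to it from the tip, or phrase it as "see the current limit in Manage indicators" so this page does not go stale on its own. Also avoid opening a sentence with "And,"; "You might also need to gather certain details first, such as file hash information" reads cleaner.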
@@ -119,21 +119,30 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. 
Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): -- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. 
Make sure to review the information, including prerequisites, + +## Classify a false positive or false negative + +### Suppress alerts for a false positive + +To suppress an alert, you create an alert suppression rule. + +1. Go to the Microsoft Defender Security Center () + ## Submit a file for analysis From 593e88abae3a0d4d650d43d98d09f6e9d9d2fdb5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:32:05 -0800 Subject: [PATCH 035/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 21a9dffad4..ee2d488676 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
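Review bot: Two unfinished fragments in this hunk would ship as-is: the tip now ends mid-sentence ("Make sure to review the information, including prerequisites,") and step 1 of the new suppression procedure has an empty link placeholder ("Go to the Microsoft Defender Security Center ()"). Complete or remove both before merge; a numbered list with a single unfinished step under "### Suppress alerts for a false positive" will otherwise publish as a broken procedure.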
@@ -137,12 +137,17 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative -### Suppress alerts for a false positive +### Classify an alert as a false positive -To suppress an alert, you create an alert suppression rule. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. -1. Go to the Microsoft Defender Security Center () +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +> [!TIP] +> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From b4a2125bc097ea67e3ba0aa56316323feb1c81a4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:38:36 -0800 Subject: [PATCH 036/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ee2d488676..5f0e8172e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
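Review bot: The tip at the end of this hunk says "For more details about suppressing alerts", but the section was just renamed to "Classify an alert as a false positive" and steps 1 through 4 describe classification (**True alert** or **False alert**), not suppression; change it to "For more details about managing and classifying alerts" or move it to the suppression section. A blank line between step 4 and the `> [!TIP]` block would also keep the callout from visually attaching to the list.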
@@ -137,6 +137,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative +As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Suppress an alert + + + ### Classify an alert as a false positive Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. From 33bdd42057de9d1c7d326fedfbf3c1ed59ab24f2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:43:57 -0800 Subject: [PATCH 037/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5f0e8172e9..2a143eeeca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
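Review bot: "### Suppress an alert" is added with no body, so the published page will show an empty section between the intro paragraph and "Classify an alert as a false positive"; either fill it in with the suppression procedure the intro promises ("you can suppress alerts for that entity") or hold it back until the content exists. Minor: "higher priority work items" should be hyphenated ("higher-priority work items").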
@@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 03455cece21ba363366bd6962c0a8b62a5251de8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:53:37 -0800 Subject: [PATCH 038/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2a143eeeca..5e214daece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -31,7 +31,11 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- Reviewing your threat protection settings and making adjustments where needed +- + +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 5eddcebd712edab6b9dd9822886e3e4571db2c3d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:06:56 -0800 Subject: [PATCH 039/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5e214daece..7e8b9fe917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
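Review bot: the `@@ -31,7 +31,11 @@` hunk leaves the new "The process of addressing false positives/negatives can include:" list with a bare `-` as its second item, so the page ships with an empty bullet; either complete the list in this commit or leave the sentence out until the items are written.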
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -31,11 +31,14 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: -- Reviewing your threat protection settings and making adjustments where needed -- +In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); +- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); +- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); +- [Submitting files for further analysis](#submit-a-file-for-analysis); and +- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 19182cc41478da89fd15c381c01a4c9f80ff1cdd Mon Sep 17 00:00:00 2001 
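Review bot: the five bullets added in the `@@ -31,11 +31,14 @@` hunk are punctuated as one run-on sentence (semicolons, "; and", trailing period), which does not match the plain bullet style used under "Review your threat protection settings" elsewhere in this file; drop the semicolons and the "and". Please also verify that every in-page anchor resolves: of the five targets only `#review-your-threat-protection-settings`, `#review-or-define-exclusions-for-microsoft-defender-for-endpoint`, `#classify-a-false-positive-or-false-negative` and `#confirm-your-software-uses-ev-code-signing` correspond to headings visible in this series, so `#submit-a-file-for-analysis` needs a check against the actual heading text.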
From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:15:08 -0800 Subject: [PATCH 040/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e8b9fe917..a77c24e5c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings 
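Review bot: the Microsoft Defender Security Center link added in the `@@ -38,7 +38,7 @@` hunk contains a locale segment (`https://docs.microsoft.com/en-us/windows/...`) while the Defender for Endpoint link in the same sentence does not; docs links in this repo are written without `en-us`, so drop it for consistency.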
@@ -168,4 +168,6 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Confirm your software uses EV code signing -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* + +## Still need help? \ No newline at end of file From b76685aa6938c547cafd7b397aa2e606759fc87d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:22:20 -0800 Subject: [PATCH 041/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a77c24e5c2..1881a1f688 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
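Review bot: the `@@ -168,4 +168,6 @@` hunk adds `## Still need help?` with no body, and it is now the target of the `#still-need-help` link added in the intro, so readers will be sent to an empty section; add the content, and end the file with a newline since the hunk still reports "No newline at end of file".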
@@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection - Remediation for potentially unwanted apps (PUA) 
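Review bot: in the `@@ -42,7 +42,7 @@` hunk "make sure to review" adds nothing over "review"; if the line is being touched anyway, "fine tune" should be hyphenated as the verb "fine-tune".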
@@ -85,13 +85,13 @@ Depending on the apps your organization is using, you might be getting false pos ## Review or define exclusions for Microsoft Defender for Endpoint -An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. 
To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. From 04ec92cf634ec8ddfb09c0ba1692039b10f1ff4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:41:26 -0800 Subject: [PATCH 042/190] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1881a1f688..8db2bfbd67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
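Review bot: the replacement paragraph in the `@@ -85,13 +85,13 @@` hunk carries over the typo "indcators" in `such as "allow" indcators for Microsoft Defender for Endpoint`; fix it to "indicators" while the line is being rewritten. The same hunk drops the "(EDR)" and "(ASR)" abbreviations; make sure no later sentence in the file still relies on them.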
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -51,7 +51,20 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. -See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + + + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 05b7341aee7a6b1c2d39f90f5eebe8fc9adc5f9c Mon Sep 17 00:00:00 2001 
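Review bot: step 2 of the procedure added in the `@@ -51,7 +51,20 @@` hunk tells the reader to "skip to the next procedure", but nothing follows the list except blank lines and the TIP, so the reference dangles; add the new-policy procedure or remove the reference. In the same step the UI path "Endpoint security > Antivirus" is not bolded, unlike the UI labels in steps 3 to 5; use `**Endpoint security** > **Antivirus**`.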
From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:42:15 -0800 Subject: [PATCH 043/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8db2bfbd67..1a74f33fa5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -56,12 +56,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. - +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From cdd241e8d99345b9797dfc7a4175c2b2b0236976 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:22 -0800 Subject: [PATCH 044/190] Update TOC.md --- windows/security/threat-protection/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 4fd85c48d2..d64cf954ff 100644 
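Review bot: the `@@ -56,12 +56,12 @@` hunk introduces the `#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy` heading with no body, so the TIP that follows it reads as the only content of that section; either add the steps here or move the TIP above the new heading.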
--- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -508,6 +508,8 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference From cdde314ed51395c2fc9aee94d6fcdbff2fbedbb2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:34 -0800 Subject: [PATCH 045/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1a74f33fa5..22e7b90793 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,6 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy + + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From 68ea7ac163b7f95c072adcbad71e11f583111b3e Mon Sep 17 00:00:00 2001 
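Review bot: the `@@ -63,6 +63,8 @@` hunk in the false-positives page only inserts two blank lines under the still-empty "for a new antivirus policy" heading, which does not resolve the empty section and adds trailing whitespace churn; fold the real steps into this commit instead.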
From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:28:26 -0800 Subject: [PATCH 046/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 22e7b90793..1ef9284ac9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -44,8 +44,8 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -- Cloud-delivered protection -- Remediation for potentially unwanted apps (PUA) +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) ### Cloud-delivered protection 
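Review bot: in the `@@ -44,8 +44,8 @@` hunk the second link's text "Remediation for potentially unwanted apps" with "(PUA)" placed outside the link does not match the heading it points to ("Remediation for potentially unwanted applications (PUA)"); use the heading's wording and keep "(PUA)" inside the link text.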
@@ -55,11 +55,11 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). -3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. -5. Choose **Review + save**, and then **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy 
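Review bot: the `@@ -55,11 +55,11 @@` hunk replaces all five steps with lines that show no visible textual difference, which points to a trailing-whitespace or indentation-only change; if the indentation change is unintended, drop the hunk to keep the history clean, and if it is intended (for example to nest the list), say so in the commit message.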
From 9422afe00f6e835c8fbc33b7259acc60f144d893 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:43:24 -0800 Subject: [PATCH 047/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ef9284ac9..cfe7df33b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings 
@@ -63,7 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From a25292e549f421e316dc663adfa53259a74c9e1a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:59:55 -0800 Subject: [PATCH 048/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cfe7df33b6..c0b9058440 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
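Review bot: step 2 added in the `@@ -63,7 +63,8 @@` hunk says "select an existing policy", which contradicts the heading it sits under ("set cloud-delivered protection settings for a new antivirus policy"); the step should take the create-policy path, and the list currently stops after step 2 without any configuration step.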
@@ -64,7 +64,14 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) 
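Review bot: step 6 in the `@@ -64,7 +64,14 @@` hunk, `6. On the **Scope tags** tab,`, is cut off mid-sentence and the procedure has no assignment or review step after it; complete the list before merging. In step 3 the parenthetical "(the specific option depends on what you selected for **Platform**.)" has its period inside the closing parenthesis although it is not a full sentence; move the period outside.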
@@ -135,7 +142,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. 7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. ### Indicators for Microsoft Defender for Endpoint From 07713c98772ee3af4565a1b149553e519daf4dd1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:02:25 -0800 Subject: [PATCH 049/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0b9058440..41a001d354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -51,6 +51,9 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings 
@@ -70,11 +73,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + -> [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 70896026c3c8aede5837401ed9e3ef30efdd2c84 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:08:28 -0800 Subject: [PATCH 050/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
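Review bot: the list in the `@@ -70,11 +73,12 @@` hunk jumps from step 6 to step 8 with no step 7; renumber the appended "Assignments" and "Review + create" steps to 7 and 8 so the source matches what Markdown renders. The hunk also leaves three blank lines after the list, which is whitespace to trim.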
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41a001d354..60b333fb5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -77,9 +77,6 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - - ### Remediation for potentially unwanted applications (PUA) Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. @@ -175,6 +172,8 @@ As alerts are triggered, if you see something that was detected as malicious or ### Suppress an alert +You can suppress an alert in the Microsoft Defender Security Center. + ### Classify an alert as a false positive From c89b09bdf3e1c53a30105dd41db70db9dfc2d9d2 Mon Sep 17 00:00:00 2001 
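Review bot: the sentence added under `### Suppress an alert` ("You can suppress an alert in the Microsoft Defender Security Center.") states that suppression is possible but gives the reader no procedure and no link, so the section publishes as a stub. Either add the suppression steps or a pointer to the manage-alerts article in this commit, or leave the placeholder out until the steps are written.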
From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:13:56 -0800 Subject: [PATCH 051/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 60b333fb5f..b9a77466b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -103,7 +103,7 @@ Depending on the apps your organization is using, you might be getting false pos 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) -7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. From 04b09667e6a2174745db3d5891431b0466f6844a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:22:26 -0800 Subject: [PATCH 052/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b9a77466b5..1ea52853e9 100644 
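Review bot: the link repair in step 7 is correct, but the two context lines directly below it carry typos worth fixing in the same commit: step 8 reads "applied to all devices certain editions of Windows 10" (a word such as "running" is missing between "devices" and "certain"), and step 9 reads "review your settings, and, and then choose **Create**" (duplicated "and,").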
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) 
@@ -73,7 +73,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. 
@@ -138,7 +138,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. From e3b8b22f857727ef5deb18bd5f8ad38e72aaa5c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:23:04 -0800 Subject: [PATCH 053/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ea52853e9..4e7efcd55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -102,7 +102,7 @@ Depending on the apps your organization is using, you might be getting false pos 3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) 7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. 
@@ -115,7 +115,7 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. 
The procedures in this section describe how to define exclusions and indicators. @@ -186,7 +186,7 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From a0d3c8e46811e7101948011a7789634861d87425 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:33:09 -0800 Subject: [PATCH 054/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4e7efcd55a..e022ecd644 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
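Review bot: the tip reworded in this hunk sits under `### Classify an alert as a false positive` (its context line is the **Manage alert** / **True alert** / **False alert** step), yet it says "For more information about suppressing alerts"; change it to "about classifying alerts" or move the tip to the suppression section so the pointer matches the procedure it follows.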
@@ -156,7 +156,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) - [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) From 85f16c130ea0dc4a512631922c48d838936c6249 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:34:27 -0800 Subject: [PATCH 055/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e022ecd644..e6352c7739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 829d15f748361815e2953a10f2b33726c5a13c5b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:36:34 -0800 Subject: [PATCH 056/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6352c7739..d1a1651c05 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 13ea23be0e54cf823514a89cb1e7aae5e518520b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:37:49 -0800 Subject: [PATCH 057/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d1a1651c05..692b8001f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,9 +54,9 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. +We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. -#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). 
@@ -64,7 +64,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. -#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. From d1f235b8097193002b28a4845aca1a6684d95a19 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:39:35 -0800 Subject: [PATCH 058/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 692b8001f3..79bd50bdb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
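Review bot: renaming the heading to `#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy)` changes its anchor, and step 2 of the preceding procedure (visible as context in the previous hunk) still links to `#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy`, which no longer matches any heading; update that link to `#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy` in the same commit. The same applies to the `(for existing policies)` rename in the previous hunk if anything links to that heading, since the slug gains `-for-existing-policies`.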
@@ -77,16 +77,18 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -### Remediation for potentially unwanted applications (PUA) +### Remediation for potentially unwanted applications Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. + > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. 
Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). @@ -95,7 +97,7 @@ Depending on the apps your organization is using, you might be getting false pos 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. From f4e06d3edda8d7e7463982471adf3c7d6758f10c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:43:30 -0800 Subject: [PATCH 059/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 79bd50bdb6..945fa7046e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
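Review bot: dropping "(PUA)" from `### Remediation for potentially unwanted applications` changes the heading's anchor from `#remediation-for-potentially-unwanted-applications-pua` to `#remediation-for-potentially-unwanted-applications`, and the settings list near the top of the article (the `@@ -42,7 +42,7 @@` hunk in PATCH 052 shows it) links to `[Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA)`; update that link or keep the suffix in the heading. The two PUA procedure headings renamed later in this patch only gain a parenthetical, which leaves their slugs unchanged, so the `#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile` link in step 2 still resolves.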
@@ -59,7 +59,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. 
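Review bot: the anchor fix in step 2 is right, but the sentence still ends `...-for-a-new-policy)).` with the period outside the parenthetical, while the matching PUA step edited in this same patch ends `.)`; make the two consistent by writing `...-for-a-new-policy).)` here.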
@@ -91,7 +91,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett #### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) From 491246ff122991f20713e366ac4ec1f680b9c3fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:06:40 -0800 Subject: [PATCH 060/190] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 945fa7046e..5bdb3bdb43 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -114,8 +114,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- Define exclusions for Microsoft Defender Antivirus -- Create “allow” indicators for Microsoft Defender for Endpoint +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. 
@@ -128,15 +128,15 @@ In general, you should not need to define exclusions for Microsoft Defender Anti > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. 
@@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: @@ -176,7 +176,10 @@ As alerts are triggered, if you see something that was detected as malicious or You can suppress an alert in the Microsoft Defender Security Center. - +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. ### Classify an alert as a false positive From 212169b3961958a332cc25fb70c2bcd29574198e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:14:08 -0800 Subject: [PATCH 061/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
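Review bot: the second hunk (`@@ -176,7 +176,10 @@`) publishes the suppression procedure with an empty step 4 ("4." followed by nothing), so as a standalone commit it leaves a dangling list item on a live page. Either fill in the step in this commit or end the list at step 3 and add the remaining steps with the follow-up; a half-written procedure for suppressing alerts is worse than no procedure, because a reader may stop at "Select an alert ... to open its **Details** pane" and assume that is all there is to it.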
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5bdb3bdb43..573573fee3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,11 @@ You can suppress an alert in the Microsoft Defender Security Center. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. +4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). ### Classify an alert as a false positive From 9e0135d6f6a59131cb024d703f52e3a92b8f46bb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:25:45 -0800 Subject: [PATCH 062/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573573fee3..eb27f493c0 100644 
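Review bot: step 5 ("Specify all the settings for your suppression rule, and then choose **Save**") is the step that decides how much future signal gets hidden, and it is the vaguest line in the procedure. A suppression rule silences alerts going forward, so the step should at least say to choose the narrowest scope that fits (the single device rather than the whole organization) and to condition the rule on the specific triggering entity rather than on the alert title alone; as written, the linked TIP is doing the work the procedure should do. The TIP wording itself ("Need help with suppression rules?") mirrors the antivirus exclusions TIP above, which is consistent.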
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -195,11 +195,16 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. ## Submit a file for analysis -*https://www.microsoft.com/wdsi/filesubmission/* +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). + +2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). ## Confirm your software uses EV code signing From 6492201cda1c123429423f82730c684011c90521 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:34:23 -0800 Subject: [PATCH 063/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) 
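Review bot: the first bullet of the new TIP ("For more information about suppressing alerts, see ...") sits under the "Classify an alert as a false positive" procedure, whose step 4 is about the **True alert** / **False alert** classification, not suppression; it belongs with the suppression procedure above. The second bullet (define a suppression rule in the SIEM too) is a good addition but should say why: a rule in Defender for Endpoint hides the alert in the portal and a rule in the SIEM hides it there, and an analyst who sees it in one console and not the other will waste time reconciling. In "Submit a file for analysis", "Microsoft security researchers analyze all submissions" is an absolute claim; make sure it matches the submission guide linked in step 1, or soften it.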
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index eb27f493c0..d6efaf4c7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,6 +208,8 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. + *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* ## Still need help? \ No newline at end of file From 0d77afe588ae2158bf2495fc44e7e9a10c0ba20f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:36:11 -0800 Subject: [PATCH 064/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d6efaf4c7c..9894246277 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
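Review bot: the hunk adds an introductory sentence under "Confirm your software uses EV code signing" but leaves the author's draft placeholder ("*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate*") in place, so the section still reads as unfinished; either turn it into a proper link or remove it in this commit rather than shipping both. Minor wording: "help to ensure the software integrity" reads better as "help ensure software integrity". The file also still ends without a trailing newline ("\ No newline at end of file").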
@@ -200,7 +200,7 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Submit a file for analysis -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From 6e94b9e5ea0af085ae814ffae0b05de0f714418e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:41:02 -0800 Subject: [PATCH 065/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9894246277..566483d5ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 1f7a3c6aed3a8baddd7a7949e51c9779f114e90a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:45:25 -0800 Subject: [PATCH 066/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 566483d5ad..8ccb2a1464 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
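Review bot: "By using a reputable certificate, developers can reduce the chances of their software being detected as malware" is correctly hedged, but the paragraph should carry the matching caveat that a valid signature does not by itself clear a file: reputation is attached to the certificate and publisher, and signed binaries are still scanned and can still be detected. Without that sentence, a developer reading this section could conclude that buying a certificate is a substitute for the file-submission step above.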
@@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 8e578d849a19ec35472d887e21d229914248975a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:49:01 -0800 Subject: [PATCH 067/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8ccb2a1464..5fd958105a 100644 
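Review bot: "Extended validation (EV) code signing is a more advanced version of digital certificates" is imprecise. EV is not a different certificate technology; it is a stricter validation level, meaning the certificate authority performs more rigorous vetting of the publisher's identity before issuing the certificate. Suggest: "An extended validation (EV) code signing certificate is issued only after more rigorous vetting of the publisher's identity, which is why software signed with one starts with a stronger reputation." That also explains, rather than just asserts, why the section heading tells the reader to confirm EV signing.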
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -210,6 +210,9 @@ You can submit files, such as false positives or false negatives, to Microsoft f As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* +Want to learn more? See the following resources: + +- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) +- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) ## Still need help? \ No newline at end of file From 1850364615dcad85b73c3acc1695fe72e86a6711 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:01:55 -0800 Subject: [PATCH 068/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
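Review bot: the first bullet of the new "Want to learn more?" list repeats the blog link that the paragraph directly above already carries ("As explained in the blog, [Partnering with the industry to minimize false positives](...)"), so keep one or the other. The second bullet's target lives under `windows-hardware/drivers/dashboard`, which is the driver-signing documentation; if the audience for this section is application developers rather than driver authors, say so, or point to a general code-signing certificate resource alongside it. Replacing the italic placeholder with a real list is the right fix.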
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5fd958105a..20d9296951 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -215,4 +215,10 @@ Want to learn more? See the following resources: - [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) - [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) -## Still need help? \ No newline at end of file +## Still need help? + +If you still need help after working through all the steps in this article, your best bet is to contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file From 55266f36a6982d43f1fb1942165eb0d78873efae Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:03:50 -0800 Subject: [PATCH 069/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
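Review bot: "your best bet is to contact technical support" is conversational for a reference article; "contact technical support" is enough. Step 3 ("describe your issue, and then send your message") would be far more useful if it listed what to include, because it is what support will ask for first: the alert ID or name, the file hash or path, the detection name, and which of the steps in this article were already tried. The file still ends without a trailing newline on both sides of the hunk ("\ No newline at end of file").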
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20d9296951..c0cf213302 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From ce22afb841af4e3c5fbd31bf252c12c22eb5ecb4 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:04:36 -0800 Subject: [PATCH 070/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0cf213302..372f40c539 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -204,7 +204,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). -2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). +2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). ## Confirm your software uses EV code signing From 5893f5768835f358ad7dae1824a2cbaa12a1975c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:42:06 +0500 Subject: [PATCH 071/190] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: mapalko --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index ba1692b00e..8570ec4a63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account. In this case, you need to use a third-party Multi-Factor Authentication provider. +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 97136cf8c9ec2eba91ce0020b387d55baaeb0532 Mon Sep 17 00:00:00 2001 
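Review bot: "using the free Azure Active Directory free tier" says "free" twice; "using the Azure Active Directory free tier" is enough. The last sentence is missing its terminal period ("...concept-mfa-licensing)" with no full stop), and "Multifactor" should match the linked article's "Multi-Factor". On substance, replacing the old "you need to use a third-party Multi-Factor Authentication provider" claim is correct, but the sentence about security defaults should carry the planning caveat that matters here: security defaults are a tenant-wide switch and cannot be used together with Conditional Access policies, so an organization that already has or plans Conditional Access has to make that choice before writing **No** in box **6c**.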
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 Jan 2021 14:47:53 +0500 Subject: [PATCH 072/190] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 8570ec4a63..449642dfe7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multifactor Authentication through the use of security defaults. Some Azure AD Multifactor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From a000c63a559273bb537cab48c9b29396640984a0 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 11:32:59 -0800 Subject: [PATCH 073/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 372f40c539..7b7d214f5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/15/2021 +ms.date: 01/19/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -52,7 +52,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. From 590d25d31b798511becfa79d2b5a3d675cfbfc90 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:07:38 -0800 Subject: [PATCH 074/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b7d214f5c..ec326b2612 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: From 273dd4589a029b55cba7ce0795732b721f4c50fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:09:11 -0800 Subject: [PATCH 075/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ec326b2612..aa6c823ab6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -152,7 +152,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 2614a6dcebeef0d92a5c8245e4b797048e11cc14 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:33:17 +0500 Subject: [PATCH 076/190] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
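Review bot: the reworded sentence "Such "allow" indicators in Microsoft Defender for Endpoint apply to:" is followed by a list of capabilities, but the reader still has to work out which indicator types (the paragraph above names files, IP addresses, and URLs) each capability honours; one clause per list item, or a short table, would make the exclusion behaviour unambiguous, which is the whole point of this section. The intro should also say that an allow indicator can be scoped to device groups, because an organization-wide allow for a file is a much larger exception than the per-policy antivirus exclusion described earlier, and the two are easy to confuse.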
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 449642dfe7..0c252830e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing) +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From 576057ec5bce89bcafe9d656d7ba013088bbf163 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 20 Jan 2021 18:36:10 +0500 Subject: [PATCH 077/190] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0c252830e7..cb3a0081f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -332,7 +332,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. From c466bf04c640455788b97a07d5a031617adb1a85 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:47:46 -0800 Subject: [PATCH 078/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index aa6c823ab6..473172524a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -166,7 +166,15 @@ Your security team can create indicators for files, IP addresses, URLs, domains, - [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the information, including prerequisites, +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | + + + + ## Classify a false positive or false negative From 5eb90ebe273a332b300d734c429c492da1382cb3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:51:21 -0800 Subject: [PATCH 079/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 473172524a..b8a979b127 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -171,6 +171,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files
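Review bot: the new Files row in the `@@ -166,7 +166,15 @@` hunk has four cells while the header `| Indicator type | Prerequisites | Notes |` declares three: the cell "Make sure the [Block or allow feature is turned on](...)." sits between the Prerequisites and Notes cells, so the Notes text will render in a phantom fourth column. Fold that requirement into the Prerequisites cell, where it belongs as a prerequisite. In the same row, "Your antimalware client version is must be 4.18.1901.x or later." and "Your devices are must be running" each carry a stray "is"/"are". The four blank `+` lines inserted before "## Classify a false positive or false negative" can be reduced to one.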

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | + + + + + From e8f163965b5dbb0b5d731d0be21fe66ffd47d26e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:58:24 -0800 Subject: [PATCH 080/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b8a979b127..8122abd1da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -170,8 +170,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| -|Files
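Review bot: in the new "IP addresses and URLs" row of the `@@ -171,6 +171,12 @@` hunk, the Indicator type cell says "IP is supported for all three protocols" without naming them; the protocols (TCP, HTTP, and HTTPS) only appear later in the Notes cell, so name them here or point to that list. Consistency in the same row: "Your devices must be running Windows 10, version 1709 or later", "Only single IP addresses are supported (no CIDR blocks or IP ranges)" and both "Encrypted URL" sentences lack terminal periods, "Encrypted URLS" should be "Encrypted URLs", and "first party browsers" should be hyphenated as "first-party browsers". Five blank `+` lines are appended after the table; one is enough.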

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | + + + From 66c7569f3377716bba0b8e5e9afad6a8308ddb6c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:26 -0800 Subject: [PATCH 081/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8122abd1da..f5ce4cceed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -172,7 +172,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |----|----|---| |Files
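Review bot: the new Certificates row in the `@@ -170,8 +170,12 @@` hunk ends after the Prerequisites cell ("Your virus and threat protection definitions must be up to date. |") with no Notes cell, so it has two columns against the three-column header and will not line up with the Files and IP rows; add the Notes cell, or at least an empty trailing cell, to keep the row aligned. In the reworked Files row, "Trying to block trusted, signed files, can have performance implications." has a stray comma before "can", and the Notes sentence ending "prior to the allow or block action" is missing its period.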

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + From 08442412663eeb9785fb3a9a1d189c1f0b2dd354 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:58 -0800 Subject: [PATCH 082/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f5ce4cceed..5d51a6f36d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -174,19 +174,6 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | IP addresses and URLs
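Review bot: the Notes cell added for Certificates in the `@@ -172,7 +172,8 @@` hunk mixes "IOCs" and "IoC" within one sentence ("The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported."); use "IoC" throughout, as the rest of the cell does, and split the comma splice so "Only leaf certificates are supported." stands as its own sentence. Smaller points in the same cell: "chained to the Root Certificate Authority (CA) trusted by Microsoft" reads better as "chained to a root CA trusted by Microsoft", "Microsoft signed certificates" should be hyphenated "Microsoft-signed", and "create and remove a certificate IoC" is presumably "create or remove".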

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | - - - - - - - - - - - - - ## Classify a false positive or false negative As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 0b2d7ab3e403ea122bd6e5aa85b23cc645cdb053 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:08:22 -0800 Subject: [PATCH 083/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d51a6f36d..2242561c26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/19/2021 +ms.date: 01/21/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From 6b129e368cc8e97a8680dbbed15979b112de427b Mon Sep 17 00:00:00 2001 
From: Ben Alfasi Date: Thu, 21 Jan 2021 20:52:24 +0200 Subject: [PATCH 084/190] 1 --- .../find-machine-info-by-ip.md | 95 ------------------- .../find-machines-by-tag.md | 82 ++++++++++++++++ 2 files changed, 82 insertions(+), 95 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md create mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md deleted file mode 100644 index b94742b61d..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -title: Find device information by internal IP API -description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP. -keywords: ip, apis, graph api, supported apis, find device, device information -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Find device information by internal IP API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -Find a device by internal IP. - ->[!NOTE] ->The timestamp must be within the last 30 days. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Machine.Read.All | 'Read all machine profiles' -Application | Machine.ReadWrite.All | 'Read and write all machine information' - -## HTTP request -``` -GET /api/machines/find(timestamp={time},key={IP}) -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. 
- - -## Request body -Empty - -## Response -If successful and machine exists - 200 OK. -If no machine found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", - "value": [ - { - "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", - "computerDnsName": "", - "firstSeen": "2017-07-06T01:25:04.9480498Z", - "osPlatform": "Windows10", -… -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md new file mode 100644 index 0000000000..d076dc226e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md 
@@ -0,0 +1,82 @@ +--- +title: Find devices by tag API +description: Find all devices that contain specifc tag +keywords: apis, supported apis, get, device, find, find device, by tag, tag +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Find devices by tag API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Find [Machines](machine.md) by [Tag](machine-tags.md). + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. 
To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +``` +GET /api/machines/findbytag(tag='{tag}') +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + +## Request body +Empty + +## Response +If successful - 200 OK with list of the machines in the response body. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') +``` From 704a3a87252a456ce34bc8242c86ddec26dbdb1c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 21 Jan 2021 21:30:59 +0200 Subject: [PATCH 085/190] add info about network boundary https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8880 --- .../md-app-guard-overview.md | 1 + 1 file changed, 1 insertion(+) 
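Review bot: the `[!Note]` block under Permissions repeats the same bullet twice ("Response will include only devices that the user have access to based on device group settings"); drop the second copy and fix the agreement ("the user has access to"). Three more points on the same page: the front-matter description misspells "specifc"; the Example section shows a request but no response, unlike the sibling machine APIs, so add a sample `200 OK` body (a `value` array of machine objects) or state outright that the body is the same `machine` collection as List machines; and because the tag travels inside an OData string literal (`GET /api/machines/findbytag(tag='{tag}')`), say that a tag containing a single quote must be written with the quote doubled (`''`) and that the whole value must be URL-encoded, otherwise tags with spaces or quotes produce a malformed request. The rate-limit line and the permission table read fine.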
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 98150e0f15..0c47055df2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,3 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From ac2d63462d8d096c5e9fd0aeead6a1839214af29 Mon Sep 17 00:00:00 2001 
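Review bot: the new table row's description is a sentence fragment ("Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization."), while every other row in this table opens with "Describes" or "Provides"; reword along the lines of "Describes how to use a network boundary in Microsoft Intune to define the sites your organization trusts, so that Application Guard treats everything else as untrusted." Also drop the `/en-us/` locale segment from the URL so it matches the other docs.microsoft.com links in the table and follows the reader's own locale instead of pinning English.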
From: Ben Alfasi Date: Thu, 21 Jan 2021 21:48:12 +0200 Subject: [PATCH 086/190] 1 --- .../find-machines-by-tag.md | 2 +- .../import-ti-indicators.md | 141 ++++++++++++++++++ .../post-ti-indicator.md | 5 +- 3 files changed, 145 insertions(+), 3 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index d076dc226e..c077f850b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -79,4 +79,4 @@ Here is an example of the request. ``` GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md new file mode 100644 index 0000000000..acc7328e9d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md 
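Review bot: the only change to `find-machines-by-tag.md` in this commit is stripping the trailing newline (`\ No newline at end of file`) from a file that was created with one a few commits earlier; revert that so the file ends with a newline, otherwise every later edit to the last line shows up as a two-line diff and some linters flag the file.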
@@ -0,0 +1,141 @@ +--- +title: Import Indicators API +description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection. +keywords: apis, supported apis, submit, ti, indicator, update +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Import Indicators API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Submits or Updates batch of [Indicator](ti-indicator.md) entities. +
CIDR notation for IPs is not supported. + +## Limitations +1. Rate limitations for this API are 30 calls per minute. +2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write Indicators' +Application | Ti.ReadWrite.All | 'Read and write All Indicators' +Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' + + +## HTTP request +``` +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required** + + +## Response +- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below. +- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` +```json +{ + "Indicators": + [ + { + "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "demo", + "application": "demo-test", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Informational", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": ["group1", "group2"] + }, + { + "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222", + "indicatorType": "FileSha256", + "title": "demo2", + "application": "demo-test2", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Medium", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": [] + } + ] +} +``` + +**Request** + +Here is an example of the request. + +```json +{ + "value": [ + { + "id": "2841", + "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "isFailed": false, + "failureReason": null + }, + { + "id": "2842", + "indicator": "2233223322332233223322332233223322332233223322332233223322332222", + "isFailed": false, + "failureReason": null + } + ] +} +``` + +## Related topic +- [Manage indicators](manage-indicators.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index ac9c3929ea..433f0a15eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -32,7 +32,7 @@ ms.topic: article ## API description Submits or Updates new [Indicator](ti-indicator.md) entity. -
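Review bot: the Response section should state plainly that `200 OK` does not mean every indicator was accepted: the sample body returns one result object per indicator with `isFailed` and `failureReason`, so a client has to walk the `value` list and check each `isFailed` instead of trusting the HTTP status; as written, "200 - OK response code with a list of import results per indicator" is easy to misread as all-or-nothing, and a batch that silently drops half its indicators is exactly the failure mode an import API needs to warn about. Smaller points: the second example is captioned "**Request** / Here is an example of the request." but is the response body (the next commit in this series fixes it; fine to squash); the front-matter description still says "Microsoft Defender Advanced Threat Protection" while the body uses "Microsoft Defender for Endpoint"; "Submits or Updates batch of" should read "Submits or updates a batch of"; the Limitations list gives the per-minute rate and the 15,000 active-indicator tenant cap but not the maximum number of indicators per call, which is the number a batch client actually sizes against; and the `rbacGroupNames` field in the example deserves one sentence on what an empty array means, since the two sample indicators show both a populated list and `[]`.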
CIDR notation for IPs is supported. +
CIDR notation for IPs is not supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -90,7 +90,8 @@ Here is an example of the request. ``` POST https://api.securitycenter.microsoft.com/api/indicators -Content-type: application/json +``` +```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", From 08ff136c0d20cf3c6c98780e6f136920d362f91d Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 21 Jan 2021 21:48:50 +0200 Subject: [PATCH 087/190] 2 --- .../microsoft-defender-atp/import-ti-indicators.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index acc7328e9d..822e0f9985 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -114,9 +114,9 @@ POST https://api.securitycenter.microsoft.com/api/indicators/import } ``` -**Request** +**Response** -Here is an example of the request. +Here is an example of the response. ```json { From 8f1150a12f25a24568016709705f1c62e43855f1 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 21 Jan 2021 22:10:40 +0200 Subject: [PATCH 088/190] 1 --- windows/security/threat-protection/TOC.md | 2 ++ .../threat-protection/microsoft-defender-atp/machine.md | 1 + .../threat-protection/microsoft-defender-atp/ti-indicator.md | 3 ++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 4fd85c48d2..af35c57f47 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
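Review bot: flipping "CIDR notation for IPs is supported" to "is not supported" is a behaviour change for anyone who submitted network-range indicators on the strength of the old text, so it merits a line in the page's own history or release notes rather than a bare wording swap, and the `ti-indicator.md` entity page and the manage-indicators page should be checked to say the same thing, since the new import page in this series also says "not supported" and all three must agree. Splitting the example into a bare `POST` line and a separate ```json fence is fine, but the `Content-type: application/json` line was dropped from the example; the sibling import page lists Content-Type as a required header, so keep it in this example too so a copy-pasted request works. The following commit's Request→Response relabel on the import page is a straight fix.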
@@ -550,6 +550,7 @@ ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md) ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) +####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md) ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md) ####### [Set device value](microsoft-defender-atp/set-device-value.md) @@ -576,6 +577,7 @@ ###### [Indicators]() ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md) ####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md) +####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md) ####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md) ####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 53bdfe131c..f4952472cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md 
@@ -44,6 +44,7 @@ Method|Return Type |Description [Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID. [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. +[Find machines by tag](find-machines-by-tag.md) | [machine](machine.md) collection | Find machines by [Tag](machine-tags.md). [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID [Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 39a5774d5c..1b6bef4976 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -35,7 +35,8 @@ ms.topic: article Method|Return Type |Description :---|:---|:--- [List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities. -[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity. +[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity. +[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities. [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity. 
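Review bot: in the `ti-indicator.md` method table the new row reads "Submit or update [Indicators] entities", which is ungrammatical; "Submits or updates a batch of Indicator entities" matches the third-person rows around it ("Submits", "Deletes") and the import page's own API description. The TOC entries and the `machine.md` row are consistent with the new pages: the "machine collection" return type on the Find-by-tag row agrees with what the find-by-tag page says it returns.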
From 544c3c53ee7ae950290838dedfa6121e7da41a6d Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 21 Jan 2021 12:35:36 -0800 Subject: [PATCH 089/190] Update .openpublishing.redirection.json redirect for deleted file --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 0cf060785e..7bcd7f8d15 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15110,6 +15110,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis", From 4d281e31d100e182c94040de6bbde8ee1a8202b9 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 12:54:14 -0800 Subject: [PATCH 090/190] Update waas-delivery-optimization.md Add Edge browser support to content type table. --- windows/deployment/update/waas-delivery-optimization.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index de5f866595..7337c717c1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
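Review bot: this entry creates a redirect chain: the entry just above it (visible in the context lines) already sends an older path to `.../find-machine-info-by-ip`, and the new entry sends `find-machine-info-by-ip.md` on to `.../find-machines-by-ip`. Point the earlier entry's `redirect_url` straight at `find-machines-by-ip` so readers get one hop, and then revisit `redirect_document_id`: the earlier entry claims the document ID with `true`, and that ID should follow the page to its final location rather than stop at a path that no longer exists, so the `true`/`false` pair between the two entries looks inverted.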
@@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b - Office installations and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - - Edge browser installations and updates + - Edge browser installs and updates ## Requirements @@ -90,7 +90,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 63ed3c92e22d2030cf7eb4918c71a2bcf5947f23 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Thu, 21 Jan 2021 16:52:46 -0800 Subject: [PATCH 091/190] Add troubleshooting for DC certs from 3rd party CAs --- .../hello-deployment-issues.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 4dece74866..96f5181b12 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -45,6 +45,39 @@ After the initial logon attempt, the user's Windows Hello for Business public ke To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)). +## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA) + +Applies to: + +- Azure AD joined key trust deployments +- Third-party certificate authority (CA) issuing domain controller certificates + +Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. + +For more information, read [Guidelines for enabling smart card logon with third-party certification authorities]( +https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78). + +### Identifying On-premises Resource Access Issues with Third-Party CAs + +This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in Kerberos event logs: + + The Kerberos client received a KDC certificate that does not have a matched domain name. 
+ Expected Domain Name: ad.contoso.com + Error Code: 0xC000006D + +See [How to enable Kerberos event logging](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-kerberos-event-logging#enable-kerberos-event-logging-on-a-specific-computer) for information on enabling Kerberos logs on a client device. + +### Resolving On-premises Resource Access Issue with Third-Party CAs + +To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name). +Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com + +Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain. +Example Subject Alternative Name: +dns=dc1.ad.contoso.com +dns=ad.contoso.com +dns=ad + ## Key Trust Authentication Broken for Windows Server 2019 Applies to: From 1e96248e32a1da6172b1b24587481405dba6c81c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 21 Jan 2021 20:01:51 -0800 Subject: [PATCH 092/190] Update waas-delivery-optimization.md Add Dynamic updates support --- windows/deployment/update/waas-delivery-optimization.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 7337c717c1..599fd37ab1 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates + - Dynamic updates ## Requirements 
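Review bot: the example subject "CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com" is not a valid distinguished name: it is missing the comma after `CN=DC1`, and the default container for domain controllers is `OU=Domain Controllers` (plural), so the line should read `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com`; a reader who copies it into a certificate template gets a subject that does not match the DC's directory path, which is the exact mismatch this section is telling them to fix. Also: the markdown link to the smart-card guidelines has a line break between `](` and the URL, which breaks the link in most renderers, so put it on one line; the Kerberos event text ("The Kerberos client received a KDC certificate..." through "Error Code: 0xC000006D") and the SAN example (`dns=dc1.ad.contoso.com`, `dns=ad.contoso.com`, `dns=ad`) are bare indented lines and should be fenced so they render as shown; and the context line above the hunk still reads "upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches", so drop the stray "to" while you are here.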
@@ -92,6 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | +| Dynamic updates | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From f7b513116952b788788b1856b6fc3ed945558a00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:14:46 -0800 Subject: [PATCH 093/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2242561c26..1083895ed8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/21/2021 +ms.date: 01/22/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From cc97ce85b1d8549daebc662e47e134c7f1df2b32 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:27:52 -0800 Subject: [PATCH 094/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 95 +++++++++++++++++-- 1 file changed, 89 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1083895ed8..0a7de859a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -31,15 +31,98 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: -- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); -- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); -- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); -- [Submitting files for further analysis](#submit-a-file-for-analysis); and -- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: + +1. Reviewing and classifying alerts +2. Reviewing remediation actions that were taken +3. Reviewing and defining exclusions +4. Submitting an entity for analysis +5. 
Reviewing your threat protection settings If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +## Review and classify alerts + +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. + +Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. +1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Take one of the following steps: + - If the alert is accurate, assign and investigate the alert further. 
+ - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. + +### Classify an alert as a false positive + +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? 
See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about the remediation action that was taken. + +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +- Isolate device +- Restrict code execution +- Quarantine a file +- Remove a registry key +- Stop a service +- Disable a driver +- Remove a scheduled task + +### To undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) + +### To undo multiple actions at one time + +1. 
Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + + ## Review your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From a5c3e6656d506074a70daafa4d2842b74139b586 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:29:36 -0800 Subject: [PATCH 095/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 130 +++++++++--------- 1 file changed, 66 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a7de859a9..4f8b62add6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
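Review bot: the guidance "If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert" needs a caveat: a suppression rule silences every future alert that matches it, so for a true positive the rule should be scoped as narrowly as the Create suppression rule flyout allows (the specific entity and, where the option exists, the single device) rather than organization-wide, or the next non-benign hit on the same entity vanishes with it; the same caveat belongs on the earlier sentence that invites suppressing alerts that "are not necessarily false positives". Smaller fixes in the same hunk: "If your security operations team see" should be "sees"; "Select an alert to more details" should be "to view more details"; the tip about suppression rules sits under "Classify an alert as a false positive" but belongs under "Suppress an alert"; and the list of undoable actions includes "Isolate device" and "Restrict code execution", which do not appear in the list of actions that "can occur automatically" above it, so either say those two are analyst response actions rather than automated-investigation outcomes, or add them to both lists.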
@@ -122,6 +122,72 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. 
+ +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. 
For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. 
Such "allow" indicators in Microsoft Defender for Endpoint apply to: + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): + +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) + +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + + ## Review your threat protection settings 
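Review bot: the table rows in the added section are split across many lines (the `|Files`, `| IP addresses and URLs` and `| Certificates` rows each spread over a dozen or more lines), but a Markdown pipe table needs each row on one line; either those cells carry `<br/>` separators that this view renders as line breaks, or the table will not render, so please confirm the source uses `<br/>` (or equivalent) inside the multi-line cells. Smaller points in the same hunk: "Encrypted URLS (FQDN only)" should be "Encrypted URLs"; "first party browsers" reads better as "first-party browsers"; the tip links `[create indicators](manage-indicators.md)` with a relative path while everything else in the section uses absolute docs.microsoft.com links, so pick one style; "IP is supported for all three protocols" does not say which protocols, while the Notes cell later names TCP, HTTP and HTTPS, so name them where first mentioned; and the first Notes sentence for Files ("...prior to the allow or block action") is missing its terminating period.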
@@ -192,70 +258,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions for Microsoft Defender for Endpoint - -An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. - -To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) -- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) - -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. 
To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. - -The procedures in this section describe how to define exclusions and indicators. - -### Exclusions for Microsoft Defender Antivirus - -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. - -> [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). - -#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) - -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). -3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. -4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. -5. Choose **Review + save**, and then choose **Save**. - -#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions - -1. 
Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). -4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. -5. Specify a name and description for the profile, and then choose **Next**. -6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) -9. On the **Review + create** tab, review the settings, and then choose **Create**. - -### Indicators for Microsoft Defender for Endpoint - -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. - -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. 
Such "allow" indicators in Microsoft Defender for Endpoint apply to: - -- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) - -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) - -> [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). - -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | ## Classify a false positive or false negative From 4cb7b0ff725dc24fdb77c1f92523830eada4333f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:49:02 -0800 Subject: [PATCH 096/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 111 ++++++++---------- 1 file changed, 47 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4f8b62add6..cb0ee4077d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,7 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. Reviewing and classifying alerts +1. [Reviewing and classifying alerts](#review-and-classify-alerts) 2. Reviewing remediation actions that were taken 3. Reviewing and defining exclusions 4. Submitting an entity for analysis 
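Review bot: the `@@ -192,70 +258,6 @@` hunk is the removal half of moving the exclusions section ahead of "Review your threat protection settings"; on a read-through the removed block matches the added block in the previous hunk, but please diff the two to confirm nothing was lost in the move. Two typos sit in the unchanged context at the top of this hunk and could be fixed while the file is open: step 8 "applied to all devices certain editions of Windows 10" is missing "running", and step 9 "review your settings, and, and then choose **Create**" duplicates "and,".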
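Review bot: in the `@@ -33,7 +33,7 @@` hunk only step 1 of the process list gets an in-page link (`#review-and-classify-alerts`), while steps 2 to 4 stay plain text even though matching sections exist in this file (`## Review remediation actions` and `## Review or define exclusions for Microsoft Defender for Endpoint` are both visible in this patch series); link them the same way for consistency, for example `2. [Reviewing remediation actions that were taken](#review-remediation-actions)`.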
@@ -47,10 +47,12 @@ If your security operations team see an alert that was triggered because somethi Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. -1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps: @@ -60,7 +62,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat ### Classify an alert as a false positive -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. 
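Review bot: in the `@@ -47,10 +47,12 @@` hunk the unchanged step 3, "Select an alert to more details about the alert", is missing a verb ("to view more details"); since this hunk already touches the lines around it, fix it here. The hunk header context "If your security operations team see an alert" should read "sees". The change itself, turning the bare Security Center URL into a Markdown link, matches the style already used in the other procedures.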
@@ -110,13 +112,13 @@ If you find that a remediation action was taken automatically on an entity that - Disable a driver - Remove a scheduled task -### To undo an action +### Undo an action 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. 3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) -### To undo multiple actions at one time +### Undo multiple actions at one time 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select the actions that you want to undo. 
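Review bot: renaming "### To undo an action" to "### Undo an action" (and the multiple-actions heading likewise) changes the auto-generated anchors from `#to-undo-an-action` to `#undo-an-action`, so check this file and any cross-linking articles for the old anchors before merging. The new wording does match the imperative style of the other procedure headings ("Review completed actions").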
@@ -163,7 +165,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: 
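Review bot: the inserted gloss "(specifically, indicators of compromise, or IoCs)" is a slight misnomer for this section, which is about "allow" indicators used to exclude known-good entities; an allow-listed file is not evidence of compromise. Consider "custom indicators (IoCs)" or plain "indicators" here and keep the compromise expansion for the block case. Whichever term is kept, use one spelling throughout the table, which currently mixes "IOCs" and "IoC" in the Certificates notes.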
@@ -171,23 +173,52 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +## Submit a file for analysis +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? 
+ +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). ## Review your threat protection settings 
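Review bot: the new `## Submit a file for analysis` heading is immediately followed by a `### Submit a file for analysis` subheading with identical text, so the renderer will emit two colliding ids (`#submit-a-file-for-analysis` and a `-1` variant) and any in-page link to this section becomes ambiguous; rename the H3, for example `### Submit a file that was wrongly detected or missed`, or drop it and let the H2 introduce the file steps directly. In the fileless steps, step 1 has stray spaces inside the code span and the bold markers (`` ` C:\ProgramData\Microsoft\Windows Defender\Platform\` `` and `** MpCmdRun.exe**`), which stops the bold from rendering, and the intro calls the archive `Mpsupport.cab` while step 2 names it `MpSupportFiles.cab`; use one filename. The tip also links `[create indicators](manage-indicators.md)` with a relative path while every other link in the hunk is an absolute docs.microsoft.com URL.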
@@ -258,54 +289,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - -## Classify a false positive or false negative - -As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - -### Suppress an alert - -You can suppress an alert in the Microsoft Defender Security Center. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. In the navigation pane, select **Alerts queue**. -3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. -5. Specify all the settings for your suppression rule, and then choose **Save**. - -> [!TIP] -> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). - -### Classify an alert as a false positive - -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. - -1. 
Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. Select **Alerts queue**, and then select an alert that is a false positive. -3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. - -> [!TIP] -> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). -> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. - -## Submit a file for analysis - -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. - -1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). - -2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). - -## Confirm your software uses EV code signing - -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. 
Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. - -Want to learn more? See the following resources: - -- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) -- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) - ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 5b04617b295d16a1106326c79c481534acd475fe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:50:56 -0800 Subject: [PATCH 097/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cb0ee4077d..69d5634efb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -19,7 +19,7 @@ ms.collection: - m365-security-compliance - m365initiative-defender-endpoint ms.topic: conceptual -ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola ms.custom: FPFN --- 
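Review bot: in the -258 hunk, removing the `## Confirm your software uses EV code signing` section and the tip `If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.` drops guidance that has no replacement visible in this hunk; either keep those two pieces or state in the commit message where they moved, since the remaining step list nowhere mentions certificate reputation or mirroring suppression rules in a SIEM. While here, the unchanged context line for step 9 reads `review your settings, and, and then choose **Create**` (doubled `and`), and step 8 is missing a word in `applied to all devices certain editions of Windows 10` (presumably `all devices running certain editions`); both are worth fixing in the same PR.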
@@ -34,10 +34,10 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: 1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. Reviewing remediation actions that were taken -3. Reviewing and defining exclusions -4. Submitting an entity for analysis -5. Reviewing your threat protection settings +2. [Reviewing remediation actions that were taken](#review-remediation-actions) +3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From af20c1f8c8f7088cdd22e4c189ab37f64fcfc0f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:53:42 -0800 Subject: [PATCH 098/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
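Review bot: the `#submit-a-file-for-analysis` anchor added in step 4 is ambiguous, because the -171 hunk earlier in this series gives the file both an H2 and an H3 titled `Submit a file for analysis`, so the link resolves to whichever heading the renderer assigns the un-suffixed id; the target headings for `#review-or-define-exclusions-for-microsoft-defender-for-endpoint` and `#review-remediation-actions` are not visible in this patch at all. Verify each of the four new anchors against the rendered heading ids before merge; only `#review-your-threat-protection-settings` can be confirmed from the `## Review your threat protection settings` heading shown above.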
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 69d5634efb..dd7dfd3caa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -103,7 +103,7 @@ Other actions, such as starting an antivirus scan or collecting an investigation 2. Select the **History** tab. 3. Select an item to view more details about the remediation action that was taken. -If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions: - Isolate device - Restrict code execution - Quarantine a file @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] From 5596fcc20ce34f2ef0ec31a0c5f2112e18140cd4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:54:20 -0800 Subject: [PATCH 099/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index dd7dfd3caa..977f0216f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -4,8 +4,8 @@ description: Learn how to handle false positives or false negatives in Microsoft keywords: alert, exclusion, defender atp, false positive, false negative search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From 384d221117fb45f3da607eb5d2c907d3284f4c6e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:58:11 -0800 Subject: [PATCH 100/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 977f0216f7..820e4412bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
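Review bot: the -103 hunk changes `Remediation actions that you can undo include the following:` to `You can undo the following remediation actions:`, which turns a non-exhaustive `include` into an exhaustive statement; confirm that `Isolate device`, `Restrict code execution`, `Quarantine a file` and the rest of that list are the only undoable actions, otherwise keep wording that allows for others, for example `Remediation actions you can undo include:`.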
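Review bot: the -178 hunk only swaps `leverages` for `uses` in the IP addresses and URLs row, but the Files row of the same table still reads `The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action` (no terminal period, awkward `cannot be done on`) and `Trying to block trusted, signed files, can have performance implications.` (stray comma before the verb); give those cells the same pass, for example `Allow or block cannot be applied to a file whose classification is already in the device's cache.` and `Trying to block trusted, signed files can have performance implications.`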
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -175,11 +175,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +| Indicator type | Prerequisites | +|:----|:----| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From e06f4cba036a2a9599136aff2de740050b8168ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:20 -0800 Subject: [PATCH 101/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 820e4412bb..81d6258ac3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,8 +177,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] From 5912f7dd084c88e5e4b1af9e08edbecbdb101b71 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:45 -0800 Subject: [PATCH 102/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 81d6258ac3..9e6d2a7b81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**
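Review bot: in the PATCH 101 hunk (@@ -177,8 +177,8 @@) the `+` lines bold the **Files** and **IP addresses and URLs** labels but the Certificates row in the trailing context (`| Certificates<br/>`) stays unbolded, so the rendered table has mixed emphasis; bold all three labels in the same commit rather than a follow-up. The same `+` lines also carry wording that should be fixed while these rows are being touched: `IP is supported for all three protocols` never names the protocols, although the same cell later says Network Protection `allows blocks for TCP, HTTP, and HTTPS (TLS)`, so write `IP indicators are supported for TCP, HTTP, and HTTPS`; `Encrypted URLS (FQDN only)` should read `Encrypted URLs`; and `first party browsers` needs a hyphen (`first-party`). The Files row drops the trailing period after the `Create an indicator for a file` link while the other sentences in that cell keep theirs; pick one convention for the cell.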

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From bfee91e04c29c9cb209372e135e9a521d8109666 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:00:49 -0800 Subject: [PATCH 103/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e6d2a7b81..6f17620125 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,7 +177,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**
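Review bot: in the PATCH 102 hunk (@@ -179,7 +179,7 @@) the only change is bolding the Certificates label, but the rewritten `+` line keeps two inconsistencies that belong in the same edit: `allow/block certificate IOCs` and `allow/block IoC functionality` spell the acronym two ways in one sentence, and `Microsoft signed certificates` needs a hyphen (`Microsoft-signed`). The sentence `A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft` mixes `is` and `must be`; `A valid leaf certificate is a signing certificate with a valid certification path that chains to a root CA trusted by Microsoft` says the same thing cleanly. The self-signed alternative also needs a caveat for anyone creating an allow indicator: as the line states, trust comes from the root CA certificate installed under Local Machine Trusted Root Certification Authorities, so an allow indicator on a custom certificate is only as strong as control over that store on each device, and the doc should say so next to that sentence.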

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | From da2f03ef717aa23a0e3a86c7f81ee598a4ba9ddf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:04:10 -0800 Subject: [PATCH 104/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6f17620125..2896e64818 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
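Review bot: in the PATCH 103 hunk (@@ -177,7 +177,7 @@) the change from `a couple of minutes` to `a few minutes` is fine, but the same `+` line still has a stray comma in `Trying to block trusted, signed files, can have performance implications` (drop the comma after `files`), and the sentence `The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action` has no terminal punctuation and gives the reader no practical consequence: say what an admin should expect when a block or allow indicator is created for a file a device has already classified, and what, if anything, they can do about it, since as written they cannot tell why a new indicator appears to have no effect.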
@@ -33,21 +33,20 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. [Reviewing remediation actions that were taken](#review-remediation-actions) -3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) -4. [Submitting an entity for analysis](#submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) +1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) +2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. 
-## Review and classify alerts +## Part 1: Review and classify alerts If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. @@ -85,7 +84,7 @@ If you have alerts that are either false positives or are for unimportant events > [!TIP] > Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). -## Review remediation actions +## Part 2: Review remediation actions [Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: - Quarantine a file 
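Review bot: in the @@ -33,21 +33,20 @@ hunk the five list links are rewritten to the new `#part-N-...` fragments and each matches the heading renamed in the later hunks (including `#part-5-review-and-adjust-your-threat-protection-settings` against `## Part 5: Review and adjust your threat protection settings`), but renaming a heading changes its fragment identifier, and any inbound link from another page or the TOC that still uses `#review-and-classify-alerts`, `#review-remediation-actions`, `#review-or-define-exclusions-for-microsoft-defender-for-endpoint`, `#submit-a-file-for-analysis` or `#review-your-threat-protection-settings` will now land silently at the top of the page; grep the repo for those fragments before merging.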
@@ -124,7 +123,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. @@ -184,7 +183,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -## Submit a file for analysis +## Part 4: Submit a file for analysis You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. 
@@ -220,7 +219,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi > [!TIP] > To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). -## Review your threat protection settings +## Part 5: Review and adjust your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From 21b877a8f0c60800a12928292c28c5fb344975d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:08:15 -0800 Subject: [PATCH 105/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2896e64818..8061a0af30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -176,9 +176,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 88a45ee671d150a2c6f0450362b878debfd7df74 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:09:24 -0800 Subject: [PATCH 106/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8061a0af30..5b2bb0e35f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 616ad2ad31e4cbb6c8c9511d36dc7a7aff9150b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:10:00 -0800 Subject: [PATCH 107/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5b2bb0e35f..b7016cc7ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
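Review bot: In the Certificates row of the patch 105 hunk the prerequisites cell still carries a bulleted Windows-version list (`- Windows 10, version 1703 or later`, `- Windows Server 2016`, `- Windows Server 2019`) inside a table cell, which does not render as a list in a Markdown table and is inconsistent with the Files row, which the same hunk flattens to `Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019`; patch 106 flattens the Certificates row the same way, so the two commits could be squashed. Two style points survive in both hunks: `IOCs` and `IoC` are mixed in one sentence (`The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality`), and `Encrypted URLS (FQDN only)` should read `URLs`, with `first party browsers` hyphenated as `first-party browsers` in the two sentences about Internet Explorer and Edge.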
@@ -37,7 +37,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From 7314f0dc114c77be6ad51885a82d2bda31189ef8 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Fri, 22 Jan 2021 11:43:37 +0200 Subject: [PATCH 108/190] 1 --- .../find-machine-info-by-ip.md | 96 ------------------- 1 file changed, 96 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md deleted file mode 100644 index b00bf9017d..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -title: Find device information by internal IP API -description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP. -keywords: ip, apis, graph api, supported apis, find device, device information -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.technology: mde ---- - -# Find device information by internal IP API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -Find a device by internal IP. - ->[!NOTE] ->The timestamp must be within the last 30 days. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Machine.Read.All | 'Read all machine profiles' -Application | Machine.ReadWrite.All | 'Read and write all machine information' - -## HTTP request -``` -GET /api/machines/find(timestamp={time},key={IP}) -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. 
- - -## Request body -Empty - -## Response -If successful and machine exists - 200 OK. -If no machine found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", - "value": [ - { - "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", - "computerDnsName": "", - "firstSeen": "2017-07-06T01:25:04.9480498Z", - "osPlatform": "Windows10", -… -} -``` From 36c2c65cd728ce4e98098f23554b8acf27f1a4da Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 22 Jan 2021 09:57:40 -0800 Subject: [PATCH 109/190] updating logging information for 3rd party CA SSO issue --- .../hello-for-business/hello-deployment-issues.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 96f5181b12..2c22e05685 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
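Review bot: Deleting `find-machine-info-by-ip.md` outright without a redirect leaves existing links and search results for the topic returning 404; add a redirect entry for the old path and remove the topic from the TOC and from any page that links to it (the deleted page itself links to `apis-intro.md`, so check whether that page or the API TOC links back). The subject line `1` also gives a reviewer no indication of why the API topic is being removed; a short message stating whether the endpoint was retired or the content merged into another page would help.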
@@ -59,14 +59,23 @@ https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78). ### Identifying On-premises Resource Access Issues with Third-Party CAs -This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in Kerberos event logs: +This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information: + + Log Name: Microsoft-Windows-Kerberos/Operational + Source: Microsoft-Windows-Security-Kerberos + Event ID: 107 + GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Description: The Kerberos client received a KDC certificate that does not have a matched domain name. + Expected Domain Name: ad.contoso.com Error Code: 0xC000006D -See [How to enable Kerberos event logging](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-kerberos-event-logging#enable-kerberos-event-logging-on-a-specific-computer) for information on enabling Kerberos logs on a client device. - ### Resolving On-premises Resource Access Issue with Third-Party CAs To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name). From cce30db3faa820a68826c9c532b23c8d07ae4659 Mon Sep 17 00:00:00 2001 
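Review bot: The new paragraph states that the Security-Kerberos Operational log is disabled by default, but the same hunk removes the only pointer on how to enable it (the `See [How to enable Kerberos event logging](...)` line), so a reader following this procedure has no way to turn the log on; keep that link or add a sentence on enabling the Operational channel. Two details to confirm: the path is given as `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`, but Event Viewer labels that node `Applications and Services Logs`, and the sample event shows `Log Name: Microsoft-Windows-Kerberos/Operational`, so both names should be checked against the same channel. `These logs are default disabled` should read `These logs are disabled by default`.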
From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 12:42:42 -0800 Subject: [PATCH 110/190] Update microsoft-defender-antivirus-compatibility.md --- ...microsoft-defender-antivirus-compatibility.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index bac2466090..c39700cab2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp -ms.date: 01/11/2021 +ms.date: 01/22/2021 ms.technology: mde --- @@ -34,7 +34,7 @@ Microsoft Defender Antivirus is automatically enabled and installed on endpoints ## Antivirus and Microsoft Defender for Endpoint -The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. | Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | 
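Review bot: The change at `@@ -34` is whitespace-only (the sentence is identical apart from trailing space), so while the line is being touched it is worth fixing its wording: `used together or without Microsoft Defender for Endpoint` is missing a `with` and should read `used together with or without Microsoft Defender for Endpoint`. The `ms.date` bump in the first hunk is fine.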
@@ -76,20 +76,22 @@ See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antiviru ## Functionality and features available in each state -The table in this section summarizes the functionality and features that are available in each state. +The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled. > [!IMPORTANT] -> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode. +> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. 
|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | |--|--|--|--|--|--| |Active mode

|Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | +|Passive mode |No |No* |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | -- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. +\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is turned on and is in passive mode. + +- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). +- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. - When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. - When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. From 81f83025b6d15dadd7fb8ab916da68c82fa61ed4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 12:44:33 -0800 Subject: [PATCH 111/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index c39700cab2..8c855a644e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
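Review bot: The footnote marker is on the wrong cell: the new `No*` in the Passive mode row sits in the `Limited periodic scanning availability` column, but the footnote text (`real-time protection does not provide any blocking or enforcement`) is about real-time protection, which is the previous column; move the asterisk to the real-time protection cell or reword the footnote. The rewritten IMPORTANT note also tells readers not to turn off limited periodic scanning in passive mode, while the same table lists limited periodic scanning as `No` for passive mode; one of the two needs reconciling. Minor: the bullets were lowercased to `active mode` and `passive mode`, but the passive-mode bullet still ends with `even when Microsoft Defender Antivirus is in Passive mode`, and `detection information are reported` should be `detection information is reported`.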
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -88,7 +88,7 @@ The table in this section summarizes the functionality and features that are ava |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | -\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is turned on and is in passive mode. +\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. - In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). - In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. 
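Review bot: The reworded footnote in `+\* When Microsoft Defender Antivirus is in passive mode, ... even though it is enabled and in passive mode.` still repeats the clause the sentence opens with; "even though it is enabled" is sufficient. The unchanged context lines directly below it still carry "detection information are reported" (should be "is reported") and "even when Microsoft Defender Antivirus is in Passive mode" next to "In passive mode" in the same bullet; this hunk is already editing this block, so fix them here rather than in a later commit.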
@@ -106,13 +106,13 @@ The table in this section summarizes the functionality and features that are ava If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically. > [!WARNING] -> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). 
## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) +- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) From d4e8437e7a5181c54ba7f8709188f6ed805b459d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 12:47:24 -0800 Subject: [PATCH 112/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 8c855a644e..6407748cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
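Review bot: The last sentence of the WARNING block in the `@@ -106,13 +106,13 @@` hunk still does not parse after the edit: "can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the Windows Security app" joins "cause problems" to "how their information is displayed". Suggest "can also cause problems with non-Microsoft antivirus solutions and with how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md)". The new "This recommendation includes the *wscsvc*, ... services and processes" also reads oddly, because a recommendation does not contain services; "This applies to the *wscsvc*, ... services and processes" is clearer.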
@@ -1,7 +1,7 @@ --- title: Microsoft Defender Antivirus compatibility with other security products -description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using. -keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode +description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using. +keywords: windows defender, next-generation, antivirus, compatibility, passive mode search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: m365-security @@ -40,7 +40,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| | Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode | | Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode | | Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | From 9d3b79c092795b58c610ccb6db325a0b277b0688 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 12:50:13 -0800 Subject: [PATCH 113/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
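Review bot: Renaming the state to "Automatically disabled mode" in one row of the `@@ -40,7 +40,7 @@` hunk introduces an inconsistency with the second table on the same page, whose row label is still "Automatic disabled mode" (visible as `|Automatic disabled mode |No |Yes |No |No |No |` in the unchanged context of the surrounding hunks) and with the later bullet that says "disabled automatically". Pick one term and apply it to both tables in the same commit. The front-matter hunk needs no change.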
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 6407748cb0..6bea08e495 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -84,7 +84,7 @@ The table in this section summarizes the functionality and features that are ava |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | |--|--|--|--|--|--| |Active mode

|Yes |No |Yes |Yes |Yes | -|Passive mode |No |No* |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | +|Passive mode |No* |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | From e3c367848245ca9557b88173045e4e48905b0919 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 12:51:01 -0800 Subject: [PATCH 114/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 6bea08e495..eda61a27e0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
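Review bot: Moving the asterisk to the real-time protection column (`+|Passive mode |No* |No |Yes |...`) puts it where the footnote applies, but the marker style still differs from the first table on this page, which uses linked numbered notes such as `Active mode[[1](#fn1)]`. Using the same numbered style here (for example `No [[3](#fn3)]` with a matching `(3)` note under the table) keeps both tables consistent and avoids a bare asterisk whose footnote is two paragraphs away.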
@@ -90,13 +90,17 @@ The table in this section summarizes the functionality and features that are ava \* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. -- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. ## Keep the following points in mind +- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). + +- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. + +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. + +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. + - If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. - When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. 
It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. From e44ab03b1935f888964e832040823e6c46a6e5ee Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:01:43 -0800 Subject: [PATCH 115/190] Update microsoft-defender-antivirus-compatibility.md --- ...icrosoft-defender-antivirus-compatibility.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index eda61a27e0..f83f0d7c2b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
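Review bot: The four bullets moved under "## Keep the following points in mind" are now separated by blank lines; make sure the two pre-existing bullets that follow them ("- If you are enrolled in Microsoft Defender for Endpoint..." and "- When Microsoft Defender Antivirus is disabled automatically...") use the same spacing, otherwise the list renders as a mix of loose and tight items. The moved text also carries over "detection information are reported" (should be "is reported") and "even when Microsoft Defender Antivirus is in Passive mode" beside "In passive mode"; since these lines are being rewritten, correct them here.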
@@ -81,14 +81,17 @@ The table in this section summarizes the functionality and features that are ava > [!IMPORTANT] > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | -|--|--|--|--|--|--| -|Active mode

|Yes |No |Yes |Yes |Yes | -|Passive mode |No* |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | -|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | -|Automatic disabled mode |No |Yes |No |No |No | +| |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled | +|:---|:---|:---|:---|:---| +| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | +| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | +| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No | +| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes [[4](#fn4)] | Yes | No | +| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | -\* When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. 
+(2) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. + +(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. ## Keep the following points in mind From eade25b1aa6e279284484dbd59a956909da2bef0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:05:38 -0800 Subject: [PATCH 116/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index f83f0d7c2b..d9c129f8d8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
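Review bot: The footnote numbers in this hunk do not match: the transposed table cites `No [[3](#fn3)]` for real-time protection in passive mode, but the note added below it is labeled `(2)`, so the link points at a note that does not exist; label it `(3)`. Two things were also lost in the transpose: the "EDR in block mode" column header dropped the link to ../microsoft-defender-atp/edr-in-block-mode.md that the old row label carried, and the passive mode "Threat remediation" cell went from the explicit "Only during scheduled or on-demand scans" (with its link) to `Sometimes [[4](#fn4)]`, which forces a jump to the footnote for information that fit in the cell. Consider keeping the link in the header and the short phrase in the cell.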
@@ -89,7 +89,7 @@ The table in this section summarizes the functionality and features that are ava | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes [[4](#fn4)] | Yes | No | | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | -(2) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. +(3) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. (4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. From 69ccbd231161f4b00dfa6d945a6bca2f9cad1e56 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:06:07 -0800 Subject: [PATCH 117/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index d9c129f8d8..4786157c84 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -81,7 +81,7 @@ The table in this section summarizes the functionality and features that are ava > [!IMPORTANT] > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -| |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled | +|Protection |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled | |:---|:---|:---|:---|:---| | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | From a82b066840ebfe0dd73fd90f77299510156229d9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:06:42 -0800 Subject: [PATCH 118/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 4786157c84..431f0cce09 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -86,7 +86,7 @@ The table in this section summarizes the functionality and features that are ava | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No | -| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | Sometimes [[4](#fn4)] | Yes | No | +| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | (3) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. From 707451815b8aadc582daed8fde478e077e2c0f68 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:08:02 -0800 Subject: [PATCH 119/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 431f0cce09..eec4d1ce3b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -81,7 +81,7 @@ The table in this section summarizes the functionality and features that are ava > [!IMPORTANT] > Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -|Protection |Active mode |Passive mode |EDR in block mode |Disabled/uninstalled | +|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled | |:---|:---|:---|:---|:---| | [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | From 244dc8bbb5d5464dea2fe6390c906766bc36e622 Mon Sep 17 00:00:00 2001 
From: Carmen Forsmann Date: Fri, 22 Jan 2021 13:09:33 -0800 Subject: [PATCH 120/190] Update waas-delivery-optimization.md Add link to Dynamic Updates blog post. --- windows/deployment/update/waas-delivery-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 599fd37ab1..bbafcf8b44 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -66,7 +66,7 @@ For information about setting up Delivery Optimization, including tips for the b - Xbox game pass games - MSIX apps (HTTP downloads only) - Edge browser installs and updates - - Dynamic updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -93,7 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | | Edge browser installs and updates | 1809 | -| Dynamic updates | 1903 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 62bdf47af2aaa078aef65dd8d7f8286ca2e24bc6 Mon Sep 17 00:00:00 2001 
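Review bot: Both hunks link the same long techcommunity URL, and in the second hunk the "Dynamic updates" row becomes the only linked label in the minimum-version table while its neighbors (`| MSIX apps (HTTP downloads only) | 2004 |`, `| Edge browser installs and updates | 1809 |`) stay plain, which reads inconsistently. Linking the term once, in the bulleted list, and leaving the table row as plain "Dynamic updates" keeps the table uniform; if the link is wanted in both places, a short reference-style link definition avoids repeating the full URL.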
From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:23:59 -0800 Subject: [PATCH 121/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index eec4d1ce3b..91f14d18e0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -89,7 +89,7 @@ The table in this section summarizes the functionality and features that are ava | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | -(3) When Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. +(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. However, if [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) (Endpoint DLP) is configured and in effect, protective actions are enforced. Endpoint DLP works with real-time protection and behavior monitoring. (4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. From f00f02304d0c69739960d08e511e56e7e405140d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:35:40 -0800 Subject: [PATCH 122/190] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 91f14d18e0..7a74769372 100644 
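Review bot: The extended footnote (3) now opens with "In general" and adds an Endpoint DLP exception, but the cell it explains still reads a flat `No [[3](#fn3)]` for real-time protection in passive mode, so a reader of the table alone gets the wrong answer when Endpoint DLP is in effect; qualify the cell (for example `No, except with Endpoint DLP [[3](#fn3)]`). The sentence also still ends "even though it is enabled and in passive mode", which repeats its opening clause, and the closing "Endpoint DLP works with real-time protection and behavior monitoring" would be more useful if it said outright that those features must stay enabled for DLP enforcement, which is what the IMPORTANT note above the table already asks for.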
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -43,14 +43,14 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode | | Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | -| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually)[[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode [[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually) [[1](#fn1)] | | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually)[[2](#fn2)] | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually)[[2](#fn2)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) [[2](#fn2)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be 
disabled (manually) [[2](#fn2)] | (1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. From 99e5ed848cfe0fd4aec8adcd57b8f85e02c0f637 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:45:39 -0800 Subject: [PATCH 123/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b7016cc7ba..0a4832febe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
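Review bot: in the compatibility table hunk above (`@@ -43,14 +43,14 @@` of microsoft-defender-antivirus-compatibility.md), the two "Windows Server, version 1803 or newer, or Windows Server 2019 / third-party product" rows differ only in the Yes/No column yet land on `Active mode [1]` versus `Must be set to passive mode (manually) [1]`, while footnote (1) in the trailing context says Microsoft Defender Antivirus never enters passive mode automatically on these versions and should be set to passive mode to avoid running two antivirus engines side by side. Either both rows should read "Must be set to passive mode (manually)" or the footnote should say why the "Yes" case is allowed to stay active. The whitespace fix itself (a space before `[[1](#fn1)]` and `[[2](#fn2)]`) is applied consistently to all four rows.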
@@ -43,7 +43,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. @@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps: +4. Take one of the following steps:
- If the alert is accurate, assign and investigate the alert further. - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. @@ -294,4 +294,9 @@ If you still need help after working through all the steps in this article, your 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. -3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + \ No newline at end of file From f508a1704b5862d2f228eaeef81762e2134cc59d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:47:49 -0800 Subject: [PATCH 124/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a4832febe..a05b00432f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
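Review bot: subject-verb agreement in the rewritten sentence of the `@@ -43,7 +43,7 @@` hunk: `If your security operations team see an alert` should be `sees`. The replacement sentence `We recommend that you classify alerts as well.` is also vaguer than the text it drops (`you can classify alerts as false positives as needed`); say what they should be classified as (true positive or false positive), so the next sentence, `classifying false positives helps to train your threat protection solution`, has something to refer back to.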
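Review bot: in the `@@ -54,7 +54,7 @@` hunk the only change to `4. Take one of the following steps:` is not visible in the diff (trailing whitespace?), and the bullets that follow it are still not indented under item 4, so Markdown will render them as a separate list; indent them here rather than in a later commit. While touching this list, fix the context line `Select an alert to more details about the alert` (missing verb: `to view more details`), and make the false-positive bullet explicit that the indicator to create is an allow indicator: indicators can allow or block, and a block indicator is the wrong response to a false positive.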
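Review bot: the `@@ -294,4 +294,9 @@` hunk adds the `## See also` section but the file still ends with `\ No newline at end of file`; terminate the last line with a newline so the next edit does not produce a spurious diff on this line. The section holds a single bare link; a one-line lead-in (what `Manage Microsoft Defender for Endpoint` covers relative to this article) would make the cross-reference worth following.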
@@ -54,10 +54,10 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. +4. Take one of the following steps:
+ - If the alert is accurate, assign and investigate the alert further. + - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. ### Classify an alert as a false positive From f143d389fc4fe91e7feccc6d6986f9642b7b5443 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:56:42 -0800 Subject: [PATCH 125/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a05b00432f..e21d65054d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
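Review bot: the indent added under step 4 in the `@@ -54,10 +54,10 @@` hunk is the right fix for nesting the bullets beneath a `4. ` marker. Two things in the same lines still need attention: the context line `Select an alert to more details about the alert` is missing its verb (`to view more details`), and the false-positive bullet says only `create an indicator for Microsoft Defender for Endpoint`; state that it is an allow indicator, since the indicator feature can also block and a block indicator would make a false positive worse.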
@@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 
@@ -39,7 +39,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Part 1: Review and classify alerts @@ -55,18 +55,21 @@ Before you classify or suppress an alert, determine whether the alert is accurat 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. -### Classify an alert as a false positive + | Alert status | What to do | + |:---|:---| + | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | + | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | + | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. +### Classify an alert + +Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. 3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP] > For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. From 87cbe724737cf5cd54d6bb7393c150d0ef345b2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:59:31 -0800 Subject: [PATCH 126/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
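Review bot: in the `@@ -31,7 +31,7 @@` hunk the moved sentence drops a noun: `your security operations can take steps to address false positives or false negatives` should read `your security operations team can take steps`. The list that follows links item 4, `Submitting an entity for analysis`, to `#part-4-submit-a-file-for-analysis`; keep the heading and the link text in agreement (file or entity) so the anchor does not break if the heading is later edited to match.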
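Review bot: the `@@ -55,18 +55,21 @@` hunk widens the `Classify an alert` procedure to cover true and false positives, but step 2 still says `select an alert that is a false positive`; change it to `select the alert that you want to classify`. In the new table, the false-positive row again says `create an indicator for Microsoft Defender for Endpoint` without saying allow; indicators can also block, so spell out `create an allow indicator`. The row also mixes a relative link (`[investigate it](investigate-alerts.md)`) with the absolute `docs.microsoft.com` links used everywhere else in this article; pick one style. Finally, the `> [!TIP]` that follows this table talks only about suppressing alerts, although it now sits under the classify heading; it belongs with the `Suppress an alert` section the row links to.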
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e21d65054d..ebf9e149f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,9 +179,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 7117e088936828f936875166dc99f7d0e6ee140b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:08 -0800 Subject: [PATCH 127/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ebf9e149f7..5d5c8cd439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,11 +177,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | +| Indicator | Prerequisites | |:----|:----| -|**Files**
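Review bot: the punctuation normalization in the `@@ -179,9 +179,9 @@` hunk (dropping the trailing period after `4.18.1901.x or later`, `4.18.1906.x or later`, `Block or allow feature is turned on` and `definitions are up to date`) leaves the first column inconsistent: `The allow or block function cannot be done on a file ... prior to the allow or block action`, `Full URL path blocks can be applied on the domain level and all unencrypted URLs`, `IP is supported for all three protocols` and `Only single IP addresses are supported (no CIDR blocks or IP ranges)` have no terminal period while the sentences around them do. `IP is supported for all three protocols` also names no protocols; the `TCP, HTTP, and HTTPS (TLS)` list only appears two bullets later, so either move that bullet up or spell the protocols out. Also fix `Encrypted URLS (FQDN only)` to `URLs` and remove the stray comma in `Trying to block trusted, signed files, can have performance implications`.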

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 313ba03c26e01250398b81e165f00a3eace1f715 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:39 -0800 Subject: [PATCH 128/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d5c8cd439..68985360e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----|:----| +|:----:|:----:| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From 5fe58051f530f67580c42bea28161217a1c1387e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:15 -0800 Subject: [PATCH 129/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 68985360e9..cecea25f5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -76,7 +76,7 @@ Your security team can classify an alert as a false positive or a true positive ### Suppress an alert -If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. +If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. From 8960bc4e9c0b881a801a4e8f8ecb19e442b5494f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:51 -0800 Subject: [PATCH 130/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
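Review bot: for PATCH 128/190, centering both columns (`|:----:|:----:|`) makes the Indicator and Prerequisites cells, each several sentences long, noticeably harder to scan; left alignment (`|:----|:----|`) is the right choice for prose cells, so this change should be dropped. It is in fact reverted again two commits later in PATCH 130/190, so if it survives at all, squash the pair so the history does not carry a no-op.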
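Review bot: for PATCH 129/190, the rewritten sentence is hard to parse ("either false positives or that are true positives but are for unimportant events"); suggest "alerts that are false positives, or true positives for unimportant events". The added sentence on reducing noise also repeats the point the section's opening paragraph already makes about "noise in your security operations dashboard" (visible in the PATCH 133/190 context), so keep it in one place.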
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cecea25f5e..d5976bd76c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----:|:----:| +|:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From f386ac4af4d8b6e9ae82cd3a12dd8112b92ccfb8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:10:31 -0800 Subject: [PATCH 131/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d5976bd76c..3342692fc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -302,4 +302,5 @@ If you still need help after working through all the steps in this article, your ## See also [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) - \ No newline at end of file + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file From 28794addaf76195c266a81fbc9f42834482621b8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:17:17 -0800 Subject: [PATCH 132/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3342692fc9..56ef4f1e45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
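Review bot: PATCH 130/190 is an exact revert of PATCH 128/190 (`|:----:|:----:|` back to `|:----|:----|`); the two commits cancel out and should be squashed before merge so reviewers are not asked to re-read the whole table twice for a net change of nothing.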
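Review bot: in PATCH 131/190 the new last line still ends with `\ No newline at end of file`; add the trailing newline while this line is being touched. Also, the new "Overview of Microsoft Defender Security Center" entry uses an absolute docs.microsoft.com URL while the sibling "Manage Microsoft Defender for Endpoint" entry uses a relative link (`manage-atp-post-migration.md`); pick one style for both entries.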
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -59,8 +59,8 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | - | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From aabbcc4e3710334f83029829595e8bbd8d3f0749 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:18:46 -0800 Subject: [PATCH 133/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 56ef4f1e45..4cc8fd34a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
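Review bot: in the "false positive" row of PATCH 132/190, step 1 still opens with "Proceed to", a leftover from the single-step version; now that it is item 1 of three it should read "1. [Classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert)." Also keep in mind that `1.`/`2.`/`3.` inside a table cell render as plain numbered text, not a Markdown list, so the explicit line breaks between the three steps must stay.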
@@ -45,7 +45,7 @@ This article also includes information about [what to do if you still need help] If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. -Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. ### Determine whether an alert is accurate From 223f0f72df48f4d2163e19aa778a881ea8767469 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:21:00 -0800 Subject: [PATCH 134/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cc8fd34a3..48f1a3208e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
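Review bot: "classifying true/false positives" in PATCH 133/190 is terse; suggest "classifying alerts as true or false positives", which also matches the "Determine whether an alert is accurate" heading that follows. The unchanged context line just above has a subject-verb mismatch ("If your security operations team see an alert"); "sees" is worth fixing in the same commit.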
@@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
+4. Depending on the alert status, take the steps described in the following table:
| Alert status | What to do | |:---|:---| From e4a721f0618a51e419046ab3d179b42160e08574 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:26:14 -0800 Subject: [PATCH 135/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 48f1a3208e..20fe6f78d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -227,7 +227,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) -- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) ### Cloud-delivered protection From 9dafcb23f50b744dbc973442916eb7e335bbb52f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:32:47 -0800 Subject: [PATCH 136/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
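Review bot: the replaced step 4 in PATCH 134/190 is fine, but the unchanged step 3 directly above it is missing its verb: "Select an alert to more details about the alert" should read "Select an alert to see more details about it." Since this list is being edited anyway, fix it here.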
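Review bot: PATCH 135/190 changes the in-page anchor from `#remediation-for-potentially-unwanted-applications-pua` to `#remediation-for-potentially-unwanted-applications`, but the diffstat shows a single one-line change, so the heading this anchor resolves to is not renamed in this commit. Confirm that the target heading in the same file already lacks the "(PUA)" suffix; otherwise the link is broken by this change.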
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20fe6f78d4..195c784c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -201,7 +201,7 @@ If you have a file that was either wrongly detected as malicious or was missed, If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. -1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. 3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From b7ac564fd79b1e104204a9c2155adb1968e9e98e Mon Sep 17 00:00:00 2001 
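Review bot: swapping `** MpCmdRun.exe**` for `MpCmdRun.exe` in PATCH 136/190 is right, but the path on the same line still has a stray leading space inside its backticks (` C:\ProgramData\Microsoft\Windows Defender\Platform\`); fix it in the same edit. Two further inconsistencies on the visible lines: the intro calls the file "Mpsupport.cab" while step 2 names it `MpSupportFiles.cab`, and step 1's path is under a `Windows Defender` folder while step 2's default output path is under `Microsoft Defender`; verify both pairs so readers do not go looking for the wrong file in the wrong folder.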
From: Ben Alfasi Date: Sun, 24 Jan 2021 14:30:32 +0200 Subject: [PATCH 137/190] 1 --- .../microsoft-defender-atp/find-machines-by-tag.md | 13 ++++++++++--- .../get-discovered-vulnerabilities.md | 4 ++++ .../microsoft-defender-atp/get-domain-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-file-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-ip-statistics.md | 7 ++++++- .../get-missing-kbs-machine.md | 6 +++++- .../get-security-recommendations.md | 4 ++++ .../microsoft-defender-atp/import-ti-indicators.md | 2 +- 8 files changed, 42 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index c077f850b8..e34e5962d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -32,7 +32,7 @@ ms.topic: article ## API description Find [Machines](machine.md) by [Tag](machine-tags.md). - +
```startswith``` query is supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -56,7 +56,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET /api/machines/findbytag(tag='{tag}') +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} ``` ## Request headers @@ -65,6 +65,13 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + ## Request body Empty @@ -78,5 +85,5 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 773a35d073..258209f10d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md 
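Review bot: the find-machines-by-tag.md hunks in PATCH 137/190 change the documented request from the OData function form `GET /api/machines/findbytag(tag='{tag}')` to the query-string form `GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}`; that is a breaking change for anyone who scripted against the old shape, so the page should say whether the old form is still accepted. Smaller points: the API description wraps `startswith` in triple backticks where single backticks are the convention; in the parameter table "find all devices with tag name that starts with the given tag" should read "all devices with a tag name that starts with the given value"; and `{true/false}` in the request template would be clearer as `{true|false}` or a plain Boolean placeholder.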
@@ -30,8 +30,12 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dda241406d..3720025ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -62,6 +62,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 45c0c7f97f..ac9da34d73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md 
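Review bot: in the get-domain-statistics.md hunk of PATCH 137/190, `lookBackHours` is declared in hours but its default is given as "30 days"; state the default in the parameter's own unit, 720 hours (30 days), so callers can compare it with the value they pass. The new parameter table is also inserted with no blank line before `## Request body`, unlike the find-machines-by-tag.md hunk, which does add one; add the blank line so the heading is not absorbed into the table.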
@@ -62,6 +62,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index e720d2f338..5ba7c77cd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -63,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. ```http -GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 9ac01f22cf..abb4bd89f5 100644 
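Review bot: the get-file-statistics.md and get-ip-statistics.md hunks of PATCH 137/190 carry the same two problems: `lookBackHours` is in hours but its default reads "30 days" (state it as 720 hours), and the inserted parameter table has no blank line before `## Request body`. Fix all three statistics pages the same way. The IP example fence is tagged ```` ```http ```` while the domain and file examples use a bare fence; make the tagging consistent across the three.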
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -30,7 +30,11 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] -Retrieves missing KBs (security updates) by device ID +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 1d2dfe41dd..f08ce4f926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -31,8 +31,12 @@ ms.technology: mde [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 822e0f9985..8e33f2ae5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md 
@@ -37,7 +37,7 @@ Submits or Updates batch of [Indicator](ti-indicator.md) entities. ## Limitations 1. Rate limitations for this API are 30 calls per minute. 2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. - +3. Maximum batch size for one API call is 500. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) From b54bd97a85d313c549533a537de4f5dcc35b61ea Mon Sep 17 00:00:00 2001 
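Review bot: in the import-ti-indicators.md hunk of PATCH 137/190, the new item `3. Maximum batch size for one API call is 500.` replaces the blank line that separated the Limitations list from `## Permissions`; keep a blank line after item 3 so the heading is not glued to the list. It would also help to say what happens when a batch exceeds 500 (whole request rejected, or truncated), since anyone importing indicators in bulk needs to know whether to chunk on the client side.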
From: Ben Alfasi Date: Sun, 24 Jan 2021 14:57:21 +0200 Subject: [PATCH 138/190] 2 --- .../add-or-remove-machine-tags.md | 6 ++++-- .../collect-investigation-package.md | 4 +++- .../get-alert-related-domain-info.md | 4 +--- .../get-alert-related-files-info.md | 4 +--- .../get-alert-related-ip-info.md | 4 +--- .../get-alert-related-machine-info.md | 4 +--- .../get-alert-related-user-info.md | 4 +--- .../microsoft-defender-atp/get-domain-statistics.md | 4 +--- .../microsoft-defender-atp/get-file-information.md | 4 +--- .../microsoft-defender-atp/get-file-statistics.md | 4 +--- .../get-investigation-collection.md | 4 +--- .../microsoft-defender-atp/get-ip-statistics.md | 4 +--- .../microsoft-defender-atp/get-kbinfo-collection.md | 7 ++----- .../microsoft-defender-atp/get-machine-by-id.md | 4 +--- .../get-machine-log-on-users.md | 4 +--- .../get-machineaction-object.md | 6 ++---- .../get-machineactions-collection.md | 6 ++---- .../microsoft-defender-atp/get-machines.md | 4 +--- .../get-machinesecuritystates-collection.md | 7 ++----- .../microsoft-defender-atp/get-package-sas-uri.md | 8 ++------ .../get-ti-indicators-collection.md | 12 ++++-------- .../microsoft-defender-atp/get-user-information.md | 7 ++----- .../initiate-autoir-investigation.md | 8 +++++--- .../microsoft-defender-atp/isolate-machine.md | 10 ++++++---- .../microsoft-defender-atp/offboard-machine-api.md | 6 ++++-- .../restrict-code-execution.md | 9 +++++---- .../microsoft-defender-atp/run-advanced-query-api.md | 12 +++++++----- .../microsoft-defender-atp/run-av-scan.md | 6 ++++-- .../stop-and-quarantine-file.md | 6 ++++-- .../microsoft-defender-atp/unisolate-machine.md | 6 ++++-- .../unrestrict-code-execution.md | 6 ++++-- .../microsoft-defender-atp/update-alert.md | 5 +++-- 32 files changed, 82 insertions(+), 107 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index c9987f3a99..2a992e5e4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -```http +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +``` + +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index ee50396e37..7c823acfd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -83,7 +83,9 @@ Here is an example of the request. ``` POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json +``` + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 9347365103..aaa3ab921d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md 
@@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 80dfa7de59..705b9284db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index b241dd2b72..02701c84db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index e4850f8d55..a5e59345c3 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -88,9 +88,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index ea89e7158c..a256a1f597 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index 3720025ad9..dd3331b476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md 
@@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookB Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 736c3298e2..019f1385c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index ac9da34d73..cf1898803a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 47662456ae..cca2597b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations Here is an example of the response: -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 5ba7c77cd7..bc04301ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBac Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index f108cdfbf6..0eeced010e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md 
@@ -61,18 +61,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index ceac9cc0ed..0a6ff20f30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index f4730dce02..3e9b901fac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 35d7343116..9520bd1379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 11bd89fa3b..d910d3beda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions ``` @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index ad2331e5ab..42a179a64f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -92,9 +92,7 @@ GET https://api.securitycenter.microsoft.com/api/machines Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 9565ba0014..9d1e0ef235 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -60,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -70,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index ccd17fea22..2683556f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md 
@@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpS
ST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 58cb3f78a5..5a5ea5a354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ @@ -141,7 +139,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` @@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 7a7e85e081..d4d47fa618 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1 -Content-type: application/json ``` **Response** @@ -74,9 +73,7 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index dfb9ea34c6..caa8fb231b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 00d02c3bfe..67f0760774 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md 
@@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -```console +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +``` + +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 8eef870362..df8552d5a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json +``` + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index fb99be0444..a78424ca79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md 
@@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 88fddcc27b..195101b45a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md 
@@ -35,10 +35,10 @@ ms.technology: mde 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -82,9 +82,11 @@ Request Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run -Content-type: application/json +``` + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index dda698fd60..aac2826f29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md 
@@ -91,9 +91,11 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json +``` + +```json { "Comment": "Check machine for viruses due to alert 3212", “ScanType”: “Full” diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 26a77dc157..6ab096b9f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json +``` + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 2ddc0fa5f4..9d41281585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md 
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json +``` + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index c8b9276441..41934f0380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 4f6423b15e..d2f3515f96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. -``` +```http PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +``` +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", From f803e252caab050a81ec70c30fd0ae8fb48684ef Mon Sep 17 00:00:00 2001 
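Review bot: in the add-or-remove-machine-tags.md hunk, the request fence is changed from ```` ```http ```` to a bare ```` ``` ```` while every other request block in this patch is moved to ```` ```http ````; use `http` here too. The same hunk also drops `Content-type: application/json` from a POST that carries a JSON body, and the split into an `http` block and a `json` block repeats in the collect-investigation-package, initiate-autoir-investigation, isolate-machine, offboard-machine-api, restrict-code-execution, run-advanced-query-api, run-av-scan, stop-and-quarantine-file, unisolate-machine, unrestrict-code-execution and update-alert hunks. Callers do need that header for these requests, so either keep `Content-type: application/json` as the second line of each `http` block or state the required header once in the request prose.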
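Review bot: in the run-av-scan.md hunk, the body line `“ScanType”: “Full”` still uses typographic quotes, which is invalid JSON now that the block is tagged ```` ```json ````. Apply the same fix this patch makes in isolate-machine.md (`"IsolationType": "Full"`) and write `"ScanType": "Full"`.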
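Review bot: in the isolate-machine.md hunk, the fence change from ```` ```console ```` to a bare ```` ``` ```` is inconsistent with the ```` ```http ```` tag used for the other request blocks in this patch, and the rewritten last line (`- To release a device from isolation, see [Release device from isolation](unisolate-machine.md).`) now ends with `\ No newline at end of file`. Tag the fence `http` and restore the trailing newline; the curly-quote fix on `"IsolationType": "Full"` is correct.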
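Review bot: in the restrict-code-execution.md hunk, the only change to the closing bullet (`- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).`) is the loss of the final newline, shown by `\ No newline at end of file`. Drop the trailing blank line if you like, but keep a newline at the end of the file so the next diff touching it is not noisy.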
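Review bot: in the first run-advanced-query-api.md hunk (`@@ -35,10 +35,10 @@`), the per-minute quota in item 3 changes from `Up to 15 calls per minute` to `Up to 45 calls per minute.` with no explanation in the commit message ("2"); please confirm the new figure against the service limit before merging, since customers size their automation on this number. Item 5 also drops the statement that the 429 body indicates the time until the quota is renewed; if that is still true, keep it, and tidy the grammar either way, for example: `5. A 429 response indicates that a quota limit has been reached, either by number of requests or by CPU. Read the response body to see which limit was hit.`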
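Review bot: in the second run-advanced-query-api.md hunk (`@@ -82,9 +82,11 @@`), tagging the body as ```` ```json ```` exposes that the query string is broken across lines (`"Query":"DeviceProcessEvents` followed by `| where InitiatingProcessFileName =~ 'powershell.exe'` on the next line); a literal line break inside a JSON string is invalid. Either join the query onto one line or encode the breaks as `\n` inside the string so the example parses as shown.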
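Review bot: in the update-alert.md hunk, the closing ```` ``` ```` of the new `http` block is immediately followed by ```` ```json ```` with no blank line, whereas the other hunks in this patch insert an empty line between the two blocks; add the blank line for consistency. The removed header here was `Content-Type: application/json` for a PATCH with a JSON body, so the header comment above applies to this file as well.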
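Review bot: in the get-package-sas-uri.md hunk, the retagged response block still carries a full-length SAS URI with its `token=` query string in the context lines. Documentation should not ship a complete token of this shape, even an expired one: it is noise for the reader and invites copy-and-paste of a credential-bearing URL. Replace the token with a truncated placeholder such as `...?token=<redacted>` while keeping the surrounding `"@odata.context"` and `"value"` structure.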
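Review bot: in the second get-machinesecuritystates-collection.md hunk (`@@ -70,9 +69,7 @@`), the context sentence `Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info.` has a stray `*` and a missing verb; since this hunk already touches the block below it, fix the sentence to `The *id* field contains the device ID and equals the *id* field in the devices info.`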
From: Ben Alfasi Date: Sun, 24 Jan 2021 15:46:51 +0200 Subject: [PATCH 139/190] 1 --- .../collect-investigation-package.md | 2 +- .../microsoft-defender-atp/create-alert-by-reference.md | 3 ++- .../microsoft-defender-atp/delete-ti-indicator-by-id.md | 2 +- .../microsoft-defender-atp/find-machines-by-ip.md | 2 +- .../microsoft-defender-atp/find-machines-by-tag.md | 2 +- .../get-alert-related-domain-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-files-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-ip-info.md | 2 +- .../get-alert-related-machine-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-user-info.md | 2 +- .../threat-protection/microsoft-defender-atp/get-alerts.md | 4 ++-- .../microsoft-defender-atp/get-all-recommendations.md | 2 +- .../get-all-vulnerabilities-by-machines.md | 2 +- .../microsoft-defender-atp/get-all-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-cvekbmap-collection.md | 7 ++----- .../microsoft-defender-atp/get-device-secure-score.md | 2 +- .../get-discovered-vulnerabilities.md | 4 ++-- .../microsoft-defender-atp/get-domain-statistics.md | 2 +- .../microsoft-defender-atp/get-exposure-score.md | 2 +- .../microsoft-defender-atp/get-file-information.md | 2 +- .../microsoft-defender-atp/get-file-related-alerts.md | 2 +- .../microsoft-defender-atp/get-file-related-machines.md | 2 +- .../microsoft-defender-atp/get-file-statistics.md | 2 +- .../microsoft-defender-atp/get-installed-software.md | 2 +- .../microsoft-defender-atp/get-ip-related-alerts.md | 2 +- .../get-machine-group-exposure-score.md | 2 +- .../microsoft-defender-atp/get-machines-by-software.md | 3 +-- .../get-machines-by-vulnerability.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-machine.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-software.md | 2 +- .../microsoft-defender-atp/get-recommendation-by-id.md | 2 +- .../microsoft-defender-atp/get-recommendation-machines.md | 2 +- 
.../microsoft-defender-atp/get-recommendation-software.md | 2 +- .../get-recommendation-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-security-recommendations.md | 4 ++-- .../microsoft-defender-atp/get-software-by-id.md | 3 +-- .../get-software-ver-distribution.md | 3 +-- .../microsoft-defender-atp/get-software.md | 2 +- .../microsoft-defender-atp/get-user-related-alerts.md | 2 +- .../microsoft-defender-atp/get-user-related-machines.md | 2 +- .../microsoft-defender-atp/get-vuln-by-software.md | 3 +-- .../microsoft-defender-atp/get-vulnerability-by-id.md | 2 +- .../microsoft-defender-atp/import-ti-indicators.md | 3 ++- .../microsoft-defender-atp/isolate-machine.md | 2 +- .../microsoft-defender-atp/post-ti-indicator.md | 3 ++- .../microsoft-defender-atp/run-av-scan.md | 2 +- .../microsoft-defender-atp/update-alert.md | 2 +- 47 files changed, 54 insertions(+), 58 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 7c823acfd6..dea6142742 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -81,7 +81,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index ac6a1ed6be..91a38d3f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` + ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index c4921c50f4..127f52cd7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` +```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 5a461d731b..d9ebb6559c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index e34e5962d8..5bb4e7756f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -84,6 +84,6 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index aaa3ab921d..c84308bef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 705b9284db..015b98dba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 02701c84db..602a1fd1c4 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index a5e59345c3..60d47669c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -79,7 +79,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index a256a1f597..2afbe73739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 918af17cc7..eb0067b2ba 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` @@ -152,7 +152,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 9be5af6b31..6548493ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index 73cc542fda..0126da149d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 17f9e97ef1..00ade14700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 41df827074..3264cc7d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -61,18 +61,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index b18413a57e..2edded89ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md 
@@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/configurationScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 258209f10d..760ce4ddb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -71,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dd3331b476..13a3f3f28f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -81,7 +81,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index c06627a36f..0288816bb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 019f1385c7..37b4c39da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index dd23bde922..1ef694df96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 981b5352e4..c0de4442c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index cf1898803a..ab8b12267d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -81,7 +81,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 1d74c52f25..9effa5d7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index ec0bd5533a..d4f66c71d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index f7ea61feb1..6f54986e33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index cbcb0e0b06..b2f9da0734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` 
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 35a821c812..bf4208cd36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index abb4bd89f5..d3c13ddae1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -62,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 4c037b678e..3b53dabe02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index d752962405..5548416186 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 7d46d6e6fe..fa448849b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 4f144b37e3..0fcdc3e55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 6c606f3bfc..e4a52ff2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index f08ce4f926..2581a14cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index da3f09fb2d..58ff771315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index c707f59ef2..897e0c91a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 95e59d134f..b070207ed0 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 7705c00e4b..341e56d35d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 7cab2321b4..b91c080c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index c60ff31fdb..762572746a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e8cc9c8257..441ac6bf08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 8e33f2ae5c..ae63ad7d4b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -79,9 +79,10 @@ Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indica Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators/import ``` + ```json { "Indicators": 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 67f0760774..15f0c9b691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,7 +90,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index c5bedda425..f019e3a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -89,9 +89,10 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators ``` + ```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index aac2826f29..68a10a5e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -98,7 +98,7 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 ```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index d2f3515f96..a19d0d51e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -103,4 +103,4 @@ PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213 "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file From c8dde0220a6429f0e4fa375709c1b642f5ec4a98 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:17:49 +0200 Subject: [PATCH 140/190] 5 --- .../threat-protection/microsoft-defender-atp/investigation.md | 2 +- .../threat-protection/microsoft-defender-atp/machine.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 6afbbec900..64b309d544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. 
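Review bot: the update-alert.md hunk in PATCH 139 changes nothing except the file's trailing newline: the removed and added lines are both a bare ```` ``` ````, and the `\ No newline at end of file` marker now sits on the new side, so the result is a file whose closing fence has no line ending. Drop this hunk (or keep the newline) so the file matches the other API pages in the series, all of which end with a newline after the fence.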
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index c0cfd906a5..896f5ca654 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -62,7 +62,7 @@ version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. From 5823e24e7ac6d543273fdbf8963a454ad921f8d6 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:50:27 +0200 Subject: [PATCH 141/190] 3 --- .../microsoft-defender-atp/run-advanced-query-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 195101b45a..1f52029bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md 
@@ -36,7 +36,7 @@ ms.technology: mde 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - API calls: Up to 45 calls per minute. - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. 5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. From 963bbb8f93de94590c0ed5948d0a965dd92d304e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:09:14 +0500 Subject: [PATCH 142/190] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index af35c57f47..122083cfeb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -114,6 +114,7 @@ ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md) ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() From 463b8b0f8cf8d6b1066728d21cb4b34138608a98 Mon Sep 17 00:00:00 2001 
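Review bot: the run-advanced-query-api.md hunk in PATCH 141 lowers a published quota (daily execution time from 4 hours to 3 hours) under a commit subject of just "3" with no body. A change to documented limits needs to say where the new figure comes from (a product change or a correction) so it can be traced later; please expand the commit message. While in this list, the context line "429 response will represent reaching quota limit either by number of requests or by CPU" would read more cleanly as "A 429 response indicates that a quota limit (number of requests or CPU time) has been reached".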
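Review bot: the new TOC entry in PATCH 142 is consistent with its neighbours, but the context line directly below it, `[Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )`, carries a stray space before the closing parenthesis; tidy it in the same commit so every entry in this block uses the same `(path.md)` form.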
From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 25 Jan 2021 10:13:26 -0600 Subject: [PATCH 143/190] Update security-compliance-toolkit-10.md Removed 1709 as we dont support it any longer and pulled it from the DLC --- .../security/threat-protection/security-compliance-toolkit-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index fd8ba1f7f9..509869f9e5 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -34,7 +34,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1507 From f8e3f311ae43ba2b3c195b8c4a5c48b54c9c4869 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:17:00 +0500 Subject: [PATCH 144/190] Update mandatory-settings-for-wip.md --- .../mandatory-settings-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index eb25f0556d..bf2e926154 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md 
@@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. 
For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| From 28dedc57f594e67d556975d66849129bc3307241 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:35:49 -0800 Subject: [PATCH 145/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 195c784c4e..85158c1cb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/22/2021 +ms.date: 01/25/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro 
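Review bot: in the mandatory-settings-for-wip.md hunk of PATCH 144 the new link text says "Manage the WIP protection mode for your enterprise data" but the fragment is `#manage-the-wip-protection-level-for-your-enterprise-data`; please check which wording matches the real heading, because a wrong fragment silently drops the reader at the top of the page. Two further points on the same `+` line: the sentence still says "section of the policy creation topics" (plural) while the link targets only the ConfigMgr topic, and the adjacent row refers to Microsoft Intune filling in the corporate identity, so either link both policy creation topics or name ConfigMgr in the text; and this row already uses a relative link (`collect-wip-audit-event-logs.md`), so a relative target (`create-wip-policy-using-configmgr.md#...`) would follow the file's convention instead of an absolute docs.microsoft.com URL.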
@@ -38,12 +38,14 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +6. [Getting help if you still have issues with false positives/negatives](#still-need-help) -This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +> [!IMPORTANT] +> This article is intended for security operators and administrators. ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. +If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 4562ca67bd6db40e1773e49f74f9839efde54300 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:39:33 -0800 Subject: [PATCH 146/190] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 85158c1cb2..8e5c202978 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -136,7 +136,8 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) - [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. +> [!NOTE] +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. 
To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. 
@@ -169,20 +170,20 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. 
Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator | Prerequisites | +| Indicator type and considerations | Prerequisites | |:----|:----| -|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] From 5928b1b0cfbd5d7b5630ea698680f7f63aeaa643 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:42:43 -0800 Subject: [PATCH 147/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8e5c202978..084f8103db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,15 +183,15 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat | Indicator type and considerations | Prerequisites | |:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
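Review bot: in the table hunk of PATCH 146 the rewritten file-indicator row keeps a stray comma in "Trying to block trusted, signed files, can have performance implications" (drop the second comma), and the rewritten IP/URL row now merges "IP is supported for all three protocols" into a sentence before any protocol has been named; write "all three protocols (TCP, HTTP, and HTTPS)" there, since the following paragraph is the first place they appear. Two smaller consistency items in the same `+` rows: "Encrypted URLS (FQDN only)" should be "URLs" to match the line above it, and "first party browsers" reads better hyphenated as "first-party browsers".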

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). ## Part 4: Submit a file for analysis -You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions. ### Submit a file for analysis @@ -202,7 +202,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. 
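Review bot: in the indicators-table hunk (the one ending at `### Submit a file for analysis`), the sentence "IP is supported for all three protocols" has no antecedent in that cell; the protocols are only named two sentences later ("TCP, HTTP, and HTTPS (TLS)"), so name them where the claim is made. The same cell mixes "Encrypted URLs (full path)" with "Encrypted URLS (FQDN only)", and the certificate cell mixes "IOCs" with "IoC"; pick one casing for each.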
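Review bot: in the `@@ -202,7 +202,7 @@` hunk, the tool is named `MPCmdRun.exe` in the rewritten sentence but `MpCmdRun.exe` in step 1 directly below it; use the file's real casing (`MpCmdRun.exe`) in both places. Step 1's code span also starts with a stray space (`` ` C:\ProgramData\... ` ``) that ends up in the copied path, and `Platform\` contains version-numbered subfolders, so the step should tell the reader to open the newest one before running the tool.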
@@ -294,6 +294,10 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. +### Automated investigation and remediation + + + ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 2309a9407d18e11647f246145b695b5374280108 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:14:30 -0800 Subject: [PATCH 148/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 084f8103db..f8d93d2f54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
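Review bot: in the `@@ -294,6 +294,10 @@` hunk of the commit above, `### Automated investigation and remediation` is added with an empty body, so the published page would show a heading with nothing under it; either land the section text in the same commit or hold the heading until it does. While in this hunk, the context line "applied to all devices certain editions of Windows 10" is missing "running", and "and, and then choose **Create**" doubles "and,".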
@@ -296,7 +296,39 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett ### Automated investigation and remediation +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) + +All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. + +### Review actions that were taken + +1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about that remediation action. + +### Undo remediation actions + +If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. 
You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select the actions that you want to undo. +4. In the pane on the right side of the screen, select **Undo**. + +> [!TIP] +> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). + +### Review and if needed, edit your automation level + +AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). + +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. +- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. + +To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). ## Still need help? From 27efc5c2bc073c2823d0882dc57c7c9f1f0b8cf6 Mon Sep 17 00:00:00 2001 
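Review bot: the added "Review actions that were taken" and "Undo remediation actions" procedures restate Part 2 of the same article (the `### Review completed actions` section and the History-tab/**Undo** steps visible in the later `@@ -101` and `@@ -131` hunks); link to Part 2 instead of duplicating it so the two copies cannot drift. The undo paragraph also says actions "taken automatically or manually" can be undone, but Part 2 states that Live Response actions (antivirus scan, investigation package) cannot; repeat that caveat here or scope the sentence to remediation actions. "Action Center" and "Action center" are both used within this block.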
From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:16:18 -0800 Subject: [PATCH 149/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f8d93d2f54..24e9fbf78e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -328,11 +328,13 @@ AIR capabilities in Defender for Endpoint are configured to one of several [leve - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. - *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. -To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). +To review your AIR configuration and learn more about automation levels, see: +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) ## Still need help? -If you still need help after working through all the steps in this article, your best bet is to contact technical support. +If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. From 708066fb3779d7e195bc664c7dd7ee24cab311e9 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:21:09 -0800 Subject: [PATCH 150/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 24e9fbf78e..695656e24e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -231,6 +231,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) ### Cloud-delivered protection From dd563409f25933ff6510d5d4c2a062857ced65e4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:29:24 -0800 Subject: [PATCH 151/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 34 ++----------------- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 695656e24e..d201884712 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -299,39 +299,11 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. - -### Review actions that were taken - -1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select an item to view more details about that remediation action. 
- -### Undo remediation actions - -If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. - -1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select the actions that you want to undo. -4. In the pane on the right side of the screen, select **Undo**. - -> [!TIP] -> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). - -### Review and if needed, edit your automation level - -AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). - -- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. -- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. -- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. 
- -To review your AIR configuration and learn more about automation levels, see: +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) -- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) + ## Still need help? From 995a3ed9aa6c99a38ad8714908adb25b3b8e16c0 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:38:04 -0800 Subject: [PATCH 152/190] Update initiate-autoir-investigation.md --- .../microsoft-defender-atp/initiate-autoir-investigation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index caa8fb231b..5617ebcae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -92,3 +92,4 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 { "Comment": "Test investigation" } +``` From 3abff941ef1a32cac37e1abe0cf9fee91dc35f7f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:39:46 -0800 Subject: [PATCH 153/190] Update get-software-by-id.md --- .../microsoft-defender-atp/get-software-by-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 58ff771315..43ed0055bf 100644 
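Review bot: this removal drops the only undo instructions in the AIR section, and the surviving paragraph no longer tells a reader where to reverse an automated action taken on a false positive; add a one-line pointer to Part 2 ("Review remediation actions") in place of the deleted steps. The hunk also deletes the sentence listing example remediation actions (quarantine, stopping a service, removing a scheduled task), which is exactly what a reader sizing up the blast radius of a misclassification needs; consider keeping that sentence.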
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: m365-security From 68d2209f6732092de9cfbad01bf0e1686feb07f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:55:09 -0800 Subject: [PATCH 154/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d201884712..9707bf3e13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -101,6 +101,9 @@ If you have alerts that are either false positives or that are true positives bu Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. +> [!TIP] +> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). + ### Review completed actions 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 
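Review bot: in the `get-software-by-id.md` hunk, the new description "Retrieves a list of sofware by ID." has a typo ("software") and mismatches the API: per the title, `Get software by Id` returns a single software entity for the given ID, not a list. Suggest "Retrieves a software entity by its ID."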
@@ -301,8 +304,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) -- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). ## Still need help? From 2c2052341de9a76ccc675be197d8f9e4b88a4cec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 14:01:18 -0800 Subject: [PATCH 155/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9707bf3e13..573ce0cf3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
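Review bot: in the `@@ -301,8 +304,8 @@` hunk the two bullets now end in "; and then" and ".", which reads as one sentence split across list items; either make it a numbered list (1. Learn more about automation levels 2. Configure AIR capabilities) or keep plain bullets and drop the connective.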
@@ -302,7 +302,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). From 18bbbe6262a11c530e44a23e596395aaa921f787 Mon Sep 17 00:00:00 2001 From: Jeff Gilbert Date: Mon, 25 Jan 2021 17:58:10 -0500 Subject: [PATCH 156/190] Update create-wip-policy-using-intune-azure.md Updated per request from PM (dereka). --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
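Review bot: the rewritten sentence now says remediation actions are taken on artifacts deemed "Malicious or Suspicious", but the automation-level text this same series added in PATCH 148 (and removed in PATCH 151) said full automation acts only on artifacts "determined to be malicious". State which verdicts trigger automatic remediation and which wait for approval; on a false-positive page that distinction is what decides whether a misclassified file is quarantined before an analyst looks at it.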
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f36275b6ba..19f213f47f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the ` For example: ```console -URL <,proxy>|URL <,proxy>/*AppCompat*/ +URL <,proxy>|URL <,proxy>|/*AppCompat*/ ``` When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. From 2e2653dbb8763aa1004865b394c8bbae887b2adf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 15:13:56 -0800 Subject: [PATCH 157/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573ce0cf3f..9e49265a2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
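Review bot: the example now makes `/*AppCompat*/` its own `|`-delimited entry instead of a suffix on the last URL, but the prose above ("you can add the `...`") should say the same, that the token is a separate list element, or readers will reproduce the old concatenated form. Because the context line says this string stops Windows from blocking these connections, keep the Conditional Access recommendation immediately after the example, as it is here, rather than letting it drift to another section.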
@@ -205,7 +205,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. From 285c15d89bcdbc854e1d7bd5fe8c1de59454cf6a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 25 Jan 2021 17:12:21 -0800 Subject: [PATCH 158/190] Update windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/web-content-filtering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index b6d259a0f2..87f0151c05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
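Review bot: adding "on Windows 10" narrows the `Mpsupport.cab` procedure to client OS, yet the same article's requirements tables list Windows Server 2016 and 2019; if `MpCmdRun.exe -GetFiles` works there too, say "Windows 10 or Windows Server", otherwise tell Server readers what to do instead. The step-1 path in the context line still carries a leading space inside its code span.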
@@ -54,7 +54,7 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled. ## Data handling From 7d9fbb1011a636246f5b8ee1eeda47b309177d71 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:28:49 +0500 Subject: [PATCH 159/190] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 7fd98bd981..0cf3df8758 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -45,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. Windows 10 version | Microsoft Defender Antivirus -|- 
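Review bot: in the `network-protection.md` hunk, a licensing statement (Enterprise E3/E5) is replaced by an edition statement (Pro or Enterprise); these are different requirements, and the page now says nothing about licensing. If the E3/E5 wording was simply wrong, fine, but confirm whether a license statement belongs elsewhere on the page rather than disappearing. The comma before "and Microsoft Defender AV real-time protection" is unneeded.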
From 930fc4dc29b48afbc9db8b7dc0d2a7c8eb9cd62b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:32:17 +0500 Subject: [PATCH 160/190] Update troubleshoot-np.md --- .../threat-protection/microsoft-defender-atp/troubleshoot-np.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 4bfdccfe50..82fcbb7ca7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. > * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. > * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. From 74cb283b850d34b520e224c3427a835072f062bd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 08:56:15 -0800 Subject: [PATCH 161/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
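Review bot: in the `troubleshoot-np.md` hunk, "version 1709 or higher" should match the "version 1709 or later" wording used in the rest of this series (for example the indicator requirements table in `defender-endpoint-false-positives-negatives.md`). The edition change itself lines up with the `network-protection.md` change in the previous commit.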
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e49265a2f..d895dbaa84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/25/2021 +ms.date: 01/26/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -35,7 +35,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) 6. [Getting help if you still have issues with false positives/negatives](#still-need-help) 
@@ -131,7 +131,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Part 3: Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. From 9570f49f975fab39c28c729a2aaa0ecef3cfe3d6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:08:43 -0800 Subject: [PATCH 162/190] crosslinking --- .../antivirus-false-positives-negatives.md | 7 ++++++- .../microsoft-defender-antivirus-compatibility.md | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 099dbc450f..e99e915192 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 06/08/2020 +ms.date: 01/26/2021 ms.reviewer: shwetaj manager: dansimp audience: ITPro 
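Review bot: the anchor rewrite in the first hunk of defender-endpoint-false-positives-negatives.md (`#part-3-review-or-define-exclusions`) and the heading rename in the third hunk ("## Part 3: Review or define exclusions") are consistent with each other, but shortening a heading changes its slug, so search the repository for the old slug `#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint` before merging; several later patches in this series add cross-links to this article, and any of them that deep-link to the old anchor will silently land at the top of the page.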
@@ -35,6 +35,9 @@ What if something gets detected wrongly as malware, or something is missed? We c - [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) - [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) +> [!TIP] +> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md). + ## Submit a file to Microsoft for analysis 1. Review the [submission guidelines](../intelligence/submission-guide.md). @@ -76,3 +79,5 @@ To learn more, see: [What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) + +[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 7a74769372..ad505f776b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
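Review bot: the link appended at the end of antivirus-false-positives-negatives.md carries "\ No newline at end of file"; add the trailing newline so the next edit to this file does not produce a noisy diff. In the new TIP, "This article focuses on false positives in Microsoft Defender Antivirus" understates the article, whose own title and link list cover false negatives as well; say "false positives and false negatives" so the contrast with the Defender for Endpoint article it points to is accurate.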
@@ -122,4 +122,5 @@ The table in this section summarizes the functionality and features that are ava - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) From 79733d6899e099c607c3c2cfac9b538d7ed473e0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:10:21 -0800 Subject: [PATCH 163/190] Update automated-investigations.md --- .../microsoft-defender-atp/automated-investigations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 4233bcca90..93e3809c2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act ## See also - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) From c067a53cca66b8ef72f63d94c56a31f155531c38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:11:50 -0800 Subject: [PATCH 164/190] Update helpful-resources.md --- .../helpful-resources.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index 7d275ab90b..fd973e1a2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md 
@@ -29,31 +29,31 @@ ms.technology: mde Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform -- [Top scoring in industry +- [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live 
response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Defender for Endpoint Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational -- [The Golden Hour remake - Defining metrics for a successful security +- [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Defender for Endpoint Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) -- [How automation brings value to your security +- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) From 8c381211d597a1727bfdf4afcb05e1874ec85404 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:13:01 -0800 Subject: [PATCH 165/190] Update helpful-resources.md --- .../microsoft-defender-atp/helpful-resources.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index fd973e1a2a..88e26c2252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md 
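Review bot: the helpful-resources.md hunk is whitespace-only (trailing spaces trimmed; every changed line is otherwise identical), which is fine, but two visible defects survive it: the "Evaluation lab" entry has a space inside the link text before the closing bracket ("public preview ](https://..."), and the section heading "## Threat Vulnerability Management" drops the ampersand that the entry under it uses ("Threat & Vulnerability Management"). Several link texts are also split across a line break ("Top scoring in industry / tests"); Markdown tolerates that, but joining them would make the list easier to grep and translate.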
@@ -57,3 +57,5 @@ Access helpful resources such as links to blogs and other resources related to - [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From e3fb119c6451ff8e454050d406126460f245ef88 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:14:47 -0800 Subject: [PATCH 166/190] Update manage-atp-post-migration.md --- .../microsoft-defender-atp/manage-atp-post-migration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index 2cb0d3548e..efb39aa306 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -18,7 +18,7 @@ ms.collection: - M365-security-compliance - m365solution-scenario ms.topic: conceptual -ms.date: 09/22/2020 +ms.date: 01/26/2021 ms.reviewer: chventou --- @@ -43,3 +43,6 @@ The following table lists various tools/methods you can use, with links to learn |**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
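Review bot: the helpful-resources.md addition lands under the "Operational" heading, where every other entry is a blog post, and again ends with "\ No newline at end of file"; add the newline, and consider whether a docs article belongs in that list or should go in a separate "Documentation" group so readers know what kind of resource they are opening.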

See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). | |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*

You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).

You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).

You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). | +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 92f0b61c0674ae8e52cab1d67873b1ad9594da14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:23:40 -0800 Subject: [PATCH 167/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d895dbaa84..217c0ca4ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
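Review bot: the "See also" section appended to manage-atp-post-migration.md is missing its trailing newline ("\ No newline at end of file"), same as the other link additions in this series; fix it here too. The hunk is otherwise just the date bump plus a one-item list, and the table row it follows is unchanged context, so nothing else to flag.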
@@ -307,6 +307,9 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). +> [!TIP] +> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. + ## Still need help? From 66e207e995f7d51a6d0f8f2e0301d2c609cfc185 Mon Sep 17 00:00:00 2001 From: Peter Lewis Date: Tue, 26 Jan 2021 17:28:04 +0000 Subject: [PATCH 168/190] fix title fix title which omitted full wording (replace "Set up Microsoft c for macOS device groups in Jamf Pro" with "Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro") --- .../microsoft-defender-atp/mac-jamfpro-device-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index 3b011e3606..73dc882a2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md 
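Review bot: the new TIP in defender-endpoint-false-positives-negatives.md links the same article two different ways within three lines: the bullet above uses the absolute URL https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels, the TIP uses the relative `automation-levels.md#levels-of-automation`; use the relative form for both (and confirm a "Levels of automation" heading exists in that file so the fragment resolves). Also check the last sentence: the automation level governs whether remediation actions run automatically or wait for approval, so "reduce the number of alerts your security operations team must handle" probably means "pending remediation actions" rather than "alerts".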
@@ -20,7 +20,7 @@ ms.topic: conceptual ms.technology: mde --- -# Set up Microsoft c for macOS device groups in Jamf Pro +# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From 99ddcfab0a6114688c9433efb418c6f987d0a1c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 09:31:20 -0800 Subject: [PATCH 169/190] Update auto-investigation-action-center.md --- .../microsoft-defender-atp/auto-investigation-action-center.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index e929d6e210..0fb359840a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -170,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file From 0ee619b4fcec0cb7011e5cf4f1e882a75be2b3b0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 10:22:42 -0800 Subject: [PATCH 170/190] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 0304cdd397..75f4bba554 100644 
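Review bot: the mac-jamfpro-device-groups.md title fix matches the commit message exactly and needs no further change. The auto-investigation-action-center.md "See also" addition in the following hunk lacks the trailing newline ("\ No newline at end of file"); add it.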
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.date: 01/07/2021 +ms.date: 01/26/2021 ms.collection: - m365-security-compliance - m365initiative-defender-endpoint @@ -70,7 +70,7 @@ The following image shows an instance of unwanted software that was detected and |Requirement |Details | |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | +|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 | |Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | From 2b73b1d9c583dce0361b9cf4c9f953519d6b4f79 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:00:16 -0800 Subject: [PATCH 171/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 217c0ca4ff..9c411725bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
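Review bot: the Operating system row in edr-in-block-mode.md replaces "Windows Server 2016 or later" with "Windows Server, version 1803 or newer" and "Windows Server 2019", which silently removes Windows Server 2016 from the supported list. If that narrowing is intended, the commit message ("Update edr-in-block-mode.md") should say so and the article should tell Server 2016 readers that EDR in block mode is not available to them; if it is not intended, keep Server 2016 in the list. Since Server 2019 is already covered by "version 1803 or newer", the two bullets can also be collapsed into one line.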
@@ -31,7 +31,9 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. + +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 
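Review bot: in the split intro paragraph of defender-endpoint-false-positives-negatives.md, "your security operations can take steps" is missing its noun; write "your security operations team can take steps". The same line uses a curly apostrophe in "you’re" while the rest of the hunk uses straight quotes ("isn't", "you're"); normalize to straight quotes.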
@@ -40,8 +42,8 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) 6. [Getting help if you still have issues with false positives/negatives](#still-need-help) -> [!IMPORTANT] -> This article is intended for security operators and administrators. +> [!NOTE] +> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). ## Part 1: Review and classify alerts From 17d43cfd5707c0b32a5c96b5370503a93beed655 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:10:26 -0800 Subject: [PATCH 172/190] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 0cf3df8758..2a2ebcab64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection. -Windows 10 version | Microsoft Defender Antivirus --|- -Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled +| Windows 10 version | Microsoft Defender Antivirus | +|:---|:---| +| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled | -After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints. +After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints. - .smartscreen.microsoft.com - .smartscreen-prod.microsoft.com From 8bfa5fd4bf9e6d15aea12d0cd09f0628b01bac3a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:14:51 -0800 Subject: [PATCH 173/190] Update troubleshoot-np.md --- .../microsoft-defender-atp/troubleshoot-np.md | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 82fcbb7ca7..79cdbc3b60 100644 
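Review bot: the network-protection.md hunk changes the sentence to "Microsoft Defender Antivirus real-time protection" but leaves the table cell's link text as "Microsoft Defender AV real-time protection", so the naming inconsistency the edit set out to fix survives one line lower; update the link text as well. The pipe-table conversion is otherwise correct, and "may" to "might" is fine, but the same article's sibling troubleshoot-np.md still says "you may encounter issues" in the next patch; apply the same wording choice there.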
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 03/27/2019 +ms.date: 01/26/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -24,14 +24,13 @@ ms.technology: mde **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -* IT administrators +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- IT administrators When you use [Network protection](network-protection.md) you may encounter issues, such as: -* Network protection blocks a website that is safe (false positive) -* Network protection fails to block a suspicious or known malicious website (false negative) +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: 
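Review bot: the troubleshoot-np.md bullet normalization (`*` to `-`) and the removal of the blank line between the two "Applies to" items are fine. For consistency with the "may" to "might" change made in network-protection.md in the previous patch, the unchanged context line "When you use [Network protection](network-protection.md) you may encounter issues" should be updated in the same pass, with a comma after the link.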
@@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. -> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode 
@@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we Set-MpPreference -EnableNetworkProtection AuditMode ``` -1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. If network protection is not blocking a connection that you are expecting it should block, enable the feature. 
@@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives). + ## Exclude website from network protection scope To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check. 
@@ -89,16 +90,17 @@ When you report a problem with network protection, you are asked to collect and cd c:\program files\windows defender ``` -1. Run this command to generate the diagnostic logs: +2. Run this command to generate the diagnostic logs: ```PowerShell mpcmdrun -getfiles ``` -1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -* [Network protection](network-protection.md) -* [Evaluate network protection](evaluate-network-protection.md) -* [Enable network protection](enable-network-protection.md) +- [Network protection](network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) +- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives) From 1bf91a1fd859e054e58303a537815bb4cfbe4c00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:15:51 -0800 Subject: [PATCH 174/190] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 2a2ebcab64..29ed5acfbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description - -|- - 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + | Event ID | Description | + |:---|:---| + | 5007 | Event when settings are changed | + | 1125 | Event when network protection fires in audit mode | + | 1126 | Event when network protection fires in block mode | ## Related articles From e2f432e0a8799480ccf021609a4e9d178d294237 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:01 -0800 Subject: [PATCH 175/190] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 0c47055df2..576fd34c27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr From e6fb1e9cee0ae3f6ba9216514805cddc6a1c70f6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:24 -0800 Subject: [PATCH 176/190] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 576fd34c27..1187818d92 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,4 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 2cbc3d3d36c30cbefa068412a6d603e077350e91 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Tue, 26 Jan 2021 13:00:19 -0800 Subject: [PATCH 177/190] Update customize-windows-10-start-screens-by-using-group-policy.md --- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 3cd4ad2b71..ebadfd9803 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: From 8128755e7ef4ff40de3ec3af2895bcdd7ec59206 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:08:23 -0800 Subject: [PATCH 178/190] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 39 ++++++++++++++++--- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9c411725bb..d40358edae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -183,13 +183,40 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections: -| Indicator type and considerations | Prerequisites | -|:----|:----| -|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +#### Indicators for files + +When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. + +Before you create indicators for files, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) + +#### Indicators for IP addresses, URLs, or domains + +When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. 
+ +Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: +- Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Antimalware client version is 4.18.1906.x or later +- Devices are running Windows 10, version 1709, or later + +Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) + +#### Indicators for application certificates + +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked. + +`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities). + +Before you create indicators for application certificates, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) 
+- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- Virus and threat protection definitions are up to date > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 9462c60ab32a5b72766646a6d88d2259a6688024 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:12:57 -0800 Subject: [PATCH 179/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d40358edae..a055c2e2f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
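Review bot: In the "Indicators for IP addresses, URLs, or domains" section, the prerequisite "+Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](...).)" lost its `- ` prefix, so it renders as a standalone paragraph after the list instead of as the fourth requirement; it should be a bullet alongside "Network protection ... is enabled in block mode", "Antimalware client version is 4.18.1906.x or later" and "Devices are running Windows 10, version 1709, or later". Two smaller issues in the same hunk: the certificates heading line has a stray `**` after the closing `)` of the link, which will render as literal asterisks, and "that you organization uses" should read "that your organization uses". Finally, several caveats from the removed table have no replacement in the new sections (file blocks taking up to 30 minutes and the warning about blocking trusted, signed files; the up-to-2-hour latency, single-IP-only and encrypted-URL limits for network indicators; "Microsoft signed certificates cannot be blocked" and the up-to-3-hour creation/removal time for certificate IoCs). If they are meant to move to the linked per-indicator articles, say so in the commit message; otherwise keep them as a short "Considerations" list under each section, since readers troubleshooting a false positive will otherwise expect an allow indicator to take effect immediately.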
@@ -208,9 +208,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente #### Indicators for application certificates -When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked. - -`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities). +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. Before you create indicators for application certificates, make sure the following requirements are met: - Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) From 474099df034bf4f0f31aa59f9e6095a7d3208864 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:14:30 -0800 Subject: [PATCH 180/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
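Review bot: The rewritten line still carries the stray `**` after `(https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)`, so the link is followed by literal asterisks; drop it here rather than in a follow-up commit. Also, the deleted sentence about what counts as a valid leaf certificate ("must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client ... Local Machine Trusted Root Certification Authorities") is a prerequisite for the indicator to work at all, not just a consideration; consider keeping it as a bullet under "Before you create indicators for application certificates", next to "Virus and threat protection definitions are up to date".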
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a055c2e2f7..f327f3bbc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -329,7 +329,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). From 2c8970880b66249c95bf2beea131184d0857517f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:19:51 -0800 Subject: [PATCH 181/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f327f3bbc5..f32e43f1a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,7 +183,10 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections: +You can create indicators for: +- [Files](#indicators-for-files) +- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) +- [Application certificates](#indicators-for-application-certificates) #### Indicators for files From d572315a16f509b1a726b333916bf1bd4ef6f822 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 13:21:16 -0800 Subject: [PATCH 182/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f32e43f1a9..89da6e7ecf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -211,7 +211,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente #### Indicators for application certificates -When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. Before you create indicators for application certificates, make sure the following requirements are met: - Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).) From 0fc5c1575c45368487396bb4cef1ffe83d54c36e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:09:47 -0800 Subject: [PATCH 183/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 89da6e7ecf..99428b624b 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,7 +63,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From 71ce32654daec644b5ddbd198d5fa7f167bacedf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:16 -0800 Subject: [PATCH 184/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 99428b624b..65a56a8421 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,7 +85,7 @@ If you have alerts that are either false positives or that are true positives bu 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. 5. Specify all the settings for your suppression rule, and then choose **Save**. > [!TIP] From 5db57d8657c4b511930d491c3010cd25ef049736 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:44 -0800 Subject: [PATCH 185/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 65a56a8421..3cdec79594 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -268,7 +268,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the ### Cloud-delivered protection -Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). From 98147f674b436cc6716e980e2869d013fe4e21bf Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:09 -0800 Subject: [PATCH 186/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3cdec79594..f749263f1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -280,7 +280,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) From 4dce3eb74897b63e1b9d8093282a41702e395c25 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:47 -0800 Subject: [PATCH 187/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f749263f1b..731967a11e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -300,7 +300,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. -Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. From 37c3f8535612fc56170dfa2c61bdf3befbfbb465 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:17:47 -0800 Subject: [PATCH 188/190] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 731967a11e..251443c99e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -31,16 +31,17 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: -1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) -2. 
[Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) -4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -6. [Getting help if you still have issues with false positives/negatives](#still-need-help) +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). From 2124e871d4e374b3206bd09300c846ed9e118495 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:18:18 -0800 Subject: [PATCH 189/190] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 251443c99e..9fef03cef6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: From 8c5574fd668f3c09831eb4f953c3f0fa40ffe846 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 26 Jan 2021 15:23:49 -0800 Subject: [PATCH 190/190] Re-labeled code blocks As written, the commands in the code blocks that I re-labeled work from the Windows command line, but not from the PowerShell command line. --- .../microsoft-defender-atp/troubleshoot-np.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 79cdbc3b60..05563e45c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -86,13 +86,13 @@ When you report a problem with network protection, you are asked to collect and 1. Open an elevated command prompt and change to the Windows Defender directory: - ```PowerShell + ```console cd c:\program files\windows defender ``` 2. Run this command to generate the diagnostic logs: - ```PowerShell + ```console mpcmdrun -getfiles ```
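Review bot: In the rewritten step 4 of PATCH 186/190, "We recommend setting cloud-delivered protection to **Not configured**" now reads as a recommendation to leave cloud-delivered protection itself unconfigured, while the row the step describes is the **Cloud-delivered protection level**. Suggest "We recommend leaving the **Cloud-delivered protection level** at **Not configured**, which provides strong protection while reducing the chances of getting false positives." so that an admin trimming false positives does not switch off cloud protection altogether.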
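Review bot: In the PUA paragraph of PATCH 187/190, replacing "If this is happening" with "If necessary" drops the condition the advice depends on (false positives caused by PUA protection settings) and leaves "necessary" undefined. Suggest "If PUA protection is generating false positives, consider running it in audit mode for a while, or apply PUA protection to a subset of devices in your organization." While touching the sentence, "for a while" could state what ends the audit period, such as after the flagged apps have been reviewed.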
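Review bot: Typo "includling" in the first added paragraph of the PATCH 188/190 hunk; it is corrected in the next commit (2124e871), so consider squashing the two. The new intro also repeats itself: "Fortunately, steps can be taken to address ... your security operations can take steps to address false positives or false negatives:" could become "... your security operations team can take the following steps:". Finally, the shortened link text for items 3 and 4 no longer matches the anchors ("Review and define exclusions" versus #part-3-review-or-define-exclusions, "Submit an entity for analysis" versus #part-4-submit-a-file-for-analysis); keep the list text aligned with the headings so the anchors do not drift later.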
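Review bot: PATCH 189/190 only corrects "includling" to "including", a typo introduced by the immediately preceding commit 37c3f853; squash it into that commit rather than landing a one-word fix-up. The unchanged context line in this hunk still reads "steps can be taken to address ... can take steps to address", which is worth tightening while the paragraph is being edited.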
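Review bot: Relabeling both fences from PowerShell to console in PATCH 190/190 is correct: step 1 says "Open an elevated command prompt", and `cd c:\program files\windows defender` only works unquoted in cmd.exe (in PowerShell a path containing spaces must be quoted, and a program in the current directory must be invoked as `.\mpcmdrun`). Since a fence label is easy to miss, consider also stating in the step 1 text that the commands are intended for the Command Prompt rather than PowerShell.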