diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7625ab46bb..17e70ad2c6 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -429,7 +429,7 @@ The following diagram shows the BitLocker configuration service provider in tree
The possible values for 'xx' are:
- 0 = Empty -- 1 = Use default recovery message and URL. +- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). - 2 = Custom recovery message is set. - 3 = Custom recovery URL is set. - 'yy' = string of max length 900. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index b57e6e3f98..af1097e973 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -401,7 +401,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. **VPNv2/***ProfileName***/PluginProfile/ServerUrlList** -Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format. +Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 66befc0f13..0066e48950 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -106,7 +106,7 @@ The following resources provide additional information about using Windows Updat - regsvr32.exe wuwebv.dll 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: ``` - netsh reset winsock + netsh winsock reset ``` 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: ``` diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 370860330f..b6be3b5acd 100644 
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md 
@@ -40,52 +40,52 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|*.aria.microsoft.com* | HTTPS | Office Telemetry -|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. -|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. -|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|*.Skype.com | HTTP/HTTPS | Skype related traffic -|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic -|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. -|*cdn.onenote.net* | HTTP | OneNote related traffic -|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic -|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|*maps.windows.com* | HTTPS | Related to Maps application. -|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry -|*photos.microsoft.com* | HTTPS | Photos App related traffic -|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|*wac.phicdn.net* | HTTP | Windows Update related traffic -|*windowsupdate.com* | HTTP | Windows Update related traffic -|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). 
-|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). 
+|\*wpc.v0cdn.net* | | Windows Telemetry related traffic |auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related |evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com* | HTTPS | Used by OneDrive +|g.live.com\* | HTTPS | Used by OneDrive |iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.micorosoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |officeclient.microsoft.com | HTTPS | Office related traffic. |oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. 
-|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. |ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. 
+|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. |v10.events.data.microsoft.com | HTTPS | Diagnostic Data |wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. @@ -111,7 +111,7 @@ We used the following methodology to derive these network endpoints: | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | 
@@ -127,10 +127,10 @@ We used the following methodology to derive these network endpoints: | *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | | *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. | 
@@ -151,7 +151,7 @@ We used the following methodology to derive these network endpoints: | maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3feed9a1fa..e65fbfe36a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -228,6 +228,7 @@ ####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) ###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) ###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +###### [Onboard machines without Internet access](windows-defender-atp/onboard-offline-machines.md) ###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) ###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) ###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 74fd606119..a1cf9746d1 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -17,37 +17,48 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged if the Windows Filtering Platform has blocked a bind to a local port. - -There is no example of this event in this document. +
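Review bot: In the bitlocker-csp.md hunk, the new text for value 1 says the "RecoveryMessage_Input" and "RecoveryUrl_Input" values need not be specified, but it does not say what happens when they are supplied anyway. Say whether they are ignored or rejected in that case. The entries for values 2 and 3 could also name which of the two inputs each one requires, so that the list reads the same way throughout.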
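Review bot: In the vpnv2-csp.md hunk, the ServerUrlList description changes the delimiter from comma to semicolon but gives no example value, so a reader who built a profile from the earlier wording has nothing to compare against. Add a short example with two servers after "in URL, hostname, or IP format", and say whether whitespace around the separator is accepted.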
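Review bot: In the windows-update-resources.md hunk, step 7 now shows `netsh winsock reset` but still does not say whether a restart is needed before moving on to step 8. If one is required, add that sentence to the step. It is also worth searching the rest of the file and its sibling articles for the old `netsh reset winsock` order so that the correction is not limited to this one occurrence.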
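Review bot: In the first windows-endpoints-1809-non-enterprise-editions.md hunk (@@ -40,52), the asterisk escaping is applied unevenly. Several added rows escape only the leading asterisk, for example `+|\*cdn.onenote.net* | HTTP`, `+|\*hwcdn.net* | HTTP` and `+|\*wpc.v0cdn.net* |`, and `+|store*.dsx.mp.microsoft.com\*` leaves the asterisk after "store" unescaped. Unchanged rows such as `oneclient.sfx.ms*`, `wdcp.microsoft.*` and `evoke-windowsservices-tas.msedge*` are not escaped at all. Escape every literal asterisk in the Destination column so the table renders uniformly; since these patterns are likely to be copied into allow lists, a swallowed wildcard changes what the entry means. The `mscrl.micorosoft.com` to `mscrl.microsoft.com` spelling fix in the same hunk looks right.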
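Review bot: In the @@ -127,10 hunk of the same file, the trailing asterisks are escaped but the leading ones are not, as in `+| *.tlu.dl.delivery.mp.microsoft.com\* |` and `+| *.windowsupdate.com\* |`, whereas the first table in this change escapes the leading asterisk as well. Use one convention for both tables, and apply it to the unchanged `*geo-prod.do.dsp.mp.microsoft.com` and `*.g.akamaiedge.net` rows as well.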
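Review bot: In the TOC.md hunk, the new entry links to `windows-defender-atp/onboard-offline-machines.md`, while every neighbouring entry in the visible context uses a file name ending in `-windows-defender-advanced-threat-protection.md`. Either rename the target to follow that pattern or confirm the shorter name is intended, and make sure the target file is part of this change so the link does not land on a missing page.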