mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 04:43:37 +00:00
Merged PR 13303: update
This commit is contained in:
Joey Caparas
Binary file not shown.
|
After Width: | Height: | Size: 142 KiB |
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: aadake
|
||||
ms.date: 10/03/2018
|
||||
ms.date: 12/08/2018
|
||||
---
|
||||
|
||||
# Kernel DMA Protection for Thunderbolt™ 3
|
||||
@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot
|
||||
|
||||
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
|
||||
|
||||
**To check if a device supports Kernel DMA Protection**
|
||||
### Using Security Center
|
||||
|
||||
Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
|
||||
|
||||
|
||||
|
||||
### Using System information
|
||||
|
||||
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
|
||||
2. Check the value of **Kernel DMA Protection**.
|
||||
|
||||
|
||||
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
|
||||
- Reboot into BIOS settings
|
||||
- Turn on Intel Virtualization Technology.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 58 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
|
||||
@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options]
|
||||
|
||||
Command | Description
|
||||
:---|:---
|
||||
\- ? **or** -h | Displays all available options for the tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
|
||||
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
|
||||
\-? **or** -h | Displays all available options for this tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded signatures
|
||||
\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates
|
||||
\-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s)
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignatures | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-CheckExclusion -path <path> | Checks whether a path is excluded
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure scheduled quick or full Windows Defender Antivirus scans
|
||||
@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic:
|
||||
|
||||
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
|
||||
|
||||
|
||||
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
|
||||
|
||||
## Quick scan versus full scan and custom scan
|
||||
@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
|
||||
|
||||
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
|
||||
|
||||
>[!NOTE]
|
||||
>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
|
||||
|
||||
**Use Group Policy to schedule scans:**
|
||||
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
---
|
||||
title: Querying Application Control events centrally using Advanced hunting (Windows 10)
|
||||
description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: mdsakibMSFT
|
||||
ms.author: justinha
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Querying Application Control events centrally using Advanced hunting
|
||||
|
||||
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
|
||||
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
|
||||
|
||||
In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP.
|
||||
|
||||
Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
|
||||
This capability is supported beginning with Windows version 1607.
|
||||
|
||||
Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
|
||||
|
||||
```kusto
|
||||
MiscEvents
|
||||
| where EventTime > ago(7d) and
|
||||
ActionType startswith "AppControl"
|
||||
| summarize Machines=dcount(ComputerName) by ActionType
|
||||
| order by Machines desc
|
||||
```
|
||||
|
||||
The query results can be used for several important functions related to managing WDAC including:
|
||||
|
||||
- Assessing the impact of deploying policies in audit mode
|
||||
Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
|
||||
- Monitoring blocks from policies in enforced mode
|
||||
Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
|
||||
@ -59,7 +59,7 @@ To see a live example of these operators, run them as part of the **Get started*
|
||||
|
||||
## Access query language documentation
|
||||
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
|
||||
|
||||
## Use exposed tables in Advanced hunting
|
||||
|
||||
|
||||
@ -50,7 +50,6 @@ detectionSource | string | Detection source.
|
||||
threatFamilyName | string | Threat family.
|
||||
title | string | Alert title.
|
||||
description | String | Description of the threat, identified by the alert.
|
||||
recommendedAction | String | Action recommended for handling the suspected threat.
|
||||
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
|
||||
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
|
||||
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
|
||||
@ -74,7 +73,6 @@ machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -26,7 +26,8 @@ ms.date: 11/20/2018
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
|
||||
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/19/2018
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Onboard Windows 10 machines using Mobile Device Management tools
|
||||
@ -34,27 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
|
||||
|
||||
## Onboard machines using Microsoft Intune
|
||||
|
||||
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||
|
||||
### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
|
||||
|
||||
1. Login to the [Microsoft Azure portal](https://portal.azure.com).
|
||||
|
||||
2. Select **Device Configuration > Profiles > Create profile**.
|
||||
|
||||
3. Enter a **Name** and **Description**.
|
||||
|
||||
4. For **Platform**, select **Windows 10 and later**.
|
||||
|
||||
5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**.
|
||||
|
||||
6. Configure the settings:
|
||||
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
|
||||
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
|
||||
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
|
||||
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property.
|
||||
|
||||
7. Select **OK**, and **Create** to save your changes, which creates the profile.
|
||||
|
||||
> [!NOTE]
|
||||
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
|
||||
|
||||
@ -84,8 +84,8 @@ Content-Length: application/json
|
||||
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"severity": "Low",
|
||||
"title": "test alert",
|
||||
"description": "redalert",
|
||||
"recommendedAction": "white alert",
|
||||
"description": "test alert",
|
||||
"recommendedAction": "test alert",
|
||||
"eventTime": "2018-08-03T16:45:21.7115183Z",
|
||||
"reportId": "20776",
|
||||
"category": "None"
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Enable SIEM integration in Windows Defender ATP
|
||||
@ -20,20 +20,29 @@ ms.date: 10/08/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
|
||||
|
||||
## Prerequisites
|
||||
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
|
||||
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
|
||||
|
||||
## Enabling SIEM integration
|
||||
1. In the navigation pane, select **Settings** > **SIEM**.
|
||||
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
|
||||
|
||||
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
|
||||
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
|
||||
|
||||
|
||||
3. Choose the SIEM type you use in your organization.
|
||||
|
||||
|
||||
@ -100,8 +100,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -87,8 +87,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -100,8 +100,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
@ -121,8 +120,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -96,8 +96,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -117,8 +116,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
@ -94,8 +94,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -20,7 +20,8 @@ ms.date: 11/20/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
|
||||
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -114,8 +113,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 68 KiB |
@ -40,7 +40,7 @@ id | Guid | Identity of the [Machine Action](machineaction-windows-defender-adva
|
||||
type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
|
||||
requestor | String | Identity of the person that executed the action.
|
||||
requestorComment | String | Comment that was written when issuing the action.
|
||||
status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
machineId | String | Id of the machine on which the action was executed.
|
||||
creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
|
||||
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
|
||||
|
||||
@ -25,7 +25,8 @@ There are some minimum requirements for onboarding machines to the service.
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## Licensing requirements
|
||||
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
|
||||
|
||||
@ -22,7 +22,8 @@ ms.date: 11/20/2018
|
||||
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## In this section
|
||||
|
||||
|
||||
@ -73,7 +73,7 @@ The response will include an access token and expiry information.
|
||||
```json
|
||||
{
|
||||
"token_type": "Bearer",
|
||||
"expires_in": "3599"
|
||||
"expires_in": "3599",
|
||||
"ext_expires_in": "0",
|
||||
"expires_on": "1488720683",
|
||||
"not_before": "1488720683",
|
||||
|
||||
@ -98,8 +98,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -68,7 +68,8 @@ Windows Defender ATP uses the following combination of technology built into Win
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
|
||||
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
|
||||
|
||||
@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se
|
||||
|
||||
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
|
||||
|
||||
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
|
||||
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
|
||||
|
||||
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
|
||||
|
||||
### Import an existing XML custom view
|
||||
|
||||
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
|
||||
1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
|
||||
- Controlled folder access events custom view: *cfa-events.xml*
|
||||
- Exploit protection events custom view: *ep-events.xml*
|
||||
- Attack surface reduction events custom view: *asr-events.xml*
|
||||
|
||||
Reference in New Issue
Block a user