From 6f768e2360b52b7d3f8b709d5554d8914906238d Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Wed, 3 Jul 2019 16:23:56 +0200 Subject: [PATCH 1/6] Update attack-surface-reduction-exploit-guard.md Added example query. --- .../attack-surface-reduction-exploit-guard.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index ac87bbc9ed..23084d3586 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -45,6 +45,19 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Review attack surface reduction events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. + +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. + +Here is an example query: + +``` +MiscEvents +| where ActionType startswith 'Asr' +``` + ## Review attack surface reduction events in Windows Event Viewer You can review the Windows event log to view events that are created when attack surface reduction rules fire: From ef330ecd69e8039702edff57dc381e49613a2a39 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 13:08:31 +0200 Subject: [PATCH 2/6] Update windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 23084d3586..5630ada92e 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -49,7 +49,7 @@ For information about configuring attack surface reduction rules, see [Enable at Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. Here is an example query: From aeb16491cf3550f5a1a541bbef42a0041af3b0e8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 8 Jul 2019 09:39:43 -0700 Subject: [PATCH 3/6] Update attack-surface-reduction-exploit-guard.md changing "Windows Defender ATP" to "Microsoft Defender ATP" --- .../attack-surface-reduction-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5630ada92e..89e37b7f6d 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -45,9 +45,9 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Windows Defender ATP Security Center +## Review attack surface reduction events in the Microsoft Defender ATP Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. From 0c635cc936d94d3cfaa09508b140fbbfd4261c5e Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Tue, 9 Jul 2019 06:04:21 +0200 Subject: [PATCH 4/6] Update windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 89e37b7f6d..07d023ebd2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -45,7 +45,7 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Defender ATP Security Center +## Review attack surface reduction events in the Microsoft Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. From 19902e5d9a8b66ef1732024b69d27120d8d8dc00 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Tue, 9 Jul 2019 06:08:01 +0200 Subject: [PATCH 5/6] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 07d023ebd2..89e37b7f6d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -45,7 +45,7 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Security Center +## Review attack surface reduction events in the Microsoft Defender ATP Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. From 278d0260a1cb2503b903f81d05b32801d4554c57 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Tue, 9 Jul 2019 06:16:38 +0200 Subject: [PATCH 6/6] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 89e37b7f6d..07d023ebd2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -45,7 +45,7 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Defender ATP Security Center +## Review attack surface reduction events in the Microsoft Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
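Review bot: In patch 1 the added paragraph names the wrong feature: "you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled" sits in a section about attack surface reduction rules, and the example query filters on `ActionType startswith 'Asr'`, so the sentence should read "how attack surface reduction rules would affect your environment" (the wording looks copied from the controlled folder access page). The fence around the query also carries no language tag; adding a `kusto` tag would get the snippet highlighted and make clear to the reader that it is a KQL query rather than a command to type at a prompt.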
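Review bot: Patch 2 rewrites the Advanced hunting sentence but keeps "controlled folder access settings" in it, so the paragraph still contradicts the section heading and the `Asr` query below it. Switching the link to the locale-neutral URL and simplifying "would affect ... if they were enabled" to "could affect your environment" is fine, but the feature name should be corrected in the same change rather than left for a later commit.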
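Review bot: Patches 4, 5 and 6 only toggle the heading between "Microsoft Security Center" and "Microsoft Defender ATP Security Center": the index lines show the file going 07d023ebd2 -> 89e37b7f6d -> 07d023ebd2, so patch 5 exactly reverts patch 4 and patch 6 reapplies it. Squash the three into a single heading change (or drop patches 5 and 6) so the history is readable, and pick the wording deliberately: the heading names a portal, while the section body only describes Advanced hunting queries, so a heading like "Review attack surface reduction events with Advanced hunting" would describe the content more accurately.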