mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 06:47:21 +00:00
multiple updates
This commit is contained in:
parent
43eb7d4053
commit
ad29b549b4
@ -90,9 +90,9 @@
|
||||
|
||||
#### [Automated investigations](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
|
||||
#### [Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
|
||||
##### [Advanced hunting table reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### [Enable conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
###API and SIEM support
|
||||
#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
|
||||
|
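Review bot: `###API and SIEM support` has no space between the `###` and the heading text, so Markdown renders it as a literal paragraph instead of a level-3 TOC heading; change it to `### API and SIEM support` so it matches `### [Enable conditional access ...]` directly above it.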
@ -25,6 +25,8 @@ ms.date: 04/16/2018
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
## Advanced hunting query best practices
|
||||
The following best practices serve as a guideline for you to maximize the advanced hunting capability.
|
||||
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
|
||||
@ -104,7 +106,9 @@ Use the following table to understand what the columns represent, its data type,
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
|
||||
| ReportIndex | long | Event identifier that is unique among the same event type. |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
|
||||
|
||||
|
||||
|
||||
|
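Review bot: the `SHA256` row is missing the closing `|` after its description cell, while every other row in this table (`RemoteUrl`, `ReportIndex`, `SHA1`) ends with one; add the trailing pipe so the new row follows the table's existing style.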
@ -25,6 +25,9 @@ ms.date: 04/16/2018
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
|
||||
|
||||
Advanced hunting allows you to proactively hunt for possible threats across your organization using a powerful search and query tool. Take advantage of the following capabilities:
|
||||
|
||||
- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
|
||||
@ -159,8 +162,11 @@ The filter selections will resolve as an additional query term and the results w
|
||||
## Public Advanced Hunting query GitHub repository
|
||||
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
|
||||
|
||||
## Related topic
|
||||
- [Advanced hunting table reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
- [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
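Review bot: the related-topic link text changes from `Advanced hunting table reference` to `Advanced hunting reference` while the target stays `advanced-hunting-reference-windows-defender-advanced-threat-protection.md`, consistent with the TOC rename in the first hunk; confirm that the target page's own title uses the same wording, otherwise link text and page heading diverge.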
@ -212,6 +212,9 @@ You also have the option of selecting multiple investigations to approve or reje
|
||||
|
||||

|
||||
|
||||
## Related topic
|
||||
- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -23,6 +23,10 @@ ms.date: 03/05/2018
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
|
||||
|
||||
Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
|
||||
|
||||
With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
|
||||
@ -61,6 +65,10 @@ You'll need to take the following steps to enable conditional access:
|
||||
3. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal).
|
||||
3. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started).
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||
|
||||
## Related topic
|
||||
- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
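Review bot: the two consecutive steps `3. Create a device compliance policy in Intune` and `3. Define a conditional access policy in AAD` carry the same number; if both lines are meant to remain in the procedure, renumber the second to `4.` so the source reads in order (Markdown renders the list sequentially either way, which hides the duplicate in the source).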
@ -23,11 +23,9 @@ ms.date: 10/16/2017
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
|
||||
|
||||
## Pull alerts using supported security information and events management (SIEM) tools
|
||||
## Pull alerts using security information and events management (SIEM) tools
|
||||
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
|
||||
|
||||
|
||||
|
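Review bot: `Windows Defender ATP supports (SIEM) tools to pull alerts.` leaves the parenthesised acronym without the expansion it belongs to; either drop the parentheses (`supports SIEM tools`) or spell it out once (`supports security information and event management (SIEM) tools`). Both versions of the heading above also say `events management`; the standard term is `security information and event management`.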
@ -47,7 +47,7 @@ You’ll need to use the access token in the Authorization header when doing RES
|
||||
|
||||
## Related topics
|
||||
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
@ -40,10 +40,8 @@ Set the baselines for calculating the score of Windows Defender security control
|
||||
|
||||
## Related topics
|
||||
- [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
|
||||
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Update data retention settings for Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure automation notifications in Windows Defender ATP](configure-automation-notifications-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)
|
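Review bot: `[Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)` starts with a leading `/`, unlike every other entry in this list, which makes it a root-relative path and will break the link on the published site; remove the slash. Several pairs in the list also point at the same file (`general-settings-...`, `configure-email-notifications-...`, `powerbi-reports-...`, `advanced-features-...`), so check that the surviving list names each target only once.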
@ -152,8 +152,8 @@ This step will guide you in exploring the custom alert in the portal.
|
||||
|
||||
## Related topics
|
||||
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
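Review bot: `[Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)` appears twice in this list; whichever of the two lines this change keeps, make sure the resulting Related topics list contains that entry only once.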
Binary file not shown.
Before Width: | Height: | Size: 398 KiB After Width: | Height: | Size: 398 KiB |
@ -34,6 +34,7 @@ ms.date: 04/16/2018
|
||||
Follow the corresponding instructions depending on your preferred deployment method.
|
||||
|
||||
## Offboard Windows 10 machines
|
||||
- [Offboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md#offboard-machines-using-a-local-script)
|
||||
- [Offboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md#offboard-machines-using-group-policy)
|
||||
- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#offboard-machines-using-system-center-configuration-manager)
|
||||
- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
|
||||
|
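Review bot: the Mobile Device Management entry links to the anchor `#offboard-and-monitor-machines-using-mobile-device-management-tools`, which does not follow the `#offboard-machines-using-...` pattern of the three entries above it; verify that the heading in `configure-endpoints-mdm-windows-defender-advanced-threat-protection.md` actually reads "Offboard and monitor machines using Mobile Device Management tools", since a mismatched anchor silently lands the reader at the top of the page.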
@ -201,4 +201,3 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -180,8 +180,8 @@ $ioc =
|
||||
|
||||
## Related topics
|
||||
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
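Review bot: `[Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)` is listed twice here; ensure only one copy survives this change.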
@ -33,9 +33,8 @@ Use the **Settings** menu to modify general settings, advanced features, enable
|
||||
Topic | Description
|
||||
:---|:---
|
||||
[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
|
||||
[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
|
||||
[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
|
||||
[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
|
||||
[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution.
|
||||
[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application.
|
||||
[Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) | Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
|
||||
Permissions | Manage portal access using RBAC as well as machine groups.
|
||||
APIs | Enable the threat intel and SIEM integration.
|
||||
Rules | Configure suppressions rules and automation settings.
|
||||
Machine management | Onboard and offboard machines.
|
||||
|
||||
|
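Review bot: `Configure suppressions rules and automation settings.` should read `suppression rules`. The four new rows (`Permissions`, `APIs`, `Rules`, `Machine management`) also leave the Topic cell as plain text while every other row links its topic to a page; if target pages exist for them, link them the same way, otherwise the table mixes navigable and non-navigable rows.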
@ -183,8 +183,8 @@ with requests.Session() as session:
|
||||
|
||||
## Related topics
|
||||
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
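Review bot: `[Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)` is listed twice here; ensure only one copy survives this change.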
@ -108,4 +108,4 @@ When you first log in to the Windows Defender ATP portal, you're granted either
|
||||
2. Click the drop-down button and select **Delete role**.
|
||||
|
||||
## Related topic
|
||||
- [Manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
|
||||
- [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md)
|
@ -40,3 +40,5 @@ IP | Run API calls such as get IP related alerts, IP related machines, IP statis
|
||||
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
|
||||
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
|
||||
|
||||
## Related topic
|
||||
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
|
||||
|
@ -52,8 +52,8 @@ Here is an example of an IOC:
|
||||
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
|
||||
|
||||
## Related topics
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
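Review bot: `[Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)` is listed twice here; ensure only one copy survives this change.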
@ -53,8 +53,8 @@ If your client secret expires or if you've misplaced the copy provided when you
|
||||
|
||||
## Related topics
|
||||
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
|
||||
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
|
||||
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
|
||||
|
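Review bot: `[Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)` is listed twice here; ensure only one copy survives this change.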