deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 15:23:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into fix--MD037/no-space-in-emphasis

Browse Source
This commit is contained in:
Nick Schonning
2019-07-18 14:49:08 -04:00
committed by GitHub
parent 680646be9a 51515d6cce
commit ae0fb89541
399 changed files with 3344 additions and 2553 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/TOC.md
View File

@ -422,14 +422,13 @@
##### [Check service health](microsoft-defender-atp/service-status.md)
#### [Troubleshoot live response issues]()
#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)

2
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/advanced-security-auditing.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp

2
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/audit-account-lockout.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 07/16/2018
---

2
windows/security/threat-protection/auditing/audit-application-generated.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-application-group-management.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-audit-policy-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-authentication-policy-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-authorization-policy-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-certification-services.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-computer-account-management.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-credential-validation.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-detailed-file-share.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-directory-service-access.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-directory-service-changes.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-directory-service-replication.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-distribution-group-management.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-dpapi-activity.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-file-share.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-file-system.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-group-membership.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-handle-manipulation.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

32
windows/security/threat-protection/auditing/audit-ipsec-driver.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---
@ -20,7 +20,6 @@ ms.date: 10/02/2018
- Windows 10
- Windows Server 2016
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of the IPsec services.
@ -37,9 +36,11 @@ Audit IPsec Driver allows you to audit events generated by IPSec driver such as
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
This subcategory is outside the scope of this document.
**Event volume:** Medium
**Default:** Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
@ -47,25 +48,26 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
**Events List:**
## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
## 5478(S): IPsec Services has started successfully.
- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5478(S): IPsec Services has started successfully.
## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

2
windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---

2
windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---

2
windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 10/02/2018
---

2
windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-kernel-object.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-logoff.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 07/16/2018
---

2
windows/security/threat-protection/auditing/audit-logon.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-network-policy-server.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-account-logon-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-account-management-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-object-access-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 05/29/2017
---

2
windows/security/threat-protection/auditing/audit-other-policy-change-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-other-system-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-pnp-activity.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-process-creation.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-process-termination.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-registry.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-removable-storage.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-rpc-events.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-sam.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-security-group-management.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 02/28/2019
---

5
windows/security/threat-protection/auditing/audit-security-state-change.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -39,5 +39,6 @@ Audit Security State Change contains Windows startup, recovery, and shutdown eve
- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
>**Note**  Event **4609(S): Windows is shutting down** currently doesnt generate. It is a defined event, but it is never invoked by the operating system.
>[!NOTE]
>Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.

2
windows/security/threat-protection/auditing/audit-security-system-extension.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

5
windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---
@ -71,6 +71,7 @@ If you configure this policy setting, an audit event is generated when sensitive
- [4985](event-4985.md)(S): The state of a transaction has changed.
>**Note**  For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
>[!NOTE]
> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.

2
windows/security/threat-protection/auditing/audit-special-logon.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-system-integrity.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-user-account-management.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/audit-user-device-claims.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
---

2
windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-account-management.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-logon-events.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-object-access.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-policy-change.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-privilege-use.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-process-tracking.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-audit-system-events.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-security-audit-policies.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

2
windows/security/threat-protection/auditing/event-1100.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp

2
windows/security/threat-protection/auditing/event-1102.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp

2
windows/security/threat-protection/auditing/event-1104.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dulcemontemayor
author: Mir0sh
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp

2
windows/security/threat-protection/microsoft-defender-atp/TOC.md
View File

@ -418,7 +418,7 @@
#### [Check service health](service-status.md)
### [Troubleshoot live response issues]()
### [Troubleshoot live response issues](troubleshoot-live-response.md)
#### [Troubleshoot issues related to live response](troubleshoot-live-response.md)
### Troubleshoot attack surface reduction

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -37,7 +37,7 @@ The following best practices serve as a guideline of query performance best prac
- When joining between two tables, project only needed columns from both sides of the join.
>[!Tip]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
## Query tips and pitfalls

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
View File

@ -72,7 +72,6 @@ To effectively build queries that span multiple tables, you need to understand t
| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |

2
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -48,7 +48,7 @@ The goal is to remediate the issues in the security recommendations list to impr
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

8
windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
View File

@ -47,7 +47,7 @@ You can create rules that determine the machines and alert severities to send em
2. Click **Add notification rule**.
3. Specify the General information:
3. Specify the General information:
- **Rule name** - Specify a name for the notification rule.
- **Include organization name** - Specify the customer name that appears on the email notification.
- **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
@ -93,9 +93,9 @@ This section lists various issues that you may encounter when using email notifi
**Solution:** Make sure that the notifications are not blocked by email filters:
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
## Related topics
- [Update data retention settings](data-retention-settings.md)

26
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
View File

@ -46,7 +46,7 @@ ms.date: 04/24/2018
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -98,7 +98,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -108,21 +108,21 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
@ -132,9 +132,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.

4
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
View File

@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -113,7 +113,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.

10
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
View File

@ -93,7 +93,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
@ -127,11 +127,11 @@ You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
1. Go to Microsoft Defender Security Center.
1. Go to Microsoft Defender Security Center.
2. Click **Machines list**.
2. Click **Machines list**.
3. Verify that machines are appearing.
3. Verify that machines are appearing.
## Related topics

4
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -65,11 +65,11 @@ From the overview, create a configuration profile specifically for the deploymen
3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
![Profile assignment screen screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
*Assigning the new agent profile to all machines*
>[!TIP]
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

6
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -47,13 +47,13 @@ In doing so, you benefit from:
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:

3
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -134,7 +134,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Microsoft Defender ATP sensor is running on.
1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
@ -172,6 +172,7 @@ If at least one of the connectivity options returns a (200) status, then the Mic
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
> [!NOTE]
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Related topics

8
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -104,14 +104,14 @@ The following steps are required to enable this integration:
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
Once completed, you should see onboarded servers in the portal within an hour.
@ -149,7 +149,7 @@ Supported tools include:
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
2. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

5
windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/16/2017
---
# Configure Splunk to pull Microsoft Defender ATP alerts
@ -33,7 +32,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
@ -52,7 +51,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
3. Click **REST** under **Local inputs**.
NOTE:
This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
4. Click **New**.

10
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -28,13 +28,13 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
>[!NOTE]
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
1. In the navigation pane, select **Advanced hunting**.
2. Select an existing query that you'd like to base the monitor on or create a new query.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select **Create detection rule**.
3. Select **Create detection rule**.
4. Specify the alert details:
4. Specify the alert details:
- Alert title
- Severity
@ -42,7 +42,7 @@ Create custom detection rules from [Advanced hunting](overview-hunting.md) queri
- Description
- Recommended actions
5. Click **Create**.
5. Click **Create**.
> [!TIP]
> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>

6
windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md
View File

@ -141,11 +141,11 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser.
2. Log in with your Microsoft Defender ATP credentials.
2. Log in with your Microsoft Defender ATP credentials.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)

2
windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
View File

@ -83,7 +83,7 @@ Use the slider or the range selector to quickly specify a time period that you w
## Deep analysis
The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
![Image of deep analysis tab](images/submit-file.png)

1
windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
View File

@ -74,6 +74,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
* Folder path - wildcard supported
* IP address
* URL - wildcard supported
* Command line - wildcard supported
3. Select the **Trigerring IOC**.

36
windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
View File

@ -130,25 +130,25 @@ For more information, see [Create a Power BI dashboard from a report](https://po
You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
### Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
![Image of settings Power BI reports](images/atp-settings-powerbi.png)
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
![Settings with download connector button](images/atp-download-connector.png)
4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
6. Open Power BI Desktop.
7. Click **File** > **Options and settings** > **Custom data connectors**.
7. Click **File** > **Options and settings** > **Custom data connectors**.
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
>[!NOTE]
>If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
@ -160,36 +160,36 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
## Customize the Microsoft Defender ATP Power BI dashboard
After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
2. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
2. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
![Consent image](images/atp-powerbi-consent.png)
3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
## Mashup Microsoft Defender ATP data with other data sources
You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
2. Click **Connect**.
3. On the Preview Connector windows, click **Continue**.
3. On the Preview Connector windows, click **Continue**.
4. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
4. If this is the first time youre using Power BI with Microsoft Defender ATP, youll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, youre allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
![Consent image](images/atp-powerbi-consent.png)
5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
8. Add visuals and select fields from the available data sources.
## Using the Power BI reports
There are a couple of tabs on the report that's generated:

2
windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
View File

@ -173,7 +173,7 @@ Here is an example return value:
### Get access token
The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
```syntax
```csharp
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);

12
windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
View File

@ -39,7 +39,7 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Settings** page in the portal:
```
```python
import json
import requests
from pprint import pprint
@ -62,7 +62,7 @@ token = json.loads(response.text)["access_token"]
## Step 2: Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
```
```python
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
@ -74,7 +74,7 @@ with requests.Session() as session:
## Step 3: Create calls to the custom threat intelligence API
After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
```
```python
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
```
@ -85,7 +85,7 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
```
```python
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
@ -104,7 +104,7 @@ The following example demonstrates how you to create a new alert definition.
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
```
```python
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
@ -121,7 +121,7 @@ You can now use the alert ID obtained from creating a new alert definition to cr
## Complete code
You can use the complete code to create calls to the API.
```syntax
```python
import json
import requests
from pprint import pprint

4
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
View File

@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
## Enable raw data streaming:
@ -86,4 +86,4 @@ To get the data types for event properties do the following:
- [Overview of Advanced Hunting](overview-hunting.md)
- [Microsoft Defender ATP streaming API](raw-data-export.md)
- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)

Some files were not shown because too many files have changed in this diff Show More