mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 07:17:24 +00:00
Merge pull request #3629 from MicrosoftDocs/master
publish 8/25/2020 10:30 AM PT
This commit is contained in:
Jeff Borsecnik
GitHub
commit
afcbbfe837
@ -4,7 +4,7 @@ ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
ms.author: greglin
|
||||
description:
|
||||
description: How to activate using Key Management Service in Windows 10.
|
||||
keywords: vamt, volume activation, activation, windows activation
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -45,14 +45,16 @@ Installing a KMS host key on a computer running Windows 10 allows you to activa
|
||||
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
|
||||
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
|
||||
|
||||
**Configure KMS in Windows 10**
|
||||
**Configure KMS in Windows 10**
|
||||
|
||||
To activate by using the telephone, use the slmgr.vbs script.
|
||||
|
||||
1. Run **slmgr.vbs /dti** and confirm the installation ID.
|
||||
To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
|
||||
- To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
|
||||
- To activate online, type `slmgr.vbs/ato`.
|
||||
- To activate by telephone , follow these steps:
|
||||
1. Run `slmgr.vbs /dti` and confirm the installation ID.
|
||||
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
|
||||
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
|
||||
4. Run **slmgr.vbs /atp \<confirmation ID\>**.
|
||||
4. Run `slmgr.vbs /atp \<confirmation ID\>`.
|
||||
|
||||
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4706(S) A new trust was created to a domain. (Windows 10)
|
||||
description: Describes security event 4706(S) A new trust was created to a domain.
|
||||
description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4707(S) A trust to a domain was removed. (Windows 10)
|
||||
description: Describes security event 4707(S) A trust to a domain was removed.
|
||||
description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4713(S) Kerberos policy was changed. (Windows 10)
|
||||
description: Describes security event 4713(S) Kerberos policy was changed.
|
||||
description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4719(S) System audit policy was changed. (Windows 10)
|
||||
description: Describes security event 4719(S) System audit policy was changed.
|
||||
description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4720(S) A user account was created. (Windows 10)
|
||||
description: Describes security event 4720(S) A user account was created.
|
||||
description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4722(S) A user account was enabled. (Windows 10)
|
||||
description: Describes security event 4722(S) A user account was enabled.
|
||||
description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4725(S) A user account was disabled. (Windows 10)
|
||||
description: Describes security event 4725(S) A user account was disabled.
|
||||
description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4726(S) A user account was deleted. (Windows 10)
|
||||
description: Describes security event 4726(S) A user account was deleted.
|
||||
description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4738(S) A user account was changed. (Windows 10)
|
||||
description: Describes security event 4738(S) A user account was changed.
|
||||
description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -32,7 +32,7 @@ This event generates on domain controllers, member servers, and workstations.
|
||||
|
||||
For each change, a separate 4738 event will be generated.
|
||||
|
||||
You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
|
||||
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
|
||||
|
||||
Some changes do not invoke a 4738 event.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4739(S) Domain Policy was changed. (Windows 10)
|
||||
description: Describes security event 4739(S) Domain Policy was changed.
|
||||
description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4740(S) A user account was locked out. (Windows 10)
|
||||
description: Describes security event 4740(S) A user account was locked out.
|
||||
description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4741(S) A computer account was created. (Windows 10)
|
||||
description: Describes security event 4741(S) A computer account was created.
|
||||
description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4742(S) A computer account was changed. (Windows 10)
|
||||
description: Describes security event 4742(S) A computer account was changed.
|
||||
description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -36,7 +36,7 @@ For each change, a separate 4742 event will be generated.
|
||||
|
||||
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
|
||||
|
||||
You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
|
||||
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
|
||||
|
||||
***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4743(S) A computer account was deleted. (Windows 10)
|
||||
description: Describes security event 4743(S) A computer account was deleted.
|
||||
description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4764(S) A group's type was changed. (Windows 10)
|
||||
description: Describes security event 4764(S) A group’s type was changed.
|
||||
description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed."
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4765(S) SID History was added to an account. (Windows 10)
|
||||
description: Describes security event 4765(S) SID History was added to an account.
|
||||
description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4767(S) A user account was unlocked. (Windows 10)
|
||||
description: Describes security event 4767(S) A user account was unlocked.
|
||||
description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
|
||||
description: Describes security event 4771(F) Kerberos pre-authentication failed.
|
||||
description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4774(S, F) An account was mapped for logon. (Windows 10)
|
||||
description: Describes security event 4774(S, F) An account was mapped for logon.
|
||||
description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4781(S) The name of an account was changed. (Windows 10)
|
||||
description: Describes security event 4781(S) The name of an account was changed.
|
||||
description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4800(S) The workstation was locked. (Windows 10)
|
||||
description: Describes security event 4800(S) The workstation was locked.
|
||||
description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4801(S) The workstation was unlocked. (Windows 10)
|
||||
description: Describes security event 4801(S) The workstation was unlocked.
|
||||
description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4802(S) The screen saver was invoked. (Windows 10)
|
||||
description: Describes security event 4802(S) The screen saver was invoked.
|
||||
description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4803(S) The screen saver was dismissed. (Windows 10)
|
||||
description: Describes security event 4803(S) The screen saver was dismissed.
|
||||
description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4826(S) Boot Configuration Data loaded. (Windows 10)
|
||||
description: Describes security event 4826(S) Boot Configuration Data loaded.
|
||||
description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4864(S) A namespace collision was detected. (Windows 10)
|
||||
description: Describes security event 4864(S) A namespace collision was detected.
|
||||
description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4908(S) Special Groups Logon table modified. (Windows 10)
|
||||
description: Describes security event 4908(S) Special Groups Logon table modified.
|
||||
description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4912(S) Per User Audit Policy was changed. (Windows 10)
|
||||
description: Describes security event 4912(S) Per User Audit Policy was changed.
|
||||
description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4935(F) Replication failure begins. (Windows 10)
|
||||
description: Describes security event 4935(F) Replication failure begins.
|
||||
description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 4936(S) Replication failure ends. (Windows 10)
|
||||
description: Describes security event 4936(S) Replication failure ends.
|
||||
description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5039(-) A registry key was virtualized. (Windows 10)
|
||||
description: Describes security event 5039(-) A registry key was virtualized.
|
||||
description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5051(-) A file was virtualized. (Windows 10)
|
||||
description: Describes security event 5051(-) A file was virtualized.
|
||||
description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5058(S, F) Key file operation. (Windows 10)
|
||||
description: Describes security event 5058(S, F) Key file operation.
|
||||
description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5059(S, F) Key migration operation. (Windows 10)
|
||||
description: Describes security event 5059(S, F) Key migration operation.
|
||||
description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5060(F) Verification operation failed. (Windows 10)
|
||||
description: Describes security event 5060(F) Verification operation failed.
|
||||
description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5061(S, F) Cryptographic operation. (Windows 10)
|
||||
description: Describes security event 5061(S, F) Cryptographic operation.
|
||||
description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5142(S) A network share object was added. (Windows 10)
|
||||
description: Describes security event 5142(S) A network share object was added.
|
||||
description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5143(S) A network share object was modified. (Windows 10)
|
||||
description: Describes security event 5143(S) A network share object was modified.
|
||||
description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5144(S) A network share object was deleted. (Windows 10)
|
||||
description: Describes security event 5144(S) A network share object was deleted.
|
||||
description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
|
||||
description: Describes security event 5168(F) SPN check for SMB/SMB2 failed.
|
||||
description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6407(-) 1%. (Windows 10)
|
||||
description: Describes security event 6407(-) 1%.
|
||||
description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6420(S) A device was disabled. (Windows 10)
|
||||
description: Describes security event 6420(S) A device was disabled.
|
||||
description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6422(S) A device was enabled. (Windows 10)
|
||||
description: Describes security event 6422(S) A device was enabled.
|
||||
description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Other Events (Windows 10)
|
||||
description: Describes the Other Events auditing subcategory.
|
||||
description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default.
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Memory integrity
|
||||
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
|
||||
description: Memory integrity.
|
||||
description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Threat Protection (Windows 10)
|
||||
description: Learn how Microsoft Defender ATP helps protect against threats.
|
||||
description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
|
||||
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Security intelligence
|
||||
description: Safety tips about malware and how you can protect your organization
|
||||
description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
|
||||
keywords: security, malware
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: secure
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Microsoft Defender Antivirus notifications
|
||||
description: Configure and customize Microsoft Defender Antivirus notifications.
|
||||
description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
|
||||
keywords: notifications, defender, antivirus, endpoint, management, admin
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
|
||||
description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019
|
||||
description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019.
|
||||
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Microsoft Defender Antivirus with Group Policy
|
||||
description: Configure Microsoft Defender Antivirus settings with Group Policy
|
||||
description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP.
|
||||
keywords: group policy, GPO, configuration, settings
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Microsoft Defender Antivirus with WMI
|
||||
description: Use WMI scripts to configure Microsoft Defender AV.
|
||||
description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP.
|
||||
keywords: wmi, scripts, windows management instrumentation, configuration
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Add or Remove Machine Tags API
|
||||
description: Use this API to Add or Remove machine tags.
|
||||
description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, tags, machine tags
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Advanced hunting schema reference
|
||||
description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
|
||||
description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
|
||||
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get alerts API
|
||||
description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts.
|
||||
description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, alerts, recent
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Create alert from event API
|
||||
description: Creates an alert using event details
|
||||
description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, alert, information, id
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Delete Indicator API.
|
||||
description: Deletes Indicator entity by ID.
|
||||
description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, public api, supported apis, delete, ti indicator, entity, id
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Turning on network protection
|
||||
description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager
|
||||
description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
|
||||
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get alert information by ID API
|
||||
description: Retrieve a Microsoft Defender ATP alert by its ID.
|
||||
description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, alert, information, id
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get alert related user information
|
||||
description: Retrieves the user associated to a specific alert.
|
||||
description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, alert, information, related, user
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: List alerts API
|
||||
description: Retrieve a collection of recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts.
|
||||
description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, alerts, recent
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get CVE-KB map API
|
||||
description: Retrieves a map of CVE's to KB's.
|
||||
description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, cve, kb
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get domain related alerts API
|
||||
description: Retrieves a collection of alerts related to a given domain address.
|
||||
description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, domain, related, alerts
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get domain related machines API
|
||||
description: Retrieves a collection of devices related to a given domain address.
|
||||
description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, domain, related, devices
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get domain statistics API
|
||||
description: Retrieves the prevalence for the given domain.
|
||||
description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, domain, domain related devices
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get file information API
|
||||
description: Retrieves a file by identifier Sha1, Sha256, or MD5.
|
||||
description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get file related alerts API
|
||||
description: Retrieves a collection of alerts related to a given file hash.
|
||||
description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, file, hash
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get file related machines API
|
||||
description: Retrieves a collection of devices related to a given file hash.
|
||||
description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, devices, hash
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get file statistics API
|
||||
description: Retrieves the prevalence for the given file.
|
||||
description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, file, statistics
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get machine by ID API
|
||||
description: Retrieves a device entity by ID.
|
||||
description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, devices, entity, id
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get machine log on users API
|
||||
description: Retrieve a collection of logged on users on a specific device using Microsoft Defender ATP APIs.
|
||||
description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, device, log on, users
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get machine related alerts API
|
||||
description: Retrieves a collection of alerts related to a given device ID.
|
||||
description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, devices, related, alerts
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get MachineAction object API
|
||||
description: Use this API to create calls related to get machineaction object
|
||||
description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, machineaction object
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: List machineActions API
|
||||
description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
|
||||
description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, machineaction collection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get RBAC machine groups collection API
|
||||
description: Retrieves a collection of RBAC device groups.
|
||||
description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, RBAC, group
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: List machines API
|
||||
description: Retrieves a collection of recently seen devices.
|
||||
description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
|
||||
keywords: apis, graph api, supported apis, get, devices
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get machines security states collection API
|
||||
description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
|
||||
description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
|
||||
keywords: apis, graph api, supported apis, get, device, security, state
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: List Indicators API
|
||||
description: Use this API to create calls related to get Indicators collection
|
||||
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, public api, supported apis, Indicators collection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get user information API
|
||||
description: Retrieve a User entity by key such as user name or domain.
|
||||
description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, user, user information
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Get user related machines API
|
||||
description: Retrieves a collection of devices related to a given user ID.
|
||||
description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, user, user related alerts
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 536 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 106 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 304 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 152 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 81 KiB |
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Investigate connection events that occur behind forward proxies
|
||||
description: Investigate connection events that occur behind forward proxies
|
||||
description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
|
||||
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Isolate machine API
|
||||
description: Use this API to create calls related isolating a device.
|
||||
description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, isolate device
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -84,13 +84,13 @@ Here is an example of the request.
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
```
|
||||
```console
|
||||
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
|
||||
Content-type: application/json
|
||||
{
|
||||
"Comment": "Isolate machine due to alert 1234",
|
||||
“IsolationType”: “Full”
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
- To unisolate a device, see [Release device from isolation](unisolate-machine.md).
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: JAMF-based deployment for Microsoft Defender ATP for Mac
|
||||
description: Install Microsoft Defender ATP for Mac, using JAMF.
|
||||
description: Learn about all the steps needed to deploy Microsoft Defender Advanced Threat Protection for Mac through JAMF.
|
||||
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: What's new in Microsoft Defender Advanced Threat Protection for Mac
|
||||
description: List of major changes for Microsoft Defender ATP for Mac.
|
||||
description: Learn about the major changes for previous versions of Microsoft Defender Advanced Threat Protection for Mac.
|
||||
keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Machine resource type
|
||||
description: Retrieves top machines
|
||||
description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, supported apis, get, machines
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: machineAction resource type
|
||||
description: Quickly respond to detected attacks by isolating machines or collecting an investigation package.
|
||||
description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, supported apis, get, machineaction, recent
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Manage Microsoft Defender Advanced Threat Protection suppression rules
|
||||
description: Manage suppression rules
|
||||
description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
|
||||
keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft Defender ATP for Mac
|
||||
ms.reviewer:
|
||||
description: Describes how to install and use Microsoft Defender ATP for Mac.
|
||||
description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac.
|
||||
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Submit or Update Indicator API
|
||||
description: Use this API to submit or Update Indicator.
|
||||
description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, submit, ti, indicator, update
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Advanced Hunting API
|
||||
ms.reviewer:
|
||||
description: Use the Advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection
|
||||
description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example.
|
||||
keywords: apis, supported apis, advanced hunting, query
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Advanced Hunting with Python API Guide
|
||||
ms.reviewer:
|
||||
description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using Python.
|
||||
description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples.
|
||||
keywords: apis, supported apis, advanced hunting, query
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Stop and quarantine file API
|
||||
description: Use this API to stop and quarantine file.
|
||||
description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example.
|
||||
keywords: apis, graph api, supported apis, stop and quarantine file
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
|
||||
@ -22,49 +22,84 @@ ms.topic: article
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience.
|
||||
With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
|
||||
|
||||
Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
|
||||
- Assess the impact of new threats
|
||||
- Review your resilience against or exposure to the threats
|
||||
- Identify the actions you can take to stop or contain the threats
|
||||
|
||||
Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
|
||||
Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:
|
||||
|
||||
- Active threat actors and their campaigns
|
||||
- Popular and new attack techniques
|
||||
- Critical vulnerabilities
|
||||
- Common attack surfaces
|
||||
- Prevalent malware
|
||||
|
||||
Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.
|
||||
|
||||
Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
|
||||
<p></p>
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
|
||||
|
||||
## View the threat analytics dashboard
|
||||
|
||||
The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
|
||||
The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
|
||||
|
||||
- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts.
|
||||
- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts.
|
||||
- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
|
||||
- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
|
||||
- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
|
||||
- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.
|
||||
|
||||
Select a threat from the dashboard to view the report for that threat.
|
||||
|
||||
|
||||
|
||||
Select a threat from any of the overviews or from the table to view the report for that threat.
|
||||
|
||||
## View a threat analytics report
|
||||
|
||||
Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
|
||||
Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
|
||||
|
||||
|
||||
### Quickly understand a threat and assess its impact to your network in the overview
|
||||
|
||||
### Organizational impact
|
||||
Each report includes cards designed to provide information about the organizational impact of a threat:
|
||||
The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
|
||||
|
||||
|
||||
_Overview section of a threat analytics report_
|
||||
|
||||
#### Organizational impact
|
||||
Each report includes charts designed to provide information about the organizational impact of a threat:
|
||||
- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
|
||||
- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
|
||||
|
||||
### Organizational resilience
|
||||
Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
|
||||
#### Organizational resilience and exposure
|
||||
Each report includes charts that provide an overview of how resilient your organization is against a given threat:
|
||||
- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
|
||||
- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
|
||||
- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place.
|
||||
|
||||
### Additional report details and limitations
|
||||
### Get expert insight from the analyst report
|
||||
Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
|
||||
|
||||
|
||||
_Analyst report section of a threat analytics report_
|
||||
|
||||
### Review list of mitigations and the status of your devices
|
||||
In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.
|
||||
|
||||
Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
|
||||
|
||||
|
||||
_Mitigations section of a threat analytics report_
|
||||
|
||||
|
||||
## Additional report details and limitations
|
||||
When using the reports, keep the following in mind:
|
||||
|
||||
- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC.
|
||||
- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts.
|
||||
- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
|
||||
- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
|
||||
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
|
||||
- Devices are counted as "unavailable" if they have been unable to transmit data to the service.
|
||||
- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
|
||||
- Devices are counted as "unavailable" if they have not transmitted data to the service.
|
||||
- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
|
||||
|
||||
## Related topics
|
||||
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
|
||||
- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Integrate Microsoft Defender ATP with other Microsoft solutions
|
||||
ms.reviewer:
|
||||
description: Learn how Microsoft Defender ATP integrations with other Microsoft solutions
|
||||
description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center.
|
||||
keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Troubleshoot exploit protection mitigations
|
||||
keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
|
||||
description: Remove unwanted Exploit protection mitigations.
|
||||
description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead.
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user