deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 07:47:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

acrolinx updates

Browse Source
This commit is contained in:
Beth Levin 2020-08-14 17:33:33 -07:00
parent aea5fdeba2
commit c2f39a02b4
14 changed files with 99 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/TOC.md
View File

@ -85,6 +85,7 @@
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
#### [Network protection]()
@ -557,7 +558,7 @@
####### [Score methods and properties](microsoft-defender-atp/score.md)
####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md)
####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
###### [Software]()
####### [Software methods and properties](microsoft-defender-atp/software.md)

22
windows/security/threat-protection/microsoft-defender-atp/event-views.md
View File

@ -20,19 +20,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled.
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
## Use custom views to review attack surface reduction capabilities
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the feature.
@ -54,7 +52,7 @@ You can also manually navigate to the event area that corresponds to the feature
5. Select **Open**.
6. This will create a custom view that filters to only show the events related to that feature.
6. It will create a custom view that filters to only show the events related to that feature.
### Copy the XML directly
@ -64,13 +62,13 @@ You can also manually navigate to the event area that corresponds to the feature
![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif)
3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
4. Paste the XML code for the feature you want to filter events from into the XML section.
5. Select **OK**. Specify a name for your filter.
6. This will create a custom view that filters to only show the events related to that feature.
6. It will create a custom view that filters to only show the events related to that feature.
### XML for attack surface reduction rule events
@ -131,9 +129,9 @@ All attack surface reduction events are located under **Applications and Service
You can access these events in Windows Event viewer:
1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result.
1. Open the **Start** menu and type **event viewer**, and then select the **Event Viewer** result.
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.
![Animation showing using Event Viewer](../images/event-viewer.gif)

24
windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
View File

@ -1,5 +1,5 @@
---
title: Get Machine Secure score
title: Get device secure score
description: Retrieves the organizational device secure score.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
author: levinec
ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -16,17 +16,16 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Get Machine Secure score
# Get device secure score
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves the organizational device secure score.
Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
Permission type | Permission | Permission display name
@ -35,6 +34,7 @@ Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/configurationScore
```
@ -45,17 +45,17 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the with device secure score data in the response body.
If successful, this method returns 200 OK, with the device secure score data in the response body.
## Example
**Request**
### Request
Here is an example of the request.
@ -63,14 +63,13 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/configurationScore
```
**Response**
### Response
Here is an example of the response.
>[!NOTE]
>The response list shown here may be truncated for brevity.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
@ -80,4 +79,5 @@ Here is an example of the response.
```
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)

19
windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
author: levinec
ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -17,14 +17,14 @@ ms.topic: article
---
# Get discovered vulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
Retrieves a collection of discovered vulnerabilities related to a given device ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
@ -33,6 +33,7 @@ Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
```
GET /api/machines/{machineId}/vulnerabilities
```
@ -43,17 +44,17 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK with the discovered vulnerability information in the body.
If successful, this method returns 200 OK with the discovered vulnerability information in the body.
## Example
**Request**
### Request
Here is an example of the request.
@ -61,11 +62,10 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
```
**Response**
### Response
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
@ -89,5 +89,6 @@ Here is an example of the response.
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)

19
windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
author: levinec
ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -27,6 +27,7 @@ ms.topic: article
Retrieves the organizational exposure score.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
@ -34,8 +35,8 @@ Permission type | Permission | Permission display name
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/exposureScore
```
@ -46,17 +47,17 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with the exposure data in the response body.
If successful, this method returns 200 OK, with the exposure data in the response body.
## Example
**Request**
### Request
Here is an example of the request.
@ -64,14 +65,13 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore
```
**Response**
### Response
Here is an example of the response.
>[!NOTE]
>The response list shown here may be truncated for brevity.
```json
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
@ -82,7 +82,6 @@ Here is an example of the response.
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)

14
windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
author: levinec
ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -27,6 +27,7 @@ ms.topic: article
Retrieves a collection of alerts related to a given domain address.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
@ -35,6 +36,7 @@ Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
```
GET /api/exposureScore/ByMachineGroups
```
@ -46,15 +48,16 @@ GET /api/exposureScore/ByMachineGroups
| Authorization | String | Bearer {token}.**Required**.
## Request body
Empty
## Response
If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
## Example
**Request**
### Request
Here is an example of the request.
@ -62,7 +65,7 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
```
**Response**
### Response
Here is an example of the response.
@ -87,5 +90,6 @@ Here is an example of the response.
```
## Related topics
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)

4
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
View File

@ -1,6 +1,6 @@
---
title: Get missing KBs by device ID
description: Retrieves missing KBs by device Id
description: Retrieves missing security updates by device ID
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs by device Id
Retrieves missing KBs (security updates) by device ID
## HTTP request

4
windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
View File

@ -1,6 +1,6 @@
---
title: Get missing KBs by software ID
description: Retrieves missing KBs by software ID
description: Retrieves missing security updates by software ID
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Retrieves missing KBs by software ID
Retrieves missing KBs (security updates) by software ID
## Permissions

76
windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
View File

@ -1,7 +1,7 @@
---
title: Import, export, and deploy exploit protection configurations
keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
description: Use Group Policy to deploy mitigations configuration.
keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -11,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
@ -22,35 +21,27 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network. Then, they all have the same set of mitigation settings.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.
## Create and export a configuration file
Before you export a configuration file, you need to ensure you have the correct settings.
Before you export a configuration file, you need to ensure you have the correct settings. First, configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for more information about configuring mitigations.
You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
When you've configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
### Use the Windows Security app to export a configuration file
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by selecting the shield icon in the task bar. Or, search the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**:
![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png)
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved.
> [!IMPORTANT]
> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
@ -62,7 +53,7 @@ When you have configured exploit protection to your desired state (including bot
### Use PowerShell to export a configuration file
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@ -86,7 +77,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@ -101,37 +92,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
> [!IMPORTANT]
>
> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
## Convert an EMET configuration file to an exploit protection configuration file
You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10.
You can only do this conversion in PowerShell.
> [!WARNING]
>
> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
>
> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
>
> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
> [!IMPORTANT]
>
> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
>
> 1. Open the PowerShell-converted XML file in a text editor.
> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
> Ensure you import a configuration file that is created specifically for exploit protection.
## Manage or deploy a configuration
@ -142,29 +103,28 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png)
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**.
5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
* [Protect devices from exploits](exploit-protection.md)
* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
* [Evaluate exploit protection](evaluate-exploit-protection.md)
* [Enable exploit protection](enable-exploit-protection.md)
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)

4
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -105,7 +105,7 @@ Ensure that your devices:
Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
See the following topics for related APIs:
See the following articles for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
@ -115,7 +115,7 @@ See the following topics for related APIs:
- [Vulnerability APIs](vulnerability.md)
- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
## Related topics
## See also
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)

7
windows/security/threat-protection/microsoft-defender-atp/score.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -25,14 +25,15 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method |Return Type |Description
:---|:---|:---
[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
## Properties
Property | Type | Description
:---|:---|:---
Score | Double | The current score.

8
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -55,9 +55,9 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates).
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
## Threat and vulnerability management dashboard
@ -68,12 +68,12 @@ Area | Description
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top security recommendations** | See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
For more information on the icons used throughout the portal, see [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons).
## Related topics

4
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -30,7 +30,7 @@ Your exposure score is visible in the [Threat and vulnerability management dashb
- Detect and respond to areas that require investigation or action to improve the current state.
- Communicate with peers and management about the impact of security efforts.
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further.
![Exposure score card](images/tvm_exp_score.png)
@ -38,7 +38,7 @@ The card gives you a high-level view of your exposure score trend over time. Any
Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts

16
windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
View File

@ -1,6 +1,6 @@
---
title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center
description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls.
keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -37,7 +37,7 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom
## Turn on the Microsoft Secure Score connector
Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
Changes might take up to a few hours to reflect in the dashboard.
@ -52,7 +52,7 @@ Changes might take up to a few hours to reflect in the dashboard.
>[!NOTE]
> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
@ -61,9 +61,9 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu
## Improve your security configuration
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities.
1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
@ -71,15 +71,15 @@ You can improve your security configuration when you remediate issues from the s
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
4. **Submit request**. You will see a confirmation message that the remediation task has been created.
4. **Submit request**. You'll see a confirmation message that the remediation task has been created.
![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
5. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase.
7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: